Proprietary Cyber Threat Intelligence

Fraudlogix has operated in the digital advertising fraud space since 2010, protecting the world’s largest advertising exchanges and networks. We recently found that the data we collect on the botnets, malware, and infected devices used to commit ad fraud is highly applicable to cyber security. The same infected devices are used by multiple threat actors for activities such as DDoS, unauthorized login attempts, network penetration, and data breaches.

The data is unique and large in scope. Our JavaScript sensors currently sit on over 12 million URLs and collect granular endpoint data on roughly 640 million unique users and 1.2 billion unique devices monthly.


Overview


Data Feeds Available:

Full Data Feed

The Full Data Feed is an hourly deposit of over 100 MB of JSON describing every threat event we saw in the previous one-hour increment. Each infected device record carries 24 variables, including the IP, user agent, ASN, and so on.

The full list of variables:

Variable            Description
------------------  --------------------------------------------------------------------
Fingerprint         Fingerprint (based on a list of defined navigator/window properties)
pluginsArr          Array of installed plugins
asnum               Autonomous system number of the client IP
country             ISO two-letter country code
deviceType          Device type category
ip                  IP address of the connecting host
ipclass             IP address classification
srcport             IP source port
sslCipher           SSL cipher used for the connection
sslProtocol         SSL protocol used
bodyBytes           Total number of HTTP request body bytes sent by the client
bytes               Total number of HTTP request bytes sent by the client
headers             Request headers defined for logging
connectionType      Connection type
useragent           HTTP User-Agent
browsername         Browser name
os                  Operating system
vendor              Vendor
device_family       Device family
sp1                 Browser platform detected from the DOM
sp2                 Browser platform claimed by the User-Agent
spfp                Boolean (0/1): whether the device is spoofed (sp1 and sp2 disagree)
risk_level          Risk level
timezone            Timezone (GMT offset with DST indicator)
est_date_and_hour   EST date and hour

IP Intelligence Feed

The IP Intelligence Feed is a cumulative list of all the IPs that we believe are high risk for infected machines and botnets/malware, based on the traffic we are seeing. There are roughly 2 million IPs on the list at any given time, and it updates hourly. The list is available as a downloadable file or via an API, and each IP is assigned a risk level and a reason code for its inclusion.

How the list is built:

Our JavaScript sensors are deployed across 12 million URLs. For each IP we identify both “good” (real, human-generated) traffic and fake traffic that originates from infected devices and botnets. A ratio between good and bad traffic is established, and if the fake traffic volume and frequency dramatically outweighs the real traffic, the IP is added to the list. This process is repeated every hour.
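The hourly good/bad ratio logic above, as an added example that is not Fraudlogix's own code. The record shape, the threshold that counts as “dramatically outweighs” (fake at least 10x real), the minimum event count, and the risk levels and reason codes are all assumptions; the sensor observations are constructed.

```python
# Hourly IP risk-list builder modelled on the good/bad traffic ratio above.
# Assumed (not Fraudlogix's): record shape, the threshold that counts as
# "dramatically outweighs" (fake >= 10x real), a minimum event count, and
# the risk levels / reason codes. Sample observations are constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RATIO_THRESHOLD = 10.0  # assumed: fake must be at least 10x real
MIN_EVENTS = 20         # assumed: too few observations to judge an IP
HOUR = datetime(2024, 1, 1, 12, tzinfo=timezone.utc)  # constructed increment

@dataclass(frozen=True)
class Observation:
    ip: str
    ts: datetime   # when a sensor saw the request
    fake: bool     # sensor verdict: infected device / bot, not a human
    spoofed: bool  # spfp flag: DOM platform contradicts the User-Agent

def build_ip_list(observations, hour):
    """Return {ip: (risk_level, reason)} for one hourly increment."""
    good, bad, spoofed = defaultdict(int), defaultdict(int), defaultdict(int)
    for o in observations:
        if o.ts.replace(minute=0, second=0, microsecond=0) != hour:
            continue  # each hour is scored on its own
        if o.fake:
            bad[o.ip] += 1
            spoofed[o.ip] += o.spoofed
        else:
            good[o.ip] += 1
    listed = {}
    for ip in set(good) | set(bad):
        b, g = bad[ip], good[ip]
        if b + g < MIN_EVENTS or b < RATIO_THRESHOLD * max(g, 1):
            continue  # mostly real traffic, or not enough data to judge
        level = "high" if g == 0 else "medium"
        reason = "SPOOFED_DEVICE" if spoofed[ip] * 2 > b else "BOT_TRAFFIC"
        listed[ip] = (level, reason)
    return listed

def sample_observations():
    """Constructed sensor data: four IPs in HOUR plus stale events two hours later."""
    def mk(ip, n, fake, spoofed, offset=0):
        return [Observation(ip, HOUR + timedelta(minutes=offset + i % 60), fake, spoofed)
                for i in range(n)]
    return (mk("203.0.113.10", 30, True, True) + mk("203.0.113.10", 1, False, False)
            + mk("198.51.100.7", 25, True, False)
            + mk("192.0.2.5", 5, True, False) + mk("192.0.2.5", 40, False, False)
            + mk("192.0.2.9", 10, True, True) + mk("192.0.2.9", 50, True, True, 120))
```

Running `build_ip_list(sample_observations(), HOUR)` lists only the two IPs whose fake traffic dwarfs their real traffic; the IP with 40 human visits and the IP with too few events in that hour are left off, and the stale events are only counted when the later hour is scored.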

For further analysis, a dashboard lets you query any IP in the file and get granular data on the threat events and devices that we saw coming from that IP during the previous 60 days. The process:

1. Enter the IP address.

2. View the list of threat events that Fraudlogix has seen in the last 60 days and select one.

3. Once the threat event is selected, see the granular device data that we saw.