Firefox add-on spoofs thousands of ad calls within seconds

Browser add-ons can enhance a user’s web experience, but they can also open the door for fraudsters to work behind the scenes. Pixalate has uncovered a sophisticated ad fraud practice which is made possible only through the use of a particular Firefox add-on, called IP Flood.

With the IP Flood add-on activated, a single fraudster can spoof thousands of ad calls within seconds, all of which appear to be coming from different domains (some of which are premium) and different user IP addresses.

Learn about the IP Flood ad fraud attack in just two minutes:

How it works

• This exploit is conducted via a Firefox add-on, but a similar Chrome browser extension also exists.
• The landing page features 8 links to domains. When you click on the domains without the IP Flood add-on activated, nothing happens.
• However, when you activate IP Flood and click on one of the links, a page opens and it assigns an IP address and a VAST tag.
• The moment the page is loaded, dozens — if not hundreds — of ad calls go out.
• Each ad request has a different, unique IP address, even though all are coming from the same dummy page.
• Many different URLs are spoofed, including some premium URLs (including countryliving.com, animalplanet.com, msn.com, amc.com, people.com, oprah.com, and more).
• Every time you refresh or reload the page a new wave of ad calls go out, again with different IP addresses and spoofed domains (along with other seemingly legitimate attributes).

What do the fraudsters gain from this tactic?

There are a handful of ways in which fraudsters might utilize this technology:

• This fraud ring spoofs referrals, so the fraudster could claim they have a ton of demand for high-quality sites, but in reality, the demand would just be bots coming from this type of setup.
• In addition to calling for the ads, the page could also load the ads, in which case the fraudster would collect the money before moving on to a new page (in order to avoid detection).
• It could simply be used as a force of chaos meant to cast doubt on every transaction in the ecosystem.

Remaining vigilant with add-ons

The add-on marketplace is open and constantly evolving, which means the fraudsters are always finding new ways to exploit add-ons.

By reverse-engineering this sophisticated fraud, Pixalate was able to improve its detection of invalid traffic generated from add-ons, something we have always taken seriously.