Early fraud detection using a hybrid of messaging reputation and web activity

Phyllis Schneck CipherTrust Inc.

Current approaches to web fraud detection focus on web-based data and entities: the content of fraudulent websites, names used in URLs, domain names and new domain registrations that contain a name or brand not belonging to the registrant - most likely to be used to lure Internet traffic toward that brand. In electronic messaging systems, reputation systems are used to classify senders and content. In the past, web fraud detection and messaging reputation systems have been disjoint.

In this paper, we propose a hybrid fraud detection framework that combines messaging reputation systems and web activity monitoring systems to improve protection and provide a multi-dimensional view of fraud, from set-up to execution to helping law enforcement track a cross-section of organized crime.

Messaging reputation systems analyse the past and present behaviour of an identity. Types of identities in the messaging system include IP addresses, domain names, URLs and message signatures. Identities monitored and classified in the messaging ecosystem can be mined in the web activity databases to find aliases of related activity and to train systems. For example, a single domain identity can be tied to a web host and mapped back to tens of domain names that are being used for the same website. New spoofed sites that are advertised in messaging traffic can be fed to web crawlers as training accelerators to help target the crawling activity based on recently used websites. We further create the capability to search the web reputation database immediately upon identifying potential fraud of a messaging identity such as an IP address.

We demonstrate that this new hybrid web and messaging reputation framework enables:

    1. Faster fraud identification.
    2. Correlation of IP address reputation to messaging fraud such as phishing as well as web activities such as brand name misuse in site hosting.
    3. Improved training of both messaging and web reputation datasets with the real-time exchange of knowledge between behaviour of messaging entities with domain registration and web site content.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.