Phyllis Schneck, CipherTrust Inc.
Current approaches to web fraud detection focus on web-based data and entities: the content of fraudulent websites, names used in URLs, domain names, and new domain registrations that contain a name or brand not belonging to the registrant, which are most likely to be used to lure Internet traffic toward that brand. In electronic messaging systems, reputation systems are used to classify senders and content. In the past, web fraud detection and messaging reputation systems have been disjoint.
In this paper, we propose a hybrid fraud detection framework that combines messaging reputation systems and web activity monitoring systems to improve protection and provide a multi-dimensional view of fraud, from set-up to execution to helping law enforcement track a cross-section of organized crime.
Messaging reputation systems analyse the past and present behaviour of an identity. Types of identities in the messaging system include IP addresses, domain names, URLs and message signatures. Identities monitored and classified in the messaging ecosystem can be mined in the web activity databases to find aliases of related activity and to train systems. For example, a single domain identity can be tied to a web host and mapped back to tens of domain names that are being used for the same website. New spoofed sites that are advertised in messaging traffic can be fed to web crawlers as training accelerators to help target the crawling activity based on recently used websites. We further create the capability to search the web reputation database immediately upon identifying potential fraud of a messaging identity such as an IP address.
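The pivot described above, from a flagged messaging identity to its web aliases and on to crawler targeting, can be sketched as follows. This is an added example, not code from the paper: the record layout, the function names and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample records (not from the paper); schema and names are assumptions.
MESSAGING_REPUTATION = {
    "192.0.2.10": {"verdict": "fraud",
                   "urls": ["http://login-bank.example/verify",
                            "http://new-spoof.example/account"]},
    "198.51.100.7": {"verdict": "good", "urls": ["http://news.example/"]},
}
WEB_ACTIVITY = [  # (domain, web host IP, already crawled)
    ("login-bank.example", "203.0.113.5", True),
    ("bank-secure.example", "203.0.113.5", False),
    ("bank-update.example", "203.0.113.5", True),
    ("news.example", "203.0.113.80", True),
]

def build_indexes(rows):
    """Index the web activity data by domain and by hosting IP."""
    host_of, domains_on, crawled = {}, defaultdict(set), set()
    for domain, host, seen in rows:
        host_of[domain] = host
        domains_on[host].add(domain)
        if seen:
            crawled.add(domain)
    return host_of, domains_on, crawled

def investigate_sender(ip, messaging=MESSAGING_REPUTATION, web=WEB_ACTIVITY):
    """Pivot from a flagged sender IP to related web identities and crawl seeds."""
    record = messaging.get(ip)
    if record is None or record["verdict"] != "fraud":
        return {"aliases": set(), "crawl_seeds": []}
    host_of, domains_on, crawled = build_indexes(web)
    advertised = {urlsplit(u).hostname for u in record["urls"]}
    aliases = set()
    for domain in advertised:
        host = host_of.get(domain)
        if host is not None:  # known site: collect the co-hosted domain names
            aliases |= domains_on[host]
    # Seeds: advertised domains the web database has never seen, plus uncrawled aliases.
    seeds = sorted((advertised | aliases) - crawled)
    return {"aliases": aliases, "crawl_seeds": seeds}

if __name__ == "__main__":
    print(investigate_sender("192.0.2.10"))
```

A domain advertised in messaging traffic but absent from the web activity data still becomes a crawl seed, which is the "training accelerator" path; senders not classified as fraud trigger no lookup.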
We demonstrate that this new hybrid web and messaging reputation framework enables: