Fraudsters Find Creative Ways to Abuse E-commerce Sites
Even if your company website is secured with the latest software patches and has been tested by ethical hackers, it doesn't mean the scammers will stay away.
In fact, fraudsters are actually highly adaptable, looking for ways to exploit marketing campaigns or incentive programs. They often find ways to abuse a system that weren't considered by either fraud or security specialists, said Laura Mather, founder and chief strategy officer of Silver Tail Systems. Her company's software looks for odd behavior during transactions on e-commerce and banking sites.
Take the company that ran a marketing incentive program offering US$5 to people who referred their friends to sign up for an account. The company, which gave away a total of $8 million, gave $2 million of that to just one person in Eastern Europe, Mather said.
"There was no bug in the system," said Mather, who previously worked in fraud prevention for eBay and PayPal for three years. "The criminal was using the website in the way it was intended."
In that case, the fraudster registered a domain with lots of e-mail addresses and registered all of them. "What happens in these cases, the marketing team that launches the program celebrates, and then the fraud team goes, 'I think we need to look at your data,'" Mather said.
But the strange behavior can be detected in real time, which is Silver Tail Systems' focus. Its Forensics product looks at what happens during a Web session. When a person uses a website, the pattern is often the same, which makes different behavior, such as that of a criminal, stand out.
Forensics monitors all the clicks a person makes on a website and matches that to a pattern of behavior typically observed on the site. For example, if someone takes just a third of a second to complete a transaction when the average time is 97 seconds, Forensics would generate an alert. (See also "2012 in Security: Rising Danger.")
Another Silver Tail product, Mitigation, can set rules for how systems should respond when certain kinds of suspected abuse is detected, such as locking someone out of their account.
Mather said Forensics has picked up on behavior that might not be detected by other systems. One of its U.K banking customers -- which can't be identified -- saw that an IP address in the U.S. was accessing 700 accounts per hour. But nothing was happening to the money.
"We were looking at this going 'This is really weird'," Mather said.
The attacker would log in to a person's account, go to their account statements and look at the last three months of transactions. Then the attacker would log out and move to the next account.
It turns out the bank had changed its procedures for how people authenticate themselves during phone banking. The customer service agent would ask a question about the last three months of transactions or other queries, such as what mobile provider the banking customer uses.
"The criminals were getting these statements so they could verify into the call center," Mather said.
A classic mistake is when companies incorporate some sort of account information into a URL. Often the URL can then be manipulated to show a different account, and if the website is configured incorrectly, the system will assume that the user has already been authenticated, Mather said.
If criminals log into an account and notice the issue, they can then cycle through accounts, harvesting addresses, phone numbers, and e-mail addresses, which could be used for targeted phishing attacks.
Another type of attack, called "man in the middle," also shows telltale signs during a banking transaction, Mather said. Often criminals who have installed malicious software on a computer are able to carry out a fraudulent transaction while a person is logged into their account and looking, at, for example, their account statement.
What the victim does not know is that the criminal has intervened in the web session and is carrying out a wire transfer. But an analysis of the "clickstream" can show the parallel actions, which would not happen during a normal transaction.
"As long as we assume that the vast majority of traffic is legitimate, it actually makes the criminal traffic stand out nicely," Mather said.