Fraudsters find creative ways to abuse e-commerce sites

Silver Tail Systems, a company that specializes in Web security, has seen a raft of creative fraud schemes

Even if your company website is secured with the latest software patches and has been tested by ethical hackers, it doesn't mean the scammers will stay away.

In fact, fraudsters are actually highly adaptable, looking for ways to exploit marketing campaigns or incentive programs. They often find ways to abuse a system that weren't considered by either fraud or security specialists, said Laura Mather, founder and chief strategy officer of Silver Tail Systems. Her company's software looks for odd behavior during transactions on e-commerce and banking sites.

Take the company that ran a marketing incentive program offering US$5 to people who referred their friends to sign up for an account. The company, which gave away a total of $8 million, gave $2 million of that to just one person in Eastern Europe, Mather said.

"There was no bug in the system," said Mather, who previously worked in fraud prevention for eBay and PayPal for three years. "The criminal was using the website in the way it was intended."

In that case, the fraudster registered a domain, created lots of e-mail addresses under it and signed up every one of them. "What happens in these cases, the marketing team that launches the program celebrates, and then the fraud team goes, 'I think we need to look at your data,'" Mather said.

But the strange behavior can be detected in real time, which is Silver Tail Systems' focus. Its Forensics product looks at what happens during a Web session. When a person uses a website, the pattern is often the same, which makes different behavior, such as that of a criminal, stand out.

Forensics monitors all the clicks a person makes on a website and compares them with the pattern of behavior typically observed on that site. For example, if someone takes just a third of a second to complete a transaction when the average time is 97 seconds, Forensics would generate an alert.

Another Silver Tail product, Mitigation, can set rules for how systems should respond when certain kinds of suspected abuse are detected, such as locking someone out of their account.

Mather said Forensics has picked up on behavior that might not be detected by other systems. One of its U.K. banking customers -- which can't be identified -- saw that an IP address in the U.S. was accessing 700 accounts per hour. But nothing was happening to the money.

"We were looking at this going 'This is really weird'," Mather said.

The attacker would log in to a person's account, go to their account statements and look at the last three months of transactions. Then the attacker would log out and move to the next account.

It turns out the bank had changed its procedures for how people authenticate themselves during phone banking. The customer service agent would ask a question about the last three months of transactions or other queries, such as what mobile provider the banking customer uses.

"The criminals were getting these statements so they could verify into the call center," Mather said.

A classic mistake is when companies incorporate some sort of account information into a URL. Often the URL can then be manipulated to show a different account, and if the website is configured incorrectly, the system will assume that the user has already been authenticated, Mather said.

If criminals log into an account and notice the issue, they can then cycle through accounts, harvesting addresses, phone numbers and email addresses, which could be used for targeted phishing attacks.
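The mistake described above, shown as an added example that is not from the article or from Silver Tail: a vulnerable handler that trusts the account id in the URL once any session exists, next to a hardened one that also checks the record belongs to the caller. The account table, owner names and function names are constructed for illustration.

```python
# Constructed account table standing in for a database lookup (sample data only).
ACCOUNTS = {
    "1001": {"owner": "alice", "phone": "555-0101", "email": "alice@example.com"},
    "1002": {"owner": "bob",   "phone": "555-0102", "email": "bob@example.com"},
    "1003": {"owner": "carol", "phone": "555-0103", "email": "carol@example.com"},
}

def view_account_insecure(session_user, account_id):
    # The classic mistake: account_id comes straight from the URL (/account?id=1002) and the
    # only check is "is someone logged in?", so any authenticated user can read any record.
    if session_user is None:
        raise PermissionError("login required")
    return ACCOUNTS.get(account_id)

def view_account_secure(session_user, account_id):
    # Authorise the object, not just the session: the record must belong to the caller.
    if session_user is None:
        raise PermissionError("login required")
    rec = ACCOUNTS.get(account_id)
    if rec is None or rec["owner"] != session_user:
        # Same error for "no such account" and "someone else's account", so the response
        # does not reveal which ids exist.
        raise PermissionError("account not available")
    return rec

def harvest_count(view_fn, session_user, ids):
    # How many other people's records one logged-in user can read by cycling through ids.
    # Used here only to contrast the two handlers on the sample table.
    seen = 0
    for account_id in ids:
        try:
            rec = view_fn(session_user, account_id)
        except PermissionError:
            continue
        if rec is not None and rec["owner"] != session_user:
            seen += 1
    return seen
```

Against the constructed table, the insecure handler lets alice read bob's and carol's contact details while the hardened one returns only her own record.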

Another type of attack, called "man in the middle," also shows telltale signs during a banking transaction, Mather said. Often criminals who have installed malicious software on a computer are able to carry out a fraudulent transaction while a person is logged into their account and looking at, for example, their account statement.

What the victim does not know is that the criminal has intervened in the web session and is carrying out a wire transfer. But an analysis of the "clickstream" can show the parallel actions, which would not happen during a normal transaction.
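The three clickstream signals the article describes (a transaction completed far faster than the site average, one IP address logging into an implausible number of accounts in an hour, and a wire transfer appearing in a session whose user never navigated to the transfer page), written up as an added example that is not Silver Tail's code or log format. The event layout, action names, IP addresses, the 5% and 20-accounts-per-hour thresholds, and the "no transfer_form click" heuristic are all assumptions; the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed clickstream log, one tuple per click: (timestamp, session, source_ip, account, action).
EVENTS = [
    ("2011-03-01T10:00:00", "s1", "198.51.100.7", "acct-1", "login"),
    ("2011-03-01T10:00:40", "s1", "198.51.100.7", "acct-1", "checkout_start"),
    ("2011-03-01T10:02:10", "s1", "198.51.100.7", "acct-1", "checkout_done"),          # 90 s: normal
    ("2011-03-01T10:03:05.000000", "s2", "203.0.113.9", "acct-2", "login"),
    ("2011-03-01T10:03:05.000000", "s2", "203.0.113.9", "acct-2", "checkout_start"),
    ("2011-03-01T10:03:05.300000", "s2", "203.0.113.9", "acct-2", "checkout_done"),   # 0.3 s: scripted
    ("2011-03-01T10:10:00", "s3", "198.51.100.7", "acct-1", "login"),
    ("2011-03-01T10:10:20", "s3", "198.51.100.7", "acct-1", "view_statement"),
    ("2011-03-01T10:10:21", "s3", "198.51.100.7", "acct-1", "wire_transfer"),          # user never opened the form
    ("2011-03-01T10:20:00", "s4", "192.0.2.44", "acct-3", "login"),
    ("2011-03-01T10:20:30", "s4", "192.0.2.44", "acct-3", "transfer_form"),
    ("2011-03-01T10:21:00", "s4", "192.0.2.44", "acct-3", "wire_transfer"),            # normal transfer
]
# Constructed statement-harvesting burst: one IP logs into 25 different accounts within one hour
# (the article's case was 700 per hour; the data is kept small here).
for i in range(25):
    EVENTS.append((f"2011-03-01T11:{i:02d}:00", f"h{i}", "203.0.113.9", f"acct-{100 + i}", "login"))
    EVENTS.append((f"2011-03-01T11:{i:02d}:05", f"h{i}", "203.0.113.9", f"acct-{100 + i}", "view_statement"))

def fast_transactions(events, site_avg_s=97.0, fraction=0.05):
    # Flag sessions that finish checkout in under 5% of the site average (0.3 s against 97 s).
    starts, flagged = {}, []
    for ts, sess, _ip, _acct, action in events:
        if action == "checkout_start":
            starts[sess] = datetime.fromisoformat(ts)
        elif action == "checkout_done" and sess in starts:
            secs = (datetime.fromisoformat(ts) - starts[sess]).total_seconds()
            if secs < site_avg_s * fraction:
                flagged.append((sess, secs))
    return flagged

def busy_ips(events, max_accounts_per_hour=20):
    # Distinct accounts logged into per (source IP, hour bucket); the threshold is a tuning assumption.
    seen = defaultdict(set)
    for ts, _sess, ip, acct, action in events:
        if action == "login":
            seen[(ip, datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H"))].add(acct)
    return {key: len(accts) for key, accts in seen.items() if len(accts) > max_accounts_per_hour}

def injected_transfers(events):
    # A wire_transfer with no transfer_form click earlier in the same session: the money movement
    # ran alongside the user's own clicks rather than following them (assumed signature).
    opened, flagged = set(), []
    for _ts, sess, _ip, _acct, action in events:
        if action == "transfer_form":
            opened.add(sess)
        elif action == "wire_transfer" and sess not in opened:
            flagged.append(sess)
    return flagged
```

Each detector returns only the outliers, which is the point Mather makes: with legitimate traffic as the baseline, the scripted checkout, the harvesting IP and the injected transfer are the only rows left.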

"As long as we assume that the vast majority of traffic is legitimate, it actually makes the criminal traffic stand out nicely," Mather said.

Jeremy Kirk

IDG News Service