This post [] from Izzy at SiftScience describes patterns culled from 6 million transactions over a three month sample. The “fraud” sample consisted of transactions confirmed fraudulent by customers; “normal” samples consisted of transactions confirmed by customers to be non-fraudulent, as well as a subset of unlabeled transactions. These patterns are useful to Security Operations Center (SOC) teams who “hunt” for these things.
Here are some of the common traits of fraudulent users or Fraudsters:
Habit #1 Fraudsters go hungry
Whereas there is a dip in activity by normal users at lunch time, no such dip is observed in fraudulent transactions. When looking for out-of-ordinary behavior, the absence of any dip during the day might speak to a script which never tires.
Habit #2 Fraudsters are night owls
Analyzing fraudulent transactions as a percentage of all transactions, 3AM was found to be the most fraudulent hour in the day, and night-time in general was a more dangerous time. SOC teams should hunt for “after hours” behavior as a tip-off for bad actors.
Habit #3 Fraudsters are international
Look for traffic originating outside your home country. While these patterns change frequently, as a general rule, international traffic is worth trending and observing.
Habit #4 Fraudsters don multiple identities
Fraudsters tend to make multiple accounts on their laptop or phone to commit fraud. When multiple accounts are associated with the same device, the higher the likelihood of fraud. A user who has 6 accounts on her laptop is 15 times more likely to be fraudulent than the average person. Users with only 1 account however, are less likely to be fraudulent. SOC teams should look for multiple users using the same computer in a given time frame. Even in shared PC situations (e.g, nurses station in a hospital, it is unusual for much more than one user accessing a PC in a given shift.
Habit #5 Fraudsters use well known domains
The top 3 sources of fraud originated from Microsoft sites including Outlook.com, Hotmail and live.com. Traffic from/to such sites is worthy of trending and examining.
Habit #6 Fraudsters are boring
A widely recognized predictors of fraud is the number of digits in an email address. The more numbers, the more likely that it’s fraud.
Habit #7 Fraudsters like disposable things
We know that attacks almost always originate from DHCP addresses (which is why dshield.org/block.txt gives out /24 ranges). It is also true that the older an account age, the less likely (in general) it is involved in fraud. SOC teams must always look out for account creation.
Happy Hunting.
By A. N. Ananth, CEO of EventTracker
EventTracker offers a dynamic suite of award winning products for SIEM and event log management. SC Magazine BestBuy EventTracker Enterprise processes hundreds of millions of discrete log messages to deliver vital and actionable information, enabling organizations to identify and address security risks, improve IT security, and maintain regulatory compliance requirements with simplified audit functionality. Security Center offers instant security alerts and a real-time dashboard for viewing every incident in the infrastructure, and Log Manager is a monitoring and early threat detection tool.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.