August 10, 2016 By David Strom 2 min read

If you want to detect malware or other potential risks across your enterprise, one time-honored method is to look at your endpoint behavior.

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions.

Seven Keys to Tracking Online Fraud

In January, Simility looked at 100 different behaviors across 500,000 endpoints scattered around the world. It found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior.

Researchers found seven commonalities. These red flags can be applied in any organization to help security professionals identify fraudulent activities or suspicious behavior.

1. Mismatched OS and Device

A device is eight times more likely to be compromised if its OS is running on a mismatched CPU, such as 32-bit Windows running on a 64-bit processor. The mismatch arises because fraudsters run a tampered OS build that they can better control.

2. Freshly Made Cookies

“Fraudsters clear their cookies 90 percent of the time, whereas unhacked users clear cookies only 10 percent of the time,” the study stated. Having more recently created browser cookies is a strong signal a PC has been compromised.

3. Do Not Track Set to Null

The browser setting Do Not Track has three possible legitimate values: yes, no or unspecified. A value of null is not valid, and seeing it is a warning sign. Other browser settings that carry similarly invalid values are another indicator of fraudulent activity.

4. Erased Browser Referrer History

Those tracking online fraud often see an erased browser referrer history as another tipoff. A PC whose history has been erased may be compromised, since a malicious actor is five times more likely to clear it.

5. More Windows

Windows has a high market share among users in general, and cybercriminals are no exception; in fact, they use Windows machines at a higher rate than the public does. Chances are, if you are running on a Mac, your machine is legitimate. Windows users need to be a bit more careful regarding their security.

6. No Plugins or Extensions Installed

Most of the fraudster-controlled PCs had fewer than five browser plugins installed. Most legitimate PCs have more than that, with some users even installing over 25 plugins. However, more is not necessarily better. Too many plugins are one way that machines can be turned into botnet zombies, because many of them are likely to be running older and unpatched versions.

7. Not Running Any Incognito Browser Sessions

A user running a private browsing session is three times as likely to be legitimate.
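One way to turn these seven indicators into a ranked watch list, shown here as an added example that is not part of the original post and not Simility's own tooling: a naive-Bayes log-odds score over device fingerprint records. The likelihood ratios for the OS/CPU mismatch, fresh cookies, erased referrer history and private browsing signals follow the figures quoted above, and the 2 percent prior comes from the 10,000-of-500,000 finding; the ratios for the Do Not Track, Windows and plugin-count signals, the one-hour cookie freshness window, the five-plugin cutoff and the sample records are assumptions for illustration.

```python
"""Rank endpoint fingerprints by the seven fraud signals using a naive-Bayes log-odds sum."""
import math
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Likelihood ratios P(signal | fraud) / P(signal | legitimate).
# Entries marked "page" follow the figures quoted in the article; the rest are
# ASSUMED placeholders that should be re-estimated from your own labelled data.
LIKELIHOOD_RATIOS: Dict[str, float] = {
    "os_cpu_mismatch": 8.0,        # page: 8x more likely to be compromised
    "fresh_cookies": 0.9 / 0.1,    # page: 90% of fraudsters vs 10% of users clear cookies
    "dnt_null": 4.0,               # assumed (page gives no figure)
    "referrer_cleared": 5.0,       # page: 5x more likely to clear referrer history
    "windows": 1.5,                # assumed (page says "higher rate", no figure)
    "few_plugins": 3.0,            # assumed (page gives no figure)
    "private_browsing": 1.0 / 3.0, # page: 3x as likely to be legitimate
}

PRIOR_FRAUD_RATE = 10_000 / 500_000  # page: 10,000 of 500,000 endpoints compromised
FRESH_COOKIE_THRESHOLD_S = 3600.0    # assumed: cookies younger than one hour are "freshly made"
FEW_PLUGINS_THRESHOLD = 5            # page: fraud PCs had fewer than five plugins


@dataclass
class Fingerprint:
    """One collected endpoint fingerprint (field names are this example's own)."""
    device_id: str
    os_name: str
    os_bits: int               # architecture the OS reports (32 or 64)
    cpu_bits: int              # architecture of the processor (32 or 64)
    oldest_cookie_age_s: float # age of the oldest first-party cookie, in seconds
    do_not_track: str          # "yes", "no", "unspecified", or an invalid value such as "null"
    has_referrer_history: bool
    plugin_count: int
    private_session: bool


def extract_signals(fp: Fingerprint) -> Dict[str, bool]:
    """Map a fingerprint onto the seven boolean indicators from the article."""
    return {
        "os_cpu_mismatch": fp.os_bits != fp.cpu_bits,
        "fresh_cookies": fp.oldest_cookie_age_s < FRESH_COOKIE_THRESHOLD_S,
        "dnt_null": fp.do_not_track not in ("yes", "no", "unspecified"),
        "referrer_cleared": not fp.has_referrer_history,
        "windows": fp.os_name.lower().startswith("windows"),
        "few_plugins": fp.plugin_count < FEW_PLUGINS_THRESHOLD,
        "private_browsing": fp.private_session,
    }


def fraud_log_odds(fp: Fingerprint, prior: float = PRIOR_FRAUD_RATE) -> float:
    """Prior log-odds plus log(LR) for every signal that is present (naive independence)."""
    log_odds = math.log(prior / (1.0 - prior))
    for name, present in extract_signals(fp).items():
        if present:
            log_odds += math.log(LIKELIHOOD_RATIOS[name])
    return log_odds


def fraud_probability(fp: Fingerprint, prior: float = PRIOR_FRAUD_RATE) -> float:
    """Convert log-odds back to a posterior probability of compromise."""
    return 1.0 / (1.0 + math.exp(-fraud_log_odds(fp, prior)))


def rank_endpoints(fps: List[Fingerprint], prior: float = PRIOR_FRAUD_RATE) -> List[Tuple[str, float]]:
    """Return (device_id, P(fraud)) pairs, most suspicious first."""
    scored = [(fp.device_id, fraud_probability(fp, prior)) for fp in fps]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample fingerprints (not real telemetry).
SAMPLE_ENDPOINTS: List[Fingerprint] = [
    Fingerprint("ep-suspicious", "Windows 10", 32, 64, 120.0, "null", False, 2, False),
    Fingerprint("ep-typical-windows", "Windows 10", 64, 64, 2 * 86400.0, "no", True, 12, False),
    Fingerprint("ep-benign", "macOS", 64, 64, 30 * 86400.0, "unspecified", True, 18, True),
]

if __name__ == "__main__":
    for device_id, p in rank_endpoints(SAMPLE_ENDPOINTS):
        print(f"{device_id:20s} P(fraud) = {p:.3f}  signals = "
              f"{[k for k, v in extract_signals(next(e for e in SAMPLE_ENDPOINTS if e.device_id == device_id)).items() if v]}")
```

The score treats the seven signals as independent, which they are not (a tampered OS build and a stripped plugin list tend to travel together), so use the output to order a review queue rather than as a standalone verdict, and replace the assumed ratios with ones measured on your own labelled endpoints before acting on it.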

Check Your Mileage

Obviously, these indicators may differ depending on what kind of computers you have on your network and what your existing security best practices might be.

Still, this is an intriguing collection of behaviors that, taken together, might be useful. Set up your machine learning tools to track online fraud and see if your mileage is similar.
