August 10, 2016 By David Strom 2 min read

If you want to detect malware or other potential risks across your enterprise, one time-honored method is to look at your endpoint behavior.

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions.

Seven Keys to Tracking Online Fraud

In January, Simility looked at 100 different behaviors across 500,000 endpoints scattered around the world. It found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior.

Researchers found seven commonalities. These red flags can be applied in any organization to help security professionals identify fraudulent activities or suspicious behavior.

1. Mismatched OS and Device

A device is eight times more likely to be compromised if its OS is running on the wrong CPU, such as a 32-bit Windows running on a 64-bit processor. This is because the fraudsters are using a compromised version that they can better control.

2. Freshly Made Cookies

“Fraudsters clear their cookies 90 percent of the time, whereas unhacked users clear cookies only 10 percent of the time,” the study stated. Having more recently created browser cookies is a strong signal a PC has been compromised.

3. Do Not Track Set to Null

The browser setting Do Not Track has three possible legitimate values: yes, no or unspecified. Unfortunately, null is not a valid answer. There are other browser settings that have similar nonvalid settings; these are another warning sign of fraudulent activity.

4. Erased Browser Referrer History

Again, those tracking online fraud often see this as another tipoff. A PC with an erased history may be compromised, since a malicious actor is five times more likely to clear this history.

5. More Windows

Windows has such a high market share, and cybercriminals are no exception — in fact, they use these machines at a higher rate than the public. Chances are, if you are running on a Mac, your machine is legitimate. Windows users need to be a bit more careful regarding their security.

6. No Plugins or Extensions Installed

Most of the fraudster-controlled PCs had less than five browser plugins installed. Most legitimate PCs have more than that, with some users even installing over 25 plugins. However, more is not necessarily better. Too many plugins is one way that machines can be turned into botnet zombies because many are likely to be running older and unpatched versions.

7. Not Running Any Incognito Browser Sessions

A user running a private browsing session is three times as likely to be legitimate.

Check Your Mileage

Obviously, these indicators may differ depending on what kind of computers you have on your network and what your existing security best practices might be.

Still, this is an intriguing collection of behaviors that, taken together, might be useful. Set up your machine learning tools to track online fraud and see if your mileage is similar.

More from Fraud Protection

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today