Tracking Online Fraud: Check Your Mileage Against Endpoint Data

If you want to detect malware or other potential risks across your enterprise, one time-honored method is to look at your endpoint behavior.

A recent Simility blog post detailed how it is tracking online fraud. With the help of a SaaS-based machine learning tool, the company and its beta customers have seen a 50 to 300 percent reduction in fraudulent online transactions.

Seven Keys to Tracking Online Fraud

In January, Simility looked at 100 different behaviors across 500,000 endpoints scattered around the world. It found more than 10,000 of those devices were compromised, and then looked for patterns of similar behavior.

Researchers found seven commonalities. These red flags can be applied in any organization to help security professionals identify fraudulent activities or suspicious behavior.

1. Mismatched OS and Device

A device is eight times more likely to be compromised if its OS is running on the wrong CPU, such as a 32-bit Windows running on a 64-bit processor. This is because the fraudsters are using a compromised version that they can better control.

2. Freshly Made Cookies

“Fraudsters clear their cookies 90 percent of the time, whereas unhacked users clear cookies only 10 percent of the time,” the study stated. Having more recently created browser cookies is a strong signal a PC has been compromised.

3. Do Not Track Set to Null

The browser setting Do Not Track has three possible legitimate values: yes, no or unspecified. Unfortunately, null is not a valid answer. There are other browser settings that have similar nonvalid settings; these are another warning sign of fraudulent activity.

4. Erased Browser Referrer History

Again, those tracking online fraud often see this as another tipoff. A PC with an erased history may be compromised, since a malicious actor is five times more likely to clear this history.

5. More Windows

Windows has such a high market share, and cybercriminals are no exception — in fact, they use these machines at a higher rate than the public. Chances are, if you are running on a Mac, your machine is legitimate. Windows users need to be a bit more careful regarding their security.

6. No Plugins or Extensions Installed

Most of the fraudster-controlled PCs had less than five browser plugins installed. Most legitimate PCs have more than that, with some users even installing over 25 plugins. However, more is not necessarily better. Too many plugins is one way that machines can be turned into botnet zombies because many are likely to be running older and unpatched versions.

7. Not Running Any Incognito Browser Sessions

A user running a private browsing session is three times as likely to be legitimate.

Check Your Mileage

Obviously, these indicators may differ depending on what kind of computers you have on your network and what your existing security best practices might be.

Still, this is an intriguing collection of behaviors that, taken together, might be useful. Set up your machine learning tools to track online fraud and see if your mileage is similar.

David Strom

Security Evangelist

David is an award-winning writer, speaker, editor, video blogger, and online communications professional who also...