The invention relates to methods and systems for detecting online fraud.
Online fraud, especially in the form of phishing and identity theft, has been posing an increasing threat to Internet users worldwide. Sensitive identity information such as user names, IDs, passwords, social security and medical records, and bank and credit card details, obtained fraudulently by international criminal networks operating on the Internet, is used to withdraw private funds and/or is further sold to third parties. Besides direct financial damage to individuals, online fraud also causes a range of unwanted side effects, such as increased security costs for companies, higher retail prices and banking fees, declining stock values, lower wages and decreased tax revenue.
In an exemplary phishing attempt, a fake website, sometimes also termed a clone, may pose as a genuine webpage belonging to an online retailer or a financial institution, asking the user to enter some personal/account information (e.g., username, password) and/or financial information (e.g., credit card number, account number, card security code). Once the information is submitted by the unsuspecting user, it is harvested by the fake website. Additionally, the user may be directed to another webpage which may install malicious software on the user's computer. The malicious software (e.g., viruses, Trojans) may continue to steal personal information by recording the keys pressed by the user while visiting certain webpages, and may transform the user's computer into a platform for launching other phishing or spam attacks.
Software running on an Internet user's computer system may be used to identify fraudulent online documents and to warn the user of a possible phishing/identity theft threat. Several approaches have been proposed for identifying a clone webpage, such as matching the webpage's Internet address to lists of known phishing or trusted addresses (techniques termed black- and white-listing, respectively).
In U.S. Pat. No. 7,457,823 B2, Shraim et al. describe a system which performs a plurality of tests on a web site or an electronic communication, assigns a score based on each of the tests, assigns a composite score based on the scores for each of the plurality of tests, and categorizes the web site/electronic communication as legitimate or fraudulent according to the plurality of scores and/or the composite score.
Experienced fraudsters are continuously developing countermeasures to such detection tools. Such countermeasures include frequently changing the IP addresses of the clone pages to escape blacklisting. Since the type and methods of online fraud evolve rapidly, successful detection may benefit from the development of new fraud-identifying tests.
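The following sketch is an added illustration, not code from this document or from the Shraim et al. patent. It combines the address-list lookup and the per-test composite scoring described above, and shows a clone that escapes the blocklist by moving to a new address still being caught by the composite score. The lists, the three tests, their weights and the threshold are all assumptions constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample data (documentation-range addresses, .test names).
BLOCKLIST = {"203.0.113.7"}
ALLOWLIST = {"www.examplebank.test"}
BRAND = "examplebank"  # hypothetical protected brand name

def score_ip_literal(parts, html):
    """1.0 when the page is served from a bare IP address."""
    try:
        ipaddress.ip_address(parts.hostname or "")
        return 1.0
    except ValueError:
        return 0.0

def score_password_without_tls(parts, html):
    """1.0 when a password field is served over a non-HTTPS scheme."""
    has_pw = 'type="password"' in html.lower()
    return 1.0 if has_pw and parts.scheme != "https" else 0.0

def score_brand_on_foreign_host(parts, html):
    """1.0 when the brand appears on a host that is not allowlisted."""
    host = (parts.hostname or "").lower()
    return 1.0 if BRAND in html.lower() and host not in ALLOWLIST else 0.0

# (test, weight) pairs; weights are illustrative assumptions.
TESTS = [(score_ip_literal, 0.3),
         (score_password_without_tls, 0.3),
         (score_brand_on_foreign_host, 0.4)]

def classify(url, html, threshold=0.5):
    """Return (label, deciding_stage, composite_score)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host in ALLOWLIST:
        return "legitimate", "allowlist", 0.0
    if host in BLOCKLIST:
        return "fraudulent", "blocklist", 1.0
    total = sum(w for _, w in TESTS)
    composite = sum(w * fn(parts, html) for fn, w in TESTS) / total
    label = "fraudulent" if composite >= threshold else "legitimate"
    return label, "composite", composite

# Constructed clone page content.
CLONE_HTML = '<title>ExampleBank sign in</title><form><input type="password"></form>'

if __name__ == "__main__":
    for url in ("http://203.0.113.7/login",      # known address
                "http://198.51.100.23/login",    # same clone, new address
                "https://www.examplebank.test/login"):
        print(url, classify(url, CLONE_HTML))
```
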