
Catch Me If You Can - Mining Data to Spot Cybercrime Patterns

Fighting web fraud is a game of cat and mouse between fraud analysts and cybercriminals, and the odds are stacked against the analysts. The bad guys have the upper hand, pitting tools, targets, time and tenacity against fraud analysts who are doing their best to identify fraudulent transactions and prevent web fraud without stopping good customers from transacting at their web site.

Identify Cybercrime Patterns

The fraud analysts I’ve met are diligent, always looking for an edge that puts them ahead of scammers. For fraud analysts, getting hit by web fraud is personal, like the feeling of violation you would get opening your front door and discovering someone had broken into your house. What gives fraud analysts an edge against scammers? Data. Like all things digital, web fraud is measurable and mineable.

How does data help fraud analysts stop and prevent fraud? It depends on the nature and context of the transaction. I’ll use an example from the non-digital realm to illustrate. I came across new research by UCLA scientists working with L.A. police to analyze crime patterns in order to identify crime 'hotspots.' The research is federally funded by the National Science Foundation and the U.S. Department of Defense. The researchers developed a mathematical model that enables them to predict how “each type of crime hotspot will respond to increased policing, as well as when each type might occur, by a careful mathematical analysis involving what is known as bifurcation theory,” according to a UCLA report. The researchers leverage crime data to determine “whether a particular neighborhood will see an increase in crime." One of the researchers, Jeffrey Brantingham, observes that "criminal offenders are essentially hunter-gatherers; they forage for opportunities to commit crimes.” Brantingham’s observation applies to cybercriminals as well as to local neighborhood carjackers.

Fraud analysts leverage data too, to discern patterns and identify cybercrime hotspots. Doing so lets them adjust their strategy as the patterns change. This insight makes them more effective at detecting fraud and, more importantly, lets them go on the offensive to prevent it. Here’s a simple example that illustrates how understanding patterns can help head off fraud.

I queried our ThreatMetrix Fraud Network of global transaction data to see which countries, for the month of May, had the highest percentage of transactions conducted through hidden proxies located in the United States. This view of web transaction traffic provides a window into behaviors that can be useful in identifying patterns that tip off cybercrime hot spots still in formation, a system fraud analysts can use to thwart scammers before they strike by tuning the rules that examine transactions for risk.

Hidden Proxy Usage

Keep in mind that someone from another country using a hidden proxy in the US to appear as if they are located in the US is not always an indicator of fraud. For example, there may be political reasons why an internet user in a certain country takes pains to preserve their anonymity. But when this knowledge is combined with other transaction characteristics, it can be a strong contributing factor in making the right call.

So, which country was hiding behind US proxies more than any other, as a percentage of all transactions (drum roll please)? The winner is Iran, with a whopping 70% of all transactions coming through a hidden proxy in the US, followed by Burma with a comparatively small 17%. Tiny Benin, a country in West Africa, narrowly beat out the United States to make the top ten. I waded deeper into the data to try to understand why Iran might top out so much higher than any other country. I discovered that a disproportionate number of the Iranian-based hidden-proxy transactions came through a single customer. I suspect this customer probably already knows this and has researched further into the data by scrutinizing other characteristics of the transactions to determine the risk associated with them. It might be useful to run the same query on our network to see whether a similar pattern existed in April, or six months ago. We might observe when this pattern emerged, and therefore better understand its origin. More data is better, as long as you can get it fast enough and have the analytical power to detect web crime patterns.
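The three steps described above (rank origin countries by the share of their transactions that arrive through a hidden US proxy, drill into the top country to see which customer the traffic concentrates on, and then combine the proxy signal with other transaction characteristics rather than acting on it alone) can be reproduced on any transaction table. The script below is an added example, not ThreatMetrix code or a ThreatMetrix query. The table layout, the sample rows, the choice of "other characteristics" (billing country versus resolved origin country, whether the device has been seen before) and the rule weights are all assumptions made for the illustration.

```python
import sqlite3

# Constructed sample transactions; not ThreatMetrix network data. Columns:
# txn_id, customer (the merchant whose site saw the transaction),
# origin_country (country behind the proxy, assumed already resolved by
# device/network fingerprinting), proxy_country (None when no hidden proxy
# was detected), billing_country, device_seen_before (1 = known device).
SAMPLE_TXNS = [
    # Iran: 10 transactions, 7 via a hidden US proxy, 6 of those via one customer
    ("t01", "shop_a", "IR", "US", "US", 0),
    ("t02", "shop_a", "IR", "US", "US", 0),
    ("t03", "shop_a", "IR", "US", "IR", 1),
    ("t04", "shop_a", "IR", "US", "US", 1),
    ("t05", "shop_a", "IR", "US", "IR", 1),
    ("t06", "shop_a", "IR", "US", "IR", 0),
    ("t07", "shop_b", "IR", "US", "IR", 1),
    ("t08", "shop_b", "IR", None, "IR", 1),
    ("t09", "shop_c", "IR", None, "IR", 1),
    ("t10", "shop_c", "IR", None, "IR", 0),
    # Burma: 6 transactions, 1 via a hidden US proxy
    ("t11", "shop_a", "MM", "US", "MM", 1),
    ("t12", "shop_b", "MM", None, "MM", 1),
    ("t13", "shop_b", "MM", None, "MM", 1),
    ("t14", "shop_c", "MM", None, "MM", 0),
    ("t15", "shop_c", "MM", None, "MM", 1),
    ("t16", "shop_c", "MM", None, "US", 1),
    # Germany: 5 transactions, one via a hidden proxy that is not in the US
    ("t17", "shop_a", "DE", "DE", "DE", 1),
    ("t18", "shop_a", "DE", None, "DE", 1),
    ("t19", "shop_b", "DE", None, "DE", 0),
    ("t20", "shop_b", "DE", None, "DE", 1),
    ("t21", "shop_c", "DE", None, "DE", 1),
    # United States: only 3 transactions, below the default reporting threshold
    ("t22", "shop_a", "US", None, "US", 1),
    ("t23", "shop_b", "US", None, "US", 0),
    ("t24", "shop_c", "US", "US", "US", 1),
]

# Illustrative rule weights (assumptions, not a published rule set). A hidden
# proxy on its own stays below the threshold; it only tips the balance when
# other characteristics of the transaction also look wrong.
W_HIDDEN_PROXY = 1
W_BILLING_MISMATCH = 2
W_NEW_DEVICE = 1
FLAG_THRESHOLD = 3


def build_db(rows=SAMPLE_TXNS):
    """Load the sample rows into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE txns (
        txn_id TEXT PRIMARY KEY, customer TEXT, origin_country TEXT,
        proxy_country TEXT, billing_country TEXT, device_seen_before INTEGER)""")
    conn.executemany("INSERT INTO txns VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def proxy_share_by_country(conn, proxy_country="US", min_txns=5):
    """Per origin country: (country, total txns, txns via a hidden proxy in
    proxy_country, share in percent), highest share first. Countries with
    fewer than min_txns rows are dropped so a handful of transactions
    cannot dominate the ranking."""
    sql = """
        SELECT origin_country, COUNT(*),
               SUM(CASE WHEN proxy_country = ? THEN 1 ELSE 0 END)
        FROM txns
        GROUP BY origin_country
        HAVING COUNT(*) >= ?"""
    rows = conn.execute(sql, (proxy_country, min_txns)).fetchall()
    ranked = [(c, total, via, round(100.0 * via / total, 1)) for c, total, via in rows]
    ranked.sort(key=lambda r: (-r[3], r[0]))
    return ranked


def customer_concentration(conn, origin_country, proxy_country="US"):
    """Drill-down: which customers carry the hidden-proxy traffic from one
    origin country, as (customer, count, percent of that traffic)."""
    sql = """
        SELECT customer, COUNT(*)
        FROM txns
        WHERE origin_country = ? AND proxy_country = ?
        GROUP BY customer
        ORDER BY COUNT(*) DESC, customer"""
    rows = conn.execute(sql, (origin_country, proxy_country)).fetchall()
    total = sum(n for _, n in rows)
    return [(cust, n, round(100.0 * n / total, 1)) for cust, n in rows]


def risk_score(origin_country, proxy_country, billing_country, device_seen_before):
    """Combine the proxy signal with other characteristics of the transaction."""
    score = 0
    # A hidden proxy counts only when it hides a different origin country.
    if proxy_country is not None and proxy_country != origin_country:
        score += W_HIDDEN_PROXY
    if billing_country != origin_country:
        score += W_BILLING_MISMATCH
    if not device_seen_before:
        score += W_NEW_DEVICE
    return score


def flagged_transactions(conn, threshold=FLAG_THRESHOLD):
    """Ids of transactions whose combined score reaches the flag threshold."""
    rows = conn.execute("""SELECT txn_id, origin_country, proxy_country,
                                  billing_country, device_seen_before
                           FROM txns ORDER BY txn_id""")
    return [txn_id for txn_id, *rest in rows if risk_score(*rest) >= threshold]


if __name__ == "__main__":
    db = build_db()
    ranking = proxy_share_by_country(db)
    for country, total, via, pct in ranking:
        print(f"{country}: {via}/{total} via hidden US proxy ({pct}%)")
    top = ranking[0][0]
    for cust, n, share in customer_concentration(db, top):
        print(f"  {top} proxy traffic through {cust}: {n} txns ({share}%)")
    print("flagged:", flagged_transactions(db))
```

On the sample data the ranking puts IR first at 70%, the drill-down shows that six of the seven Iranian proxy transactions pass through one customer, and only three transactions are flagged: the ones where the hidden proxy coincides with a billing country that does not match the resolved origin, or with that mismatch plus an unknown device. A transaction that uses a hidden proxy but otherwise looks normal scores 1 and is not flagged, which is the caveat above expressed as a rule.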

The researchers at UCLA want to give law enforcement authorities a leg up on fighting crime by shining a light on crime patterns early enough to help them focus resources and use them wisely to stop crime and respond faster. Patterns reveal the criminal mind from a macro perspective, and that is what gives law enforcement its advantage. This is even more critical in the fight against cybercriminals and scammers, where a fraction of a second can make all the difference.

Tom Grubb has over 20 years of experience in the technology industry. He is currently Vice President of Marketing at Nimsoft, a provider of Unified Monitoring solutions for virtualized data centers, hosted and managed services, cloud platforms, and SaaS resources. Most recently Tom was VP of Marketing at ThreatMetrix, a provider of online fraud prevention software. Tom has held marketing and product leadership positions at Sybase, Intuit, Vormetric and Embarcadero Technologies. Mr. Grubb co-founded Bluecurve, a systems monitoring and performance management software company that was acquired by Red Hat in 2000. He began his technology industry career as an analyst and product reviewer for Ziff-Davis and IDG’s PC World Magazine.