Fraudsters find creative ways to abuse e-commerce sites

Silver Tail Systems, a company that specializes in Web security, has seen a raft of creative fraud schemes

Even if your company website is secured with the latest software patches and has been tested by ethical hackers, it doesn't mean the scammers will stay away.

In fact, fraudsters are actually highly adaptable, looking for ways to exploit marketing campaigns or incentive programs. They often find ways to abuse a system that weren't considered by either fraud or security specialists, said Laura Mather, founder and chief strategy officer of Silver Tail Systems. Her company's software looks for odd behavior during transactions on e-commerce and banking sites.

Take the company that ran a marketing incentive program offering US$5 to people who referred their friends to sign up for an account. The company, which gave away a total of $8 million, gave $2 million of that to just one person in Eastern Europe, Mather said.

"There was no bug in the system," said Mather, who previously worked in fraud prevention for eBay and PayPal for three years. "The criminal was using the website in the way it was intended."

In that case, the fraudster registered a domain, created a large number of e-mail addresses on it, and signed each of them up for an account. "What happens in these cases, the marketing team that launches the program celebrates, and then the fraud team goes, 'I think we need to look at your data,'" Mather said.

But the strange behavior can be detected in real time, which is Silver Tail Systems' focus. Its Forensics product looks at what happens during a Web session. When a person uses a website, the pattern is often the same, which makes different behavior, such as that of a criminal, stand out.

Forensics monitors all the clicks a person makes on a website and matches that to a pattern of behavior typically observed on the site. For example, if someone takes just a third of a second to complete a transaction when the average time is 97 seconds, Forensics would generate an alert.

Another Silver Tail product, Mitigation, can set rules for how systems should respond when certain kinds of suspected abuse are detected, such as locking someone out of their account.

Mather said Forensics has picked up on behavior that might not be detected by other systems. One of its U.K. banking customers, which can't be identified, saw that an IP address in the U.S. was accessing 700 accounts per hour. But nothing was happening to the money.

"We were looking at this going 'This is really weird'," Mather said.

The attacker would log in to a person's account, go to their account statements and look at the last three months of transactions. Then the attacker would log out and move to the next account.

It turns out the bank had changed its procedures for how people authenticate themselves during phone banking. The customer service agent would ask a question about the last three months of transactions or other queries, such as what mobile provider the banking customer uses.

"The criminals were getting these statements so they could verify into the call center," Mather said.

A classic mistake is when companies incorporate some sort of account information into a URL. Often the URL can then be manipulated to show a different account, and if the website is configured incorrectly, the system will assume that the user has already been authenticated, Mather said.

If criminals log into an account and notice the issue, they can then cycle through accounts, harvesting addresses, phone numbers and email addresses, which could be used for targeted phishing attacks.
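As an added illustration, not code from the article or from Silver Tail Systems, here is a minimal request handler in the vulnerable form the article describes (logged in, but the account id comes from the URL) beside a hardened form that authorizes against the session's own account and records refusals so that id cycling becomes visible. Session ids, account ids and profile data are constructed.

```python
# Constructed sample data: the account each login session owns, and each account's profile.
SESSIONS = {"sess-alice": "acct-100", "sess-bob": "acct-200"}
ACCOUNTS = {
    "acct-100": {"name": "Alice", "phone": "+1-555-0100"},
    "acct-200": {"name": "Bob", "phone": "+1-555-0200"},
}
DENIED = []   # (session_id, requested account) pairs refused by the hardened handler

def profile_vulnerable(session_id, account_id):
    """The mistake described above: checks that *a* user is logged in,
    then trusts the account id taken from the URL, e.g. /profile?acct=acct-200."""
    if session_id not in SESSIONS:
        return 401, None
    return 200, ACCOUNTS.get(account_id)   # any logged-in user can read any account

def profile_hardened(session_id, account_id):
    """Authorize the request against the account the session actually owns."""
    owner = SESSIONS.get(session_id)
    if owner is None:
        return 401, None
    if account_id != owner:
        DENIED.append((session_id, account_id))   # one session cycling ids shows up here
        return 403, None
    return 200, ACCOUNTS[account_id]

def cycling_sessions(denied, threshold=3):
    """Sessions refused access to more than `threshold` distinct foreign accounts."""
    seen = {}
    for sid, acct in denied:
        seen.setdefault(sid, set()).add(acct)
    return sorted(sid for sid, accts in seen.items() if len(accts) > threshold)
```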

Another type of attack, called "man in the middle," also shows telltale signs during a banking transaction, Mather said. Often criminals who have installed malicious software on a computer are able to carry out a fraudulent transaction while a person is logged into their account and looking at, for example, their account statement.

What the victim does not know is that the criminal has intervened in the web session and is carrying out a wire transfer. But an analysis of the "clickstream" can show the parallel actions, which would not happen during a normal transaction.

"As long as we assume that the vast majority of traffic is legitimate, it actually makes the criminal traffic stand out nicely," Mather said.
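The three behavioural signals the article describes, a transaction completed in a fraction of the typical time, one IP address walking through hundreds of accounts in an hour, and actions running in parallel inside a single session, as an added example that is not Silver Tail's code or product logic, run over a constructed clickstream. The log format, the thresholds and the "two different actions in the same second" parallel check are assumptions made for this example.

```python
from collections import defaultdict
from statistics import median
# Constructed sample clickstream: "<epoch_seconds> <session_id> <account_id> <client_ip> <action>"
SAMPLE_LOG = """\
1000 s1 acct-100 203.0.113.5 login
1040 s1 acct-100 203.0.113.5 view_statement
1057 s1 acct-100 203.0.113.5 confirm_transfer
1100 s2 acct-200 203.0.113.6 login
1201 s2 acct-200 203.0.113.6 confirm_transfer
1300 s3 acct-300 198.51.100.9 login
1301 s3 acct-300 198.51.100.9 confirm_transfer
1400 s4 acct-400 203.0.113.7 login
1450 s4 acct-400 203.0.113.7 view_statement
1450 s4 acct-400 203.0.113.7 confirm_transfer
"""
# Constructed: one IP reading the statements of 60 different accounts within one hour
for i in range(60):
    t, sid, acct = 2000 + 20 * i, f"e{i}", f"acct-{500 + i}"
    for offset, action in enumerate(("login", "view_statement", "logout")):
        SAMPLE_LOG += f"{t + offset} {sid} {acct} 192.0.2.1 {action}\n"

def parse(log):
    """Turn the text log into (ts, session, account, ip, action) tuples."""
    return [(int(r[0]), *r[1:]) for r in (line.split() for line in log.splitlines())]

def transaction_times(events):
    """Seconds from login to confirm_transfer for each session that completed one."""
    first = {}   # (session, action) -> first timestamp at which it was seen
    for ts, sid, _, _, action in events:
        first.setdefault((sid, action), ts)
    return {sid: ts - first[(sid, "login")] for (sid, act), ts in first.items()
            if act == "confirm_transfer" and (sid, "login") in first}

def too_fast_sessions(events, factor=10):
    """Sessions that finished a transaction in under 1/factor of the median time."""
    times = transaction_times(events)
    cutoff = median(times.values()) / factor
    return sorted(sid for sid, t in times.items() if t < cutoff)
def enumerating_ips(events, max_accounts=50):
    """Client IPs touching more than max_accounts distinct accounts in one clock hour."""
    seen = defaultdict(set)
    for ts, _, acct, ip, _ in events:
        seen[(ip, ts // 3600)].add(acct)
    return sorted({ip for (ip, _), accts in seen.items() if len(accts) > max_accounts})
def parallel_action_sessions(events):
    """Sessions with two different actions in the same second (a simplified parallel-activity check)."""
    at = defaultdict(set)
    for ts, sid, _, _, action in events:
        at[(sid, ts)].add(action)
    return sorted({sid for (sid, _), acts in at.items() if len(acts) > 1})
```

The median rather than the mean is used as the baseline so that the outliers being hunted do not drag the cutoff down with them.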


Jeremy Kirk

IDG News Service