US 20070299915A1
(19) United States
(12) Patent Application Publication    (10) Pub. No.: US 2007/0299915 A1
Shraim et al.                          (43) Pub. Date: Dec. 27, 2007

(54) CUSTOMER-BASED DETECTION OF ONLINE FRAUD

(75) Inventors: Ihab Shraim, Germantown, MD (US); Mark Shull, Chevy Chase, MD (US)

Correspondence Address:
TOWNSEND AND TOWNSEND AND CREW, LLP
TWO EMBARCADERO CENTER, EIGHTH FLOOR
SAN FRANCISCO, CA 94111-3834

(73) Assignee: MarkMonitor, Inc., Boise, ID (US)

(21) Appl. No.: 10/996,990

(22) Filed: Nov. 23, 2004

Related U.S. Application Data

(63) Continuation-in-part of application No. 10/709,398, filed on May 2, 2004.

(60) Provisional application No. 60/615,973, filed on Oct. 4, 2004, provisional application No. 60/610,714, filed on Sep. 17, 2004, provisional application No. 60/610,715, filed on Sep. 17, 2004.

Publication Classification

(51) Int. Cl. G06F 15/16 (2006.01)

(52) U.S. Cl. 709/206; 709/229

(57) ABSTRACT

Various embodiments of the invention provide devices, methods, systems and software for detecting, analyzing and/or responding to a fraudulent activity. In particular embodiments, an email message incoming to an organization may be analyzed to determine whether such messages are returned messages, which might indicate a delivery failure of an original message. Because the returned message is received by the organization, it may be likely that the original message purported to originate from the organization. If the original message did not in fact originate from the organization, that fact might indicate that the original message is part of a fraudulent activity. In such case, the fraudulent activity might be investigated, and/or a response to the fraudulent activity may be initiated and/or undertaken.

[Representative figure on the front page: monitoring center 220 and customer 215.]
Patent Application Publication   Dec. 27, 2007   Sheet 1 of 17   US 2007/0299915 A1

[Fig. 1A: block diagram of fraud detection system 100. Labeled elements: data feeds (chat room, newsgroup feed, email feed, domain registration, honey pot), address planter 170, policy, customer, extended monitoring, correlation engines 125a-125d, event manager 130, monitoring center, customer notification, automated reporting, intelligence gathering, interdiction and response, with administrative and technical/dilution response paths (further reference numerals 105a-105e, 110, 115, 120, 135, 140, 145, 150, 155, 160, 165).]
[Fig. 1B (Sheet 2 of 17): detail of address planter 170, showing a user interface, userid information, tracking, an address generator, a database, domain information and an API (reference numerals 175, 180, 185b, 190, 195).]
[Sheet 3 of 17 (system 200): monitoring center 220, customer 215, zone data, safe account (reference numerals 205, 225, 240, 245).]
[Fig. 3 (Sheet 4 of 17): computer system 300, showing processor(s), storage device(s), input device(s), output device(s), a communications subsystem, and working memory holding an operating system and application(s) (reference numerals 305-345).]
[Fig. 4A (Sheet 5 of 17): flowchart of method 400: Establish Customer Profile (402); Create Safe Account(s) (404); Monitor Safe Account(s); Select UserID Elements (408); Create UserID (410); Select Domain Name (412); Append Domain Name to UserID (414); Select Planting Location (416); Plant Address(es) (418); Track Planting Location (420); Gather Email Message(s) (422); Analyze Email Message (424); Implement Feedback Loop (426).]
[Fig. 4B (Sheet 6 of 17): flowchart of method 435: Access/Monitor Data Source (440); Acquire Information (445); Evaluate Information (450); Monitor Domain (455); Create Event (460).]
[Fig. 4C (Sheet 7 of 17): flowchart of method 465: Access Domain Information (470); Evaluate Domain Suitability (475); Monitor Domain Expiration (480); Acquire Domain (485); Seed Addresses; Accept Messages (495).]
[Fig. 5A (Sheet 8 of 17): flowchart of method 500: Time Stamp Message (505); Create Data File From Message (510); Collect Data Files (515); Parse Data File (520); Analyze Header Information (525); Analyze Body (530); Analyze URL (535); Analyze Domain Information (540); Score Data File (545); Categorize Data File (550).]
[Fig. 5B (Sheet 9 of 17): flowchart of method 560 (two columns, reference numerals 562-592). Steps shown: Check URL Link; Verify Active Ports; Obtain/Analyze DNS Information; Obtain/Analyze WHOIS Information; Determine Geographical Location; Evaluate Directory Path; Evaluate URL Encoding; Search Anti-Abuse Information; Test Crawl; Check Spelling/Grammar; Test Forms; Check for URLs; Check Image Links; Generate/Store Checksum/Hash; Compare Checksum/Hash; Check for Security.]
[Fig. 6 (Sheet 10 of 17): flowchart of method 600: Create Event (605); Investigate (610); Report Results (615); Analysis By Technician (620); Notify Customer (625); Confer with Customer (630); Administrative Response (635); Technical Response.]
[Fig. 7 (Sheet 11 of 17): flowchart of method 700: Acquire IP Address (705); Investigate Domain Information (710); Investigate IP Address Information (715); Validate Domain Information (720); Interrogate Server (725); Download Spoof Pages (730); Analyze Spoof Pages (735); Archive Spoof Pages (740); Generate Event Report (745).]
[Sheet 12 of 17 (method 800, two columns, reference numerals 805-890). Left column: Parse Spoofed Page; Analyze Requested Fields; Generate Safe Data; Map Safe Data to Fields; Format Response; Obtain Diverse IP Addresses; Respond from Diverse IP Addresses; Respond through Mega Proxy; Respond via Proxy Chaining. Right column: Respond to Confuse; Respond to Impede; Respond to Prevent; Respond to Contain; Trace Use of Responsive Information; Evaluate Standards; Analyze Embedded Tests; Analyze Round-Trip Information; Ensure Responses Meet Criteria.]
[Sheet 13 of 17 (system 900): several ISPs (905a-905d), a dilution engine, a network meet-me center 920, and a MegaProxy 925 with multiple connections (930).]
[Fig. 9B (Sheet 14 of 17): flowchart of method 950: Acquire IP Blocks (955); Store Record of IP Blocks (960); Provide Mega-Proxy (965); Identify Illegitimate Web Site (970); Create Response (975); Obtain IP Address (980); Transmit Response from IP Address (985), with a loop back to creating the next response.]
[Fig. 10 (Sheet 15 of 17): system 1000 with a fraud prevention system 1005, a PBX system 1025, a modem pool 1030, several proxies (1010a-b, 1015a-b, 1020a-b, 1035a-d, 1040a-d), peering data centers, and ISPs.]
[Fig. 11A (Sheet 16 of 17): system 1100 with monitoring center 220, customer 215, a monitoring appliance and the customer mail system 1110, and an external user domain (user.com) (further reference numerals 205, 210, 225, 1105, 1115, 1120, 1125, 1130).]
[Fig. 11B (Sheet 17 of 17): flowchart: Provide Monitoring Appliance (1155); Receive Email Message at Customer (1160); Identify Return Message (1165); Forward Message to Appliance (1170); Forward Log Entries (1175); Extract Relevant Portions of Message (1180); Compile Summary Message (1185); Transfer Message to Fraud Prevention System (1190); Analyze Message (1194); Identify Intended Recipient (1198).]
CUSTOMER-BASED DETECTION OF ONLINE FRAUD

CROSS REFERENCE TO RELATED APPLICATIONS

[0001] This application is a continuation-in-part of, and claims the benefit of, U.S. patent application Ser. No. 10/709,398 filed May 2, 2004 by Shraim et al. and entitled "Online Fraud Solution," the entire disclosure of which is incorporated herein by reference for all purposes. This application also claims the benefit of the following provisional applications, the entire disclosures of which are incorporated herein by reference for all purposes: U.S. Prov. App. No. 60/615,973, filed Oct. 4, 2004 by Shraim et al. and entitled "Online Fraud Solution"; U.S. Prov. App. No. 60/610,714, filed Sep. 17, 2004 by Shull and entitled "Methods and Systems for Preventing Online Fraud"; and U.S. Prov. App. No. 60/610,715, filed Sep. 17, 2004 by Shull and entitled "Customer-Based Detection of Online Fraud."

[0002] This application is also related to the following commonly-owned, copending applications, each of which is filed on a date even herewith and is incorporated by reference herein for all purposes: U.S. patent application Ser. No. ______, filed by Shraim et al. and entitled "Online Fraud Solution" (attorney docket no. 040246-000120US); U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Enhanced Responses to Online Fraud" (attorney docket no. 040246-000510US); U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Early Detection of Online Fraud" (attorney docket no. 040246-000700US); U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Enhanced Responses to Online Fraud" (attorney docket no. 040246-000800US); U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Generating Phish Messages" (attorney docket no. 040246-001200US); U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Advanced Responses to Online Fraud" (attorney docket no. 040246-001300US); and U.S. patent application Ser. No. ______, filed by Shull et al. and entitled "Methods and Systems for Analyzing Data Related to Possible Online Fraud" (attorney docket no. 040246-001400US).

COPYRIGHT NOTICE

[0003] A portion of the disclosure of this patent document contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.

BACKGROUND OF THE INVENTION

[0004] The present invention relates to computer systems, and more particularly to systems, methods and software for detecting, preventing, responding to and/or otherwise dealing with online fraud.

[0005] Electronic mail ("email") has become a staple of modern communications. Unfortunately, however, anyone who uses email on a regular basis is familiar with the vast quantities of "spam" (unsolicited email) sent to nearly every email addressee from various advertisers. Although somewhat analogous to traditional paper "junk mail," spam is unique in that, for virtually no cost, a purveyor of spam ("spammer") can easily and quickly generate and transmit copious amounts of spam. Further, limitations in the Internet-standard simple mail transport protocol ("SMTP") allow spammers to transmit spam with relative anonymity and, therefore, with correspondingly little accountability. Consequently, even though spam annoys the vast majority of recipients and, thus, generates few successful sales opportunities for the spammer relative to the amount of spam transmitted, the spam "industry" is burgeoning: given their ability to inexpensively and quickly transmit enormous quantities of spam, spammers can make a handsome profit even from the relatively low response rate to the spam advertising.

[0006] By their nature, spammers continually search for new recipients (victims) to which to send spam. The spam "industry," therefore, has launched a derivative industry of "harvesters," who scour the Internet and other sources to generate lists of valid email addresses, which they then sell to the spammers. (Obviously, since these activities go hand-in-hand, many spammers act as harvesters for themselves or their fellow spammers.) Harvesters use a variety of techniques for obtaining email address lists, and often develop automated search programs (commonly referred to as "robots" or "webcrawlers") that continually skulk about the Internet searching for new email addresses. For example, harvesters obtain email addresses from Internet (and other) news groups, chat rooms, and directory service (e.g., white pages) sites, as well as message boards, mailing lists, and web pages, on which users commonly provide email addresses for feedback, etc.

[0007] The success of spam as a marketing technique has begun to result in the use of spam to perpetrate "phishing" operations. A phishing operation can be defined as any type of social engineering attack (typically relying on the illegitimate use of a brand name) to induce a consumer to take an action that he/she otherwise would not take. Phishing scams can operate by bribery, flattery, deceit, cajoling and through other methods. Phishing operations often involve mass contact of consumers (for example, by "spam" email messages, text messages, VoIP calls, instant messages, etc., as well as through other devices) and generally direct contacted consumers to a response site, which often is a web site but can also be a telephone number, etc.

[0008] One fairly common example of a phishing scam is a spam email message advertising a well-known software application or package (which in fact was pirated or otherwise obtained illegitimately) at a greatly reduced price, and directing respondents to a web site where the software can be purchased. Upon visiting the site, consumers would (or should) know that the advertised price is grossly unrealistic and probably indicates some type of illegitimacy, such as black- or gray-market goods. Some consumers, however, either out of ignorance or willful blindness, will accept the phisher's assurances that the software is legitimate and therefore will purchase the illegitimate software, completing the phishing scam.

[0009] Another common phishing operation is known as a "spoofing" scam. This practice involves inserting a false email address in the "From" or "Reply-to" headers of an email message, thereby misleading the recipient into believing that the email originated from a relatively trusted source. Spoofed emails often appear to be from well-known Internet service providers ("ISPs") (such as, for example, America Online™ and The Microsoft Network™), or other high-profile entities with easily-identifiable email addresses (including, for example, IBM™, Microsoft™, General Motors™ and E-Bay™, as well as various financial institutions, online retailers and the like). This spoofing is unacceptable to these entities for many reasons, not the least because it causes customer confusion, destroys the value of a well-cultivated online presence, creates general mistrust of the spoofed brands and largely dilutes the value of a reputable entity's online communications and transactions.
[0010] Further, in many cases, spammers and/or spoofers have developed avenues of disseminating information amongst their "industry," including a variety of online fora such as message boards, chat rooms, newsgroups, and the like. At such locations, spammers often discuss strategies for more effective spamming/spoofing, new spoof sites, etc., as well as trade and/or advertise lists of harvested addresses. By using these resources, spammers and/or spoofers can focus on the most effective spamming/spoofing techniques, learn from and/or copy the spoofed web sites of others, and the like. Such resources also allow a new spammer or spoofer to quickly pick up effective spamming and/or spoofing techniques.

[0011] Perhaps most alarmingly, spam (and spoofed spam in particular) has increasingly been used to promote fraudulent activity such as phishing attacks, including identity theft, unauthorized credit card transactions and/or account withdrawals, and the like. This technique involves masquerading as a trusted business in order to induce an unsuspecting consumer to provide confidential personal information, often in response to a purported request to update account information, confirm an online transaction, etc. Merely by way of example, a spoofer may send a spoof email purporting to be from the recipient's bank and requesting (ironically) that the recipient "confirm" her identity by providing confidential information by reply email or by logging on to a fraudulent web site. Similarly, a common spoofed message requests that the recipient log on to a well-known e-commerce site and "update" credit card information stored by that site.

[0012] Spam messages (and in particular those that are part of a phishing scheme) often include a uniform resource locator ("URL") linking to the web site of the phisher. The web site may, for example, be a response point for the sale of illegitimate goods. In other cases, the URL may be configured to appear to be associated with the web site of a spoofed sender, but may actually redirect the recipient to a spoofed web site (i.e., a web site that imitates or is designed to look like the web site of the spoofed source of the email). Upon visiting the spoofed web site, the recipient may be presented with a form that requests information such as the recipient's address, phone number, social security number, bank account number, credit card number, mother's maiden name, etc. The recipient, believing that she is communicating with a trusted company, may provide some or all of this information, which then is at the spammer's disposal to use for any of a variety of illegitimate purposes. (In some cases, the link may be configured to present a legitimate web site, with an illegitimate and/or spoofed popup window presented over the legitimate web site with instructions to provide personal information, etc., which will be collected by the phisher.)

[0013] Thus, phishing scams and other illegitimate online activities have flourished. While such activity is indisputably both illegal and immoral, the relative anonymity of the phishers, as well as the international nature of the Internet, hinders effective legal prosecution for these activities. Merely by way of example, the server associated with a fraudulent web site may be located in a country from which prosecution/extradition is highly unlikely. Moreover, these fraudulent web sites are often highly transient, existing on a given server or ISP for a short time (perhaps only a matter of days or even hours) before the phisher moves on to a new server or ISP. Compounding the enforcement problem is the fact that many of the servers hosting fraudulent web sites are legitimate servers that have been compromised (or "hacked") by the phisher or his associates, with the owner/operator of the server having no idea that the server is secretly being used for illegitimate purposes.

[0014] Accordingly, there is a need for efficient solutions to deal with these abuses.

BRIEF SUMMARY

[0015] Various embodiments of the invention provide devices, methods, systems and software for detecting, analyzing and/or responding to a fraudulent activity. In particular embodiments, an email message incoming to an organization may be analyzed to determine whether such messages are returned messages, which might indicate a delivery failure of an original message. Because the returned message is received by the organization, it may be likely that the original message purported to originate from the organization. If the original message did not in fact originate from the organization, that fact might indicate that the original message is part of a fraudulent activity. In such case, the fraudulent activity might be investigated, and/or a response to the fraudulent activity may be initiated and/or undertaken.

[0016] One set of embodiments provides devices for detecting a possible online fraud. An exemplary device may comprise a processor and instructions executable by the processor to receive an electronic message addressed to an organization (which can be a legitimate business, etc.). The electronic message may indicate that an original message could not be delivered to an intended addressee, wherein the original message purported to originate from the organization. The device may be further configured to transfer at least a portion of the electronic message to a correlation engine for processing. In some cases, the correlation engine may be incorporated within the device and/or operated by a security provider. In particular cases, the correlation engine may be a part of a separate fraud detection and/or prevention system maintained by the security provider. In other cases, the device may be located at the organization, in communication with (and/or incorporated) within an email system of the organization, etc.

[0017] In some cases, the original message (which may be part of the electronic message) might comprise a URL, and/or the device can be configured to extract the URL. In other cases, the electronic message may incorporate other portions of the original message, such as a header portion, a body portion (or a portion thereof), etc. The device may be configured to prepare a message extract and/or a summary of a plurality of messages, and send the message extract and/or summary message to a correlation engine for analysis.

[0018] Another set of embodiments provides systems for detecting possible online fraud. One exemplary system can comprise a device (such as the device described above), as well as a correlation engine. The correlation engine can be
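The following is an added example, not code from the patent or from MarkMonitor, of the appliance-side processing that paragraphs [0016]-[0017] and Fig. 11B describe: recognizing a returned message, pulling the embedded original out of it, checking the original's claimed sender against the organization's own outbound mail log, extracting any URL, and compiling a message extract and batch summary for a correlation engine. The protected domain (example-bank.test), the sent-message log, the bounce template and the two sample bounces are all constructed for the example; only Python's standard library is used.

```python
# Added example, not code from the patent or from MarkMonitor: a minimal stand-in for
# the monitoring appliance of Fig. 11B and paragraphs [0016]-[0017]. Domains, addresses
# and the outbound-log contents below are constructed for the example.
import email
import email.utils
import re
from email import policy

ORG_DOMAIN = "example-bank.test"  # hypothetical protected organization
# Constructed stand-in for the customer's outbound mail log (Fig. 11B "Forward Log
# Entries"): Message-IDs the organization's mail system really sent.
SENT_MESSAGE_IDS = {"<legit-001@example-bank.test>"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed RFC 3464 delivery-status notification; the failed original message is
# embedded as a message/rfc822 part, as real mail servers return it.
BOUNCE_TEMPLATE = """\
From: Mail Delivery System <MAILER-DAEMON@mx.recipient-isp.test>
To: alerts@example-bank.test
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="B1"

--B1
Content-Type: message/delivery-status

Final-Recipient: rfc822; {recipient}
Action: failed
Status: 5.1.1

--B1
Content-Type: message/rfc822

From: {sender}
To: {recipient}
Subject: {subject}
Message-ID: {message_id}
Content-Type: text/plain

{body}

--B1--
"""
# Bounce of a message that merely claimed to come from the organization (constructed).
SPOOF_BOUNCE = BOUNCE_TEMPLATE.format(
    sender="Example Bank Security <alerts@example-bank.test>",
    recipient="nobody@recipient-isp.test", subject="Please confirm your account",
    message_id="<phish-777@mail.unrelated-host.test>",
    body="Your account will be suspended. Confirm at\nhttp://example-bank.test.login-check.test/confirm")
# Bounce of a statement the organization really sent; its Message-ID is in the log.
LEGIT_BOUNCE = BOUNCE_TEMPLATE.format(
    sender="Example Bank Statements <alerts@example-bank.test>",
    recipient="customer@other-isp.test", subject="Your monthly statement",
    message_id="<legit-001@example-bank.test>",
    body="Your statement is at https://www.example-bank.test/statements")

def is_bounce(msg):
    """Delivery-status report (RFC 3464) or the older null-return-path/MAILER-DAEMON style."""
    if (msg.get_content_type() == "multipart/report"
            and str(msg.get_param("report-type", "")).lower() == "delivery-status"):
        return True
    return (str(msg.get("Return-Path", "")).strip() == "<>"
            or "mailer-daemon" in str(msg.get("From", "")).lower())

def extract_original(msg):
    """The original message embedded in the bounce as message/rfc822, or None."""
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            inner = part.get_payload()
            return inner[0] if isinstance(inner, list) else inner
    return None

def analyze_message(raw):
    """Fig. 11B steps 1165-1198 for one inbound message; returns the message extract."""
    msg = email.message_from_string(raw, policy=policy.default)
    result = {"is_bounce": is_bounce(msg), "verdict": "not a bounce"}
    if not result["is_bounce"]:
        return result
    original = extract_original(msg)
    if original is None:
        result["verdict"] = "bounce without original message"
        return result
    from_addr = email.utils.parseaddr(str(original.get("From", "")))[1].lower()
    claims_org = from_addr.endswith("@" + ORG_DOMAIN)
    sent_by_org = str(original.get("Message-ID", "")).strip() in SENT_MESSAGE_IDS
    body = original.get_body(preferencelist=("plain", "html"))
    result.update(claimed_sender=from_addr, claims_org=claims_org, sent_by_org=sent_by_org,
                  intended_recipient=email.utils.parseaddr(str(original.get("To", "")))[1],
                  urls=sorted(set(URL_RE.findall(body.get_content() if body else ""))))
    # The patent's key inference: our name on a message our own mail system never sent
    # means someone else sent it in our name.
    result["verdict"] = ("suspected spoof" if claims_org and not sent_by_org
                         else "legitimate bounce" if claims_org else "unrelated bounce")
    return result

def compile_summary(results):
    """Fig. 11B step 1185: one summary record for a batch of message extracts."""
    spoofs = [r for r in results if r["verdict"] == "suspected spoof"]
    return {"messages": len(results),
            "bounces": sum(1 for r in results if r["is_bounce"]),
            "suspected_spoofs": len(spoofs),
            "urls_for_investigation": sorted({u for r in spoofs for u in r["urls"]})}
```

Running `analyze_message(SPOOF_BOUNCE)` yields the verdict "suspected spoof" with the embedded URL and intended recipient, `analyze_message(LEGIT_BOUNCE)` yields "legitimate bounce", and `compile_summary` over a batch gives the correlation engine the counts and the URL list it needs. The design choice worth noting is that the decision does not trust the original's headers at all: "From" only determines whether the message claims the organization, and the Message-ID lookup against the organization's own log decides whether it really came from there.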