WO2005048522A1 - System and method of addressing email and electronic communication fraud - Google Patents

System and method of addressing email and electronic communication fraud

Publication number
WO2005048522A1
Authority
WO
WIPO (PCT)
Prior art keywords
wherein
data
including
details
method
Prior art date
Application number
PCT/US2004/036993
Other languages
French (fr)
Inventor
Lior Golan
Nira Rivner
Michal Tsur
Amir Orad
Naftali Bennett
Original Assignee
Rsa Security Inc.
Application filed by Rsa Security Inc.
Priority to US10/578,591 (patent US9076132B2)
Priority to EP04800816A (patent EP1683293A4)
Publication of WO2005048522A1

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/554 Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1491 Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Definitions

  • the present invention relates to email fraud detection and prevention, more specifically to interfering with and/or tracking certain fraudulent attacks; furthermore, the present invention relates to testing data gathering systems.
  • Phishing can injure valuable corporate brand equity, ruin customer trust, increase operational costs through growing customer complaints, and present additional risks and problems.
  • the bank or other attacked company may have to publish a general warning to its customers, and sometimes even cancel or block people's accounts. Phishing may involve, but is not limited to, for example: (1) The originators of "Phishing" e-mails attempt to make the e-mail distributed seem to be coming from a legitimate source.
  • the Phishing e-mail may be disguised as a legitimate e-mail, and includes elements and characteristics of a legitimate organization, such as (without limitation) logo, domain names, brands and colors;
  • the originators of "Phishing" need to somehow divert information that the trusting consumers submit in response to the seemingly legitimate e-mail. Such information might be diverted via for example a link to a separate web-page that requires the individual to input valuable private information, or via telephone, if the e-mail directs the recipient to call a certain telephone number (following which the recipient's valuable information might be collected over the phone).
  • Such illegitimate links or contact telephone numbers may be referred to as "illegitimate contact pointers".
  • the implications of the above characteristics of Phishing are that any Phishing e-mails typically include a mixture of both legitimate and illegitimate contact pointers (such as links to other web pages or telephone numbers).
  • Legitimate contact pointers would point to web pages or telephone numbers that belong to legitimate e-mail senders.
  • Illegitimate contact pointers would point to web pages or telephone numbers that belong to the parties committing fraud.
  • a system and method may respond to a fraudulent attack, such as a Phishing attack.
  • the system and method may send a number of responses to a party committing fraud, the responses designed to mimic the responses to a Phishing attack.
  • the responses may include codes or marked information designed to entrap or detect the party committing fraud.
  • Embodiments of the present invention relate to a method and system for reducing negative consequences associated with the submitting of valuable and confidential information by individuals to fraudulent impostors, as well as for increasing the likelihood that fraudulent impostors be captured.
  • Embodiments of the current invention include a system and method for minimizing the impact of Phishing scams as well as facilitating the detection of the originators of the attack.
  • Fig. 1 depicts a system according to one embodiment of the invention
  • Fig. 2 illustrates a multiple-access-point computer network which may be used with an embodiment of the present invention.
  • the detection of Phishing scams can be done using existing anti e-mail-spam methods which can issue alerts whenever they detect an e-mail, which contains at least X (e.g., a suitable number, where one may be a suitable number) legitimate contact pointers such as domains, trademarks, service names, phone numbers, etc., by a centralized service, such as a "Service Provider," along with illegitimate pointers.
  • An anti e-mail-spam company that works with this method may set up numerous e-mail accounts that do not belong to real people or entities, and lists them in public e-mail guides. If an e-mail gets to these addresses it can be either the result of a spam or an honest mistake. If the e-mail reaches several addresses the chances of an honest mistake are slim. Other methods may include for example content filtering or sniffing. Once a potential Phishing scam or other unwanted data communication is identified some pre-processing may be performed to make sure it is indeed a suspicious e-mail or communication.
  • Various devices and architectures, and sets of devices may form a system according to various embodiments of the present invention, and may effect a method according to embodiments of the present invention.
  • Methods according to various embodiments of the present invention may, for example, be executed by one or more processors or computing systems (including, for example, memories, processors, software, databases, etc.), which, for example, may be distributed across various sites or computing platforms; alternatively some methods according to embodiments may be executed by single processors or computing systems.
  • the following illustration outlines a solution architecture according to one embodiment of the present invention; other suitable architectures are possible in accordance with other embodiments of the invention.
  • a network 10 such as the Internet, the Internet in combination with other networks, or some other network combination of networks connects a set of entities.
  • a central server 20 may provide services such as monitoring Phishing or other e-mail oriented fraud, and may try to counteract, interfere with, or track such fraud, or attempt to track down the identity of the perpetrators.
  • a set (where set can include one element) of institutions 30, such as banks, financial institutions, or other institutions, which may be targets of Phishing or other fraud, may request services from the central server 20.
  • One or more parties committing fraud (which may be known as for example "fraudsters") 40 may attempt to commit fraud via email, for example via "Phishing", by sending fraudulent emails to a set of users 50, for example requesting the users to contact an institution 30 using a contact point or address (e.g., an email address, an Internet address, etc.) or phone number that is actually directed to the party 40 or an associate.
  • the contact point or address may be made to appear as if it belongs to a legitimate institution 30.
  • the central server 20 may attempt to send fake or other information to the contact point or other address to interfere with or stop fraudulent activities. In one embodiment server 20 monitors for Phishing attacks; in other embodiments other entities such as institutions may inform server 20 regarding Phishing attacks.
  • the contact point may be an e-mail address.
  • the data in a response may be sent to the party committing fraud via email, possibly directly (e.g. by the party requesting the details to be sent via the "Reply To" email option, or by a JavaScript client side code that does so automatically, etc.) or indirectly to the party (e.g., the party may implement a web-to-mail interface, wherein the user data is eventually sent to an email address from where it is later collected by the party).
  • Central server 20 may include one or more database(s) 22, a controller or processor 24, and software 26, which may include for example, an identity generator 28, or other suitable modules. Controller or processor 24 may execute instructions in software 26 to perform various functions such as those described herein.
  • the functionality of central server 20 may be implemented in other manners, such as being distributed among other sites, being included in one or more institutions, etc.
  • a bank may include the fraud blocking or tracking capabilities as described herein.
  • the central server 20 may have as customers institutions 30 that wish to stop and/or entrap fraud committing parties, but such a customer-client relationship is not needed; for example central server 20 may be a government or non-profit entity, part of a consortium of interested parties, or part of an institution 30.
  • the central server 20 may detect fraudulent activity (e.g., Phishing); alternatively the central server 20 may act after being requested by another party which has detected fraudulent activity.
  • the central server 20 may for example, provide multiple responses to a contact point created by a party 40.
  • the central server may respond multiple times to mimic a group of users responding to the fraud (each response may include different data), and the responses may be timed, paced, and/or numbered to mimic the natural response of a large group of people. For example, responses may start with a flurry and then gradually slow down, and each response may be sent at a somewhat random time within an overall desired pattern.
  • the total number of responses may be in proportion to a size of the attack in response to which the responses are sent.
  • the number of responses can be X% (e.g., 0.1%, 1%, 5%, 10%, etc.) of the number of emails or other communications that constituted the Phishing or other attack, possibly based on known response rates.
  • Each response may be for example the central server filling in or sending details to a web site or web form, possibly at the contact point. Furthermore, within each response, data may be entered at a speed and pace to mimic a human entering information using a keyboard and pointing device (e.g., mouse).
  • a response may include a set of details such as a set of false personal information. Multiple sets of false personal information can be created and for example stored in a database 22.
  • the central server may perform tasks such as, for example: (1) Dilution: For example, a Phishing website (e.g., at a contact point defined by a party 40) maintained by a party 40 which tries to collect data from the central server (or "Service Provider") customers (e.g., institutions 30) is filled with fake records of people, thus diluting the quality of data that the parties committing fraud obtain;
  • (2) Mark & Block: For example, using responses with marked data, the Phishing website which tries to collect data from institution 30 is filled with fake records of people.
  • When the central server 20 detects that those "fake people" attempt to access the central server 20 real website/Service or an institution 30 website, it may be possible to identify the source of that attempt (using the phony records) and to block any further attempts from that same source (e.g. IP, location etc.). This way, when the party committing fraud (e.g., "fraudster") attempts to access central server 20 or institution 30 service using real valuable stolen data (and not the fake one sent to it) such usage will be blocked, including good details; (3) Mark and Capture: For example, the Phishing website which tries to collect data from the Service Provider's customers, is filled with fake records of people via responses with marked data.
  • a central server 20 or institution 30 can monitor, for example, an institution or central server website, for the use of marked data in an attempted transaction. Other actions may be taken.
  • dummy responses may be sent to the fraudulent site (e.g., maintained by a party 40) by, for example, the central server 20 as if the responses were coming from real users who were defrauded by the scam.
  • the fraudulent site is fed with useless records, and hence the quality of data that is obtained is diluted.
  • the amount of responses can be configurable so that it would be consistent with the estimated attack size (importantly the estimated number of users who may actually give away their personal information, which can be determined by using statistical assessment).
  • the central server 20 may simulate a real human user feeding data at an appropriately slow, human typing pace, seemingly from multiple IP addresses with intervals between one data string and the other.
  • Data in a response may include or be marked with for example data or codes identifiable to a central server 20 or institution 30, so that for example its use can be tracked.
  • data may be marked with cryptographically encoded portions.
  • Details may be marked in a manner making it (for example by using cryptographically strong algorithms) infeasible to spot or detect, except for those who have a cryptographic key with which the marking can be deciphered and/or extracted from the data.
  • An embodiment of the system and method may be designed to reduce the quality of the data obtained by the party committing fraud during a Phishing attack, and thus mitigate the attack's negative consequences. By diluting the data obtained by the party committing fraud, the stolen data obtained by the "fraudster" becomes less valuable, hence reducing the incentive to attack service providers who utilize the proposed system and method.
  • a limited amount of dummy responses are submitted to the fraudulent site where the responses are marked, such that the responses can be tracked at a later stage.
  • This may be done in combination with sending un-marked responses.
  • This way the use of the credentials provided as part of these responses can be monitored.
  • when the system identifies an attempt to use such "marked credentials" it is possible according to one embodiment to block the access to the service from such location (typically an IP address where "bait information" was attempted to be used from), and therefore prevent attempts to use real credentials from such location.
  • the current invention parties committing fraud might be located based on the marked responses.
  • In many cases these "fraudsters" obtain information during a Phishing attack, but do not attempt to use the data for several months. Marking the dummy credentials submitted to the fraudster according to the above embodiment may allow a server or other party to follow the credentials for a long period of time. In addition, in other embodiments having other uses, dummy, randomized or manufactured responses, with randomized or fake data, may be submitted to other sites or contact points, such as systems being tested or debugged, or for the purpose of training.
  • a multiple-access-point computer network may be used to simulate responses from various points of presence via different network connections, such as for example Internet connections. Parties committing fraud therefore are not able to simply "ignore" all information coming from a single point of presence, and cannot detect that in fact fake credentials are fed.
  • the system may in responding and sending false data use a multiple-access-point computer network which uses several levels of design, which helps to ensure that dummy responses are undetectable.
  • Responding may be conducted using multiple Internet access points, multiple intermediate networks, and/or multiple intermediate Internet service providers.
  • Internet accounts used to generate the dummy responses may use dynamic network IP addresses, or use proxy servers and imitate behavior of users that pass via proxy when relevant using both dialup and broadband connection in order to further disguise the counter-measure.
  • the dialup connections may alternate between different telephone exchanges in order to prevent sophisticated parties committing fraud from tracking the physical location of the source IP addresses.
  • Users, computers, or other access points 60 may contact a party 40 which intends to commit fraud via multiple ISPs or other service providers 100 and 102, possibly being geographically distributed, possibly via network 10 (Fig. 1).
  • central server 20 may contact party 40 via multiple ISPs or other service providers 100 and 102.
  • the central server 20 may use a scheduler or other system which may regulate the "response sending rate" in order to ensure that the dummy responses are monitored, and may thus simulate real responses.
  • the scheduler may be important where large amounts of dummy responses are fed to the spoofed site in order to de-value the obtained information.
  • the scheduler can be implemented in the software 26.
  • the invention responses may be designed to resemble human behavior and appear to be sent from actual recipients of the fraudulent e-mail.
  • This can be done for example without limitation by using Robot-like software, possibly implemented in the software 22.
  • Each response may include details which are internally consistent within the response.
  • the system and method includes an "identity generator", which produces phony details that appear to be legitimate (e.g., adhering to the rules of different data elements, such as user names and passwords, online banking credentials, credit card details, checks etc.).
  • the identity generator may be configured to match each specific company's details and rules.
  • the identity generator may create dummy or fake identities using a large database (e.g., part of database 22) of names, local addresses, e-mail domains, and more. Such fake identities may be part of database 22.
  • the dummy identity may be coherent or consistent, meaning different pieces of information do not contradict each other, and also may match the external conditions (such as for example Internet connection).
  • the details within a response includes a set of details consistent with an Internet service provider to be used for the response.
  • a phone number that may be part of the details may match the address as well as the telephone exchange used for a dial-up connection used to transmit the response.
  • In addition the e-mail address may match the ISP used and so on.
  • Other sets of details may be used.
  • the central server 20 may randomly generate usernames and passwords that match the company's rules as well as an e-mail address which appears to match the username etc.
  • a system that responds to Phishing attacks by generating random credentials and feeding them to web-forms could serve additional purposes such as testing services, debugging services as well as for the sake of demonstrating various scenarios.
  • In such an embodiment, a website or other contact point to be demonstrated, tested, etc. can be contacted multiple times to, for example, enter data, fill in a web-form, etc. with a set of data.
  • Each set of data can include, for example, a set of details, the set of details including a set of false personal information.
  • the contacts or filling of data on for example the web-form can include transmitting information at a speed designed to mimic a human entering data.
  • the timing of the contacting can be set to resemble that of a set of unrelated users.
  • Each contact or response may include a set of details that are internally consistent.
  • a database may be created, including a set of false or manufactured data which may be for example organized into identities, each false identity including a set of data which is consistent within the set.
  • a database may be stored in database(s) 22.
  • Credentials generated and used as part of the service may be created using a cryptographic key, such that the marking of the credentials could not be detected without the key.
  • Real data may be used, so that the party committing fraud will actually perform true transactions, and could more easily be tracked.
  • a system and method that creates and/or transmits manufactured data, as described herein may have other uses, for example, training, testing, developing, demonstrating, etc.
  • responses or other sets of manufactured or fake personal data may be sent to one or more contact points, wherein the data is used to train people, such as customer support representatives, sales representatives, etc., interacting with the system.
  • Both the system or server generating the data and the system receiving the data may be within the same organization or the same system.
  • An automated or semi-automated system for dealing with large numbers of people can be designed, demonstrated, or tested using such a system and method.
  • Responses or sets of false or manufactured data may be sent to demonstrate, debug, test or develop a system which may deal with sensitive personal information, so that real data is not revealed to the viewers.
  • a system and method that creates and/or transmits fake or manufactured data, as described herein, may for example be used against software such as "Trojan horses", or other software, where, for instance, malicious software installs itself on a user's system (e.g., a workstation, a personal computer, etc.) in stealth mode.
  • the piece of software may listen to incoming and outgoing communications of the client's system via for example the Internet, and may monitor browser events and user inputs (e.g. keyboard logging).
  • a piece of software intercepts a login activity in which the user logs in to a designated web site or system (or to any site)
  • the login credentials may be collected through the keyboard logging facility and covertly transmitted to a site in control of the party committing fraud.
  • Such transmission can occur over a multiplicity of protocols, such as e-mail (e.g., SMTP), the Internet (e.g., HTTP, HTTPS), FTP, and others.
  • the invention a system and method may generate and/or transmit, for example a set of responses or transmissions including fake data, mimicking the behavior of "Trojan horses", or other malicious software that may be designed to be installed on a user's systems.
  • such responses may be sent at a pace that mimics a set of responses from a set of geographically dispersed users using different computer and communications systems, and may include fake data as described herein.
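
The marking scheme in the bullets above (credentials created with a cryptographic key so the marking cannot be detected without the key, then "Mark & Block" on the source that tries to use them) can be sketched as follows. This is an added example, not code from the patent: the truncated HMAC-SHA-256 tag, the names `make_marked_password`, `is_marked` and `LoginMonitor`, and the sample accounts and addresses are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Assumption: the mark is a truncated HMAC-SHA-256 tag appended to a random
# password stem. The patent only states that a cryptographic key is used.
TAG_LEN = 6  # 6 base32 characters = 30 bits of tag
STEM_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"  # same alphabet as the tag


def _tag(key: bytes, username: str, stem: str) -> bytes:
    """Keyed tag bound to both the username and the password stem."""
    msg = username.encode("utf-8") + b"\x00" + stem.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest)[:TAG_LEN].lower()


def make_marked_password(key: bytes, username: str, stem_len: int = 8) -> str:
    """Build a bait password: random stem followed by the keyed tag.

    Without the key the tag is indistinguishable from more random
    characters drawn from the same alphabet.
    """
    stem = "".join(secrets.choice(STEM_ALPHABET) for _ in range(stem_len))
    return stem + _tag(key, username, stem).decode("ascii")


def is_marked(key: bytes, username: str, password: str) -> bool:
    """True if the submitted credentials carry this key's mark.

    An unmarked password matches by chance with probability about 2**-30.
    """
    if len(password) <= TAG_LEN:
        return False
    stem, tag = password[:-TAG_LEN], password[-TAG_LEN:]
    return hmac.compare_digest(tag.encode("utf-8"), _tag(key, username, stem))


class LoginMonitor:
    """Mark & Block: once a source presents bait, block that source."""

    def __init__(self, key: bytes):
        self.key = key
        self.blocked_sources = set()
        self.sightings = []  # (source_ip, username) for later investigation

    def check(self, source_ip: str, username: str, password: str) -> str:
        if source_ip in self.blocked_sources:
            # Blocks even genuine stolen credentials from the same source.
            return "blocked"
        if is_marked(self.key, username, password):
            self.blocked_sources.add(source_ip)
            self.sightings.append((source_ip, username))
            return "bait-used"
        return "continue"  # hand over to the normal authentication path


def demo():
    key = secrets.token_bytes(32)  # held only by the defender
    bait_user = "dana.levi47"      # constructed decoy identity
    bait_pw = make_marked_password(key, bait_user)
    monitor = LoginMonitor(key)
    # Constructed sample login attempts (documentation IP ranges).
    attempts = [
        ("198.51.100.7", "real.customer", "correct horse"),
        ("203.0.113.9", bait_user, bait_pw),
        ("203.0.113.9", "real.victim", "Stolen-but-real1"),
        ("198.51.100.7", "real.customer", "correct horse"),
    ]
    return [monitor.check(*attempt) for attempt in attempts]


if __name__ == "__main__":
    print(demo())
```

Because the tag is recomputed from the submitted username and password, the institution does not need a lookup table of every bait identity that was sent, which matters when, as the text notes, the credentials may not be used for months.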

Abstract

A system and method may respond to a fraudulent attack, such as a Phishing attack. The system and method may send a number of responses to a party committing fraud, the responses designed to mimic the responses to a Phishing attack. The responses may include codes or marked information designed to entrap or detect the party committing fraud.

Description

SYSTEM AND METHOD OF ADDRESSING EMAIL AND ELECTRONIC COMMUNICATION FRAUD
FIELD OF THE INVENTION
The present invention relates to email fraud detection and prevention, more specifically to interfering with and/or tracking certain fraudulent attacks; furthermore, the present invention relates to testing data gathering systems.
BACKGROUND OF THE INVENTION
The rapid increase in the number of users of electronic mail and the low cost of distributing electronic messages via the Internet and other electronic communications networks has made marketing and communications with existing customers via e-mail an attractive advertising medium. Consequently, in addition to communications that are warranted by consumers, e-mail is now frequently used as the medium for unsolicited communication and marketing broadcasts of messages to e-mail addresses, commonly known as "Spam". "Phishing", which may include e-mail identity fraud and brand impersonation are the newest forms of harmful Spam attacks that threaten the integrity of companies doing business online. Fraudulent Phishing email messages may be considered to be, for example, messages that appear to be sent from a legitimate company's website or domain address, but in fact are not. In reality, spammers or other parties are hijacking the company's brand to attract the attention of customers, often to gain personal information. Lately, financial institutions as well as other companies that have a trusted relationship with their customers have been attacked by Phishing. For the sake of example, and without limiting the generality of the phenomena, if a bank is attacked by Phishing, individuals may receive an e-mail which is allegedly sent by the bank, and are persuaded into supplying private or valuable identifying personal data online under several pretences - for example, without limitation - so that the bank can register them to a new service, or to protect against unauthorized charges. The damage to the bank, or any other company whose identity is faked, is significant. Phishing can injure valuable corporate brand equity, ruin customer trust, increase operational costs through growing customer complaints, and present additional risks and problems.
The bank or other attacked company may have to publish a general warning to its customers, and sometimes even cancel or block people's accounts. Phishing may involve, but is not limited to, for example: (1) The originators of "Phishing" e-mails attempt to make the e-mail distributed seem to be coming from a legitimate source. In order to achieve that goal, the Phishing e-mail may be disguised as a legitimate e-mail, and includes elements and characteristics of a legitimate organization, such as (without limitation) logo, domain names, brands and colors; (2) In order for the Phishing to be advantageous for its originators, the originators of "Phishing" need to somehow divert information that the trusting consumers submit in response to the seemingly legitimate e-mail. Such information might be diverted via for example a link to a separate web-page that requires the individual to input valuable private information, or via telephone, if the e-mail directs the recipient to call a certain telephone number (following which the recipient's valuable information might be collected over the phone). Such illegitimate links or contact telephone numbers may be referred to as "illegitimate contact pointers". The implications of the above characteristics of Phishing are that any Phishing e-mails typically include a mixture of both legitimate and illegitimate contact pointers (such as links to other web pages or telephone numbers). Legitimate contact pointers would point to web pages or telephone numbers that belong to legitimate e-mail senders. Illegitimate contact pointers would point to web pages or telephone numbers that belong to the parties committing fraud.
SUMMARY OF THE INVENTION
In one embodiment, a system and method may respond to a fraudulent attack, such as a Phishing attack. The system and method may send a number of responses to a party committing fraud, the responses designed to mimic the responses to a Phishing attack. The responses may include codes or marked information designed to entrap or detect the party committing fraud. Embodiments of the present invention relate to a method and system for reducing negative consequences associated with the submitting of valuable and confidential information by individuals to fraudulent impostors, as well as for increasing the likelihood that fraudulent impostors be captured. Embodiments of the current invention include a system and method for minimizing the impact of Phishing scams as well as facilitating the detection of the originators of the attack.
BRIEF DESCRIPTION OF THE DRAWINGS
Embodiments of the mvention are illustrated by way of example and not limitation in the figures of the accompanying drawings, in wMch like reference numerals indicate corresponding, analogous or similar elements, and in wMch: Fig. 1 depicts a system according to one embodiment of the invention; and Fig. 2 illustrates a multiple-access-point computer network wMch may be used with an embodiment of the present invention. It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements maybe exaggerated relative to other elements for clarity.
DETAILED DESCRD?TION OF THE INVENTION
In the following description, various aspects of the present invention will be described. For purposes of explanation, specific configurations and details are set forth in order to provide a thorough understanding of the present invention. However, it will also be apparent to one skilled in the art that the present mvention may be practiced without the specific details presented herein. Furthermore, well-known features may be omitted or simphfied in order not to obscure the present invention. Various examples are given throughout this description. These are merely descriptions of specific embodiments of the invention, but the scope of the invention is not limited to the examples given. The goal of a useful anti-PMsMng and/or anti-fraud service may include, for example, any or all of the following: 1. Detection of potential PMshing scams; 2. Configuration options to allow the definition of PMsMng detection parameters; 3. Alerting against a detected scam; 4. Option for the targeted institution (e.g., bank, financial institution, etc.) to request: a. Blocking of the PMshing e-mail before it reaches the recipients' mailboxes; b. Alert to consumers' (e.g., accountholders, cardholders) e-mails; c. Alert to law enforcement or regulatory authorities; and/or d. Approval of the mail as an official e-mail by the mstitution (non- PMsMng); 5. Tools for minimizing the impact of the PMsMng scam, as well as tools that facilitate detecting the PMsMng origmators. According to one embodiment of the present invention, the detection of PMsMng scams can be done using existing anti e-mail-spam methods wMch can issue alerts whenever they detect an e-mail, wMch contains at least X (e.g., a suitable number, where one may be a s table number) legitimate contact pointers such as domains, trademarks, service names, phone numbers, etc., by a centralized service, such as a "Service Provider," along with illegitimate pointers. One such anti e-mail-spam method is called "honey pots" or "decoys". 
An anti e-mail-spam company that works with this method may set up numerous e-mail accounts that do not belong to real people or entities, and lists them in public e-mail guides. If an e-mail gets to these addresses it can be either the result of a spam or an honest mistake. If the e-mail reaches several addresses the chances of an honest mistake are slim. Other methods may include for example content filtering or sniffing. Once a potential Phishing scam or other unwanted data communication is identified some pre-processing may be performed to make sure it is indeed a suspicious e-mail or communication.

Various devices and architectures, and sets of devices may form a system according to various embodiments of the present invention, and may effect a method according to embodiments of the present invention. Methods according to various embodiments of the present invention may, for example, be executed by one or more processors or computing systems (including, for example, memories, processors, software, databases, etc.), which, for example, may be distributed across various sites or computing platforms; alternatively some methods according to embodiments may be executed by single processors or computing systems. The following illustration outlines a solution architecture according to one embodiment of the present invention; other suitable architectures are possible in accordance with other embodiments of the invention.

Fig. 1 depicts a system according to one embodiment of the invention. A network 10 such as the Internet, the Internet in combination with other networks, or some other network combination of networks connects a set of entities. A central server 20 may provide services such as monitoring Phishing or other e-mail oriented fraud, and may try to counteract, interfere with, or track such fraud, or attempt to track down the identity of the perpetrators.
A set (where set can include one element) of institutions 30, such as banks, financial institutions, or other institutions, which may be targets of Phishing or other fraud, may request services from the central server 20. One or more parties committing fraud (which may be known as for example "fraudsters") 40 may attempt to commit fraud via email, for example via "Phishing", by sending fraudulent emails to a set of users 50, for example requesting the users to contact an institution 30 using a contact point or address (e.g., an email address, an Internet address, etc.) or phone number that is actually directed to the party 40 or an associate. The contact point or address may be made to appear as if it belongs to a legitimate institution 30. The central server 20 may attempt to send fake or other information to the contact point or other address to interfere with or stop fraudulent activities. In one embodiment server 20 monitors for Phishing attacks; in other embodiments other entities such as institutions may inform server 20 regarding Phishing attacks.

The contact point may be an e-mail address. Thus the data in a response may be sent to the party committing fraud via email, possibly directly (e.g. by the party requesting the details to be sent via the "Reply To" email option, or by a JavaScript client side code that does so automatically, etc.) or indirectly to the party (e.g., the party may implement a web-to-mail interface, wherein the user data is eventually sent to an email address from where it is later collected by the party).

Central server 20 may include one or more database(s) 22, a controller or processor 24, and software 26, which may include for example, an identity generator 28, or other suitable modules. Controller or processor 24 may execute instructions in software 26 to perform various functions such as those described herein.
The functionality of central server 20 may be implemented in other manners, such as being distributed among other sites, being included in one or more institutions, etc. For example, in one embodiment a bank may include the fraud blocking or tracking capabilities as described herein. The central server 20 may have as customers institutions 30 that wish to stop and/or entrap fraud committing parties, but such a customer-client relationship is not needed; for example central server 20 may be a government or non-profit entity, part of a consortium of interested parties, or part of an institution 30. The central server 20 may detect fraudulent activity (e.g., Phishing); alternatively the central server 20 may act after being requested by another party which has detected fraudulent activity.

The central server 20 may for example, provide multiple responses to a contact point created by a party 40. The central server may respond multiple times to mimic a group of users responding to the fraud (each response may include different data), and the responses may be timed, paced, and/or numbered to mimic the natural response of a large group of people. For example, responses may start with a flurry and then gradually slow down, and each response may be sent at a somewhat random time within an overall desired pattern. The total number of responses may be in proportion to a size of the attack in response to which the responses are sent. For example, the number of responses can be X% (e.g., 0.1%, 1%, 5%, 10%, etc.) of the number of emails or other communications that constituted the Phishing or other attack, possibly based on known response rates. Each response may be for example the central server filling in or sending details to a web site or web form, possibly at the contact point. Furthermore, within each response, data may be entered at a speed and pace to mimic a human entering information using a keyboard and pointing device (e.g., mouse).
A response may include a set of details such as a set of false personal information. Multiple sets of false personal information can be created and for example stored in a database 22.

According to one embodiment of the current invention the central server may perform tasks such as, for example:
(1) Dilution: For example, a Phishing website (e.g., at a contact point defined by a party 40) maintained by a party 40 which tries to collect data from the central server (or "Service Provider") customers (e.g., institutions 30) is filled with fake records of people, thus diluting the quality of data that the parties committing fraud obtain;
(2) Mark & Block: For example, using responses with marked data, the Phishing website which tries to collect data from institution 30 is filled with fake records of people. When the central server 20 detects that those "fake people" attempt to access the central server 20 real website/Service or an institution 30 website, it may be possible to identify the source of that attempt (using the phony records) and to block any further attempts from that same source (e.g. IP, location etc). This way, when the party committing fraud (e.g., "fraudster") attempts to access central server 20 or institution 30 service using real valuable stolen data (and not the fake one sent to it) such usage will be blocked, including good details;
(3) Mark and Capture: For example, the Phishing website which tries to collect data from the Service Provider's customers, is filled with fake records of people via responses with marked data. When the Service Provider detects that these "fake people" attempt to enter the Service Provider's real website, the Service Provider can attempt to locate the party committing fraud.
A central server 20 or institution 30 can monitor, for example, an institution or central server website, for the use of marked data in an attempted transaction. Other actions may be taken.
According to one embodiment of the current invention dummy responses may be sent to the fraudulent site (e.g., maintained by a party 40) by, for example, the central server 20 as if the responses were coming from real users who were defrauded by the scam. The fraudulent site is fed with useless records, and hence the quality of data that is obtained is diluted. According to one embodiment the amount of responses can be configurable so that it would be consistent with the estimated attack size (importantly the estimated number of users who may actually give away their personal information, which can be determined by using statistical assessment). According to one embodiment, in order to avoid suspicion on behalf of the party committing fraud 40, the central server 20 may simulate a real human user feeding data at an appropriately slow, human typing pace, seemingly from multiple IP addresses with intervals between one data string and the other.

Data in a response may include or be marked with for example data or codes identifiable to a central server 20 or institution 30, so that for example its use can be tracked. Furthermore, data may be marked with cryptographically encoded portions. Details may be marked in a manner making it (for example by using cryptographically strong algorithms) infeasible to spot or detect, except for those who have a cryptographic key with which the marking can be deciphered and/or extracted from the data.

An embodiment of the system and method may be designed to reduce the quality of the data obtained by the party committing fraud during a Phishing attack, and thus mitigate the attack's negative consequences. By diluting the data obtained by the party committing fraud, the stolen data obtained by the "fraudster" becomes less valuable, hence reducing the incentive to attack service providers who utilize the proposed system and method.
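The keyed marking and the Mark & Block monitoring described above can be sketched as follows. This is an added example, not code from the patent: the HMAC-SHA256 tag hidden in the decoy password, the function and class names, and the sample addresses are all assumptions made for illustration.

```python
"""Illustrative sketch (not from the patent): keyed marking of decoy
credentials and a login screen that blocks sources presenting them."""
import base64
import hashlib
import hmac
import secrets
import string

# Assumed layout: password = random prefix + keyed tag. Both parts use the
# same alphabet, so without the key the tag reads as more random characters.
PREFIX_LEN = 6
TAG_LEN = 8  # 8 base32 characters = 40 bits of HMAC output
ALPHABET = string.ascii_lowercase + "234567"


def _tag(key: bytes, username: str, prefix: str) -> str:
    """HMAC-SHA256 over username and prefix, base32-encoded and truncated."""
    msg = username.encode() + b"\x00" + prefix.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.b32encode(digest).decode().lower()[:TAG_LEN]


def make_marked_credential(key: bytes, username: str) -> tuple:
    """Return (username, password) for a decoy identity with a hidden mark."""
    prefix = "".join(secrets.choice(ALPHABET) for _ in range(PREFIX_LEN))
    return username, prefix + _tag(key, username, prefix)


def is_marked(key: bytes, username: str, password: str) -> bool:
    """True only if the password carries a valid tag for this username."""
    if len(password) != PREFIX_LEN + TAG_LEN:
        return False
    prefix, tag = password[:PREFIX_LEN], password[PREFIX_LEN:]
    expected = _tag(key, username, prefix)
    # Compare as bytes so non-ASCII input cannot raise in compare_digest.
    return hmac.compare_digest(tag.encode(), expected.encode())


class LoginMonitor:
    """Screens login attempts before normal authentication runs."""

    def __init__(self, key: bytes):
        self._key = key
        self.blocked_sources = set()
        self.sightings = []  # (source_ip, decoy username) for investigation

    def screen(self, source_ip: str, username: str, password: str) -> str:
        if is_marked(self._key, username, password):
            # Bait was used: record the sighting and block the source.
            self.sightings.append((source_ip, username))
            self.blocked_sources.add(source_ip)
            return "bait"
        if source_ip in self.blocked_sources:
            # Same source as an earlier bait attempt: refuse, even though
            # these credentials may be real stolen ones.
            return "blocked"
        return "pass"  # hand over to the regular authentication path


def demo() -> list:
    key = secrets.token_bytes(32)  # held only by the institution or server
    user, pw = make_marked_credential(key, "jsmith42")  # constructed decoy
    monitor = LoginMonitor(key)
    # Constructed attempts; addresses come from documentation ranges.
    attempts = [
        ("198.51.100.9", "alice", "correct-horse"),  # ordinary customer
        ("203.0.113.7", user, pw),                    # bait credential used
        ("203.0.113.7", "bob", "stolen-but-real"),    # same source, real data
        ("198.51.100.9", "alice", "correct-horse"),  # unaffected source
    ]
    return [monitor.screen(*a) for a in attempts]


if __name__ == "__main__":
    print(demo())
```

A source address shared through NAT or a proxy may carry legitimate users as well, which is worth weighing before blocking on address alone.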
According to one embodiment a limited amount of dummy responses are submitted to the fraudulent site where the responses are marked, such that the responses can be tracked at a later stage. This may be done in combination with sending un-marked responses. This way the use of the credentials provided as part of these responses can be monitored. Whenever the system identifies an attempt to use such "marked credentials" it is possible according to one embodiment to block the access to the service from such location (typically an IP address where "bait information" was attempted to be used from), and therefore prevent attempts to use real credentials from such location.

According to a different embodiment of the current invention parties committing fraud might be located based on the marked responses. In many cases these "fraudsters" obtain information during a Phishing attack, but do not attempt to use the data for several months. Marking the dummy credentials submitted to the fraudster according to the above embodiment may allow a server or other party to follow the credentials for a long period of time. In addition, in other embodiments having other uses, dummy, randomized or manufactured responses, with randomized or fake data, may be submitted to other sites or contact points, such as systems being tested or debugged, or for the purpose of training.

According to one embodiment of the current invention, a multiple-access-point computer network may be used to simulate responses from various points of presence via different network connections, such as for example Internet connections. Parties committing fraud therefore are not able to simply "ignore" all information coming from a single point of presence, and cannot detect that in fact fake credentials are fed.
Following a Phishing attack, according to one embodiment of the current invention the system may in responding and sending false data use a multiple-access-point computer network which uses several levels of design, which helps to ensure that dummy responses are undetectable. Responding may be conducted using multiple Internet access points, multiple intermediate networks, and/or multiple intermediate Internet service providers. Internet accounts used to generate the dummy responses may use dynamic network IP addresses, or use proxy servers and imitate behavior of users that pass via proxy when relevant using both dialup and broadband connection in order to further disguise the counter-measure. The dialup connections may alternate between different telephone exchanges in order to prevent sophisticated parties committing fraud from tracking the physical location of the source IP addresses.

Fig. 2 illustrates a multiple-access-point computer network which may be used with an embodiment of the present invention. Users, computers, or other access points 60 may contact a party 40 which intends to commit fraud via multiple ISPs or other service providers 100 and 102, possibly being geographically distributed, possibly via network 10 (Fig. 1). Alternately, central server 20 may contact party 40 via multiple ISPs or other service providers 100 and 102.

According to one embodiment of the invention the central server 20 may use a scheduler or other system which may regulate the "response sending rate" in order to ensure that the dummy responses are monitored, and may thus simulate real responses. The scheduler may be important where large amounts of dummy responses are fed to the spoofed site in order to de-value the obtained information. As with other modules, the scheduler can be implemented in the software 26.

According to another embodiment of the invention responses may be designed to resemble human behavior and appear to be sent from actual recipients of the fraudulent e-mail.
This can be done for example without limitation by using Robot-like software, possibly implemented in the software 22. Each response may include details which are internally consistent within the response. For example, according to one embodiment of the invention the system and method includes an "identity generator", which produces phony details that appear to be legitimate (e.g., adhering to the rules of different data elements, such as user names and passwords, online banking credentials, credit card details, checks etc.). The identity generator may be configured to match each specific company's details and rules. The identity generator may create dummy or fake identities using a large database (e.g., part of database 22) of names, local addresses, e-mail domains, and more. Such fake identities may be part of database 22. The dummy identity may be coherent or consistent, meaning different pieces of information do not contradict each other, and also may match the external conditions (such as for example Internet connection). Thus in one embodiment, the details within a response include a set of details consistent with an Internet service provider to be used for the response. A phone number that may be part of the details may match the address as well as the telephone exchange used for a dial-up connection used to transmit the response. In addition the e-mail address may match the ISP used and so on. Other sets of details may be used. In the case of online credential fraud, the central server 20 may randomly generate usernames and passwords that match the company's rules as well as an e-mail address which appears to match the username etc.

According to one embodiment of the invention a system that responds to Phishing attacks by generating random credentials and feeding them to web-forms, could serve additional purposes such as testing services, debugging services as well as for the sake of demonstrating various scenarios.
In such an embodiment, a website or other contact point to be demonstrated, tested, etc. can be contacted multiple times to, for example, enter data, fill in a web-form, etc. with a set of data. Each set of data can include, for example, a set of details, the set of details including a set of false personal information. The contacts or filling of data on for example the web-form can include transmitting information at a speed designed to mimic a human entering data. The timing of the contacting can be set to resemble that of a set of unrelated users. Each contact or response may include a set of details that are internally consistent.

For such a method, or any of the methods described herein, a database may be created, including a set of false or manufactured data which may be for example organized into identities, each false identity including a set of data which is consistent within the set. For example such a database may be stored in database(s) 22. Credentials generated and used as part of the service may be created using a cryptographic key, such that the marking of the credentials could not be detected without the key. Real data may be used, so that the party committing fraud will actually perform true transactions, and could more easily be tracked.

In other embodiments, a system and method that creates and/or transmits manufactured data, as described herein, may have other uses, for example, training, testing, developing, demonstrating, etc. For example, responses or other sets of manufactured or fake personal data may be sent to one or more contact points, wherein the data is used to train people, such as customer support representatives, sales representatives, etc., interacting with the system. Both the system or server generating the data and the system receiving the data may be within the same organization or the same system. An automated or semi-automated system for dealing with large numbers of people can be designed, demonstrated, or tested using such a system and method.
Responses or sets of false or manufactured data may be sent to demonstrate, debug, test or develop a system which may deal with sensitive personal information, so that real data is not revealed to the viewers.

A system and method that creates and/or transmits fake or manufactured data, as described herein, may for example be used against software such as "Trojan horses", or other software, where, for instance, malicious software installs itself on a user's system (e.g., a workstation, a personal computer, etc.) in stealth mode. The piece of software may listen to incoming and outgoing communications of the client's system via for example the Internet, and may monitor browser events and user inputs (e.g. keyboard logging). When such a piece of software intercepts a login activity in which the user logs in to a designated web site or system (or to any site), the login credentials may be collected through the keyboard logging facility and covertly transmitted to a site in control of the party committing fraud. Such transmission can occur over a multiplicity of protocols, such as e-mail (e.g., SMTP), the Internet (e.g., HTTP, HTTPS), FTP, and others.

In one embodiment of the invention a system and method may generate and/or transmit, for example a set of responses or transmissions including fake data, mimicking the behavior of "Trojan horses", or other malicious software that may be designed to be installed on a user's systems. As described herein, such responses may be sent at a pace that mimics a set of responses from a set of geographically dispersed users using different computer and communications systems, and may include fake data as described herein. In such embodiment, the dilution or responses may work directly against the party's contact point, using the protocol chosen by the party, and imitating the behavior the software would assume.
While certain features of the invention have been illustrated and described herein, many modifications, substitutions, changes, and equivalents will now occur to those of ordinary skill in the art. It is, therefore, to be understood that the appended claims are intended to cover all such modifications and changes as fall within the spirit of the invention.

Claims

1. A method comprising: responding to a contact point created by a party committing fraud, the response including a set of details, the set of details including a set of false personal information.
2. The method of claim 1, comprising responding a plurality of times, each response including a different set of details.
3. The method of claim 1, wherein the contact point is an Internet address referring to a web site.
4. The method of claim 1, wherein the contact point is an e-mail address.
5. The method of claim 1, wherein responding comprises transmitting information at a speed designed to mimic a human entering data.
6. The method of claim 1, comprising setting the timing of the responses to resemble that of a set of users responding to a Phishing attack.
7. The method of claim 1, wherein each response includes a set of details that are internally consistent.
8. The method of claim 1, comprising creating a database including a set of false identities, each false identity including a set of data which is consistent within the set.
9. The method of claim 1, wherein each response includes a set of details consistent with an Internet service provider used to respond.
10. The method of claim 1, wherein the responding is in response to a Phishing attack.
11. The method of claim 1, wherein the responding is conducted using a plurality of Internet access points.
12. The method of claim 1, wherein the responding is conducted using a plurality of intermediate networks.
13. The method of claim 1, wherein the responding is conducted using a plurality of intermediate Internet service providers.
14. The method of claim 1, wherein the data in a response is marked, the method comprising monitoring an institution for the use of marked data in an attempted transaction.
15. The method of claim 1, wherein the number of responses is in proportion to a size of an attack in response to which the responses are sent.
16. The method of claim 1, wherein responding comprises entering data into a web-form.
17. The method of claim 1, comprising marking a response using a cryptographic algorithm, such that the marking is detectable only with a suitable cryptographic key.
18. The method of claim 1, wherein the details and the timing of the sending of the data mimic the behavior of automated client software.
19. A method comprising: contacting a plurality of times a website and, with each contact, filling in a web-form with a set of data, each set of data including a set of details, the set of details including a set of false personal information.
20. The method of claim 19, wherein filling in the web-form comprises transmitting information at a speed designed to mimic a human entering data.
21. The method of claim 19, comprising setting the timing of the contacting to resemble that of a set of unrelated users.
22. The method of claim 19, wherein each contact includes a set of details that are internally consistent.
23. The method of claim 19, comprising creating a database including a set of false identities, each false identity including a set of data which is consistent within the set.
24. A system comprising: a controller to: respond to a contact point created by a party committing fraud, the response including a set of details, the set of details including a set of false personal information.
25. The system of claim 24, wherein the contact point is an Internet address referring to a web site.
26. The system of claim 24, wherein the contact point is an e-mail address.
27. The system of claim 24, wherein responding comprises transmitting information at a speed designed to mimic a human entering data.
28. The system of claim 24, wherein the timing of the responses is to resemble that of a set of users responding to a Phishing attack.
29. The system of claim 24, wherein each response includes a set of details that are internally consistent.
30. The system of claim 24, comprising a database including a set of false identities, each false identity including a set of data which is consistent within the set.
31. The system of claim 24, wherein the responding is conducted using a plurality of intermediate networks.
32. A system comprising: a controller to contact a plurality of times a website and, with each contact, enter a set of data, each set of data including a set of details, the set of details including a set of false personal information.
33. The system of claim 32, comprising a database including a set of false identities.
34. The system of claim 32, wherein entering the data comprises transmitting information at a speed designed to mimic a human entering data.
PCT/US2004/036993 2003-11-07 2004-11-08 System and method of addressing email and electronic communication fraud WO2005048522A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/578,591 US9076132B2 (en) 2003-11-07 2004-11-08 System and method of addressing email and electronic communication fraud
EP04800816A EP1683293A4 (en) 2003-11-07 2004-11-08 System and method of addressing email and electronic communication fraud

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US51786803P 2003-11-07 2003-11-07
US60/517,868 2003-11-07

Publications (1)

Publication Number Publication Date
WO2005048522A1 true WO2005048522A1 (en) 2005-05-26

Family

ID=34590201

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2004/036993 WO2005048522A1 (en) 2003-11-07 2004-11-08 System and method of addressing email and electronic communication fraud

Country Status (2)

Country Link
EP (1) EP1683293A4 (en)
WO (1) WO2005048522A1 (en)

Also Published As

Publication number Publication date
EP1683293A4 (en) 2007-07-25
EP1683293A1 (en) 2006-07-26

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 2004800816

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 2004800816

Country of ref document: EP

WWE Wipo information: entry into national phase

Ref document number: 10578591

Country of ref document: US