<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>iovation Online Fraud Prevention Blog - News about Device Identification, Device Reputation &#38; Risk Management &#187; botnet</title>
	<atom:link href="http://blog.iovation.com/tag/botnet/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.iovation.com</link>
	<description>protect online businesses from cyber criminals</description>
	<lastBuildDate>Thu, 02 Feb 2012 01:25:44 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>&#8216;Tis the season &#8230; for fraud</title>
		<link>http://blog.iovation.com/2009/10/26/clickfraud-holidays/</link>
		<comments>http://blog.iovation.com/2009/10/26/clickfraud-holidays/#comments</comments>
		<pubDate>Mon, 26 Oct 2009 15:25:31 +0000</pubDate>
		<dc:creator>Max Anhoury</dc:creator>
				<category><![CDATA[Holiday Fraud]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[fraud prevention]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Online Fraud]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=1054</guid>
		<description><![CDATA[On the heels of our previous post about increased shipping fraud during the holidays, eWeek has just reported that click fraud is also anticipated to increase dramatically in the coming months: “As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-1059" title="'Tis the season ... for fraud" src="http://blog.iovation.com/wp-content/uploads/2009/10/iStock_christmas_tree-200x300.jpg" alt="'Tis the season ... for fraud" width="93" height="140" />On the heels of our previous post about increased shipping fraud during the holidays, eWeek has just reported that <a href="http://securitywatch.eweek.com/click_fraud/botnet_clickfraud_problem_growing.html" target="_blank">click fraud is also anticipated to increase dramatically</a> in the coming months:</p>
<ul> “As we head into Q4 and the busiest season for online shopping and Internet use by those considered inexperienced users, click fraud will likely run rampant as scammers seek to tap into the increased attention, experts warned.”</ul>
<p>Click fraud (which is when affiliate sites dishonestly increase online ad traffic in order to gain unearned revenue) is one of many types of fraud becoming more common with the use of botnets. In addition to click fraud, many other types of fraud—including spam, phishing attacks, and identity theft—are gaining in prevalence with the use of botnets. The result is that consumer PCs are under siege and individuals and businesses alike bear the cost.<span id="more-1054"></span></p>
<ul> “The significant rise in botnet-generated click fraud lines up with recent findings of several well-known malware and online fraud tracking experts,” said Paul Pellman, CEO of Click Forensics. “Botnets perpetrating click fraud and other online schemes continue to grow in number and sophistication.”</ul>
<p>Another post from the Kansas City Star confirms this problem and provides some tips for individuals to protect themselves:</p>
<ul> Slightly <a href="http://economy.kansascity.com/?q=node/4383" target="_blank">more than 4.3 percent of American adults were the victims of identity theft last year</a>, according to the 2009 Identity Fraud Survey Report, and the percentage is expected to go higher when wallets are lost and stolen in the holiday shopping season. The average fraud amount per victim was $4,849 and took about 30 hours to resolve, The Javelin Strategy &amp; Research Center reported.</ul>
<p>It is worth noting that the $4,849, cited above, does not take into account the significant costs that businesses suffer as a result of fraud. And with all indications pointing to an increase in online fraud as the shopping season ramps up, online businesses are currently trying to prepare. A good fraud prevention process ought to be able to recognize the following items:</p>
<ul>
<li><strong>Is the credit card valid? </strong>There are a number of security checks available that can point to credit card fraud. This includes authorization checks, AVS checks, card verification (i.e. checking CVV2 number), and other card validation checks.</li>
<li><strong>Has the individual committed fraud in the past?</strong> There are a number of commercial systems and internal databases that help businesses check whether the supplied Personally Identifiable Information (PII) has been associated with fraud in the past. This kind of system essentially checks whether the information submitted by the customer matches information that has been associated with fraud in the past.</li>
<li><strong>Does this transaction have high risk characteristics?</strong> Businesses should be tracking and flagging transactions that have high risk characteristics. Contributing factors can include: the country of origin of the purchase, the kind of goods being purchased, the use of IP proxies, the time of the purchase, and many other factors. For fraud systems that work with these risk factors, often a large number of factors are taken into consideration in order to determine a risk score for each transaction. Based on that score, businesses can make a decision whether to allow, deny, or flag that transaction for review.</li>
<li><strong>Has this computer been used for fraud before?</strong> <a href="http://www.iovation.com/reputation-manager/" target="_blank">Device reputation systems</a> are now considered a best practice for fighting online fraud. An online business should be able to understand, independent of personal information, whether or not a computer that is being used to conduct online business already has a history of fraud. The critical components of this system are: the ability to identify and re-recognize a computer and the ability to take into consideration historical fraudulent activity associated with that computer.</li>
</ul>
<p>With these techniques in place, businesses will go a long way to stopping holiday fraud.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/10/26/clickfraud-holidays/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Domain Name Abuse—An important component of fraud as a service</title>
		<link>http://blog.iovation.com/2009/10/05/domain-name-abuse/</link>
		<comments>http://blog.iovation.com/2009/10/05/domain-name-abuse/#comments</comments>
		<pubDate>Mon, 05 Oct 2009 20:23:32 +0000</pubDate>
		<dc:creator>Max Anhoury</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[Technology]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[fraud as a service]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[Phishing]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=754</guid>
		<description><![CDATA[While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In phishing attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In [...]]]></description>
			<content:encoded><![CDATA[<p>While not often talked about, the malicious use of domain names is becoming a serious problem. Domain names provide a means to an end for criminals attempting all kinds of scams and online fraud. In <a href="http://en.wikipedia.org/wiki/Phishing" target="_blank">phishing</a> attacks, for example, a hacker-controlled domain name serves as the redirection point for a fake or infected site. In the case of <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">botnet</a> operations, a domain name replaces a unique IP address as the point of command and control, allowing fraudsters access to a much larger set of data with less risk of detection.<span id="more-754"></span></p>
<p>An <a href="http://www.networkworld.com/news/2009/091409-domain-name-abuse.html?ts0hb&amp;story=abuse" target="_blank">article in Network World</a> this month focuses on the importance of domain-name abuse and details the current efforts to stop it. While this problem isn’t exactly new, it is now becoming an increasingly appealing method for fraudsters to carry out attacks. In phishing attacks, for example, the use of hard-coded IP addresses has steadily declined as fraudsters are beginning to favor the use of domain names instead. According to a study done by the Anti-Phishing Working Group, in one six-month period, there were 56,959 phishing attacks occurring on 30,454 unique domain names.<!--more--></p>
<p>Domain names play an equally important part in botnet attacks, like the highly discussed Conficker worm. Unfortunately, as the article details, disrupting Conficker’s use of domain names isn’t proving to be an easy task:</p>
<blockquote><p>Attempts by industry to cut off criminal access to domain names is proving difficult. The first globally organized effort to attempt that — <a href="http://www.confickerworkinggroup.org/wiki/" target="_blank">Conficker Working Group</a> — sought to disable domains targeted by the Conficker worm for use in its command-and-control system. But after six months of trying, there’s not much to show for it.</p></blockquote>
<p>Even with the help of many key players in the realm of domain names and internet security—including Neustar, VeriSign, Afilias, Public Internet Registry, Global Domains International, ICANN, Symantec—the Conficker worm is still at large, inhabiting millions of computers around the globe. So what makes it such a complex problem?</p>
<p>One of the most glaring problems is in the domain-name registration process and the lack of sufficient oversight. First, there’s the ease with which an attacker can simply use false information to register the domain—this is the same basic authentication problem that all other online businesses face. Then there’s the fact that the registration and use of domain names happens all over the world, under different rules and regulations depending on the country. Especially with the use of country-code Top Level Domains (ccTLDs such as .fr, or .uk), each individual country controls its own, meaning that in order to combat domain-name abuse, cooperation on a global scale would need to take place.</p>
<blockquote><p>“There are many language and jurisdictional legal issues that make tackling domain-name abuse problems extremely hard,” says Ram Mohan, CTO at Dublin-based registry services provider Afilias and a liaison for the ICANN Security and Stability Advisory Committee (SSAC) on the ICANN Board of Directors… “Some rules in ICANN are just broken,” Mohan says. The overall domain-name registration system “was created at a time of a benign Internet. Today we have no burden of validation and that can be fixed.” He also says it might be a wise move to require some sort of security audit of the registrars and registries.</p></blockquote>
<p>In the article, GoDaddy was used as an example of a domain-name registrar with one of the better anti-fraud practices. But not without effort: in order to responsibly oversee the 36 million domain names that GoDaddy manages, its fraud team is constantly at work. Once a domain name is identified as being used maliciously, it is shut down. Unfortunately, as at many businesses, shutting down bad accounts is an inherently cyclical process when the underlying problem often consists of one criminal opening endless accounts using false information.</p>
<p>It will undoubtedly take a global effort to develop a sufficient system of regulation and oversight, but individual registrars can bear a certain amount of the burden by implementing more thorough security measures. Techniques that complement their existing efforts, like <a href="http://www.iovation.com/solutions/" target="_blank">device reputation</a> and stronger authentication, would allow them to put a large dent in this illegal activity and set a standard for their peers in the industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/10/05/domain-name-abuse/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>When Fighting Online Fraud Not All Device Reputation is Equal</title>
		<link>http://blog.iovation.com/2009/05/14/when-fighting-online-fraud-not-all-device-reputation-is-equal/</link>
		<comments>http://blog.iovation.com/2009/05/14/when-fighting-online-fraud-not-all-device-reputation-is-equal/#comments</comments>
		<pubDate>Thu, 14 May 2009 15:29:45 +0000</pubDate>
		<dc:creator>Scott Olson</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[device fingerprint]]></category>
		<category><![CDATA[device reputation]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[Online Fraud]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[spam]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=232</guid>
		<description><![CDATA[I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database [...]]]></description>
			<content:encoded><![CDATA[<p>I have recently answered several questions from individuals asking about device reputation. They have asked about the value of reputation data built by identifying infected PCs, i.e. botnets, as opposed to identifying PCs that have been used to commit actual online fraud or abuse. iovation pioneered the use of device fingerprinting in a shared database to build device reputations in 2004 and we have a lot of experience with this issue. There is a big difference between the two types of reputations and their relevant value.<span id="more-232"></span></p>
<p><strong>Botnet and malware based reputation.</strong> There are device reputation services that derive online reputation for devices or IP addresses through detection of malware infection or botnet characteristics. A good example of a service like this is <a href="http://www.senderbase.org/" target="_blank">Cisco&#8217;s Ironport Senderbase</a> service. Here this reputation is used to fight spam, phishing, and malware propagation. The question for online businesses is how relevant this data is when used to combat fraudulent purchases or bogus account setup. In evaluating this question, it is helpful to look at the various uses of botnets. There is a good submission on botnets in Wikipedia that describes the <a href="http://en.wikipedia.org/wiki/Botnet" target="_blank">various uses of botnets</a>. The top uses of botnets in this article are as follows:</p>
<ol>
<li>Botnets are used to propagate denial of service attacks.</li>
<li>They are used for spam and phishing distribution. This use of botnets is so prevalent that they call them <a href="http://en.wikipedia.org/wiki/Spambot" target="_blank">spambots</a>.</li>
<li>Finally, they are used to harvest data, usually account information, personal information, or credit data.</li>
</ol>
<p>While botnets can have correlation to online fraud, a large collection of computers that have been associated with an infection or malware is not the same thing as an online fraud reputation database. Think of botnets as the miners of the raw materials to commit online fraud. Typically that data is sent off the compromised PC to a central location where the identity data is collected and resold on the Internet. The actual fraud occurs on different PCs.</p>
<p><strong>Fraud and abuse based device reputation. </strong>These reputation services, like iovation&#8217;s, track actual histories of fraud and abuse that are associated with a given device by its device fingerprint. iovation tracks over 30 types of online fraud and abuse ranging from credit card fraud to affiliate fraud and customer harassment. Tracking the actual abuses reported for a given device gives our customers actionable information with a very low false positive rate and information that is specifically relevant to their business. iovation has profiled well over 1 billion devices and tracks the unique reputation of over 120 million online devices, allowing us to provide unique insight that is unmatched by other services.</p>
<p>Botnet and malware based reputation services are no doubt valuable at combating enterprise security exploitations, but their value simply doesn&#8217;t extend to protecting online businesses in the same way. If you are thinking about evaluating a device fingerprinting or device reputation service, be sure to ask the following questions:</p>
<ol>
<li>How many devices do you profile on a daily basis and how many have you profiled in the past year?  This will give an important sense of the scale of the organization.</li>
<li>Do you track device reputations, or are you entirely risk based? Device reputation is distinct from device risk in that it identifies a device and its fraudulent history with certainty instead of assigning a likelihood that it is fraudulent.</li>
<li>If you say you have identified a fraudulent device, what type of fraudulent activity have you verified? Is this a history of an actual fraud, i.e. a credit card chargeback, or is it simply an infected PC?</li>
<li>Can you provide granularity to the reputation that is specifically relevant to my business? Is your fraud reputation one-size-fits-all or do you track specific categories of fraud?</li>
</ol>
<p>Many businesses are looking at this new category of device reputation and seeing how it can help their business. It is important to consider how that reputation is built and how effective it will be in stopping online fraud and abuse.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/05/14/when-fighting-online-fraud-not-all-device-reputation-is-equal/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker Starts Up Botnet to Enable Online Fraud</title>
		<link>http://blog.iovation.com/2009/04/10/conficker-starts-up-botnet-to-enable-online-fraud/</link>
		<comments>http://blog.iovation.com/2009/04/10/conficker-starts-up-botnet-to-enable-online-fraud/#comments</comments>
		<pubDate>Fri, 10 Apr 2009 15:54:07 +0000</pubDate>
		<dc:creator>Scott Olson</dc:creator>
				<category><![CDATA[Financial Services]]></category>
		<category><![CDATA[Online Communities]]></category>
		<category><![CDATA[Online Gambling]]></category>
		<category><![CDATA[Online Gaming]]></category>
		<category><![CDATA[Online Retail]]></category>
		<category><![CDATA[botnet]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[device fingerprint]]></category>
		<category><![CDATA[device reputation]]></category>
		<category><![CDATA[fraud detection]]></category>
		<category><![CDATA[Online Fraud]]></category>

		<guid isPermaLink="false">http://blog.iovation.com/?p=190</guid>
		<description><![CDATA[Richi Jennings at ComputerWorld has a nice summary of blogs and articles on the activation of the Conficker botnet that is going to provide new avenues for online fraud. What began as a mass worm infection has now moved into the serious business of establishing a botnet that can be used for black market commerce. [...]]]></description>
			<content:encoded><![CDATA[<p>Richi Jennings at ComputerWorld has a nice summary of blogs and articles on the activation of the <a href="http://blogs.computerworld.com/conficker_botnet_wakes_up_and_smells_the_coffee" target="_blank">Conficker botnet</a> that is going to provide new avenues for online fraud. What began as a mass worm infection has now moved into the serious business of establishing a botnet that can be used for black market commerce.</p>
<p>This is a good example of the way that <a href="http://blog.iovation.com/2009/04/08/2009-online-fraud-trend-podcast-from-rsa/" target="_blank">Fraud as a Service</a> is enabled, which I talked about in my previous blog post. Now that Conficker has established a botnet, it can be used for a variety of ends. Here are a few to consider:</p>
<ul>
<li><strong>Spam distribution</strong> &#8211; many of this morning&#8217;s articles have focused on the first use of this botnet to distribute spam. Spam can be for illegal services or can also be links to phishing sites.</li>
<li><strong>Identity theft</strong> &#8211; any botnet or trojan horse can simply be used to steal and transmit personal information. The way it generally works is that the user&#8217;s online web activity is monitored to capture user IDs and passwords from targeted sites like online banks, massively-multiplayer online games (MMOs), or commerce sites. That stolen data is then transmitted back to the scammer&#8217;s database.</li>
<li><strong>Hosting phishing websites or download sites</strong> &#8211; Many times individuals&#8217; PCs can be turned into hosting sites for phishing websites or illegal data download sites.</li>
</ul>
<p>Botnets continue to be a big problem and are an important part of online criminal activity. Certainly individuals need to ensure their anti-virus software is up to date, and the industry needs to take steps to make account takeover more difficult through more common use of authentication tokens, and to make personal information less valuable online through the use of other fraud detection techniques like device fingerprinting and device reputation.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.iovation.com/2009/04/10/conficker-starts-up-botnet-to-enable-online-fraud/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

