Methods and systems for analyzing data related to possible online fraud

US 20060069697A1
Filed: 11/23/2004
Published: 03/30/2006
Est. Priority Date: 05/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:

a computer accessing a set of data related to the web site;

the computer dividing the set of data into a plurality of components;

analyzing at least some of the plurality of components;

assigning a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;

assigning a composite score to the set of data, the composite score being based on the plurality of scores; and

based on the composite score, categorizing the web site as a possibly fraudulent web site.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention provide methods, systems and software for analyzing data. In particular embodiments, for example, a set of data about a web site may be analyzed to determine whether the web site is likely to be illegitimate (e.g., to be involved in a fraudulent scheme, such as a phishing scheme, the sale of gray market goods, etc.). In an exemplary embodiment, a set of data may be divided into a plurality of components (each of which, in some cases, may be considered a separate data set). Merely by way of example, a set of data may comprise data gathered from a plurality of data sources, and/or each component may comprise data gathered from one of the plurality of data sources. As another example, a set of data may comprise a document with a plurality of sections, and each component may comprise one of the plurality of sections. Those skilled in the art will appreciate that the analysis of a particular component may comprise certain tests and/or evaluations, and that the analysis of another component may comprise different tests and/or evaluations. In other cases, the analysis of each component may comprise similar tests and/or evaluations. The variety of tests and/or evaluations generally will be implementation specific.

Citations

81 Claims

1. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:
- a computer accessing a set of data related to the web site;
  
  the computer dividing the set of data into a plurality of components;
  
  analyzing at least some of the plurality of components;
  
  assigning a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;
  
  assigning a composite score to the set of data, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorizing the web site as a possibly fraudulent web site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises a newsgroup posting.
  - 3. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises a web page.
  - 4. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises a transcript from an Internet chat session.
  - 5. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises an email message.
  - 6. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 5, wherein the plurality of components comprises:
    - a header portion of the email message;
      
      a body portion of the email message; and
      
      a uniform resource locator (“
      
      URL”
      
      ) incorporated within the body portion of the email message, the URL referring to a web site.
  - 7. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 5, wherein accessing the set of data comprises receiving the email message.
  - 8. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises data about a domain associated with the web site.
  - 9. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 8, wherein accessing the set of data comprises accessing a domain registration in a zone file.
  - 10. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 8, wherein the plurality of components comprises an Internet Protocol (“
    - IP”
      
      ) address associated with the web site; and
      
      wherein analyzing at least some of the plurality of components comprises;
      
      identifying a domain associated with the web site;
      
      identifying an Internet Protocol (“
      
      IP”
      
      ) block assigned to the domain; and
      
      comparing the IP address with the IP block assigned to the domain.
  - 11. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises a set of data about a server hosting the web site.
  - 12. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 11, wherein accessing the set of data comprises interrogating the web site.
  - 13. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 1, wherein the set of data comprises a set of data about a uniform resource locator (“
    - URL”
      
      ) referencing the web site.

14. A method of categorizing an email message, the method comprising:
- a computer dividing the email message into a plurality of components;
  
  the computer analyzing at least one of the plurality of components;
  
  based on the analysis of the at least one of the plurality of components, assigning a score to the at least one of the plurality of components; and
  
  categorizing the email message based on the score assigned to the at least one of the plurality of components
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. A method of categorizing an email message as recited in claim 14, further comprising:
    - the computer analyzing each of the plurality of components;
      
      for each of the plurality of components, the computer assigning a score to the component, the score being based on the analysis of the component; and
      
      assigning a composite score to the email message based on the scores assigned to each of the plurality of the components;
      
      wherein categorizing the email message comprises categorizing the email message based on the composite score.
  - 16. A method of categorizing an email message as recited in claim 14, wherein the email message comprises a header portion, a body portion and a uniform resource locator (“
    - URL”
      
      ) referencing a web site, the method further comprising;
      
      analyzing the header portion; and
      
      assigning a score to the header portion.
  - 17. A method of categorizing an email message as recited in claim 16, the method further comprising:
    - analyzing the body portion; and
      
      assigning a score to the body portion.
  - 18. A method of categorizing an email message as recited in claim 17, wherein the steps of analyzing the body portion and assigning a score to the body portion are performed only if the score assigned to the header portion exceeds a certain threshold score.
  - 19. A method of categorizing an email message as recited in claim 17, the method further comprising:
    - analyzing the URL; and
      
      assigning a score to the URL.
  - 20. A method of categorizing an email message as recited in claim 19, wherein the steps of analyzing the URL and assigning a score to the URL are performed only if the score assigned to the body portion exceeds a certain threshold score.
  - 21. A method of categorizing an email message as recited in claim 19, wherein analyzing the URL comprises interrogating a server hosting a web site referenced by the URL.
  - 22. A method of categorizing an email message as recited in claim 19, the method further comprising:
    - assigning a combined score to the header portion and the body portion, the combined score being based on the score assigned to the header portion and the score assigned to the body portion;
      
      wherein the steps of analyzing the URL and assigning a score to the URL are performed only if the combined score assigned to the body portion exceeds a certain threshold score.
  - 23. A method of categorizing an email message as recited in claim 19, the method further comprising:
    - assigning a composite score to the email message, the composite score being based on the score assigned to the header portion, the score assigned to the body portion and the score assigned to the URL; and
      
      categorizing the message based on the composite score.
  - 24. A method of categorizing an email message as recited in claim 14, categorizing the email message comprises categorizing the email message as being involved in a phishing scam.
  - 25. A method of categorizing an email message as recited in claim 14, categorizing the email message comprises categorizing the email message categorizing the email message as improperly using a trademark

26. A method of categorizing a web site, the method comprising:
- a computer performing a plurality of tests on the web site;
  
  the computer assigning a score based on each of the plurality of tests;
  
  the computer assigning a composite score to the web site based on the scores for each of the plurality of tests; and
  
  the computer categorizing the web site based on the composite score.
- View Dependent Claims (27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 27. A method of categorizing a web site as recited in claim 26, wherein at least one of the plurality of tests relates to a uniform resource locator referencing the web site.
  - 28. A method of categorizing a web site as recited in claim 26, wherein at least one of the plurality of tests relates to the content of the web site.
  - 29. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - analyzing a set of WHOIS information for a domain associated with the web site.
  - 30. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - searching a source of anti-abuse information for information about the web site.
  - 31. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - determining the geographical location of a server hosting the web site.
  - 32. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - assessing whether a server hosting the web site implements secured protocols.
  - 33. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - verifying a set of active ports on a server hosting the web site.
  - 34. A method of categorizing a web site as recited in claim 26, wherein performing a plurality of tests comprises:
    - downloading a web page from the web site.
  - 35. A method of categorizing a web site as recited in claim 34, wherein performing a plurality of tests comprises:
    - analyzing the web page to determine whether the web page implements an online form.
  - 36. A method of categorizing a web site as recited in claim 35, wherein performing a plurality of tests comprises:
    - analyzing an online form to determine whether the online form requests personal information from a user.
  - 37. A method of categorizing a web site as recited in claim 34, wherein performing a plurality of tests comprises:
    - analyzing the web page for errors in spelling or grammar.
  - 38. A method of categorizing a web site as recited in claim 34, wherein performing a plurality of tests comprises:
    - identifying a uniform resource locator (“
      
      URL”
      
      ) on the web page; and
      
      analyzing the identified URL to determine whether the identified URL references resources external to the web site.
  - 39. A method of categorizing a web site as recited in claim 38, wherein the resources external to the web site comprise a resource selected from a group consisting of an image hosted by a legitimate web site and a web page hosted by a legitimate web site.
  - 40. A method of categorizing a web site as recited in claim 34, wherein performing a plurality of tests comprises:
    - generating a representation of the web page.
  - 41. A method of categorizing a web site as recited in claim 40, wherein performing a plurality of tests comprises:
    - comparing the representation of the web page with a stored representation of a web page.
  - 42. A method of categorizing a web site as recited in claim 40, wherein the representation of the web site comprises a hash value calculated from the web page.
  - 43. A method of categorizing a web site as recited in claim 40, wherein the representation of the web site comprises a checksum calculated from the web page.

44. A method of categorizing a domain as a possibly illegitimate domain, the method comprising:
- a computer accessing a domain registration record associated with the domain;
  
  performing a plurality of tests with respect to the domain;
  
  for each of the plurality of tests, assigning a score to the domain, such that a plurality of scores are assigned to the domain;
  
  assigning a composite score to the domain, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorizing the domain as a possibly illegitimate domain.
- View Dependent Claims (45, 46, 47, 48, 49, 50, 51)
- - 45. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests comprises performing at least one test on a server hosting a web site associated with the domain.
  - 46. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests comprises:
    - identifying a web site associated with the domain;
      
      identifying an Internet Protocol (“
      
      IP”
      
      ) address associated with the web site;
      
      identifying an IP block assigned to the domain; and
      
      comparing the IP address with the IP block assigned to the domain.
  - 47. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests with respect to the domain comprises evaluating an owner of the domain.
  - 48. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 47, wherein performing a plurality of tests with respect to the domain comprises comparing an owner of the domain with an owner of a trademark similar to a name of the domain.
  - 49. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests with respect to the domain comprises evaluating a set of WHOIS information associated with the domain.
  - 50. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests with respect to the domain comprises evaluating a set of domain name system (“
    - DNS”
      
      ) information associated with the domain.
  - 51. A method of categorizing a domain as a possibly illegitimate domain as recited in claim 44, wherein performing a plurality of tests with respect to the domain comprises analyzing a web site associated with the domain.

52. A method of categorizing a web site as a possibly fraudulent web site, the method comprising:
- identifying a uniform resource locator (“
  
  URL”
  
  ) referencing a web site;
  
  (a) a computer verifying that the web site referenced by the URL is active;
  
  (b) a computer analyzing information about a domain referenced by the URL;
  
  (c) a computer analyzing the format of the URL; and
  
  based on a result of each of (a), (b) and (c), categorizing the web site referenced by the URL as a possibly fraudulent web site.
- View Dependent Claims (53, 54, 55, 56, 57, 58)
- - 53. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, wherein analyzing information about a domain referenced by the URL comprises:
    - accessing a set of domain name system (“
      
      DNS”
      
      ) information about the domain; and
      
      analyzing the set of DNS information.
  - 54. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, wherein analyzing information about a domain referenced by the URL comprises:
    - accessing a set of WHOIS information about the domain; and
      
      analyzing the set of WHOIS information.
  - 55. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, wherein the URL comprises a directory path, and wherein analyzing the format of the URL comprises:
    - evaluating the directory path.
  - 56. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, wherein analyzing the format of the URL comprises:
    - evaluating an encoding format of the URL.
  - 57. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, the method further comprising:
    - determining a geographical location of a server hosting the web site referenced by the URL.
  - 58. A method of categorizing a web site as a possibly fraudulent web site as recited in claim 52, wherein categorizing the web site referenced by the URL as a possibly fraudulent web site comprises:
    - assigning a first score to the URL based on a result of (a);
      
      assigning a second score to the URL based on a result of (b);
      
      assigning a third score to the URL based on a result of (c);
      
      assigning a composite score to the URL based on the first score, the second score and the third score; and
      
      categorizing the web site referenced by the URL based on the composite score.

59. A method of categorizing a web site as a possibly fraudulent web site, wherein the web site comprises a web page, the method comprising:
- a computer analyzing a uniform resource locator (“
  
  URL”
  
  ) referencing the web site;
  
  a computer analyzing a server hosting the web site;
  
  analyzing the web page; and
  
  based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorizing the web site as a possibly fraudulent web site.
- View Dependent Claims (60, 61, 62, 63)
- - 60. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 59, wherein analyzing a URL referencing the web site comprises:
    - verifying that the web site referenced by the URL is active;
      
      analyzing information about a domain referenced by the URL; and
      
      analyzing the format of the URL.
  - 61. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 59, wherein analyzing a server hosting the web site comprises at least one of:
    - analyzing a set of WHOIS information for a domain associated with the web site;
      
      determining the geographical location of a server hosting the web site;
      
      assessing whether a server hosting the web site implements secured protocols; and
      
      verifying a set of active ports on a server hosting the web site.
  - 62. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 59, wherein analyzing the web page comprises:
    - downloading the web page.
  - 63. A method of categorizing a web site as a possibly fraudulent web site, as recited in claim 62, wherein analyzing the web page further comprises at least one of:
    - analyzing the web page to determine whether the web page implements an online form;
      
      analyzing an online form incorporated in the web page to determine whether the online form requests personal information from a user;
      
      analyzing the web page for errors in spelling or grammar;
      
      analyzing a uniform resource locator (“
      
      URL”
      
      ) incorporated in the web page to determine whether the identified URL references resources external to the web site; and
      
      comparing a representation of the web page with a stored representation of a web page.

64. A computer system for categorizing a web site as a possibly fraudulent web site, the computer system comprising a processor and instructions executable by the processor to:
- access a set of data related to the web site;
  
  divide the set of data into a plurality of components;
  
  analyze at least some of the plurality of components;
  
  assign a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;
  
  assign a composite score to the set of data, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorize the web site as a possibly fraudulent web site.

65. A computer system for categorizing an email message, the computer system comprising a processor and instructions executable by the processor to:
- divide the email message into a plurality of components;
  
  analyze at least one of the plurality of components;
  
  based on the analysis of the at least one of the plurality of components, assign a score to the at least one of the plurality of components; and
  
  categorize the email message based on the score assigned to the at least one of the plurality of components.

66. A computer system for categorizing a web site, the computer system comprising a processor and instructions executable by the processor to:
- perform a plurality of tests on the web site;
  
  assign a score to each of the plurality of tests;
  
  assign a composite score to the web site based on the scores for each of the plurality of tests; and
  
  categorize the web site based on the composite score.

67. A computer system for categorizing a domain as a possibly illegitimate domain, the computer system comprising a processor and instructions executable by the processor to:
- access a domain registration;
  
  perform a plurality of tests with respect to the domain;
  
  for each of the plurality of tests, assign a score to the domain, such that a plurality of scores are assigned to the domain;
  
  assign a composite score to the domain, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorize the domain as a possibly illegitimate domain.

68. A computer system for categorizing a web site as a possibly fraudulent web site, the computer system comprising a processor and instructions executable by the processor to:
- identify a uniform resource locator (“
  
  URL”
  
  ) referencing a web site;
  
  (a) verify that the web site referenced by the URL is active;
  
  (b) analyze information about a domain referenced by the URL;
  
  (c) analyze the format of the URL; and
  
  based on a result of each of (a), (b) and (c), categorize the web site referenced by the URL as a possibly fraudulent web site.

69. A computer system for categorizing a web site as a possibly fraudulent web site, wherein the web site comprises a web page, the computer system comprising a processor and instructions executable by the processor to:
- analyze a uniform resource locator (“
  
  URL”
  
  ) referencing the web site;
  
  analyze a server hosting the web site;
  
  analyze the web page; and
  
  based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorize the web site as a possibly fraudulent web site.

70. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- access a set of data related to a web site;
  
  divide the set of data into a plurality of components;
  
  analyze at least some of the plurality of components;
  
  assign a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;
  
  assign a composite score to the set of data, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorize the web site as a possibly fraudulent web site.

71. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- divide an email message into a plurality of components;
  
  analyze at least one of the plurality of components;
  
  based on the analysis of the at least one of the plurality of components, assign a score to the at least one of the plurality of components; and
  
  categorize the email message based on the score assigned to the at least one of the plurality of components.

72. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- perform a plurality of tests on a web site;
  
  assign a score to each of the plurality of tests;
  
  assign a composite score to the web site based on the scores for each of the plurality of tests; and
  
  categorize the web site based on the composite score.

73. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- access a domain registration;
  
  perform a plurality of tests with respect to a domain associated with the domain registration;
  
  for each of the plurality of tests, assign a score to the domain, such that a plurality of scores are assigned to the domain;
  
  assign a composite score to the domain, the composite score being based on the plurality of scores; and
  
  based on the composite score, categorize the domain as a possibly illegitimate domain.

74. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- identify a uniform resource locator (“
  
  URL”
  
  ) referencing a web site;
  
  (a) verify that the web site referenced by the URL is active;
  
  (b) analyze information about a domain referenced by the URL;
  
  (c) analyze the format of the URL; and
  
  based on a result of each of (a), (b) and (c), categorize the web site referenced by the URL as a possibly fraudulent web site.

75. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- analyze a uniform resource locator (“
  
  URL”
  
  ) referencing a web site, wherein the web site comprises a web page;
  
  analyze a server hosting the web site;
  
  analyze the web page; and
  
  based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, categorize the web site as a possibly fraudulent web site.

76. A system, comprising:
- means for accessing a set of data related to a web site;
  
  means for dividing the set of data into a plurality of components;
  
  means for analyzing at least some of the plurality of components;
  
  means for assigning a score to each of the analyzed components, the score being based on an analysis of each of the analyzed components, such that a plurality of scores are assigned;
  
  means for assigning a composite score to the set of data, the composite score being based on the plurality of scores; and
  
  based on the composite score, means for categorizing the web site as a possibly fraudulent web site.

77. A system, comprising:
- means for dividing an email message into a plurality of components;
  
  means for analyzing at least one of the plurality of components;
  
  based on the analysis of the at least one of the plurality of components, means for assigning a score to the at least one of the plurality of components; and
  
  means for categorizing the email message based on the score assigned to the at least one of the plurality of components.

78. A system, comprising:
- means for performing a plurality of tests on a web site;
  
  means for assigning a score to each of the plurality of tests;
  
  means for assigning a composite score to the web site based on the scores for each of the plurality of tests; and
  
  means for categorizing the web site based on the composite score.

79. A system, comprising:
- means for accessing a domain registration;
  
  means for performing a plurality of tests with respect to a domain associated with the domain registration;
  
  for each of the plurality of tests, means for assigning a score to the domain, such that a plurality of scores are assigned to the domain;
  
  means for assigning a composite score to the domain, the composite score being based on the plurality of scores; and
  
  based on the composite score, means for categorizing the domain as a possibly illegitimate domain.

80. A system, comprising:
- means for identify a uniform resource locator (“
  
  URL”
  
  ) referencing a web site;
  
  means for (a) verifying that the web site referenced by the URL is active;
  
  means for (b) analyzing information about a domain referenced by the URL;
  
  means for (c) analyzing the format of the URL; and
  
  based on a result of each of (a), (b) and (c), means for categorizing the web site referenced by the URL as a possibly fraudulent web site.

81. A system, comprising:
- means for analyzing a uniform resource locator (“
  
  URL”
  
  ) referencing a web site, wherein the web site comprises a web page;
  
  means for analyzing a server hosting the web site;
  
  means for analyzing the web page; and
  
  based on the analysis of the URL referencing the web site, the analysis of the server hosting the web site, and the analysis of the web page, means for categorizing the web site as a possibly fraudulent web site.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Opsec Online Limited
Original Assignee
MarkMonitor Inc.
Inventors
Shull, Mark, Shraim, Ihab

Granted Patent

US 7,457,823 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/1813   for computer conferences, e...

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99948   Application of database or ...

Methods and systems for analyzing data related to possible online fraud

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

81 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for analyzing data related to possible online fraud

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

81 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links