Detecting fraudulent activity by analysis of information requests

US 7,984,500 B1
Filed: 10/05/2006
Issued: 07/19/2011
Est. Priority Date: 10/05/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for a computing system of an online merchant to automatically inhibit attempts by phishers to fraudulently obtain access to information about customers of the online merchant, the method comprising:

receiving a request from a Web browser of a customer of the online merchant for information that is available from a Web site of the online merchant, the request being initiated based on selection by the customer of a link on a Web page that is provided by a third-party entity unaffiliated with the online merchant, the received request including information about the Web page provided by the third-party entity, the third-party entity being a phisher providing a fraudulent Web site with one or more Web pages intended to replicate portions of the Web site of the online merchant, and wherein the phisher directs customers of the online merchant to the fraudulent Web site via electronic communications sent to the customers, wherein the Web page with the link selected by the customer is one of the one or more Web pages of the fraudulent Web site, wherein the fraudulent Web site does not replicate all of the Web site of the online merchant, and wherein the selected link indicates a Web page from the Web site of the online merchant that is not replicated on the fraudulent Web site, so that customers interacting with the fraudulent Web site may use the link to switch to interacting with the Web site of the online merchant without realizing that the fraudulent Web site is not part of the Web site of the online merchant;

automatically analyzing the information about the Web page provided by the third-party entity that is included in the request in order to determine whether inclusion of the link on that Web page is likely to reflect fraudulent activities by the third-party entity that include phishing for information about the customers of the online merchant, the analyzing including applying multiple fraud assessment tests to the included information about the Web page and computing a fraud assessment score for the Web page based on the applied fraud assessment tests;

automatically determining that the third-party entity is likely to be a phisher engaged in fraudulent activities based at least in part on the computed fraud assessment score exceeding a predetermined fraudulence threshold; and

in response to the determination that the third-party entity is likely to be a phisher, automatically taking one or more actions to inhibit additional fraudulent activities by the third-party entity.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for use in inhibiting attempts to fraudulently obtain access to confidential information about users. In some situations, the techniques involve automatically analyzing at least some requests for information that are received by a Web site or other electronic information service, such as to determine whether they likely reflect fraudulent activities by the request senders or other parties that initiate the requests. For example, if a request is being made to a Web site based on a user'"'"'s interaction with a third-party information source (e.g., another unaffiliated Web site) that is not authorized to initiate the request, the third-party information source may be a fraudulent phishing site or engaging in other types of fraudulent activity. If fraudulent activity is suspected based on analysis of one or more information requests, one or more actions may be taken to inhibit the fraudulent activity.

Citations

42 Claims

1. A method for a computing system of an online merchant to automatically inhibit attempts by phishers to fraudulently obtain access to information about customers of the online merchant, the method comprising:
- receiving a request from a Web browser of a customer of the online merchant for information that is available from a Web site of the online merchant, the request being initiated based on selection by the customer of a link on a Web page that is provided by a third-party entity unaffiliated with the online merchant, the received request including information about the Web page provided by the third-party entity, the third-party entity being a phisher providing a fraudulent Web site with one or more Web pages intended to replicate portions of the Web site of the online merchant, and wherein the phisher directs customers of the online merchant to the fraudulent Web site via electronic communications sent to the customers, wherein the Web page with the link selected by the customer is one of the one or more Web pages of the fraudulent Web site, wherein the fraudulent Web site does not replicate all of the Web site of the online merchant, and wherein the selected link indicates a Web page from the Web site of the online merchant that is not replicated on the fraudulent Web site, so that customers interacting with the fraudulent Web site may use the link to switch to interacting with the Web site of the online merchant without realizing that the fraudulent Web site is not part of the Web site of the online merchant;
  
  automatically analyzing the information about the Web page provided by the third-party entity that is included in the request in order to determine whether inclusion of the link on that Web page is likely to reflect fraudulent activities by the third-party entity that include phishing for information about the customers of the online merchant, the analyzing including applying multiple fraud assessment tests to the included information about the Web page and computing a fraud assessment score for the Web page based on the applied fraud assessment tests;
  
  automatically determining that the third-party entity is likely to be a phisher engaged in fraudulent activities based at least in part on the computed fraud assessment score exceeding a predetermined fraudulence threshold; and
  
  in response to the determination that the third-party entity is likely to be a phisher, automatically taking one or more actions to inhibit additional fraudulent activities by the third-party entity.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the one or more Web pages of the fraudulent Web site replicate portions of the Web site of the online merchant in which customers are prompted to specify information used to obtain access to accounts of the customers with the online merchant.
  - 3. The method of claim 1 wherein, before the providing of the fraudulent Web site, the phisher makes one or more requests for information from the Web site of the online merchant in order to obtain information for use in creating the fraudulent Web site, and wherein the method further comprises automatically assessing the one or more requests from the phisher in order to determine whether the one or more requests are likely to reflect a precursor to later fraudulent activities that include phishing.
  - 4. The method of claim 1 wherein the information about the Web page provided by the third-party entity that is included in the request includes an absolute URL provided in an HTTP referer field as part of the request, the absolute URL including a domain name of the fraudulent Web site and a host path corresponding to the Web page provided by the third-party entity that includes the link, and wherein the multiple fraud assessment tests include at least one test regarding content of the domain name, at least one test regarding content of the host path, and at least one test regarding one or more keywords present in any part of the absolute URL.
  - 5. The method of claim 1 wherein the automatic analyzing of the information about the Web page provided by the third-party entity further includes determining whether the third-party entity is one of multiple predetermined authorized entities, and wherein the applying of the multiple fraud assessment tests is performed only if the third-party entity is not determined to be one of the multiple predetermined authorized entities.
  - 6. The method of claim 1 wherein the taking of the one or more actions to inhibit additional fraudulent activities by the third-party entity includes at least one of initiating a shutdown of availability of the Web page provided by the third-party entity that includes the link, of temporarily freezing the account of the customer to prevent access to confidential information that would otherwise be accessible via the account, and of notifying the customer to suspend use of any financial instruments of the customer whose information is stored with the account.
  - 7. The method of claim 1 wherein the automatic analyzing is further performed for each of multiple received requests for information from multiple customers so as to, for each of the multiple requests, analyze information about a Web page of a third-party entity from which a link is selected to initiate the request to the Web site of the online merchant, and wherein the method further comprises fulfilling the received requests for information that are not initiated by Web pages of third-party entities that are determined to be likely to be phishers.

8. A computer-implemented method for a Web site to automatically inhibit attempts to fraudulently obtain access to information about users of the Web site, the method comprising:
- receiving one or more first requests from a party that is unrelated to a provider of the Web site and that is gathering information from the Web site for use in creating an unauthorized information source that replicates at least portions of the Web site;
  
  automatically assessing the received one or more first requests to determine whether the party making the one or more other requests is suspect;
  
  after the receiving of the one or more first requests, receiving multiple requests from multiple users for information available from the Web site, at least some of the requests being from users that have accounts with the Web site, and each of the at least some requests including an indication of a third-party information source with which the user was interacting to initiate the request, and wherein the created unauthorized information source is the third-party information source for at least some of the received multiple requests; and
  
  for each of one or more of the at least some requests, assessing the request by,automatically assessing the third-party information source indicated in the request by applying multiple fraud assessment tests and by computing a fraud assessment score for the third-party information source based on the applied fraud assessment tests;
  
  automatically determining whether the third-party information source indicated in the request is suspect based at least in part on whether the computed fraud assessment score for the third-party information source exceeds a fraudulence threshold selected for the request and based in part on the automatic assessing of the received one or more first requests; and
  
  if it is determined that the third-party information source indicated in the request is suspect, taking one or more actions to inhibit fraudulent activities by the third-party information source.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 9. The method of claim 8 wherein the Web site is a first site, and wherein, for one of the one or more requests, the third-party information source is a second third-party Web site with which the user for the one request was interacting to initiate the one request, the interacting including selecting a link on a Web page of the second Web site that directs a Web browser of the user to request indicated information from the first Web site as part of the one request.
  - 10. The method of claim 9 wherein the second Web site is a fraudulent site that resembles the first Web site in order to attempt to obtain information about users that have accounts with the first Web site.
  - 11. The method of claim 10 wherein the second Web site includes one or more Web pages to prompt users to enter login information corresponding to accounts on the first Web site.
  - 12. The method of claim 10 wherein the second Web site includes one or more Web pages to prompt users to access information corresponding to accounts on the first Web site.
  - 13. The method of claim 9 wherein the second Web site includes one or more Web pages to prompt users to enter confidential information predicated on trust of the users in the first Web site.
  - 14. The method of claim 9 wherein the second Web site includes one or more Web pages to prompt users to enter information about financial accounts of the users.
  - 15. The method of claim 9 wherein the indication of the third-party information source for the one request is an indication sent by the Web browser of the user to the first Web site that includes a domain name of the second Web site.
  - 16. The method of claim 15 wherein the indication sent by the Web browser of the user to the first Web site further includes an absolute URL specific to the Web page of the second Web site.
  - 17. The method of claim 15 wherein the indication sent by the Web browser of the user to the first Web site is part of an HTTP referer field.
  - 18. The method of claim 8 wherein the Web site is a first site, wherein the third-party information source for one of the one or more requests provides a second third-party Web site with which the user for the one request was interacting to initiate the one request, the second Web site including one or more Web pages that fraudulently mimic at least portions of the first Web site in order to deceive the user for the one request into believing that the user was interacting with the first Web site, and wherein the third-party information source is automatically determined to be suspect for the one request.
  - 19. The method of claim 8 wherein the Web site is a first site, wherein the third-party information source for one of the one or more requests includes a Web page with which the user for the one request was interacting by selecting a link on the Web page that directs a Web browser of the user to request indicated information from the first Web site as part of the one request, wherein the third-party information source is not authorized to include the link on the Web page, and wherein the third-party information source is automatically determined to be suspect for the one request.
  - 20. The method of claim 8 further comprising selecting the one or more of the at least some requests to be automatically assessed based on information specific to those one or more requests.
  - 21. The method of claim 20 wherein the selecting of the one or more requests includes excluding some of the at least some requests from the assessing of the one or more requests based on the third-party information sources indicated for those excluded requests being previously determined to be authorized to perform those excluded requests.
  - 22. The method of claim 8 wherein, for one of the one or more requests, the applying of at least some of the multiple fraud assessment tests to assess the third-party information source indicated in the one request includes analyzing information related to the one request other than the indication of the third-party information source included in the one request.
  - 23. The method of claim 8 wherein, for one of the one or more requests, the applying of at least some of the multiple fraud assessment tests to assess the third-party information source indicated in the one request includes analyzing the indication of the third-party information source included in the one request.
  - 24. The method of claim 23 wherein the indication of the third-party information source for the one source includes multiple portions, and wherein the multiple fraud assessment tests applied to assess the third-party information source indicated in the one request include at least one fraud assessment test to assess each of multiple of the portions of the third-party information source indication for the one source.
  - 25. The method of claim 8 wherein, for one of the one or more requests, the computing of the fraud assessment score for the third-party information source indicated in the one request is performed in a weighted manner so as to reflect a weight for each of the fraud assessment tests.
  - 26. The method of claim 8 wherein, for one of the one or more requests, the fraudulence threshold selected for the request is a predetermined threshold used for other of the one or more requests.
  - 27. The method of claim 8 wherein, for each at least one of the one or more requests, the applying of the multiple fraud assessment tests for the third-party information source indicated in the request is performed in such a manner as to reflect previous applications of fraud assessment tests for other third-party information sources.
  - 28. The method of claim 8 wherein, for one of the one or more requests, the automatic assessing of the third-party information source indicated in the one request includes identifying multiple requests from multiple users that each indicate the third-party information source and performing the assessing of the third-party information source for the one request based at least in part on the multiple requests.
  - 29. The method of claim 8 wherein, for one of the one or more requests, the automatic assessing of the third-party information source indicated in the one request includes identifying multiple other requests that each indicate a third-party information source similar to the third-party information source indicated in the one request and performing the assessing of the third-party information source for the one request based at least in part on a pattern identified for the multiple requests.
  - 30. The method of claim 8 wherein, for one of the one or more requests, the automatic assessing of the third-party information source indicated in the one request includes automatically gathering additional information about that third-party information source and performing the assessing of the third-party information source for the one request based at least in part on the gathered additional information.
  - 31. The method of claim 8 wherein, for one of the one or more requests, the third-party information source indicated in the one request is determined to be suspect, and the taking of the one or more actions to inhibit fraudulent activities by the third-party information source indicated in the one request includes initiating a shutdown of the third-party information source.
  - 32. The method of claim 8 wherein, for one of the one or more requests, the third-party information source indicated in the one request is determined to be suspect, and the taking of the one or more actions to inhibit fraudulent activities by the third-party information source indicated in the one request includes suspending use of the account for the user from whom the one request was received.
  - 33. The method of claim 8 wherein, for one of the one or more requests, the third-party information source indicated in the one request is determined to be suspect, and the taking of the one or more actions to inhibit fraudulent activities by the third-party information source indicated in the one request includes notifying the user from whom the one request was received that confidential information regarding the user may no longer be secure.
  - 34. The method of claim 8 wherein, for one of the one or more requests, the third-party information source indicated in the one request is determined to be suspect, and the taking of the one or more actions to inhibit fraudulent activities by the third-party information source indicated in the one request includes providing information about the third-party information source for further manual review.

35. A computer-readable storage medium whose contents include instructions that when executed configure a computing device to automatically inhibit attempts to obtain unauthorized access to information about users, by performing a method comprising:
- receiving a request from a user for information available from an electronic information service, the user having stored confidential information that is available from the electronic information service, the request including an indication of a third-party information source that facilitated the request;
  
  automatically assessing the received request based at least in part on the indication of the third-party information source, the assessing including generating an assessment of whether the received request reflects activities of a party other than the user to obtain unauthorized access to information about users of the electronic information service, and wherein the other party provides the third-party information source and is performing fraudulent activities to acquire information about the user so that the acquired information will allow the other party to obtain the unauthorized access to the stored confidential information available from the electronic information service; and
  
  if the assessment of the received request is that the request reflects activities of the other party to obtain unauthorized access to information about users of the electronic information service, providing information about the other party and/or the third-party information source for use in one or more activities to inhibit the other party from obtaining the unauthorized access to the information about the users of the electronic information service.
- View Dependent Claims (36, 37, 38, 39)
- - 36. The computer-readable storage medium of claim 35 wherein the user is one of multiple users of the electronic information service, wherein the performed fraudulent activities are phishing activities, and wherein the providing of the information about the other party and/or the third-party information source includes initiating the one or more activities to inhibit the other party from obtaining the unauthorized access to the information about the users of the electronic information service.
  - 37. The computer-readable storage medium of claim 36 wherein the electronic information source includes a first group of one or more Web pages, wherein the third-party information source includes a distinct second group of one or more other Web pages provided by the other party to fraudulently mimic at least one Web page of the first group, and wherein the indication of the third-party information source includes an indication of a URL associated with at least one of the other Web pages of the second group.
  - 38. The computer-readable storage medium of claim 35 wherein the automatically assessing of the received request includes applying one or more fraud assessment tests and generating a fraud assessment score for the third-party information source based at least in part on the applied fraud assessment tests.
  - 39. The computer-readable storage medium of claim 35 wherein the computer-readable medium is a memory of the computing device.

40. A computing device configured to automatically inhibit attempts to obtain unauthorized access to information about users, comprising:
- a memory; and
  
  a fraudulent activity detector system configured to analyze multiple requests that each are for available information from an information service on behalf of a user and that each indicate a third-party information source that facilitated the request by, for each of the multiple requests,automatically assessing the third-party information source indicated in the received request so as to determine whether the third-party information source is engaged in fraudulent activities to obtain unauthorized access to information about the user on whose behalf the request is made, the assessing including applying at least one fraud assessment test; and
  
  if the assessment of the third-party information source indicates that the third-party information source is sufficiently likely to be engaged in the fraudulent activities, initiating one or more actions to inhibit the fraudulent activities by the third-party information source,and wherein, for at least some of the multiple requests, the user on whose behalf the request is made is one of multiple users that have stored confidential information available from the information service, the third-party information source indicated in the request is engaged in phishing to fraudulently acquire information about the user, and the indication of the third-party information source in the request includes an electronic address associated with the third-party information source.
- View Dependent Claims (41, 42)
- - 41. The computing device of claim 40 wherein the fraudulent activity detector system includes instructions for execution in memory of the computing device.
  - 42. The computing device of claim 40 wherein the fraudulent activity detector system consists of a means for analyzing multiple requests that each are for available information from an information service on behalf of a user and that each indicate a third-party information source that facilitated the request by, for each of the multiple requests,automatically assessing the third-party information source indicated in the received request so as to determine whether the third-party information source is engaged in fraudulent activities to obtain unauthorized access to information about the user on whose behalf the request is made, the assessing including applying at least one fraud assessment test;
    - andif the assessment of the third-party information source indicates that the third-party information source is sufficiently likely to be engaged in the fraudulent activities, initiating one or more actions to inhibit the fraudulent activities by the third-party information source.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Harding, Sean C., Khanna, Richendra
Primary Examiner(s)
Arani; Taghi T
Assistant Examiner(s)
LANE, GREGORY A

Application Number

US11/539,076
Time in Patent Office

1,748 Days
Field of Search

713/183, 709/225, 705/64, 726/22
US Class Current

726/22
CPC Class Codes

G06F 21/552   involving long-term monitor...

G06F 21/60   Protecting data

H04L 63/101   Access control lists [ACL]

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

Detecting fraudulent activity by analysis of information requests

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting fraudulent activity by analysis of information requests

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links