Customer-based detection of online fraud

US 20070299915A1
Filed: 11/23/2004
Published: 12/27/2007
Est. Priority Date: 05/02/2004
Status: Abandoned Application

First Claim

Patent Images

1. A device for detecting a possible online fraud, the device comprising a processor and instructions executable by the processor to:

receive an electronic message addressed to a legitimate business, the electronic message indicating that an original message could not be delivered to an intended addressee, wherein the original message purported to originate from the legitimate business; and

transfer at least a portion of the electronic message to a correlation engine for processing.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention provide devices, methods, systems and software for detecting, analyzing and/or responding to a fraudulent activity. In particular embodiments, an email message incoming to an organization may be analyzed to determine whether such messages are returned messages, which might indicate a delivery failure of an original message. Because the returned message is received by the organization, it may be likely that the original message purported to originate from the organization. If the original message did not in fact originate from the organization, that fact might indicate that the original message is part of a fraudulent activity. In such case, the fraudulent activity might be investigated, and/or a response to the fraudulent activity may be imitated and/or undertaken.

222 Citations

55 Claims

1. A device for detecting a possible online fraud, the device comprising a processor and instructions executable by the processor to:
- receive an electronic message addressed to a legitimate business, the electronic message indicating that an original message could not be delivered to an intended addressee, wherein the original message purported to originate from the legitimate business; and
  
  transfer at least a portion of the electronic message to a correlation engine for processing.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. A device as recited in claim 1, wherein the correlation engine is incorporated within the device.
  - 3. A device as recited in claim 1, wherein the device is located at the legitimate business.
  - 4. A device as recited in claim 1, wherein the device is in communication with an email system operated by the legitimate business.
  - 5. A device as recited in claim 1, wherein the original message purports to originate from the legitimate business.
  - 6. A device as recited in claim 1, wherein the electronic message comprises at least a portion of the original message.
  - 7. A device as recited in claim 6, wherein the portion of the original message comprises a uniform resource locator.
  - 8. A device as recited in claim 7, wherein the device is further configured to extract the uniform resource locator from the electronic message.
  - 9. A device as recited in claim 8, wherein the wherein the portion of the electronic message comprises the uniform resource locator.
  - 10. A device as recited in claim 1, wherein the portion of the electronic message comprises a header portion.

11. A system for detecting possible online fraud, the system comprising:
- a device comprising a processor and instructions executable by the processor to;
  
  receive an electronic message addressed to a legitimate business, the electronic message indicating that an original message could not be delivered to an intended addressee; and
  
  transfer at least a portion of the electronic message to a correlation engine for processing; and
  
  a correlation engine configured to;
  
  receive the portion of the electronic message; and
  
  analyze the portion of the electronic message to determine whether the original message comprises an attempt to engage in online fraud.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. A system for detecting possible online fraud as recited in claim 11, wherein the correlation engine is incorporated within a computer.
  - 13. A system for detecting possible online fraud as recited in claim 11, wherein the correlation engine is incorporated within the device.
  - 14. A system for detecting possible online fraud as recited in claim 11, wherein the correlation engine is operated by a security provider.
  - 15. A system for detecting possible online fraud as recited in claim 11, wherein the correlation engine is operated by the legitimate business.
  - 16. A system for detecting possible online fraud as recited in claim 11, wherein the portion of the electronic message comprises a uniform resource locator included with the original message, and wherein the correlation engine is further configured to investigate the uniform resource locator to determine whether the original message comprises an attempt to engage in online fraud.

17. A method of detecting online fraud, the method comprising:
- receiving an electronic message addressed to a legitimate business, the electronic message indicating that an original message could not be delivered to an intended addressee; and
  
  transferring at least a portion of the electronic message to a correlation engine for processing.
- View Dependent Claims (18)
- - 18. A method of detecting online fraud as recited in claim 17, the method further comprising:
    - receiving at the correlation engine the portion of the electronic message; and
      
      analyzing with the correlation engine the portion of the electronic message to determine whether the original message comprises an attempt to engage in online fraud.

19. A method of detecting online fraud, the method comprising:
- accessing, with a monitoring appliance, an electronic message received by an organization;
  
  identifying the electronic message as a return message indicating that an original message purportedly sent by the organization could not be delivered to an intended recipient of the original message;
  
  transferring the electronic message from the monitoring appliance to a correlation engine for analysis; and
  
  analyzing the electronic message with the correlation engine to determine whether the original message is part of an attempted online fraud.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46)
- - 20. A method of detecting online fraud as recited in claim 19, wherein accessing the electronic message comprises the monitoring appliance receiving an electronic message forwarded from an email system associated with the organization.
  - 21. A method of detecting online fraud as recited in claim 19, wherein accessing the electronic message comprises the monitoring appliance accessing a mail store maintained by an email system associated with the organization.
  - 22. A method of detecting online fraud as recited in claim 21, wherein the monitoring appliance is incorporated within the email system associated with the organization.
  - 23. A method of detecting online fraud as recited in claim 21, wherein the monitoring appliance is located at the organization.
  - 24. A method of detecting online fraud as recited in claim 19, wherein the correlation engine is incorporated within the monitoring appliance.
  - 25. A method of detecting online fraud as recited in claim 19, wherein the correlation engine is incorporated within a separate fraud prevention system maintained by a security provider.
  - 26. A method of detecting online fraud as recited in claim 19, wherein identifying the electronic message as a return message comprises analyzing a set of header information associated with the electronic message.
  - 27. A method of detecting online fraud as recited in claim 19, wherein identifying the electronic message as a return message comprises determining that the original message was not sent by the organization.
  - 28. A method of detecting online fraud as recited in claim 19, the method further comprising:
    - identifying the intended recipient of the original message; and
      
      obtaining an email address associated with the intended recipient of the original message.
  - 29. A method of detecting online fraud as recited in claim 28, the method further comprising:
    - planting the obtained email address in a location likely to generate unsolicited email messages.
  - 30. A method of detecting online fraud as recited in claim 19, the method further comprising:
    - accessing a log associated with an email system associated with the organization; and
      
      transferring a log entry to the correlation system for analysis.
  - 31. A method of detecting online fraud as recited in claim 30, wherein the log entry comprises the electronic message.
  - 32. A method of detecting online fraud as recited in claim 30, wherein accessing a log comprises receiving at the monitoring appliance a log entry forwarded from the email system.
  - 33. A method of detecting online fraud as recited in claim 19, wherein the electronic message is a plurality of electronic messages.
  - 34. A method of detecting online fraud as recited in claim 33, wherein the method further comprises compiling a summary message, the summary message comprising at least one relevant portion of each of the plurality of electronic messages;
    - wherein transferring the electronic message to a correlation engine for analysis comprises transferring the summary message to the correlation engine for analysis.
  - 35. A method of detecting online fraud as recited in claim 19, the method further comprising:
    - extracting at least one relevant portion of the electronic message;
      
      wherein transferring the electronic message to a correlation engine for analysis comprises transferring the at least one relevant portion of the electronic message to the correlation engine for analysis.
  - 36. A method of detecting online fraud as recited in claim 35, wherein the at least one relevant portion of the electronic message comprises a set of header information associated with the electronic message.
  - 37. A method of detecting online fraud as recited in claim 35, wherein the electronic message comprises at least a portion of the original message, and wherein the at least one relevant portion of the electronic message comprises the at least a portion of the original message.
  - 38. A method of detecting online fraud as recited in claim 37, wherein the at least a portion of the original message comprises a set of header information associated with the original message and a body portion of the original message, and wherein the body portion of the original message comprises a uniform resource locator (“
    - URL”
      
      ) referencing a web site.
  - 39. A method of detecting online fraud as recited in claim 38, wherein analyzing the electronic message with the correlation engine comprises:
    - parsing the portion of the original message to identify a header portion of the original message, a body portion of the original message, and a uniform resource locator portion of the original message;
      
      analyzing the header portion of the original message;
      
      analyzing the body portion of the original message;
      
      analyzing the uniform resource locator portion of the original message; and
      
      categorize the original message as a possibly fraudulent email message.
  - 40. A method of detecting online fraud as recited in claim 38, the method further comprising:
    - investigating the URL to determine whether the web site referenced by the URL is engaged in a fraudulent activity.
  - 41. A method of detecting online fraud as recited in claim 40, wherein investigating the URL comprises interrogating a server associated with the web site referenced by the URL.
  - 42. A method of detecting online fraud as recited in claim 41, wherein interrogating a server comprises:
    - downloading at least one web page from the server; and
      
      analyzing the at least one web page to determine whether the at least one web page comprises a field for allowing a user to provide personal information to the web site.
  - 43. A method of detecting online fraud as recited in claim 40, wherein investigating the URL comprises:
    - ascertaining an address associated with the web site;
      
      obtaining information about an address the URL appears to reference; and
      
      comparing the ascertained address associated with the information about the address the URL appears to reference.
  - 44. A method of detecting online fraud as recited in claim 40, wherein investigating the URL comprises:
    - investigating a domain associated with the web site.
  - 45. A method of detecting online fraud as recited in claim 44, wherein investigating a domain associated with the web site comprises:
    - obtaining (a) information about the domain associated with the web site;
      
      obtaining (b) information about an IP address hosting the web site; and
      
      comparing (a) with (b).
  - 46. A method of detecting online fraud as recited in claim 38, the method further comprising:
    - initiating a response against a web site referenced by the URL.

47. A system for detecting online fraud, the system comprising:
- a monitoring appliance configured to;
  
  access an electronic message received by an organization;
  
  identify the electronic message as a return message indicating that an original message purportedly sent by the organization could not be delivered to an intended recipient of the original message; and
  
  transfer the electronic message from the monitoring appliance to a correlation engine for analysis; and
  
  a correlation engine configured to analyze the electronic message with the correlation engine to determine whether the original message is part of an attempted online fraud.
- View Dependent Claims (48, 49, 50, 51, 52)
- - 48. A system for detecting online fraud as recited in claim 47, wherein the correlation engine is incorporated within the monitoring appliance.
  - 49. A system for detecting online fraud as recited in claim 47, wherein the correlation engine is incorporated within a fraud prevention system operated by a security provider.
  - 50. A system for detecting online fraud as recited in claim 49, wherein the electronic message comprises at least a portion original message, the portion of the original message comprising a uniform resource locator (“
    - URL”
      
      ) referencing a web site, and wherein of the fraud prevention system is further configured to investigate the URL.
  - 51. A system for detecting online fraud as recited in claim 47, wherein the monitoring appliance is incorporated within an email system associated with the organization.
  - 52. A system for detecting online fraud as recited in claim 47, wherein the monitoring appliance is located at the organization.

53. A monitoring appliance for detecting online fraud, the monitoring appliance comprising a processor and instructions executable by the processor to:
- access an electronic message received by an organization;
  
  identify the electronic message as a return message indicating that an original message purportedly sent by the organization could not be delivered to an intended recipient of the original message; and
  
  transfer the electronic message from the monitoring appliance to a correlation engine for analysis.

54. A software program embodied on a computer readable medium, the software program comprising instructions executable by one or more computers to:
- access an electronic message received by an organization;
  
  identify the electronic message as a return message indicating that an original message purportedly sent by the organization could not be delivered to an intended recipient of the original message;
  
  transfer the electronic message from the monitoring appliance to a correlation engine for analysis; and
  
  analyze the electronic message to determine whether the original message is part of an attempted online fraud.

55. A system comprising:
- means for accessing an electronic message an electronic message received by an organization;
  
  means for identifying the electronic message as a return message indicating that an original message purportedly sent by the organization could not be delivered to an intended recipient of the original message;
  
  means for transferring the electronic message from the monitoring appliance to a correlation means for analysis; and
  
  correlation means for analyzing the electronic message to determine whether the original message is part of an attempted online fraud.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
MarkMonitor Inc.
Original Assignee
MarkMonitor Inc.
Inventors
Shull, Mark, Shraim, Ihab

Application Number

US10/996,990
Publication Number

US 20070299915A1
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Customer-based detection of online fraud

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

222 Citations

55 Claims

Specification

Solutions

Use Cases

Quick Links

Customer-based detection of online fraud

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

222 Citations

55 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links