Online fraud solution

US 9,203,648 B2
Filed: 11/23/2004
Issued: 12/01/2015
Est. Priority Date: 05/02/2004
Status: Active Grant

First Claim

Patent Images

1. A computer system for investigating a suspicious uniform resource locator to determine whether a server referenced by the uniform resource locator may be involved in fraudulent activity, the computer system comprising:

a processor device; and

a memory device coupled with the processor device, the memory having stored therein a sequence of instructions which, when executed by the processor device, cause the computer system to;

access a data source to obtain data about a suspicious activity;

obtain, by downloading, using a master computer, the data from the data source, the data about the suspicious activity;

ascertain, by parsing the obtained data, a uniform resource locator that relates to the suspicious activity, wherein the uniform resource locator is associated with an anchor, the anchor comprising a displayed address;

ascertain the displayed address indicated by the anchor;

ascertain an actual address associated with a server referenced by the uniform resource locator;

compare the displayed address with the actual address associated with the server referenced by the uniform resource locator, wherein the displayed address comprises at least one of a first domain and a first internet protocol (IP) address, and wherein the actual address associated with the server referenced by the uniform resource locator comprises at least one of a second domain and a second IP address, and further wherein the instructions cause the computer system to determine whether the displayed address is different than the actual address associated with the server referenced by the uniform resource locator by performing at least one of a comparison between the first domain and the second domain, and between the first IP address and the second IP address;

obtain, using the master computer, domain information about the displayed address;

obtain, using the master computer, WHOIS ownership information about the displayed address;

compare the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address; and

based on the comparison of the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address and the comparison of the displayed address with the actual address associated with the server referenced by the uniform resource locator, determine whether the uniform resource locator is fraudulent.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention provide solutions (including inter alia, systems, methods and software) for dealing with online fraud. Some embodiments function to access and/or obtain information from (and/or receive data from) a data source; the data might, for example, indicate a possible instance of online fraud. Certain embodiments, therefore, can be configured to analyze the data, e.g., to determine whether the data indicate a likely instance of online fraud. Such instances may be further investigated, and/or a response may be initiated. Data sources can include, without limitation, web pages, email messages, online chat sessions, domain zone files, newsgroups (and/or postings thereto), etc. Data obtained from the data sources can include, without limitation, suspect domain registrations, uniform resource locators, references to trademarks, advertisements, etc.

198 Citations

33 Claims

1. A computer system for investigating a suspicious uniform resource locator to determine whether a server referenced by the uniform resource locator may be involved in fraudulent activity, the computer system comprising:
- a processor device; and
  
  a memory device coupled with the processor device, the memory having stored therein a sequence of instructions which, when executed by the processor device, cause the computer system to;
  
  access a data source to obtain data about a suspicious activity;
  
  obtain, by downloading, using a master computer, the data from the data source, the data about the suspicious activity;
  
  ascertain, by parsing the obtained data, a uniform resource locator that relates to the suspicious activity, wherein the uniform resource locator is associated with an anchor, the anchor comprising a displayed address;
  
  ascertain the displayed address indicated by the anchor;
  
  ascertain an actual address associated with a server referenced by the uniform resource locator;
  
  compare the displayed address with the actual address associated with the server referenced by the uniform resource locator, wherein the displayed address comprises at least one of a first domain and a first internet protocol (IP) address, and wherein the actual address associated with the server referenced by the uniform resource locator comprises at least one of a second domain and a second IP address, and further wherein the instructions cause the computer system to determine whether the displayed address is different than the actual address associated with the server referenced by the uniform resource locator by performing at least one of a comparison between the first domain and the second domain, and between the first IP address and the second IP address;
  
  obtain, using the master computer, domain information about the displayed address;
  
  obtain, using the master computer, WHOIS ownership information about the displayed address;
  
  compare the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address; and
  
  based on the comparison of the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address and the comparison of the displayed address with the actual address associated with the server referenced by the uniform resource locator, determine whether the uniform resource locator is fraudulent.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A computer system as recited in claim 1, wherein the WHOIS information about the displayed address comprises information about an owner of the address.
  - 3. A computer system as recited in claim 1, wherein the WHOIS ownership information about the displayed address comprises information about a domain registered with respect to the address.
  - 4. A computer system as recited in claim 1, wherein the data source comprises a web page.
  - 5. A computer system as recited in claim 1, wherein the data source comprises an email message.
  - 6. A computer system as recited in claim 1, wherein the data source comprises an online chat session.
  - 7. A computer system as recited in claim 1, wherein the data source comprises a newsgroup.
  - 8. A computer system as recited in claim 1, wherein the data source comprises a domain registration zone file.
  - 9. A computer system as recited in claim 8, wherein the data about a suspicious activity comprises a domain registration.
  - 10. A computer system as recited in claim 1, wherein the data about a suspicious activity comprises an advertisement.
  - 11. A computer system as recited in claim 1, wherein the data about a suspicious activity comprises a reference to a trademark.

12. A method of investigating a suspicious uniform resource locator to determine whether a server referenced by the uniform resource locator may be involved in fraudulent activity, the method comprising:
- accessing, by a computer, a data source to obtain data about a suspicious activity;
  
  downloading, using the computer, the data from the data source;
  
  ascertaining, by using the computer to parse the obtained data, a uniform resource locator involved with the suspicious activity, wherein the uniform resource locator is associated with an anchor, the anchor comprising a displayed address;
  
  ascertaining, by the computer, the displayed address indicated by the anchor associated with the uniform resource locator;
  
  ascertaining, by the computer, an actual address associated with a server referenced by the uniform resource locator;
  
  comparing, by the computer, the displayed address with the actual address associated with the server referenced by the uniform resource locator, wherein the displayed address comprises at least one of a first domain and a first internet protocol (IP) address, and wherein the actual address associated with the server referenced by the uniform resource locator comprises at least one of a second domain and a second IP address, and further wherein comparing the displayed address with the actual address associated with the server referenced by the uniform resource locator comprises determining whether the displayed address is different than the actual address associated with the server referenced by the uniform resource locator by performing at least one of a comparison between the first domain and the second domain, and between the first IP address and the second IP address;
  
  obtaining, by the computer, domain information about the displayed address;
  
  obtaining, by the computer, WHOIS ownership information about the displayed address;
  
  comparing, by the computer, the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address; and
  
  determining, by the computer and based on the comparison of the obtained domain information about the displayed address with the WHOIS ownership information about the displayed address and the comparison of the displayed address with the actual address associated with the server referenced by the uniform resource locator, whether the uniform resource locator is fraudulent.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. A method as recited in claim 12, wherein the WHOIS ownership information about the displayed address comprises information about an owner of the displayed address.
  - 15. A method as recited in claim 12, wherein the WHOIS ownership information about the displayed address comprises information about a domain registered with respect to the displayed address.
  - 16. A method as recited in claim 12, wherein the data source comprises a web page.
  - 17. A method as recited in claim 12, wherein the data source comprises an email message.
  - 18. A method as recited in claim 12, wherein the data source comprises an online chat session.
  - 19. A method as recited in claim 12, wherein the data source comprises a newsgroup.
  - 20. A method as recited in claim 12, wherein the data source comprises a domain registration zone file.
  - 21. A method as recited in claim 20, wherein the data about a suspicious activity comprises a domain registration.
  - 22. A method as recited in claim 12, wherein the data about a suspicious activity comprises an advertisement.
  - 23. A method as recited in claim 12, wherein the data about a suspicious activity comprises a reference to a trademark.

13. A non-transitory computer-readable memory having stored thereon a sequence of instructions which, when executed by a processor, cause the processor to:
- access a data source to obtain data about a suspicious activity;
  
  obtain, by downloading, using a master computer, the data from the data source, the data about the suspicious activity;
  
  ascertain, by parsing the obtained data, a uniform resource locator that relates to the suspicious activity, wherein the uniform resource locator is associated with an anchor, the anchor comprising a displayed address;
  
  ascertain the displayed address indicated by the anchor associated with the uniform resource locator;
  
  ascertain an actual address associated with a server referenced by the uniform resource locator;
  
  compare the displayed address with the actual address associated with the server referenced by the uniform resource locator, wherein the displayed address comprises at least one of a first domain and a first interne protocol (IP) address, and wherein the actual address associated with the server referenced by the uniform resource locator comprises at least one of a second domain and a second IP address, and further wherein the instructions cause the processor to determine whether the displayed address is different than the actual address associated with the server referenced by the uniform resource locator by performing at least one of a comparison between the first domain and the second domain, and between the first IP address and the second IP address;
  
  obtain, using the master computer, domain information about the displayed address;
  
  obtain, using the master computer, WHOIS ownership information about the displayed address;
  
  compare the obtained domain information about the a displayed address with the WHOIS ownership information about the displayed address; and
  
  determine, based on the comparison of the obtained domain information about the address configured to be displayed with the WHOIS ownership information about the displayed address and the comparison of the displayed address with the actual address associated with the server referenced by the uniform resource locator, whether the uniform resource locator is fraudulent.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. A computer-readable memory as recited in claim 13, wherein the WHOIS ownership information about the displayed address comprises information about an owner of the displayed address.
  - 25. A computer-readable memory as recited in claim 13, wherein the WHOIS ownership information about the displayed address comprises information about a domain registered with respect to the displayed address.
  - 26. A computer-readable memory as recited in claim 13, wherein the data source comprises a web page.
  - 27. A computer-readable memory as recited in claim 13, wherein the data source comprises an email message.
  - 28. A computer-readable memory as recited in claim 13, wherein the data source comprises an online chat session.
  - 29. A computer-readable memory as recited in claim 13, wherein the data source comprises a newsgroup.
  - 30. A computer-readable memory as recited in claim 13, wherein the data source comprises a domain registration zone file.
  - 31. A computer-readable memory as recited in claim 30, wherein the data about a suspicious activity comprises a domain registration.
  - 32. A computer-readable memory as recited in claim 13, wherein the data about a suspicious activity comprises an advertisement.
  - 33. A computer-readable memory as recited in claim 13, wherein the data about a suspicious activity comprises a reference to a trademark.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Opsec Online Limited
Original Assignee
Thomson Reuters Global Resources
Inventors
Shraim, Ihab, Shull, Mark
Primary Examiner(s)
Hayes, John
Assistant Examiner(s)
Winter, John M

Application Number

US10/996,991
Publication Number

US 20070299777A1
Time in Patent Office

4,025 Days
Field of Search

None
US Class Current

1/1
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Online fraud solution

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

198 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Online fraud solution

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

198 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others