Monitoring Site Traffic for Fraud Prevention

Tuesday, January 25, 2011

Richard Stiennon


Most website owners spend a little time looking at their “web logs”, the list of page hits to their site. 

A free tool bundled with most web hosting accounts is AWStats, which lets you see how many hits per day you are getting, your most popular post, hits by country, and even your most frequent visitor (usually the site owner).

Often you will see signs of suspicious activity: lots of hits to URLs that do not exist on your site (404s from a scanner probing for applications and files you do not have), or unusual volume from a single country or a single address. It is reasonable to expect that if your site is going to be hacked, the reconnaissance will show up in the logs first, provided someone is actually reading them.

Business logic

One new company that is leveraging that concept is Silver Tail Systems.  Their solution is aimed at banks, stock trading sites and similar high-value transaction sites.  I am adding them to my list of cool companies to watch for 2011 (to be posted soon).

Web attacks take various forms. In 2002 I had a conversation with a large data provider who had opened up their proprietary database to subscribers for only $250/month.  It did not take long for someone to use a stolen credit card to get access and run scripts against the database to suck down as much as they could. 

When IT-Harvest first launched our security vendor database we allowed anyone to run simple searches on it.  That first day a vendor in Canada (you know who you are) ran a script against it to suck down the whole database.

Another time-tested attack is web scraping, a technique that riled the airlines, who did not like their fares being reposted on comparison sites.  Phishers also spend a lot of time pulling down a site's pages in preparation for cloning it, so they can lure its users into handing over their credentials.
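To make the log-reading idea concrete, both for the hits to undefined URLs mentioned above and for the bulk-download and scraping attacks just described, here is an added example (my code, not from the original post and not any vendor's product) that profiles an Apache-style combined log: a client is tagged as probing when most of its requests are 404s, and as scraping when it fetches many distinct paths within a minute. The thresholds and the sample log lines are constructed for illustration; the addresses are documentation ranges, not real visitors.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format: the same lines AWStats summarises.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def peak_rate(times, window_s=60):
    """Largest number of requests from one client inside any window_s-second window."""
    times = sorted(times)
    best, lo = 0, 0
    for hi in range(len(times)):
        while (times[hi] - times[lo]).total_seconds() > window_s:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def profile_clients(lines):
    """Aggregate per-client counters from raw log lines."""
    clients = defaultdict(lambda: {"requests": 0, "not_found": 0, "paths": set(), "times": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        c = clients[rec["ip"]]
        c["requests"] += 1
        c["paths"].add(rec["path"])
        c["times"].append(rec["ts"])
        if rec["status"] == 404:
            c["not_found"] += 1
    return clients


def classify(clients, min_404=5, not_found_ratio=0.5, min_distinct=20, rate_per_min=30):
    """Tag clients as 'probing' (mostly 404s) or 'scraping' (many distinct paths, fast).
    The thresholds are illustrative assumptions; tune them to your own traffic."""
    findings = {}
    for ip, c in clients.items():
        tags = []
        if c["not_found"] >= min_404 and c["not_found"] / c["requests"] >= not_found_ratio:
            tags.append("probing")
        if len(c["paths"]) >= min_distinct and peak_rate(c["times"]) >= rate_per_min:
            tags.append("scraping")
        if tags:
            findings[ip] = tags
    return findings


def _line(ip, second, path, status):
    # Builds a constructed sample log line; the IPs are documentation ranges, not real hosts.
    return (f'{ip} - - [25/Jan/2011:13:00:{second:02d} -0500] "GET {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


SAMPLE_LOG = (
    # an ordinary visitor reading two pages
    [_line("198.51.100.7", 1, "/", 200), _line("198.51.100.7", 40, "/about", 200)]
    # a scanner probing for admin consoles and backup files that do not exist here
    + [_line("203.0.113.9", i, p, 404) for i, p in enumerate(
        ["/admin/", "/phpmyadmin/", "/wp-login.php", "/backup.zip", "/.git/config", "/config.bak"])]
    # a script pulling every record of a vendor database in quick succession
    + [_line("192.0.2.55", i, f"/vendors/{i}", 200) for i in range(40)]
)


def analyse(lines=SAMPLE_LOG):
    """Profile and classify a list of log lines; returns {ip: [tags]} for flagged clients only."""
    return classify(profile_clients(lines))


if __name__ == "__main__":
    for ip, tags in analyse().items():
        print(ip, ", ".join(tags))
```

Run it against a real access log by passing the file's lines to `analyse()`. The two signals are deliberately separate: a scanner generates 404s at almost any rate, while a scraper is usually well-formed, authenticated or not, and only stands out by how many distinct pages it pulls in how little time.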

Once an attacker has access to a user's account they can run a pump-and-dump scheme: liquidate the victim's holdings and use the proceeds to buy a penny stock in which the attacker has already taken a position. The attacker sells their own shares when the price pops in reaction to the unusual buying, and the account holder is left holding worthless stock after it drops back down again.

The most critical step a transaction site can take is to make sure it does not contain vulnerabilities that expose it to attack.   Brian Krebs lambastes the administrators of .gov sites that are particularly lax in this regard.

Deploying a web application firewall (Imperva and AppSec Inc. are two vendors) is a good way to block known attack patterns, but a WAF inspects individual requests for signatures of malicious input. More sophisticated attacks may exploit vulnerabilities that have not yet been discovered, or simply use the site's intended functionality to commit fraud, often from a legitimately authenticated account, and those requests look perfectly valid one at a time.

That is where Silver Tail Systems comes in.  They monitor all traffic to the main site and to associated third-party sites and look for indications of malfeasance.  Alerts are generated when the normal business logic is subverted, which lets the site owner investigate and correct the controls.  That beats waiting for the call from an irate customer who finds that his funds have vaporized!
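As an added illustration of the business-logic monitoring described above (my example, not Silver Tail's product or its detection rules), the script below models a trading site's expected page flow and flags sessions that reach the order-execution step without passing through the earlier pages, or that go from quote to execution faster than a person plausibly could. The paths, the ten-second floor and the sample sessions are assumptions made for the example; every request in them would pass a per-request WAF check, which is the point.

```python
# Expected page flow for placing a trade. A request for a later step must be
# preceded, within the same session, by every earlier step. (Assumed paths.)
TRADE_FLOW = ["/login", "/portfolio", "/trade/quote", "/trade/confirm", "/trade/execute"]

# Assumed lower bound on how fast a person can read a quote and confirm it.
MIN_HUMAN_SECONDS = 10


def check_session(events):
    """events: list of (seconds_since_session_start, path) in arrival order.
    Returns a list of alert strings; an empty list means the session looked normal."""
    first_seen = {}   # path -> time of the first request for it in this session
    alerts = []
    for t, path in events:
        if path in TRADE_FLOW:
            idx = TRADE_FLOW.index(path)
            missing = [p for p in TRADE_FLOW[:idx] if p not in first_seen]
            if missing:
                alerts.append(f"{path} requested without prior {', '.join(missing)}")
            first_seen.setdefault(path, t)
        if path == "/trade/execute" and "/trade/quote" in first_seen:
            elapsed = t - first_seen["/trade/quote"]
            if elapsed < MIN_HUMAN_SECONDS:
                alerts.append(f"quote-to-execute in {elapsed}s")
    return alerts


def audit(sessions):
    """Run check_session over {session_id: events}; keep only the sessions that raised alerts."""
    flagged = {}
    for sid, events in sessions.items():
        alerts = check_session(events)
        if alerts:
            flagged[sid] = alerts
    return flagged


# Constructed sessions (not real traffic). Times are seconds from the session's first request.
SAMPLE_SESSIONS = {
    # a person walking through the normal flow
    "s1": [(0, "/login"), (5, "/portfolio"), (20, "/trade/quote"),
           (55, "/trade/confirm"), (60, "/trade/execute")],
    # a script that skips the portfolio and confirmation pages and trades two seconds after login
    "s2": [(0, "/login"), (1, "/trade/quote"), (2, "/trade/execute")],
    # a hand-crafted execute request with no quote or confirmation at all
    "s3": [(0, "/login"), (3, "/portfolio"), (4, "/trade/execute")],
}


if __name__ == "__main__":
    for sid, alerts in audit(SAMPLE_SESSIONS).items():
        for alert in alerts:
            print(sid, alert)
```

The flow check catches requests forged directly against the execution endpoint, and the timing check catches scripted sessions that do walk the pages but far too quickly. In practice the session id comes from the application's cookie and the events from the same access log used above, and the flow model has to be written per site, because it is the site's own business logic that defines what "normal" means.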

You can hear more of my thoughts on web attacks and fraud, as well as hear directly from Silver Tail Systems, in a webinar this Thursday, the 27th of January, 1-2 PM Eastern (GMT -5).  Registration is now open.

Cross-posted from ThreatChaos

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
