RU2705774C1 - Method and system for detecting devices associated with fraudulent phishing activity - Google Patents

Abstract

FIELD: computer engineering.

SUBSTANCE: invention relates to the computer engineering. A method of detecting devices associated with fraudulent phishing activity comprises steps of determining a website to be tested; detecting website interface elements representing a form for inputting data; determining an interface region for inputting text into a form; determining type of data for input; method includes accessing a database (DB) containing tracking information required for inputting data into a form; performing automatic filling of the form with tracking data; performing registration on website with the help of tracking data; monitoring activity of using tracking data for the device; obtaining, based on monitoring, a unique hardware device identifier (UHDI); UHDI is transmitted to DB for addition to black list for further blocking.

EFFECT: improved protection of information products due to identification of scam devices associated with phishing web resources, for their subsequent blocking when trying to access information products using user data, by means of automatic filling of forms on phishing web resources with tracking information, imitating personal data of users.

14 cl, 4 dwg

Description

FIELD OF TECHNOLOGY

[0001] The claimed technical solution, in General, relates to the field of computer technology, and in particular, to a method and system for identifying devices associated with fraudulent phishing activity.

BACKGROUND

[0002] With the rapid development of IT services, more banking and financial services are provided through online access to the Internet. At the same time, there is an urgent need to implement protective mechanisms against fraudulent actions by cybercriminals that are carried out using websites aimed at phishing user data.

[0003] Phishing is a type of Internet fraud, the purpose of which is to gain access to confidential user data - logins and passwords using specially created resources on the Internet, which are disguised as the original brand that provides these or those services, and aim to capture user credentials when entering into forms posted on such websites.

[0004] A solution is known from the prior art for monitoring user suspicious activity based on a user behavior template when making financial transactions or accessing various financial resources (application US20130275195, priority date: 10/17/2013). The method is based on the formation of a reference pattern of user behavior for one or more devices and its subsequent use according to the user's identification information by comparing the current user actions with the said pattern.

[0005] An analogue of the claimed technical solution is the method of “bating” fraudulent schemes on the Internet implemented through websites (application US20140041024, priority date: 02/06/2014). The essence of the method lies in the automated analysis of information input fields on web resources and the application of the principle of data substitution, simulating the input of information identifying the user.

[0006] A disadvantage of the known solutions is the principle of identifying data that directly identifies a phishing web resource or software application for their subsequent blacklisting and blocking the processing of requests through the mentioned resources. At the same time, the device itself or a group of devices that intercept and subsequently use user data are not detected, and changing websites allows further use of scammers' hardware to intercept user data.

SUMMARY OF THE INVENTION

[0007] The claimed solution provides a solution to a technical problem or technical problem, consisting in the need to identify directly the hardware of the attackers that are associated with phishing web resources.

[0008] The technical result achieved in solving this technical problem is to increase the protection of information products by identifying fraud devices associated with phishing web resources, for their subsequent blocking when trying to access information products using user data, using automatic filling out forms on phishing web resources with tracking information that mimics the personal data of users.

[0009] The claimed technical result is achieved by implementing a method for identifying devices associated with fraudulent phishing activity, comprising the steps of using the processor of a computing device to:

a) determining the website to be scanned for phishing activity;

b) identifying website interface elements representing at least one data entry form, the website being designed to intercept user credentials related to a financial product or service;

c) determining at least one interface area for entering text into the data entry form;

d) determine the type of data to be entered into each of the identified data entry forms;

e) accessing a database containing tracking information necessary for data entry of at least one data form identified in step d);

f) each form of said form is automatically filled with said tracking data;

g) register on the website using the mentioned tracking data to access a financial service or product;

h) monitor the activity of using said tracking data for at least one device related to fraudulent activity;

i) obtain, on the basis of said monitoring, a unique hardware identifier (UAID) of said device related to fraudulent activity;

j) transfer the UAID to the database for adding to the black list for subsequent blocking of transaction operations using the corresponding hardware identifier.

[0010] In a particular embodiment of the method, elements representing a form for entering data are selected from the group: graphical interface button, text input area, frame, link to a website link.

[0011] In a particular embodiment of the method, step f) begins after the website page is fully loaded and an additional time period is set.

[0012] In a particular embodiment of the method, for each area of the text, the presence of autocomplete elements is checked.

[0013] In a particular embodiment of the method, for the autocomplete items, the number of points of the autocomplete options is determined.

[0014] In a particular embodiment of the method, a random selection of items of autofill options is performed.

[0015] In a particular embodiment of the method, for each text area, the presence of a text template for input is checked.

[0016] In a particular embodiment of the method, the template is checked for keywords.

[0017] In a particular embodiment of the method, the identified keywords are used to access the tracking information database to obtain data corresponding to the template for filling.

[0018] In a particular embodiment of the method, the check is performed on the DOM tree and / or using a locator of nearby elements containing text with a length of at least 3 characters.

[0019] In a particular embodiment of the method, if the template contains keywords indicating confirmation of registration by SMS, then the step of sending it to the phone number associated with tracking data is performed.

[0020] In a particular embodiment of the method, the arrival of an SMS message from to a specified phone number associated with tracking data is determined.

[0021] In a particular embodiment of the method, the determination is performed using a software module that determines the receipt of an SMS message and its transmission to the database.

[0022] In a particular embodiment of the method, the information transmitted to the database is checked by the analysis module for the availability of authorization information in the received SMS message.

[0023] The claimed solution is also implemented through a system for identifying devices associated with fraudulent phishing activity, which contains:

at least one processor;

at least one memory associated with the processor containing machine-readable instructions that, when executed by at least one processor, implement the above method.

DESCRIPTION OF DRAWINGS

[0024] The features and advantages of this technical solution will become apparent from the following detailed description and the accompanying drawings, in which:

[0025] FIG. 1 illustrates a general view of the claimed solution.

[0026] FIG. 2 illustrates a flowchart of an embodiment of the claimed method.

[0027] FIG. 3 illustrates an example solution with a form on a website with options to fill out.

[0028] FIG. 4 illustrates a general view of a computing device.

DETAILED DESCRIPTION OF THE INVENTION

[0029] In the context of the present description, unless clearly indicated otherwise, "server" means a computer program running on the appropriate equipment, which is able to receive requests (for example, from client devices) over the network and execute these requests or initiate the execution of these requests . The equipment may be one physical computer or one physical computer system, but neither one nor the other is mandatory for this technology. In the context of this technology, the use of the expression “server” does not mean that each task (for example, received instructions or requests) or any specific task will be received, completed or initiated to be executed by the same server (that is, by the same software software and / or hardware); this means that any number of software elements or hardware devices can be involved in the reception / transmission, execution or initiation of any request or the consequences of any request associated with the client device, and all this software and hardware can be one server or several servers , both options are included in the expression “at least one server”.

[0030] In the context of the present description, unless clearly indicated otherwise, "user client device" or "mobile user communication device" means a hardware device capable of working with software suitable for solving the corresponding problem. Thus, examples of client devices (among others) include personal computers (desktop computers, laptops, netbooks, etc.), smartphones, tablets, and network equipment such as routers, switches, and gateways. It should be borne in mind that a device behaving as a user device in the present context may behave like a server in relation to other client devices. The use of the expression “client device” does not exclude the possibility of using multiple client devices to receive / send, execute, or initiate the execution of any task or request, or the consequences of any task or request, or the steps of any method described above.

[0031] In the context of the present description, unless clearly indicated otherwise, the term "database" means any structured data set that is independent of the specific structure, database management software, hardware of the computer on which the data is stored, used or otherwise are available for use. The database may reside on the same hardware that runs the process that stores or uses the information stored in the database, or it may reside on separate hardware, such as a dedicated server or multiple servers.

[0032] In the context of the present description, unless clearly indicated otherwise, the term "information" includes any information that may be stored in a database. Thus, information includes, among other things, audiovisual works (images, videos, sound recordings, presentations, etc.), data (location data, digital data, etc.), text (opinions, comments, questions , messages, etc.), documents, tables, etc.

[0033] In FIG. 1 shows a General view of the presented technical solution (100). The system of interaction of solution elements includes a website (110), analyzed for phishing, associated with a website (110), one or more fraudsters (120), a server (130) that analyzes the website (110) and the necessary steps to identify fraud devices (120), and a database (140) associated with the server (130) containing data used to substitute on the website (110) for tracking phishing activity and related devices (120).

[0034] As a fraud device (120), various means may be used, for example, computers, servers, smartphones, tablets, and the like. The main specificity of device (120) in this case consists in direct access with the help of intercepted user data to financial and / or banking services, or user registration on fake web resources for subsequent tracking and interception of incoming information from the user.

[0035] The implementation of the claimed solution is carried out using a hardware-software complex implemented using a server (130) and a corresponding software application that provides website analysis (110) and identifies suspicious activity aimed at committing fraudulent actions.

[0036] Typically, a web resource (110) used for phishing user data contains one or more forms (111, 112) for entering user identifying information, for example, phone number, email address, full name of the user, user ID, and etc.

[0037] The algorithm of the server’s analytical module (130) analyzes the forms (111, 112) of the website (110) for the necessary information to be entered into them and to further monitor the movement of data flows to identify devices (120) participating in the chain sharing and using user data.

[0038] In FIG. 2 presents the algorithm of the claimed method (200) for identifying devices (120) scammers associated with phishing websites (110).

[0039] At the beginning of the method (200), the information of the website (110) is analyzed for its use for phishing user data (201). This check can be carried out by analyzing the IP address or domain of a website (110) with a database (140), which can store an updated list of web resources to be checked for phishing activity.

[0040] Next, at step (202), types of objects on the website page (110) are analyzed by their type attributes in the HTML markup language to identify interface elements representing data entry forms (111, 112) that are used to intercept registration User data related to a financial product or service. Elements representing the data entry form are selected from the group: graphical interface button, text input area, frame, link to the website link, etc.

[0041] Step (202) may be performed after the website page (110) is fully loaded and an additional time period is set, for example, 10 seconds. The time period is used to bypass protection from autocomplete, in which some elements of the website form (110) may not be displayed immediately, simulating the load.

[0042] After identifying one or more forms for entering text (111, 112), at step (203), an analysis is made of the areas of the interface for entering text or numerical data into the identified forms (111, 112).

[0043] At step (204), the analysis algorithm performed by the server (130) searches for text information describing the type of data to be input into the corresponding form areas (111, 112). The search can be carried out by analyzing both the area of the interface next to the form input field (111, 112) and directly inside the form field (111, 112), which can be a template of the information required to be filled in, for example, phone number format, name format and surnames, etc.

[0044] If a text or numerical example of the input information in the form field (111, 112) is detected, then the algorithm executed by the server (130) activates the keyword analysis of the symbol input example mentioned. If there is no example of the entered information, then the nearest element is searched for in the form field (111, 112) with a signature explaining what information should be entered in this field. This check can be performed by analyzing the DOM tree (Document Object Model), or by using XPath locators, nearby elements containing text, at least three characters long.

[0045] After finding the element containing the signature to the input field, the element is scrolled to the middle of the screen, after which a screenshot is taken. Then, according to the coordinates of this object, the field of interest is cut out of the screenshot, after which the resulting image is enlarged several times, for example, three times and converted to a monochrome image to increase the quality of text recognition. These actions are necessary to bypass the protection against automatic filling - often not Cyrillic characters are used, but similar in spelling, other characters, for example, Latin, etc.

[0046] Next, the received image is transmitted for recognition using the OCR (Optical Charter Recognition) module. The text recognition result is checked for the necessary keywords. If no keywords were found during the verification, then the input fields of the forms (111, 112) are filled in with the default value (for example, a random name).

[0047] At step (205), the tracking information is substituted into the text input forms (111, 112) on the website (110). Tracking information, as a rule, is contained in the database (140) associated with the server (130), and represents pre-prepared generated data that mimics the personal information of users. For each data base (140) also contains a phone number for the purpose of registering with phishing resources (110).

[0048] The tracking information is filled in the identified forms (111, 112) on the website (110) using an algorithm implemented by the server (130). Tracking information is requested from the database (140) in accordance with certain types of necessary data to be entered into forms (111, 112) on the website (110) and entered into the mentioned forms (111, 112). At the same time, in the process of autocomplete forms (111, 112) on the website (110) using the server (130), information is also analyzed and identifies the website (110), in particular, the IP address, domain name, URL etc.

[0049] After the tracking data has been entered (206) on the website (110), the registration procedure on the phishing resource (110) is performed. Tracking data, as a rule, is transmitted to one or several fraudsters (120) for their subsequent use.

[0050] The website (110) may also contain a request to confirm the registration process using two-factor verification, in particular, by entering a confirmation code from an SMS message that is sent to the user's mobile phone number or email address. In this case, for records of tracking information in the database (140) one or more phone numbers are stored, used to obtain a confirmation code, or email addresses. After analyzing the website (110) for the need to enter an authorization confirmation code, the server algorithm (130) monitors the receipt of the code according to the indicated tracking data, and when the necessary confirmation code is received in an SMS message or e-mail, it is entered into the corresponding web form website (110).

[0051] Next, the server operation algorithm (130) monitors the use of the entered tracking data (207). Fraudsters, as a rule, carry out registration actions with financial products or services using user data obtained via the website (110). Registration is performed using a fraud device (120) to perform future operations, for example, attempts to gain access to a user's financial account or related financial services.

[0052] At the time of applying tracking data using fraudsters (120) at step (208), their unique hardware identifiers (UAIDs) are received, which are subsequently blacklisted to block the execution of activities related to financial services (209). Blocking the actions of devices (120) is performed by comparing their UAID with information blacklisted. UAID also allows you to track a group of devices (120) that participate in a fraudulent scheme, which implements the ability to block several devices trying to access services using user data.

[0053] The UAID device (120) is determined based on the monitoring logs of the process of applying tracking data to financial products or services. As an example, cybercriminals who obtained user data via the website (110) may try to register in financial products such as mobile banking (Sberbank Online), loyalty programs (for example, Sberbank Thank you), etc. to conduct financial transactions or operations on information obtained through the phishing website (110). UAID when registering using devices (120) according to the tracking data of the server (130) can be defined as a hash from concatenating the settings of the phone’s operating system environment, screen resolution, set of installed software, software settings on the phone and other characteristics of the fraudster’s device (120). Concatenation is the operation of combining linear structure objects, for example, data strings, characters, values, etc.

[0054] An example will be provided of obtaining UAID by hash from concatenating data from a fraud device (120) from tracking data.

PHONE_PARAMETERS_STRING:

pm_fposp = & pm_fpacn = Mozilla & BROWSER = mozilla / 5.0 + (windows + nt + 6.1; + wow64) + applewebkit / 537.36 + (khtml, + like + gecko) + chrome / 43.0.2357.132 + safari / 537.36 | 5.0+ (Windows + NT +6.1; WOW64) + AppleWebKit / 537.36 + (KHTML, + like + Gecko) + Chrome / 43.0.2357.132 + Safari / 537.36 | Win32 & EXTERNAL_TIMEOUT = & BROWSER_TYPE = Chrome & SUPPRESSED = false & LANGUAGE = lang% 3Dang | .0.0_2 & BROWSER_MAJOR_VERSION = 43 & pm_fpspd = 24 & pm_fpsaw = 1440 & LANGUAGE_BROWSER = en & DISPLAY = 24 | 1440 | 900 | 860 & JAVA = 1 & OS = Windows & COOKIE = 1 & SOFTWARE = & pm_fpup = true & pm_fpup = q & pm_fpup = true & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpf = true & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpup = & pm_fpf = true & pm_fpf = q% 3D0.6, en; q% 3D0.4 & pm_fpsfse = & pm_fpslx = & pm_fpsly = & TIMEZONE = 4 & pm_fpan = Netscape & pm_fpasw = widevinecdmadapter-mnjjf-internal-& | & pm_fpsdy = & INTERNAL_TIMEOUT = DEVICE_ID = sha256 (PHONE_PARAMETERS_STRING) = ad83f8280f66ae603b4e1ab58795bba63bb7ca62d7b971fabe10b040825868a8.

[0055] In FIG. Figure 3 presents an example of a special case of form analysis for entering information (113) at step (203). Some types of forms (113) may contain autocomplete elements (1131, 1132, 1133) that are selected when interacting with the website (110). In this case, the server algorithm (130) analyzes the information presented in the elements (1131, 1132, 1133) of the autofill form (113). The number of items in each list of forms (113) is checked and the items (elements) (1131, 1132, 1133) of the form are randomly selected. After selecting elements for auto-completion of the form (113), the algorithm continues its work on the analysis of the website (110) for the form fields for entering user information for registration on the website (110).

[0056] In FIG. 4 shows a general view of a computing device (300). Based on the device (300), a fraudulent device (120), a server (130), and other non-represented devices can be implemented, but which can participate in the general information architecture (100) of the claimed solution.

[0057] In general, a computing device (300) comprises one or more processors (301) connected by a common data bus, memory means such as RAM (302) and ROM (303), input / output interfaces (304), devices input / output (305), and a device for network interaction (306).

[0058] A processor (301) (or multiple processors, a multi-core processor) may be selected from a variety of currently widely used devices, for example, Intel ™, AMD ™, Apple ™, Samsung Exynos ™, MediaTEK ™, Qualcomm Snapdragon ™, and etc.

[0059] RAM (302) is a random access memory and is intended to store machine-readable instructions executed by the processor (301) to perform the necessary operations for logical data processing. RAM (302), as a rule, contains executable instructions of the operating system and corresponding software components (applications, program modules, etc.).

[0060] The ROM (303) is one or more permanent storage devices, for example, a hard disk drive (HDD), a solid state drive (SSD), flash memory (EEPROM, NAND, etc.), optical storage media ( CD-R / RW, DVD-R / RW, BlueRay Disc, MD), etc.

[0061] Various types of I / O interfaces (304) are used to organize the operation of the components of the device (300) and organize the operation of external connected devices. The choice of appropriate interfaces depends on the particular computing device, which can be, but not limited to: PCI, AGP, PS / 2, IrDa, FireWire, LPT, COM, SATA, IDE, Lightning, USB (2.0, 3.0, 3.1, micro, mini, type C), TRS / Audio jack (2.5, 3.5, 6.35), HDMI, DVI, VGA, Display Port, RJ45, RS232, etc.

[0062] Various means (305) of I / O information, for example, a keyboard, a display (monitor), a touch screen, a touch pad, a joystick, a mouse, a light pen, a stylus, are used to provide user interaction with a computing device (300), touch panel, trackball, speakers, microphone, augmented reality, optical sensors, tablet, light indicators, projector, camera, biometric identification tools (retina scanner, fingerprint scanner, voice recognition module), etc.

[0063] The network interaction tool (306) enables data transfer by the device (300) via an internal or external computer network, for example, an Intranet, the Internet, a LAN, and the like. As one or more means (306) may be used, but not limited to: Ethernet card, GSM modem, GPRS modem, LTE modem, 5G modem, satellite communications module, NFC module, Bluetooth and / or BLE module, Wi-Fi module and other

[0064] Additionally, satellite navigation means as part of the device (300), for example, GPS, GLONASS, BeiDou, Galileo, can also be used.

[0065] The submitted application materials disclose preferred examples of the implementation of the technical solution and should not be construed as limiting other, specific examples of its implementation, not going beyond the scope of the requested legal protection, which are obvious to specialists in the relevant field of technology.

Claims (27)

1. A method for identifying devices associated with fraudulent phishing activity, comprising stages in which: carried out using a processor of a computing device a) determining the website to be scanned for phishing activity; b) identifying website interface elements representing at least one data entry form, the website being designed to intercept user credentials related to a financial product or service; c) determining at least one interface area for entering text into the data entry form; d) determine the type of data to be entered into each of the identified data entry forms; e) they access a database containing tracking information that mimics the personal information of users necessary to enter data into at least one data form identified in step d); f) each form of said form is automatically filled with said tracking data, the form filling process being carried out after the website page is fully loaded and the additional time interval is set; g) register on the website using the mentioned tracking data to access a financial service or product; h) monitor the activity of using said tracking data for at least one device related to fraudulent activity; i) obtain, on the basis of said monitoring, a unique hardware identifier (UAID) of said device related to fraudulent activity; and j) transfer the UAID to the database for adding to the black list for subsequent blocking of transaction operations using the corresponding hardware identifier. 2. The method according to p. 1, characterized in that the elements representing the form for entering data are selected from the group: graphic interface button, text input area, frame, link to the website link. 3. The method according to claim 1, characterized in that for each area of the text the presence of auto-complete elements is checked. 4. The method according to p. 3, characterized in that for the elements of autocomplete is determined by the number of points of options for autocomplete. 5. The method according to claim 4, characterized in that a random selection of items of autofill options is performed. 6. The method according to p. 1, characterized in that for each area of the text is checked for the presence of a text template for input. 7. The method according to p. 6, characterized in that the template is checked for keywords. 8. The method according to p. 7, characterized in that the identified keywords are accessed to the database of tracking information to obtain data corresponding to the template for filling. 9. The method according to claim 7, characterized in that the check is performed on the DOM tree and / or using a locator of nearby elements containing text with a length of at least three characters. 10. The method according to claim 7, characterized in that if the template contains keywords indicating confirmation of registration by SMS, then the step of sending it to the phone number associated with tracking data is performed. 11. The method according to p. 10, characterized in that they determine the receipt of SMS messages from the specified phone number associated with tracking data. 12. The method according to p. 11, characterized in that the determination is performed using a software module that determines the receipt of an SMS message and its transmission to the database. 13. The method according to p. 12, characterized in that the information transmitted to the database is checked by the analysis module for the availability of information for authorization in the received SMS message. 14. A system for identifying devices associated with fraudulent phishing activity, containing: at least one processor at least one memory associated with the processor containing machine-readable instructions that, when executed by at least one processor, implement the method according to any one of claims. 1-13.

Images