Group-IB Fraud Hunting Platform
Keeping user digital identity safe
Dmitry Volkov
Group-IB CTO
It's July 2020. An employee at an unnamed bank is casually sipping iced tea and surfing the web when he suddenly finds… a well-crafted phishing page mimicking his employer's remote banking system. He is shocked at first, but quickly realizes that there's no time to lose. The bank calls Group-IB for help. By then, the bank has already reported the first compromised account.

Group-IB Fraud Hunting Platform analysts step in.
Group-IB Fraud Hunting Platform (FHP) is a new comprehensive system for protecting user digital identity and preventing fraud. The platform is the successor to the Secure Bank/Secure Portal product line, which Group-IB has been developing since 2013. Fraud Hunting Platform is used not only to detect and prevent fraud but also to investigate thefts and hunt criminals and their infrastructure.
The Group-IB FHP team analyzed the account activity and discovered that, after the phishing page had been visited, the remote banking resource was accessed from a previously unknown device that used several hosting providers to hide its activity.

Global ID is the technology, leveraged by the FHP, that marks devices and users across all online resources around the world where Fraud Hunting Platform is running and makes it possible to distinguish good devices from bad ones. In this particular case, having data on the fraudsters' device, the FHP analysts established connections with two other devices of theirs and six new user accounts that the attackers had logged into recently. All information received was promptly provided to the bank, which managed to block the accounts before the money was stolen. In the meantime, Group-IB's Computer Emergency Response Team (CERT-GIB) took down the phishing website.
The solution guards 130 million users daily. In the first six months of 2020, Group-IB's Fraud Hunting Platform shielded banking and eCommerce portals around the world from malware, social engineering attacks, and bot activity and saved them roughly $140 million.

Most notably, Paxful, an international peer-to-peer cryptocurrency marketplace, has managed to fight off over 220,000 requests from bad bots in just two months thanks to Group-IB's Fraud Hunting Platform.

What types of threats can Group-IB Fraud Hunting Platform help protect against?

  • Social engineering attacks (phishing pages, email scams and vishing, social media fraud, SIM swapping)
  • Account takeovers (unauthorized access, multiple registrations, unauthorized actions on the user's behalf)
  • Payment fraud (theft from remote banking systems, credit card fraud, unauthorized change of payment details)
  • Use of malware (web injects, mobile Trojans, man-in-the-browser, unauthorized use of remote access tools)
  • Money laundering (withdrawal of funds via a network of affiliated companies and droppers)
  • Credit fraud (submitting multiple credit applications, use of stolen personal information)
  • Bad bot activity (web scraping, credential stuffing, brute-force attacks, automation of user actions, mobile API abuse)
Unlike traditional anti-fraud solutions, Group-IB's new platform detects and stops malicious activity long before the attack is executed. Fraudsters are stopped at a point when they attempt to use compromised credentials or imitate legitimate user behavior.
Fraud Hunting Platform modus operandi
Let's take a look at credential stuffing, where credentials compromised on a third-party resource are used to gain unauthorized access to multiple personal accounts belonging to the same user. Because of the way its code is written, the bot is difficult to identify by static parameters. For example, signs of browser automation (e.g. headless browsers driven by Selenium) are hidden.

The bot's purpose is to gain access to the user's account and detect any active reward points.
The FHP interface shows several alerts at once, all of which indicate that this activity can be classified as a bot attack:

1. A particular hosting provider is in use
2. The "bot activity detected" rule was triggered
3. The keystroke dynamics score (a behavioral biometric) indicates an anomaly in keyboard typing patterns
Let's look in a little more detail at the keystroke dynamics score, which detected that the keyboard typing pattern changed drastically with the new login. The red line shows that the typing speed reached 400 CPM (characters per minute) at its peak. The normal average rate is up to 200 CPM.

This kind of anomaly may indicate that a user account has been compromised.
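To make the keystroke dynamics check concrete, here is an added example (not Group-IB's code; the FHP scoring model itself is not described on this page) that derives characters per minute from key-down timestamps and flags a login using the 200 CPM baseline and 400 CPM peak quoted above, plus a rhythm-regularity check that scripted input tends to fail. The sample timestamps and the regularity floor are constructed assumptions.

```python
from statistics import mean, pstdev

# Constructed sample sessions: key-down timestamps in milliseconds for a
# 12-character field. HUMAN_MS is a person typing at roughly 175 CPM with
# natural jitter; BOT_MS is scripted input at a uniform 143 ms per key (~420 CPM).
HUMAN_MS = [0, 310, 680, 1010, 1390, 1720, 2050, 2410, 2740, 3120, 3450, 3800]
BOT_MS = [i * 143 for i in range(12)]


def intervals_ms(timestamps):
    """Inter-key intervals in milliseconds between consecutive key-down events."""
    return [b - a for a, b in zip(timestamps, timestamps[1:])]


def mean_cpm(timestamps):
    """Average typing speed in characters per minute over the whole field."""
    return 60_000 / mean(intervals_ms(timestamps))


def peak_cpm(timestamps):
    """Peak speed: the fastest single inter-key interval expressed as CPM."""
    return 60_000 / min(intervals_ms(timestamps))


def rhythm_cv(timestamps):
    """Coefficient of variation of the intervals; human typing shows visible jitter."""
    gaps = intervals_ms(timestamps)
    return pstdev(gaps) / mean(gaps)


def keystroke_score(timestamps, baseline_cpm=200.0, peak_limit=400.0, min_cv=0.03):
    """Score one login's typing pattern against the thresholds from the article.

    baseline_cpm: normal average rate, quoted as 'up to 200 CPM'.
    peak_limit:   the 400 CPM peak seen in the compromised session.
    min_cv:       assumed floor for natural rhythm variation (our assumption,
                  not a Group-IB figure).
    """
    if len(timestamps) < 3:
        raise ValueError("need at least three keystrokes to score a pattern")
    reasons = []
    avg, peak, cv = mean_cpm(timestamps), peak_cpm(timestamps), rhythm_cv(timestamps)
    if avg > baseline_cpm:
        reasons.append(f"average {avg:.0f} CPM above baseline {baseline_cpm:.0f}")
    if peak >= peak_limit:
        reasons.append(f"peak {peak:.0f} CPM at or above {peak_limit:.0f}")
    if cv < min_cv:
        reasons.append(f"rhythm too regular (cv={cv:.3f})")
    return {"mean_cpm": avg, "peak_cpm": peak, "rhythm_cv": cv,
            "anomaly": bool(reasons), "reasons": reasons}
```

In a real deployment the baseline would be the individual user's own history rather than a global constant, which is what lets the score catch a sudden change after a new login rather than merely fast typists.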

Group-IB Fraud Hunting Platform analyzes every session and user behavior in real time, both on the web resource and in the mobile app. The product creates a unique digital fingerprint of the users' devices, thereby helping identify suspicious activities and block fraudulent ones.
Group-IB Fraud Hunting Platform architecture
Group-IB's new solution includes several function modules. When the first page of the web resource is loaded or the mobile app is launched, Web Snippet or Mobile SDK starts collecting behavioral metrics for the user and for the environment in which the mobile or web app is running. Next, the data is transferred to the server side of the system, the Processing Hub. In response, the Processing Hub generates a new server cookie and issues a verdict on whether, for example, bot activity has been identified. When requests are sent from a mobile or web application, Mobile SDK or Web Snippet additionally generates a client cookie based on the server cookie and transmits it with the request.

Embedding Web Snippet into Internet portals and Mobile SDK into mobile apps used by banks, payment systems, e-commerce companies, or government portals makes it possible to collect anonymized parameters of the end-user devices used for access and of user behavior. It also helps detect indicators of compromise and other non-confidential data for profiling sessions. The data collected is transferred to the Processing Hub (the server side of the Fraud Hunting Platform), where it is processed and correlated in real time using machine learning algorithms and fraud detection rules.

Preventive Proxy is a key function module of the new solution and is designed to detect and block malware in real time. It checks requests from the user's device for the cookies described above and determines whether they are correct and unique; based on the findings, Preventive Proxy decides whether bot activity has been identified.

Group-IB Fraud Hunting Platform uses the following techniques:

  • Behavioral analysis:
    • Individual user behavioral profile
    • Indirect identification by user behavior
    • Comparative analysis of legitimate user vs fraudsters' behaviour
    • Detecting behavioral anomalies
  • Device analysis:
    • Unique device profile
    • Device fingerprinting
    • Checking if device emulators are used or user parameters substituted
    • Security analysis
  • Agentless detection of malicious code:
    • Detecting web injections
    • Detecting mobile Trojans through behavioral and signature techniques
    • Detecting unauthorized remote access
  • Correlation & Investigation:
    • Detecting cross-channel and cross-platform fraud
    • Global ID for devices
    • Establishing account-device links
    • Connections visualization
  • Identifying and blocking bot activity:
    • Identifying and blocking direct requests to web or mobile API
    • Identifying and blocking smart bots
    • Marking and blocking bots upon individual request or at session level
  • Fraud hunting rules and models:
    • Flexible language for constructing rules
    • Individual customer rules and models
    • Option to provide feedback for adjusting models
  • Integration with Group-IB Threat Intelligence (TI):
    • Malware indicators
    • Compromised accounts
    • Compromised payment cards
    • IP Intelligence: TOR, proxy servers, hosting providers
    • Phishing and malicious domains
Fraud Hunting Platform helps solve the following problems:

Analysis of user-device connection

Group-IB's new solution identifies when compromised accounts and devices are used. For each parameter characterizing a user's interaction with the protected resource, there are other related parameters recorded by the platform. Based on these parameters and the link analysis, it is possible to detect the following:

  • Multi-device access to the application via a single account
  • Single-device access to the application via multiple accounts
  • Use of stolen/compromised accounts
  • Connected devices used in fraudulent activities in other applications

Agentless malware detection

Fraud Hunting Platform "catches" banking Trojans, detects unauthorized remote access, web injections, cross-channel attacks, and personal data collection. Group-IB's solution implements patented algorithms that help detect infected devices without the client's involvement and without the need to install additional software.

Group-IB Threat Intelligence data

Fraud Hunting Platform detects the latest fraud techniques, phishing preparation, and other types of attacks. The platform integrates data from Group-IB's attribution-based TI system. Exclusive information about cybercriminals, malware, adversary IP addresses, and compromised data (logins, passwords, bank cards) feeds anti-fraud systems and cybersecurity teams, allowing them to identify intruders and their actions.

Global ID

Group-IB's new solution detects new account fraud, money laundering, and social engineering. By analyzing anonymized information from various sources, Group-IB Fraud Hunting Platform creates a global user profile embracing all online channels. Understanding the connections between users, accounts and devices helps distinguish legitimate customers from fraudsters, while the combination of Group-IB Fraud Hunting Platform with unique Threat Intelligence data makes it possible to identify hidden threats and suspicious connections.

Cross-channel protection

Fraud Hunting Platform detects and blocks cross-channel attacks as well as card-not-present (CNP) fraud. Web Snippet and Mobile SDK correlate data on user behavior across devices and across the various channels of interaction with the bank, and identify a wide range of cross-channel attacks, including attacks on third-party platforms that are most exposed to CNP fraud, such as online shopping platforms. Group-IB's Fraud Hunting Platform script can be embedded into the 3-D Secure system code to detect cash-out attempts using cards stolen by scammers or harvested through phishing payment sites.

Group-IB Fraud Hunting Platform reduces costs thanks to:

  • Alternative to CAPTCHA to improve conversion
  • Adaptive authentication and no unnecessary checks when logging in
  • Adaptive confirmation of transactions
  • Lower cost of sending SMS messages and other means of two-factor authentication
  • Fewer calls to customers to confirm transactions
  • No unnecessary steps during user authentication
  • Higher operations limit
Implementing Group-IB's Fraud Hunting Platform
To enable protection against bots, Web Snippet (for web portals) or Mobile SDK (for mobile apps) must be implemented as part of Group-IB Fraud Hunting Platform.

Preventive Proxy can be deployed within the application infrastructure or in the Group-IB cloud. Request handling can be configured either by proxying through Preventive Proxy or via the auth_request module in NGINX.

Delivery options:

  • Docker container
  • Binary executable file
  • Group-IB cloud
Traffic can be processed by:

  • Proxying requests through Preventive Proxy
  • Marking requests with auth_request in NGINX
Proxying requests through Preventive Proxy

Preventive Proxy can be integrated into the application infrastructure as a loop on the load balancer. In this case, Preventive Proxy receives the entire user request (headers and body) from the balancer and sends the verdict back in response.

It can also be inserted between the load balancer and the application backend. In this case, the Preventive Proxy verdict is processed on the application backend. Static content can be filtered out and redirected straight to the application backend. For a load of 20,000 to 30,000 requests per second (excluding static content), the following minimum server resources are required:

  • CPU 4 cores, 2 threads per core
  • RAM 8 GB
Fraud Hunting Platform licensing

  • Portal protection (web and mobile channels): based on the number of unique users per year
  • P2P: based on the number of transactions
  • 3DS: based on the number of transactions
Preventive Proxy licensing is based on the number of sessions per month.

Fraud Hunting Platform deployment solutions:

A) Cloud solution: Flexible and fast integration with cloud infrastructure in the customer's country (SaaS).

B) Standalone FHP solution in the customer's infrastructure (on-premises): Monitoring will be done by Group-IB (SecaaS).

C) Hybrid solution: Customized implementation according to specific client requirements. For example, Preventive Proxy is deployed on premises, and Processing Hub is deployed in the Group-IB cloud.
Conclusions:
Group-IB Fraud Hunting Platform analyzes each session and user behavior in real time, both on the web and in the mobile app. A system based on behavioral analysis and machine learning algorithms creates a unique digital fingerprint of the devices, thereby connecting them with the users and their accounts. It helps accurately distinguish user actions from those of scammers, even if the scammers are in possession of the user's cellphone or payment data.

At the same time, a unified information environment for all Group-IB products means that the Fraud Hunting Platform system uses exclusive TI data, which helps identify hidden threats and suspicious connections and then use this information in an investigation. It also helps "hunt" for intruders by reaching out to those involved in the incident.

Fraud Hunting Platform can operate under a high load, processing tens of millions of requests to Internet resources and mobile apps while simultaneously blocking malicious activity on them. The new system has evolved from Group-IB's online fraud protection product line. It is highly performant and easy to integrate. What's more, it uses patented technologies to detect attacks before they are carried out. The global mission of Fraud Hunting Platform is not only threat hunting, but also identifying actors behind attacks.

It's up to users to decide what solution will be most convenient for them in terms of technical capabilities, user friendliness, and work objectives.

Learn more about Group-IB Fraud Hunting Platform and request a demo here.