
How Early Detection Exposed the Mass Registrations Polluting a Fortune 100 Company’s Online Platform

Shipping-related fraud has become a critical part of the modern fraudster’s cross-platform toolkit, but contextual detection, holistic data analysis, and unsupervised machine learning can combine to stop fraud before damage happens.

By Daniel Xu, July 24, 2019


About Daniel Xu
Daniel Xu is a Tech Lead at DataVisor with 5 years of experience in Product Management and Engineering roles. He has deployed DataVisor technology to help more than 15 Chinese and U.S. companies detect fraudsters and cybercriminals across multiple domains including mass registration, anti-spam, P2P payments fraud, and more. Daniel holds a Bachelor of Science in EECS from UC Berkeley.

E-commerce sites that offer shipping services are increasingly targeted by fraudsters who use mass registrations to exploit platform vulnerabilities and profit from unsuspecting consumers at massive scale, and they do so in ways that are increasingly difficult for conventional detection solutions to address.

Complexity, sophistication, and coordination are the hallmarks of modern digital fraud, and while e-commerce fraud techniques such as selling fake goods or disseminating fake reviews are quite common—and have been for some time—it’s less well known that shipping fraud has increasingly become a critical part of the modern fraudster’s cross-platform toolkit. When combined with other attack methods such as mass registrations, account takeovers, and identity theft, the growing potential for widespread damage is alarming.

In this post, we will explore a use case in which DataVisor’s unsupervised machine learning technology enabled an anti-fraud team to expose and neutralize malicious shipping accounts associated with an insidious advertising scam.

Anatomy of an Attack

In the fall of 2018, DataVisor partnered with a Fortune 100 company to detect malicious accounts across several of their online portals. In this deployment, we were able to access and analyze a wide variety of event types and profile information related to accounts, shipments, and deliveries. The examples below indicate how services intended to enhance customer service in fact contained exploitable vulnerabilities:

Customers can use an online portal to alter order details.
This service is typically used when the original order contains an error; for example, when the wrong item is included in the shipment or the destination address is incorrect. However, a malicious user who has taken over the account could fraudulently modify the order to include a higher-value item, or redirect the shipment to a different destination.

Customers can call customer service after an order has passed fraud review.
Once an order has passed the fraud screening phase, changes can be made over the phone via customer service calls. While this is useful for customers, it’s also an opportunity for fraud, as a fraudster could call in, claim to be the customer, and request changes to shipping details, credit card details, and more.

Customers can check delivery status.
This service is used by customers to keep track of their orders. Regrettably, fraudsters can also use it to keep track of hundreds, even thousands, of fraudulent shipping actions.

Mass Registrations and Damaging Advertising Fraud

We can identify and expose fraudsters who utilize conventional services like shipping status trackers to perform malicious activities

When reviewing data from our client, we were able to discover instances in which clusters of fraudsters accessed the same shipping number from multiple different accounts. As this behavior is uncommon with legitimate users, this was an immediate red flag, and it effectively tied those different accounts together.

As we looked deeper into the data, we quickly found large clusters of mass registered users, which, after short incubation periods, had begun to ship large quantities of packages at high frequency. One such campaign contained almost 200 users, all of whom shared the following properties:

As it turned out, these mass registrations were part of what’s called a “car wrap scam.” In a car wrap scam, victims are promised financial compensation in exchange for allowing their cars to be “wrapped” with advertisements for a particular brand. In the case of this particular fraud, a beverage company called AMP Energy was being impersonated, as fraudsters tried to trick unknowing victims into giving away personal and financial information. It was an especially damaging scam, as victims actually lost money in the process. Here’s how it worked:

  1. Fraudsters posing as marketing managers spammed thousands of phone numbers and email addresses, seeking individuals interested in supposedly making money by pasting AMP Energy advertisements on their cars.

  2. Fraudsters collected personal information from the victims, such as first and last name, home address, monthly income target, and more.

  3. After agreeing to work for the fraudsters, victims received an “advance” for their work in the form of a check, e.g., $2,300. This check was counterfeit, and its amount was far larger than what the victims were “contracted” to receive. The victim was told to keep $300 (the amount ostensibly due them) and to send the remaining $2,000 to another individual by wire transfer.

  4. If the victim sent the wire transfer immediately (as was usually the case, since the fraudsters pressured them to act quickly), they lost the $2,000, because they discovered that the initial check was fake only after the money was gone.

The use case described above offers an excellent example of how complicated modern fraud has become, and how interconnected the various components of a fraud puzzle can be. Today’s fraudsters are many-tentacled polymaths, and they’re able to leverage a wide range of technologies to engage in a vast array of fraudulent activities at massive scale. The nature of our client’s product offering—and the types of online services they provide—made them especially vulnerable to fraudsters who were looking to hijack those services for nefarious purposes. It was only through holistic data analysis and advanced contextual detection that we were able to uncover not just evidence of fraudulent actions, but the coordination and intention behind those actions.
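The two signals described above, several accounts looking up the same shipping number and a burst of registrations followed by a short incubation period and rapid shipping, can be turned into concrete detection logic. The following is an added example written for this post, not DataVisor's product code; the event log is constructed, and the field layout, thresholds and function names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample event log (not client data): (time, account, event, value).
# "track" = tracking-number lookup in the delivery-status portal, "ship" = package shipped.
LOG = [
    ("2018-09-01 10:00", "acct_a1", "register", ""), ("2018-09-01 10:02", "acct_a2", "register", ""),
    ("2018-09-01 10:05", "acct_a3", "register", ""), ("2018-06-15 12:00", "acct_legit", "register", ""),
    ("2018-09-04 09:00", "acct_a1", "ship", "TRK100"), ("2018-09-04 09:10", "acct_a2", "ship", "TRK101"),
    ("2018-09-04 09:20", "acct_a3", "ship", "TRK102"), ("2018-09-07 12:00", "acct_legit", "track", "TRK900"),
    ("2018-09-05 08:00", "acct_a1", "track", "TRK101"), ("2018-09-05 08:01", "acct_a2", "track", "TRK101"),
    ("2018-09-05 08:02", "acct_a3", "track", "TRK100"), ("2018-09-05 08:03", "acct_a1", "track", "TRK100"),
]

def link_by_shared_tracking(log, min_accounts=2):
    """Union-find: a tracking number looked up by min_accounts+ distinct accounts ties them together."""
    lookups = defaultdict(set)
    for _, acct, event, value in log:
        if event == "track":
            lookups[value].add(acct)
    parent = {}
    def find(a):
        parent.setdefault(a, a)
        while parent[a] != a:
            parent[a] = parent[parent[a]]  # path compression
            a = parent[a]
        return a
    for accts in lookups.values():
        if len(accts) >= min_accounts:
            root, *rest = sorted(accts)
            for a in rest:
                parent[find(a)] = find(root)
    groups = defaultdict(set)
    for a in parent:
        groups[find(a)].add(a)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

def cluster_profile(log, cluster):
    """Registration burst width (minutes), median register-to-first-ship incubation (days), ships/account."""
    ts = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    reg, first_ship, ships = {}, {}, defaultdict(int)
    for t, acct, event, _ in sorted(log):  # ISO timestamps sort chronologically as strings
        if acct in cluster and event == "register":
            reg[acct] = ts(t)
        elif acct in cluster and event == "ship":
            ships[acct] += 1
            first_ship.setdefault(acct, ts(t))
    window = (max(reg.values()) - min(reg.values())).total_seconds() / 60
    incub = sorted((first_ship[a] - reg[a]).days for a in reg if a in first_ship)
    return {"reg_window_min": window, "median_incubation_days": incub[len(incub) // 2],
            "ships_per_account": sum(ships.values()) / len(cluster)}
```

On the sample log the three accounts that cross-checked each other's tracking numbers form one cluster registered within five minutes and shipping two days later, while the legitimate account that only tracks its own package is never linked.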

The Value of Early Detection

DataVisor’s unsupervised machine learning technology was able to detect thousands of malicious accounts, each of which was then assigned to automatic blocking and quarantine, or flagged for manual review.

A significant majority of these accounts were detected at the point of registration, with the remainder caught while trying to perform a first attacking action. On average, DataVisor was able to catch fraudulent accounts approximately 30 days earlier when compared to known client labels in a cross-validated training set. Unlike other anti-fraud services which focus on behavior monitoring at the attack event level, DataVisor’s emphasis on early detection means that these malicious entities are neutralized before they can cause any damage.

In addition to providing results automatically through an API, our platform aggregates all event types and users from multiple data lakes into a single database which can then be queried in real-time during post-detection analytics. Specifically, an experienced fraud analyst can use our sophisticated bulk clustering, filtering, and labeling capabilities to derive actionable insights. These tools can be used as a standalone solution or integrated within existing manual review and remediation frameworks. 

In this manner, the dual coverage provided by automatic detection along with manual review drastically improves the capabilities of any fraud team looking to take trust and safety on their platforms to the next level.