forked from splunk/security_content
web_fraud.yml
category:
- Abuse
channel: ESCU
creation_date: '2018-07-12'
description: Monitor your environment for activity consistent with common attack techniques
bad actors use when attempting to compromise web servers or other web-related assets.
detections:
- detection_id: 31337aaa-941d-4ada-81ac-q2a17be5bf0d
name: Web Fraud - Account Harvesting
type: splunk
- detection_id: 31337bbb-bc22-4752-b599-ef192df2dc7a
name: Web Fraud - Anomalous User Clickspeed
type: splunk
- detection_id: 31337a1a-53b9-4e05-96e9-55c934cb71d3
name: Web Fraud - Password Sharing Across Accounts
type: splunk
id: 31337aaa-bc22-4752-b599-ef112dq1dq7a
maintainers:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
modification_date: '2018-10-08'
name: Web Fraud Detection
narrative: 'The Federal Bureau of Investigations (FBI) defines Internet fraud as the
use of Internet services or software with Internet access to defraud victims or
to otherwise take advantage of them. According to the Bureau, Internet crime schemes
are used to steal millions of dollars each year from victims and continue to plague
the Internet through various methods. The agency includes phishing scams, data breaches,
Denial of Service (DOS) attacks, email account compromise, malware, spoofing, and
ransomware in this category.\
These crimes are not the fraud itself, but rather the attack techniques commonly
employed by fraudsters in their pursuit of data that enables them to commit malicious
acts such as obtaining and using stolen credit cards. They represent a serious problem
that is steadily increasing and not likely to go away anytime soon.\
When developing a strategy for preventing fraud in your environment, it is important
to look across all of your web services for evidence that attackers are abusing
enterprise resources to enumerate systems, harvest data for secondary fraudulent
activity, or abuse terms of service. This Analytic Story looks for evidence of common
Internet attack techniques that could be indicative of web fraud in your environment, including
account harvesting, anomalous user clickspeed, and password sharing across accounts,
to name just a few.\
The account-harvesting search focuses on web pages used for user-account registration.
It detects the creation of a large number of user accounts using the same email
domain name, a type of activity frequently seen in advance of a fraud campaign.\
The anomalous clickspeed search looks for users who are moving through your website
at a faster-than-normal speed or with a perfect click cadence (high periodicity
or low standard deviation), which could indicate that the user is a script, not
an actual human.\
Another search detects incidents wherein a single password is used across multiple
accounts, which may indicate that a fraudster has infiltrated your environment and
embedded a common password within a script.'
original_authors:
- company: Splunk
email: Mayhem@splunk.com
name: Jim Apger
references:
- https://www.fbi.gov/scams-and-safety/common-fraud-schemes/internet-fraud
- https://www.fbi.gov/news/stories/2017-internet-crime-report-released-050718
- https://www.otalliance.org/news-events/press-releases/online-trust-alliance-reports-doubling-cyber-incidents-2017-0
spec_version: 2
usecase: Fraud Detection
version: '1.0'
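As an added illustration, not part of this analytic story or of Splunk's own searches, the Python below re-implements the three checks the narrative describes (account harvesting by registration email domain, anomalous click cadence, and one password hash presented by several accounts) over constructed sample events; the field names, thresholds and sample values are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample events (not real data): (account, email) at registration,
# (account, epoch seconds) per page hit, (account, keyed password hash) at login.
REGISTRATIONS = [
    ("u1", "a@mailbulk.example"), ("u2", "b@mailbulk.example"),
    ("u3", "c@mailbulk.example"), ("u4", "D@MailBulk.example"),
    ("alice", "alice@corp.example"),
]
CLICKS = [("bot", t) for t in (0, 2, 4, 6, 8)] + \
    [("alice", t) for t in (0, 7, 19, 25, 41)]
LOGINS = [("u1", "h_aaa"), ("u2", "h_aaa"), ("u3", "h_aaa"), ("alice", "h_zzz")]


def account_harvesting(regs, threshold=3):
    """Email domains behind >= threshold new accounts (case-insensitive)."""
    by_domain = defaultdict(set)
    for account, email in regs:
        by_domain[email.rsplit("@", 1)[-1].lower()].add(account)
    return {d: len(a) for d, a in by_domain.items() if len(a) >= threshold}

def anomalous_clickspeed(clicks, max_mean_gap=1.0, max_stdev=0.1, min_clicks=4):
    """Accounts whose inter-click gaps are very short (mean) or near-constant (stdev)."""
    by_account = defaultdict(list)
    for account, ts in clicks:
        by_account[account].append(ts)
    flagged = {}
    for account, times in by_account.items():
        if len(times) < min_clicks:
            continue  # too few hits to judge cadence
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m, sd = mean(gaps), pstdev(gaps)
        if m <= max_mean_gap or sd <= max_stdev:
            flagged[account] = (round(m, 2), round(sd, 2))
    return flagged

def password_sharing(logins, min_accounts=2):
    """Password hashes presented by >= min_accounts distinct accounts."""
    by_hash = defaultdict(set)
    for account, pw_hash in logins:
        by_hash[pw_hash].add(account)
    return {h: sorted(a) for h, a in by_hash.items() if len(a) >= min_accounts}

if __name__ == "__main__":
    print("harvesting:", account_harvesting(REGISTRATIONS))
    print("clickspeed:", anomalous_clickspeed(CLICKS))
    print("pw sharing:", password_sharing(LOGINS))
```

The clickspeed check flags the scripted account on cadence (zero standard deviation) even though its mean gap is not unusually short, which is the "perfect click cadence" case the narrative calls out.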