Harder times for fraudulent online shops

With online commerce on a steep rise, the potential for luring customers through false online shops is also growing. Now, however, Switzerland’s national research and education network SWITCH is working with partners to make things harder for the perpetrators. A new tool will spot patterns in the way fraudulent web shops are set up and enable fast action to delete them.

During three months of operation, a total of 90,842 new Swiss domains ending with .ch were registered. Of these, 411 were identified as fraudulent and were subsequently deleted by SWITCH.

“We would be kidding ourselves if we thought online fraud could be eliminated entirely in Switzerland, especially when we consider how easily available .ch domain names are. Nevertheless, SWITCH will continue to do everything it can to combat such abuse,” says Jakob Dhondt, security expert at SWITCH.

Criminals are refining their methods

The Swiss NREN began its efforts in 2017, looking for registration patterns that had previously appeared suspicious to an analyst. An example would be a conspicuous holder name in combination with a specific registration attribute.

“Our search would result in a list of suspicious domain names often containing thousands of entries,” Jakob Dhondt explains.

The list was then examined in more detail by a recognised authority, and domain names that were confirmed as being fraudulent were subsequently deleted by SWITCH.

Over time, the number of domain names discovered using this technique steadily decreased. This was seen as an indication of the cyber criminals becoming more refined in their methods. Consequently, SWITCH decided to develop a more advanced and automated anti-dote.

Police investigation is required

A new rule-based scoring system has been developed in collaboration with the national authorities and in close dialogue with other European registries.

The basis for the new online tool is the fact that cyber criminals provide false information about the holder when registering the domain name. The tool evaluates each new domain registration, awarding a score between 0 and 10 based on a set of criteria. For instance, the holders email address is checked against a list of suspicious domains, and the holder’s country and the registrar ID are matched against lists of countries and IDs that have been associated with fraudulent activity. These and other criteria are weighted and added up to arrive at the total score.

While in case of malware or phishing, SWITCH is authorised to block or delete domain names directly, this is not so for possibly fake online shops. Instead, the NREN will report domains that score above a specific value to the police, which will investigate further. If the police confirm the domain as fraudulent, SWITCH will be notified and instructed to block or delete the domain name.

Experimenting with machine learning

The set of criteria in the system is continuously revised in order to adapt to new methods on the attacking side. Further, new technology will be added in the near future:

“To improve the detection of fraud on the basis of false registration data, it is necessary to analyse the data in ever greater detail. The criminals are getting better and better at imitating legitimate domain registrations. Still, it is possible to find cases of misuse with the help of certain criteria, even if it does take more effort. As domains are often bulk registered by the cyber criminals, a certain degree of automation is necessary on their side. The automated processes will inevitably contain recognisable patterns. We have started experimenting with a machine learning approach: with the help of a labelled data set, a model is trained to identify patterns that are too complex to be identified using a basic rule,” Jakob Dhondt concludes.