Service Objects’ Blog

Thoughts on Data Quality and Contact Validation

Posts Tagged ‘IP Address Validation’

Looking Beyond Simple Blacklists to Identify Malicious IP Addresses

Using a blacklist to block malicious users and bots that would cause you aggravation and harm is one of the most common and oldest methods around (according to Wikipedia, the first DNS-based blacklist was introduced in 1997).

There are various types of blacklists available. Blacklists exist for IP addresses, domains, email addresses and user names. The majority of these lists concentrate on identifying known spammers. Others serve a more specific purpose, such as IP lists that help identify known proxies, Tor exit nodes and VPNs, email lists of known honeypot addresses, or lists of disposable email domains.

There are many different types of malicious activity that occur on the internet and there are various types of lists out there to help identify and prevent it; however, there are also various problems with lists.

The problem with lists:

In order for a list to identify a malicious activity, that activity must first occur, then be reported, then be propagated to the list's consumers. It is not uncommon for the malicious activity to have stopped by the time it has been reported and propagated, and not all malicious activity is reported at all. If you encounter the malicious activity before it is reported, the list cannot help you act on it preemptively.

IPs, domains, email addresses and usernames are dynamic and disposable. If a malicious user or bot gets blocked, it can easily switch to a different IP, domain, etc.

Some lists offer warnings that blocking an IP address could affect thousands of users who depend on it in order to obtain crucial information that they would otherwise not have access to. So block responsibly.

Aggregating data to more effectively identify malicious activity:

Instead of looking at one list to perform a simple, straightforward lookup, we can take advantage of multiple datasets to uncover patterns and relationships between seemingly disparate values. A simple example is relating user names to email addresses, email addresses to domains and domains to IP addresses, which allows us to view the activity of one value and compare it to the behavior of related values. Using complex algorithms with machine learning to process large samples of data, we can intelligently discern whether a value is directly or indirectly related to a malicious activity.

How Service Objects keeps it simple for the user:

The DOTS IP Address Validation service currently has two flags to help its users deal with malicious IPs, ‘MaliciousIP’ and ‘PotentiallyMaliciousIP’. The ‘MaliciousIP’ flag indicates that the IP address recently displayed malicious activity and should be treated as such. The ‘PotentiallyMaliciousIP’ flag indicates that the IP address recently displayed one or more strong relationships to a malicious activity and has a high likelihood of being malicious. Both flags should be treated as warnings, with the ‘MaliciousIP’ flag scrutinized more severely.
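As an added illustration of the relationship idea described above (this is example code written for this page, not Service Objects' implementation; the usernames, email addresses, domains, IPs, edges and the known-bad list are all constructed), the following Python builds a small graph of observed relationships and labels an IP ‘MaliciousIP’ when it is itself on the known-bad list, or ‘PotentiallyMaliciousIP’ when it sits within a few hops of a known-bad entity. The hop limit and the use of plain breadth-first search as the "strong relationship" test are assumptions of the example; the scoring the real service applies is not described on this page.

```python
"""Example (not Service Objects' code): label IP addresses by their direct
or indirect relationship to known-malicious identifiers.

Entities (usernames, emails, domains, IPs) are graph nodes; an edge records
that two identifiers were observed together (user -> email, email -> domain,
domain -> IP).  All data below is constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed observations: pairs of identifiers seen together.
OBSERVED_RELATIONS = [
    ("user:alice", "email:alice@example.com"),
    ("email:alice@example.com", "domain:example.com"),
    ("domain:example.com", "ip:203.0.113.10"),
    ("user:spamking", "email:spamking@bad.example"),
    ("email:spamking@bad.example", "domain:bad.example"),
    ("domain:bad.example", "ip:198.51.100.7"),
    ("domain:bad.example", "ip:198.51.100.8"),
    ("user:spamking", "email:spamking@example.net"),
    ("email:spamking@example.net", "domain:example.net"),
    ("domain:example.net", "ip:192.0.2.44"),
]

# Constructed "known malicious" set, as a single blacklist would provide it.
KNOWN_MALICIOUS = {"ip:198.51.100.7", "user:spamking"}


def build_graph(relations):
    """Undirected adjacency map from the observed pairs."""
    graph = defaultdict(set)
    for a, b in relations:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def hops_to_malicious(graph, start, known_bad, max_hops=3):
    """Breadth-first distance from `start` to the nearest known-bad entity,
    or None if none is reachable within `max_hops`."""
    if start in known_bad:
        return 0
    seen = {start}
    queue = deque([(start, 0)])
    while queue:
        node, dist = queue.popleft()
        if dist >= max_hops:
            continue
        for nxt in graph[node]:
            if nxt in known_bad:
                return dist + 1
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def classify_ip(ip, graph, known_bad=KNOWN_MALICIOUS, max_hops=3):
    """Map graph distance onto the two warning flags (assumed thresholds)."""
    hops = hops_to_malicious(graph, f"ip:{ip}", known_bad, max_hops)
    if hops == 0:
        return "MaliciousIP"
    if hops is not None:
        return "PotentiallyMaliciousIP"
    return "Clean"


if __name__ == "__main__":
    g = build_graph(OBSERVED_RELATIONS)
    for ip in ("198.51.100.7", "198.51.100.8", "192.0.2.44", "203.0.113.10"):
        print(ip, classify_ip(ip, g))
```

Note that 198.51.100.8 is never on a list itself; it is flagged only because it shares a domain with a listed IP, which is the kind of indirect signal a single blacklist lookup cannot produce. The hop limit matters: with `max_hops=2` the IP behind `example.net` (three hops from the listed username) drops back to clean.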

The warning signs of online fraud are out there, but you need a means of discovering them. Our IP Validation service encompasses many of the identification strategies necessary to make split-second decisions on would-be attackers before any harm is done.

Using Geolocation Technology to Fight Fraud

Good news – someone wants to place a large online order for one of your company’s products, shipped to their business in the United States. But in reality, this person is a scammer from some boiler room halfway around the world. They are using a spoofed phone number, an address for an anonymous drop shipment point, and a stolen credit card number that will eventually get charged back to you.

Fraudsters can leverage the anonymity of the web to do everything from transferring money to purchasing valuable goods for resale on the black market. And the growth of online commerce and card-not-present (CNP) transactions has fueled online fraud as a lucrative industry. According to an annual report from CyberSource, as of 2016 companies lose nearly one percent (0.8%) of their revenues to fraud. It occurs almost equally across companies of all sizes, and 83% of them conduct manual reviews of orders to try and combat this fraud.

It is this latter area – manual verification – that often becomes a tough choice for businesses. Do you tighten up your screening process, and risk rejecting valid orders and losing customers? Or do you become more of an easy target for criminals? Either way, this manual verification, which can take several minutes per transaction checked, represents a substantial cost on top of any losses or chargebacks you endure because of fraud.

One of the key criteria for fraudulent transactions is the location of the purchaser. Common red flags for problem transactions include:

  • A purchaser whose IP address is far from their delivery address – for example, someone in Asia orders something to be shipped to a business in Indiana
  • Anonymous or so-called “dark web” IP addresses designed to mask the user’s location, including proxy servers and virtual private networks (VPNs)
  • Orders from multiple locations over a short period of time

On the other hand, simple screening criteria such as rejecting orders from VPNs, proxy servers and distant locations are blunt instruments that can exclude legitimate customers, such as people traveling on business. Moreover, manual verification of these orders represents a substantial transactional cost that affects your organization’s margins.

This is where automated geolocation tools can make a real difference in fraud prevention. Using continually updated databases, and often working as an API called directly from your web processes, these tools can automatically validate and cross-reference criteria such as mailing addresses, phone numbers and IP addresses for legitimacy. They can also validate the credit card itself, using bank identification number (BIN) validation. More importantly, bundled tools for lead or order generation can perform multi-function verifications using composite criteria, returning a 0-100 quality score on the overall validity and authenticity of the customer.
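To make the red flags listed above concrete, here is an added Python example (written for this page, not Service Objects' code) that turns three of them into a 0-100 risk score for one order: the great-circle distance between the purchaser's IP geolocation and the delivery address, an anonymizer flag for proxy/VPN/Tor, and whether other orders on the same account came from distant locations within a short window. The coordinates, thresholds, weights and the `anonymizer` flag are constructed assumptions; in production the coordinates and the flag would come from an IP geolocation or IP validation lookup.

```python
"""Example (not Service Objects' code): combine geolocation red flags into a
0-100 order risk score.  Coordinates, thresholds and weights are constructed
and illustrative, not calibrated."""
import math
from datetime import datetime, timedelta

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def order_risk_score(ip_geo, ship_geo, anonymizer, order_history, now,
                     window=timedelta(hours=24)):
    """Score one order and explain the score.

    ip_geo, ship_geo : (lat, lon) of the purchaser's IP and the delivery address
    anonymizer       : True when the IP was flagged as a proxy, VPN or Tor exit
    order_history    : [(timestamp, (lat, lon)), ...] earlier orders on the
                       same account, for the 'multiple locations' flag
    Returns (score capped at 100, list of reason strings).
    """
    score, reasons = 0, []

    # Flag 1: IP location far from the delivery address.
    dist = haversine_km(*ip_geo, *ship_geo)
    if dist > 2000:
        score += 40
        reasons.append(f"ip_far_from_delivery:{dist:.0f}km")
    elif dist > 500:
        score += 15
        reasons.append(f"ip_distant_from_delivery:{dist:.0f}km")

    # Flag 2: anonymizing network (proxy / VPN / Tor).
    if anonymizer:
        score += 30
        reasons.append("anonymizing_ip")

    # Flag 3: orders from widely separated locations inside the window.
    recent = [geo for ts, geo in order_history if now - ts <= window]
    spread = max((haversine_km(*geo, *ip_geo) for geo in recent), default=0.0)
    if spread > 1000:
        score += 30
        reasons.append(f"orders_from_multiple_locations:{spread:.0f}km")

    return min(score, 100), reasons


# Constructed sample data: an order whose IP geolocates to Singapore, shipping
# to Indianapolis, through a VPN, with another order from London two hours
# earlier on the same account; and a benign Chicago-to-Indianapolis order.
NOW = datetime(2024, 1, 15, 12, 0)
SINGAPORE = (1.35, 103.82)
INDIANAPOLIS = (39.77, -86.16)
LONDON = (51.51, -0.13)
CHICAGO = (41.88, -87.63)
RECENT_LONDON_ORDER = [(NOW - timedelta(hours=2), LONDON)]
OLD_LONDON_ORDER = [(NOW - timedelta(days=3), LONDON)]

if __name__ == "__main__":
    print(order_risk_score(CHICAGO, INDIANAPOLIS, False, [], NOW))
    print(order_risk_score(SINGAPORE, INDIANAPOLIS, True, RECENT_LONDON_ORDER, NOW))
```

The reason list is what makes the score usable for the manual-review step the post describes: a reviewer sees why an order scored high rather than just the number. The thresholds deliberately leave a few hundred kilometres of slack so that a traveller ordering from a neighbouring city is not penalised, which is the blunt-instrument problem the next paragraph raises.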

Held up against the financial, merchandise and time losses associated with fraud, not to mention the potential loss of goodwill and market share among existing customers, automated geolocation tools can be an extremely cost-effective solution for a universal problem among businesses. Unfortunately, fraud will always be with us, thanks to human nature, and these tools help you and your business stay one step ahead of the problem.

Protecting Yourself from High Risk IP Fraud

With the holiday season upon us, online sales surge as customers place orders with retailers. But not all orders, form submissions, and lead generation efforts are legitimate. Fraud identification systems that can properly identify illegitimate cases range from simple to complex, with the latter using methods such as tracking user behavior and performing elaborate authentication. Most, if not all, fraud identification strategies incorporate one fundamental step: IP validation.

IP validation identifies the origin of an IP, which is crucial for assessing whether the IP is legitimate or should be considered High Risk. An IP is categorized as High Risk based on multiple factors, including whether it is a Tor network exit node, whether it sits behind an anonymous or elite proxy, whether it has been blacklisted for suspicious or spam activity, and whether it originates in a country considered High Risk for fraudulent activity.

Anonymous Proxies

A typical HTTP request includes header information that describes the origin of the request. Requests that emanate from an anonymous proxy hide the originating IP and present only the proxy's IP. Anonymous proxies are available over either the SOCKS or the HTTP protocol: an HTTP proxy handles general HTTP/HTTPS requests (and FTP in some cases), while a SOCKS proxy can carry any type of network protocol.
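The header inspection this paragraph alludes to, as an added Python example written for this page (not Service Objects' code; the header sets are constructed). It reads the standard `Forwarded` (RFC 7239), `X-Forwarded-For` and `Via` headers and classifies the connection as coming with no declared proxy, through a proxy that announced itself but disclosed no origin, or through a transparent proxy that named the original client. The classification labels are the example's own. The important caveat it encodes: a proxy that strips all forwarding headers is indistinguishable from a direct client at this layer, and the headers are client-supplied, so they should only be trusted where your own edge sets or overwrites them; both points are why IP reputation data is needed alongside header checks.

```python
"""Example (not Service Objects' code): classify an HTTP connection from its
forwarding headers.  Header values below are constructed."""
import ipaddress


def _strip_port(node):
    """Reduce an RFC 7239 node such as '[2001:db8::1]:4711', '192.0.2.3:80',
    '192.0.2.3', '_hidden' or 'unknown' to its address/identifier part."""
    node = node.strip().strip('"')
    if node.startswith("["):                 # bracketed IPv6, optional port
        return node[1:node.index("]")]
    if node.count(":") == 1:                 # IPv4 with a port
        return node.split(":")[0]
    return node


def parse_forwarded(value):
    """Extract the 'for=' nodes, in order, from a Forwarded header."""
    nodes = []
    for element in value.split(","):
        for pair in element.split(";"):
            key, _, val = pair.strip().partition("=")
            if key.lower() == "for" and val:
                nodes.append(_strip_port(val))
    return nodes


def parse_xff(value):
    """X-Forwarded-For is a comma-separated list, original client first."""
    return [p.strip() for p in value.split(",") if p.strip()]


def first_ip(nodes):
    """First chain element that is a syntactically valid IP address;
    'unknown' and obfuscated identifiers such as '_hidden' are skipped."""
    for node in nodes:
        try:
            return str(ipaddress.ip_address(node))
        except ValueError:
            continue
    return None


def classify_request(remote_addr, headers):
    """Classify the connection arriving from `remote_addr`.

    none_declared      - no proxy header at all: a direct client, or an
                         anonymous proxy that reveals nothing about itself
    declared_anonymous - a proxy announced itself (Via / Forwarded / XFF)
                         but disclosed no usable origin address
    transparent        - the chain names an origin IP other than remote_addr

    Forwarding headers are set by whoever sends the request; trust them only
    when your own edge inserts or overwrites them.
    """
    h = {k.lower(): v for k, v in headers.items()}
    chain = []
    if "forwarded" in h:
        chain += parse_forwarded(h["forwarded"])
    if "x-forwarded-for" in h:
        chain += parse_xff(h["x-forwarded-for"])
    declared = any(name in h for name in ("via", "forwarded", "x-forwarded-for"))
    if not declared:
        return {"proxy": "none_declared", "origin_ip": remote_addr, "chain": []}
    origin = first_ip(chain)
    if origin is None or origin == remote_addr:
        return {"proxy": "declared_anonymous", "origin_ip": None, "chain": chain}
    return {"proxy": "transparent", "origin_ip": origin, "chain": chain}


if __name__ == "__main__":
    print(classify_request("198.51.100.9",
                           {"Via": "1.1 proxy.example",
                            "X-Forwarded-For": "192.0.2.77"}))
    print(classify_request("198.51.100.9", {"Via": "1.1 proxy.example"}))
```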

TOR Network

While an HTTP request issued from behind a proxy may be detectable from its header information, this is not the case for a request emanating from a Tor client. The Tor network routes requests through a series of participating nodes, anonymizing where the request originally came from.

VPN Service

A VPN, or virtual private network, offers fraudsters another method of concealing their identity. A VPN service provides a secure tunnel through which users connect to another host machine and execute requests that appear to emanate from the VPN host. A VPN adds the additional security of encrypting traffic between the user and the VPN host.

IP Blacklist

IP reputation services and DNS-based blacklists track and monitor suspicious and spamming activity. Users who violate a website or domain owner's terms of service can have their IP blacklisted, which blocks future activity from that IP. Website owners should also check their own IP to ensure their site has not been used in spamming attacks or other suspicious activity that could restrict their ability to operate. Accepting messages from an IP that has been blacklisted should be considered high risk.
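The blacklist check described here, together with the Tor exit-node check from the Tor section above, as an added Python example written for this page (not Service Objects' code). It shows the mechanics of a DNS-based blacklist lookup: the IPv4 octets are reversed and prefixed to the list's zone, and a listing is signalled by an A record (commonly a 127.0.0.x address whose last octet encodes the reason). The zone name `dnsbl.example`, the code-to-reason mapping, the Tor exit set and the `fake_resolve` function are all constructed placeholders so the example runs offline; a real DNSBL publishes its own zone and code meanings, and a real lookup would substitute an actual resolver (for instance dnspython's `dns.resolver.resolve(name, "A")`, treating NXDOMAIN as "not listed").

```python
"""Example (not Service Objects' code): DNS-based blacklist query construction
and decoding, plus a Tor exit-node list check, with the resolver injected so
the logic runs offline.  Zone, codes and lists are constructed placeholders."""
import ipaddress

DNSBL_ZONE = "dnsbl.example"          # placeholder; real operators publish theirs

# Constructed mapping of answer addresses to listing reasons.  Many DNSBLs
# encode the reason in the last octet of a 127.0.0.x answer.
LISTING_CODES = {
    "127.0.0.2": "spam_source",
    "127.0.0.3": "open_proxy",
    "127.0.0.4": "exploited_host",
}

# Constructed stand-in for a published Tor exit-node list.
TOR_EXIT_NODES = {"198.51.100.23"}


def dnsbl_query_name(ip, zone=DNSBL_ZONE):
    """Reverse the IPv4 octets and append the zone:
    192.0.2.44 -> 44.2.0.192.dnsbl.example"""
    addr = ipaddress.IPv4Address(ip)          # raises ValueError if not IPv4
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    return f"{reversed_octets}.{zone}"


def dnsbl_lookup(ip, resolve, zone=DNSBL_ZONE):
    """resolve(name) returns the A-record strings for `name`, or [] when the
    name does not exist (NXDOMAIN == not listed).  Returns listing reasons."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [LISTING_CODES.get(a, f"unknown_code:{a}") for a in answers]


def assess_ip(ip, resolve, tor_exits=TOR_EXIT_NODES):
    """Combine the blacklist and Tor exit checks into a High Risk verdict."""
    reasons = dnsbl_lookup(ip, resolve)
    if ip in tor_exits:
        reasons.append("tor_exit_node")
    return {"ip": ip, "high_risk": bool(reasons), "reasons": reasons}


# Constructed fake zone data and resolver standing in for real DNS.
_FAKE_ZONE_DATA = {
    "7.100.51.198.dnsbl.example": ["127.0.0.2", "127.0.0.3"],
}


def fake_resolve(name):
    return _FAKE_ZONE_DATA.get(name, [])


if __name__ == "__main__":
    for ip in ("198.51.100.7", "198.51.100.23", "203.0.113.1"):
        print(assess_ip(ip, fake_resolve))
```

Two practical points the structure makes visible: the query name is a normal DNS name, so these lookups can be cached and rate-limited like any other, and an unrecognised answer code is reported rather than silently dropped, because list operators add codes over time.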

BotNet

A botnet is another method fraudsters can use to conceal their identity. A botnet is a network of machines under the control of an attacker. Hackers frequently use botnets for large-scale attacks in which a high number of concurrent requests are issued to take down a system. Botnets can be built from any network-connected device, as evidenced by a recent attack on a major DNS provider that was executed by a network of connected home devices.

How to Protect Yourself

With all of the different methods of concealing identity available to fraudsters, the task of thwarting would-be thieves from disrupting your systems becomes much larger. Thankfully, DOTS IP Validation encompasses many of the identification strategies necessary to make split-second decisions on would-be attackers before any harm is done. From IP origin to proxy/Tor node detection, DOTS IP Validation has you covered.

How IP Validation Can Help Prevent Fraud

Have you ever been in a business with a sign that says, “We reserve the right to refuse service”? When doing business in person, merchants may be able to detect warning signs of potential fraud. Perhaps the name on a credit card is not the same as the name on the customer’s ID card. Maybe the customer appears overly nervous. Maybe the customer’s one hundred dollar bills seem too new or out of place. In order to protect themselves from fraud, these merchants may invoke that right and refuse to proceed with the transaction.

Though the warning signs of fraud are different when doing business online, you can protect your business by using IP validation.

What is IP Validation?

The DOTS IP Validation service is one of many tools to help prevent fraud. It does so by validating the IP address of online customers. IP addresses can reveal the general location of users. For example, if you use an Internet service provider (ISP) in Los Angeles, California, your IP address will indicate that you are in the Los Angeles area. This information is transmitted to websites as you use the Internet.

Most people have no reason to hide their IP addresses. In fact, most are unaware that they even have one.

How IP Validation Helps Prevent Fraud

Now, suppose you have an online customer who says that he is located in Los Angeles but is actually located in New Delhi, India — wouldn’t you want to know about this deceit?

With IP validation, you can compare the customer’s IP address with the address claimed. In the example above, you’d immediately discover a mismatch between New Delhi and Los Angeles — a sign of potential fraud. Since IP validation takes place in real time, you can immediately invoke your right to refuse service. In other words, the transaction can be halted before fraud can take place.

Ah, but fraudsters and malicious users know about IP validation, too — and they’re tricky. To escape detection, they often attempt to hide their true location from merchants by using network proxies.

The term proxy is defined as an entity that is used to represent the value of something else. Proxies are like substitutes, surrogates, or stand-ins. With these definitions in mind, a network proxy serves as a substitute for a user’s actual network IP address. It’s a fake.

Network proxy services are readily available around the world. While there are many legitimate reasons to use network proxies including corporate networking, access control, and security and privacy concerns, bad guys often use network proxies to obscure their locations.

Let’s revisit the user in New Delhi who claims to be in Los Angeles. He’s gotten smarter and is now hiding behind a proxy. His IP address no longer provides you with the crucial clue you need to detect the user’s actual location. Thus, IP validation won’t work — or will it?

DOTS IP Validation service can detect when an IP address is a part of a proxy network. Though the IP address and the claimed location may match, the fact that the customer is using a proxy is a red flag. It’s telling you that the user may be a fraudster or a malicious user and that caution is warranted.

While the user may or may not have a valid reason to use a proxy, wouldn’t you want to be alerted that something is awry before you do business?

Help protect your online business from potential fraud by using IP validation. The warning signs of online fraud are out there, but you need a means of discovering them. IP validation is one of those means.

Identify Tor Network Users with DOTS IP Address Validation

Last week our DOTS IP Address Validation web service received an exciting new feature enhancement – the ability to detect Tor network users within the anonymous proxy warning.

Using the Tor Network or similar anonymous proxies to hide one’s IP address allows fraudsters to easily conceal their true geographic location, enabling them to create potentially bogus transactions. Orders made with stolen credit cards create havoc for retailers, especially during the crucial holiday shopping season.

Customers using IP address validation can now uncover real-time location and network information about the IP address linked to the user, warning them of contacts utilizing anonymous and public proxies. This information empowers companies to make informed decisions about the risks associated with these types of online transactions.

The addition of this enhanced anonymous proxy feature has produced an interesting, and somewhat controversial conversation on Slashdot. Find out what others are saying here.

For more information about DOTS IP Address Validation and how to defend against online fraud, click here.

Service Objects is the industry leader in real-time contact validation services.

Service Objects has verified over 2.8 billion contact records for clients from various industries including retail, technology, government, communications, leisure, utilities, and finance. Since 2001, thousands of businesses and developers have used our APIs to validate transactions to reduce fraud, increase conversions, and enhance incoming leads, Web orders, and customer lists.