Tapscape

How Reverse WHOIS Domain Lookups Can Help in Fraud Detection

No matter what form fraud takes—credit card, banking, or insurance fraud—no one is immune to the threat. You may remember Abraham Abdallah, the busboy who broke into the bank and credit card accounts of well-known personalities in 2001. Among his victims were Warren Buffett, Oprah Winfrey, Michael Bloomberg, Steven Spielberg, and Michael Eisner. Fast forward almost two decades, and credit card and banking fraud is still on the rise.

Every year, millions of users report fraudulent transactions, a quarter of which result in financial loss. In 2018, consumers lost a total of US$1.48 billion to fraud. That most victims still had their credit cards in their possession made no difference, because card-not-present fraud has become prevalent thanks to the Internet.

Companies should, therefore, stop treating fraud detection as merely an IT or legal problem and treat it as a business problem. Protecting users should be one of the many goals of security operations centers (SOCs), and fraud detection is one of the first steps toward reaching that goal.

Examining WHOIS Records to Combat Fraud

Since online fraud mostly begins with phishing, one of the first things to examine in fraud detection is the WHOIS record of a suspect’s domain. To access this record, you usually input a domain name and get back its owner’s registration details, including the registrant’s name and contact information.

But that may not always be enough where legitimate domains are used to conduct fraud, as the example in the next section will show. In that case, you may still be able to learn something relevant by querying a different data point, say, an email address, to begin your cybercrime investigation with a reverse WHOIS lookup.

How to Use Reverse WHOIS Search to Detect Fraud

Let’s take the example of services@apple[.]com. Though the email address contains the domain name apple[.]com and would be considered safe by many, it has been used to conduct PayPal fraud in which employees are alerted that their company’s PayPal account has been limited.

Running the suspicious email address through a reverse domain name lookup tool reveals associated domain names, that is, domains whose WHOIS records contain the same registration details. In this case, our reverse WHOIS lookup found five domains that contain services@apple[.]com in their WHOIS records, namely:

These domain names are not necessarily active, but since they turned up in the reverse domain name lookup, at some point in time they had the email address in question in their WHOIS records. Reverse WHOIS Search also examines a domain name’s historical WHOIS records, so a domain still matches even if its ownership details have since changed.

Given these domain names, SOCs have something more to work with. They could use a threat intelligence platform to dig deeper into the domains. As it turns out, all five domains associated with the suspicious email address in our example are known malware hosts. That is a red flag for fraud as threat actors may use malware to steal victims’ credit card and banking information.
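The pivot described above (query a suspicious email address, collect every domain whose current or historical WHOIS record contains it, then enrich the hits with threat intelligence), as an added example that is not code from the article or from any WHOIS API vendor. The WHOIS records, domain names (reserved .example placeholders) and malware-host feed are constructed for illustration; only the pivot email is taken from the article.

```python
from collections import defaultdict

# Constructed sample of WHOIS records, including historical snapshots of the
# same domain. Domain names, dates and other addresses are placeholders.
SAMPLE_WHOIS_RECORDS = [
    {"domain": "shop-one.example", "seen": "2017-03-01",
     "registrant_email": "services@apple.com", "admin_email": "services@apple.com"},
    # Later snapshot: ownership changed, but the historical match must still count.
    {"domain": "shop-one.example", "seen": "2019-06-01",
     "registrant_email": "other@mail.example", "admin_email": "other@mail.example"},
    # Match only in the admin contact, with different letter case.
    {"domain": "pay-alert.example", "seen": "2018-01-15",
     "registrant_email": "admin@pay-alert.example", "admin_email": "SERVICES@APPLE.COM"},
    {"domain": "legit-site.example", "seen": "2018-05-05",
     "registrant_email": "owner@legit-site.example", "admin_email": "owner@legit-site.example"},
]

# Constructed threat-intel feed standing in for the platform lookup (hypothetical data).
SAMPLE_MALWARE_HOSTS = {"shop-one.example", "pay-alert.example"}

def refang(indicator):
    """Turn a defanged indicator such as 'services@apple[.]com' back into a queryable form."""
    return indicator.replace("[.]", ".").strip().lower()

def build_reverse_index(records):
    """Map every email found in any contact field of any snapshot to the domains using it."""
    index = defaultdict(set)
    for rec in records:
        for field in ("registrant_email", "admin_email", "tech_email"):
            value = rec.get(field)
            if value:
                index[value.strip().lower()].add(rec["domain"])
    return index

def reverse_whois(email, records):
    """Reverse WHOIS pivot: domains whose current or historical records contain the email."""
    return sorted(build_reverse_index(records).get(refang(email), set()))

def assess(email, records, malware_hosts):
    """Enrich the pivot results: any hit on a known malware host is the red flag the text describes."""
    domains = reverse_whois(email, records)
    flagged = [d for d in domains if d in malware_hosts]
    return {"email": refang(email), "domains": domains,
            "malware_hosts": flagged, "red_flag": bool(flagged)}

if __name__ == "__main__":
    print(assess("services@apple[.]com", SAMPLE_WHOIS_RECORDS, SAMPLE_MALWARE_HOSTS))
```

In a SOC integration the two sample structures would be replaced by the reverse WHOIS API response and the threat intelligence feed; the matching and enrichment logic stays the same.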

Takeaways

Cybercrime investigation and fraud detection are no easy tasks for SOCs, but they are also critical business processes. Failing to curb fraud would ultimately lead to the loss of customer trust. Beyond customers, business partners and even the organization’s own employees would view it in a bad light, especially if the incident was preventable.

As such, SOCs must take advantage of every tool available to enhance the effectiveness of fraud detection. While there are still some steps in the process that require manual effort, SOCs can automate reverse domain lookups by integrating programs like Reverse WHOIS API into threat intelligence platforms or security information and event management (SIEM) systems.