Online businesses are facing new threats. Hackers and fraudsters continue to devise new techniques to break into online applications, trick legitimate online customers and disguise the computers and systems being used to launch their nefarious fraud schemes. Any organization that conducts business online, including banks and credit unions, online brokerages, online merchants that take payments over the web, payment processors and others, needs to understand the new threats it faces and adopt the tools and best practices that protect itself and its customers from web fraud.

This paper describes the newest means fraudsters and hackers are using to mask their true location, identity and the systems they use. It also introduces ThreatMetrix™ VPN Detection and Phishing Detection, the latest innovations from ThreatMetrix™ that allow online businesses to prevent fraud attempts initiated by malicious elements.

The Problem

Fraudsters are innovating increasingly clever methods to trick online users and to hide their own tracks while they execute their fraudulent activities. A key technique in the arsenal of fraudsters is to mask their true location and computer characteristics. The machine being used by the fraudster typically has many of its features masked – for example the browser being used may be Firefox but may be reported as IE9, the operating system may be Linux but may be reported as Windows, and very importantly the IP address may be misrepresented, hiding the true location of the fraudster. Online services, websites and applications typically rely heavily on IP location information to function – e.g. a business may provide general information over the web, but completely deny online service requests from locations where it does not have a presence.

Fraudsters have previously relied on the use of proxies to hide their IP addresses, and hence their true locations. There are a number of proxies and anonymizer services that web users can use to hide their online activity and conceal their actual IP address from web sites they visit, applications they access and web services they consume. These anonymizers are used by fraudsters to hide their true location and hence identity when they commit fraud. However, as proxy piercing technologies that discover the true IP signature of proxied machines have become more common, hackers and fraudsters have started to rely on VPN servers instead. Connections from behind VPN servers are extremely difficult to detect, and this technique has allowed fraudsters to continue to operate unfettered.

Hackers and fraudsters have also escalated their attacks on online consumers. Hacking attempts continue to target web users while the users are accessing their various accounts, email addresses and social networks, with the goal of stealing these credentials. Phishing is an ever-increasing threat that targets online customer credentials, and typically occurs away from the target account website – e.g. banking credentials or online merchant account passwords are disclosed to malicious websites hosted thousands of miles away. While organizations realize the importance of protecting their customers’ online credentials, many organizations are not sure how to do so.

Finally, malicious software living on customer desktops, laptops and mobile devices is also a major component of the fraud network. Many kinds of malware are able to infect an end-user’s device, allowing hackers to collect critical information from legitimate users as well as to fully control any Internet sessions initiated from the end-user’s device. Trojans, man-in-the-browser (MitB) software, key-loggers and other malware compromise the user sessions initiated by good customers without their knowledge and are responsible for millions of dollars in fraud annually.

ThreatMetrix’s latest set of solutions combines innovative technologies with a vast network of fraud intelligence to help businesses fight fraud, including preventing fraudulent transactions and chargebacks, ensuring only legitimate users may log in to sensitive applications, and preventing malicious software from compromising customer accounts. In addition, these solutions facilitate compliance with fraud prevention mandates from the FFIEC and other agencies.

ThreatMetrix Global Fraud Intelligence

ThreatMetrix leverages Global Fraud Intelligence to distinguish between normal and anomalous activity before the access attempt or web transaction is initiated. ThreatMetrix has a global repository of laptops, desktops and mobile devices with actual web transaction records associated with each device. ThreatMetrix has compiled this repository by profiling up to 40 million devices every day from the hundreds of customers and thousands of websites for which we provide fraud prevention solutions.

Legacy security and fraud prevention systems rely on log analysis, alerts and after-the-fact reporting – and suffer from very high false positive rates. The cost to respond to any incident is also very high if the response occurs later in the post-incident analysis process. ThreatMetrix Digital Identity Network relies on fact-based predictive analytics to stop fraud before the incident occurs. This approach requires the extensive transaction and web request history that ThreatMetrix has built, and can determine whether a web request coming from a particular device and user is risky based on across-the-globe information available on that device.

For example, if a particular user has exhibited fraudulent, risky behavior across the network in the past and then makes a new application request (or financial transaction attempt) with a new e-retailer, ThreatMetrix will associate a high risk score with that request even if the user has never previously visited this e-retailer. In another scenario, a profile is built up for any user that has conducted web activity across the network, and any web transaction request that deviates significantly from that profile will also result in a high risk score. Each individual customer and web transaction benefits from the collective knowledge across the Digital Identity Network, and every additional transaction adds to the network. This collective intelligence reduces fraud occurrences by up to 75 percent.

Ground-Breaking Technologies From ThreatMetrix

ThreatMetrix has introduced some innovative technologies to combat the increasingly sophisticated techniques being used by fraudsters. ThreatMetrix VPN Detection gives security and fraud analysts visibility into a key masking technique used by fraudsters. ThreatMetrix Phishing Detection helps organizations protect their customers, and themselves, from fraud by proactively alerting fraud analysts to potentially compromised customer accounts.

TrustDefender™ ID VPN Detection

TrustDefender ID introduces VPN Detection technology that, for the first time, allows fraud analysts to detect fraudsters trying to hide their identity and true location by using a VPN server. TrustDefender ID exposes additional TCP/IP packet header attributes, allowing analysis of the network connection type from an originating device. Further, additional attributes can be evaluated to determine other connection methods, such as Ethernet, 3G, 4G and WiFi. This capability is extremely important with the growing trend of fraud attempts targeted to online application users, and particularly mobile users. By incorporating VPN detection, any attempt to mask the connection type from the typical fraudster’s machine will immediately be uncovered.

This VPN detection capability is seamlessly incorporated into and leverages the various functions provided by the rest of the ThreatMetrix Cybercrime Defender Platform. VPN detection can be translated into Rules and Alerts for automated reporting and enforcement of non-compliant or anomalous connections to your website.

TrustDefender™ ID Phishing Detection

TrustDefender ID also incorporates the ability to detect if a customer may have been the target of a successful phishing attack. When a phishing attack is detected and a user’s credentials have been compromised, the organization housing the account can execute a number of fraud prevention tactics to proactively mitigate the risk of fraudulent activity occurring on that customer account. These tactics may include notifying the customer, verifying that the customer still has control of the account, forcing a reset of the credentials, putting the account on a high-risk watchlist or even suspending the account. ThreatMetrix Phishing Detection ensures that the organization has the visibility into potentially compromised accounts, and the necessary fraud mitigation steps are taken before any fraudulent activity actually occurs.

The Phishing Detection technology works by exposing the referrer URL to the ThreatMetrix rules engine to detect if a device is connecting to the organization’s website via unknown, suspicious or non-affiliated sources. The detection of these referrers can be translated into rules and alerts for automated reporting and enforcement of non-compliant or anomalous connections to your website.
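A referrer rule of the kind described above can be sketched as follows. This is an added illustration, not ThreatMetrix code or its rules engine: the domains, the affiliate allow-list and the "suspicious" heuristics are assumptions chosen for the example, and the sample events are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

OWN_DOMAIN = "examplebank.test"                    # hypothetical protected site
AFFILIATES = {"partner-pay.test", "search.test"}   # hypothetical affiliate allow-list

def _within(host, domain):
    """Match on a label boundary so notexamplebank.test is not treated as ours."""
    return host == domain or host.endswith("." + domain)

def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def classify_referrer(referrer, own=OWN_DOMAIN, affiliates=AFFILIATES):
    if not referrer:
        return "none"            # typed URL, bookmark, or referrer stripped
    try:
        host = (urlsplit(referrer.strip()).hostname or "").lower().rstrip(".")
    except ValueError:
        host = ""
    if not host:
        return "unknown"         # header present but no usable host
    if _within(host, own):
        return "internal"
    if any(_within(host, a) for a in affiliates):
        return "affiliated"
    brand = own.split(".")[0]
    # Assumed heuristics: brand name inside a foreign host, raw IP, punycode label.
    if brand in host.replace("-", "") or _is_ip(host) or "xn--" in host:
        return "suspicious"
    return "unknown"

def alerts(events):
    """Return (session_id, verdict) for sessions a rule would flag for review."""
    verdicts = [(sid, classify_referrer(ref)) for sid, ref in events]
    return [(sid, v) for sid, v in verdicts if v in ("suspicious", "unknown")]

# Constructed sample: (session id, Referer header seen on the login page)
SAMPLE = [
    ("s1", "https://www.examplebank.test/home"),
    ("s2", "https://examplebank.test.login-verify.test/signin"),
    ("s3", "http://203.0.113.7/secure/login.php"),
    ("s4", "https://partner-pay.test/checkout"),
    ("s5", "https://news.test/article"),
]
```

A missing referrer is reported as "none" rather than flagged, because browsers and referrer policies routinely strip the header; the referrer is one signal to feed into account-review rules, not proof of compromise on its own.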

TrustDefender™ Cloud Page Fingerprinting and MitB Detection

With this release, ThreatMetrix completes the integration of TrustDefender ID and TrustDefender Cloud, bringing device identification and malware detection together from a monitoring and administrative perspective.

TrustDefender Cloud mitigates the risk of undetected Trojans or hidden malware compromising your customers or visitors when they connect with your site. TrustDefender Cloud is a real-time service that identifies and alerts you to all malware, MitB and Trojan attacks targeting your website.

Unlike first generation signature-based methods, the patent-pending TrustDefender Cloud technology detects existing and new MitB injection attacks automatically and transparently to the end customer. It monitors web transactions with your business and alerts you to signs of theft or fraud. It delivers true MitB protection that works easily, quickly and reliably, without any client download or registration.

Using TrustDefender Cloud, online businesses and organizations can:

  • Detect hidden malware compromising authenticated sessions to steal data, identities or money
  • Identify mobile transactions with potentially insecure devices
  • Add another layer of device information to website security and fraud prevention measures

The TrustDefender Cloud solution has been fully integrated with the existing TrustDefender ID Portal web application, providing the following benefits:

  • Single interface to administer both TrustDefender ID and TrustDefender Cloud
  • Shared rules engine between TrustDefender ID and TrustDefender Cloud
  • Shared reporting interface between TrustDefender ID and TrustDefender Cloud
  • Single API call for both TrustDefender ID and TrustDefender Cloud
  • No changes to customer page tags required to implement TrustDefender Cloud
  • TrustDefender Cloud functionality can easily be enabled for customers via our integrated licensing system

With this integration completed, ThreatMetrix customers can now enable both device ID and malware protection using a single set of tags for their website, and are able to monitor and administer the implementation through a single ThreatMetrix portal.

ThreatMetrix and Mobile Platforms

The ThreatMetrix Cybercrime Defender Platform also extends to mobile devices and transactions coming from mobile browsers. As mobile handhelds are of particular concern, this section highlights a few important technical details regarding mobile browsers.

TrustDefender ID and Cloud use only minimal client resources and therefore work well on any mobile browser that implements JavaScript at least in part. TrustDefender Cloud has been tested with the most common mobile operating systems including BlackBerry, Symbian, iOS and Android. The page fingerprint algorithm works exactly the same way, hence all the features of TrustDefender Cloud are available to their full extent on these mobile devices.


Businesses that operate online, and their customers, are increasingly at risk from motivated hackers who apply sophisticated techniques to commit fraud. VPN servers are successfully used by fraudsters to circumvent legacy device identification methods. Phishing is a common technique utilized by fraudsters to fool online customers into giving up valuable account information and opening the door to various kinds of fraud.

ThreatMetrix introduces key patented technologies that arm banks, online merchants and businesses with web facing applications with a way to uncover fraudsters trying to hide behind VPN servers, and notify organizations of potential account takeovers. ThreatMetrix Digital Identity Network completes the fraud prevention solution, providing a holistic, layered approach to tackling web-application and transaction breaches in a cost-effective way without creating any false positives.

ThreatMetrix Digital Identity Network and TrustDefender products come together in a comprehensive security solution that integrates predictive analytics, device identification and malware detection to protect online transactions and identities.
