As is common with many fraud-related searches, we are usually looking to attribute risk or synthesize relevant context with loosely written detections that simply detect anomalous behavior. This search will need to be customized to fit your environment—improving its fidelity by counting based on something much more specific, such as a device ID that may be present in your dataset. Consideration for whether the large number of registrations are occurring from a first-time-seen domain may also be important. Extending the search window to look further back in time, or even calculating the average per hour/day for each email domain to look for anomalous spikes, will improve this search. You can also use Shannon entropy or Levenshtein distance (both courtesy of URL Toolbox) to consider the randomness or similarity of the email name or email domain, as the names are often machine-generated.

Sample rules

Web Fraud - Account Harvesting

Description

This search is used to identify the creation of multiple user accounts using the same email domain name.

Detection logic

`stream_http` http_content_type=text* uri="/magento2/customer/account/loginPost/"
| rex field=cookie "form_key=(?<SessionID>\w+)"
| rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)"
| search Username=*
| rex field=Username "@(?<email_domain>.*)"
| stats dc(Username) as UniqueUsernames list(Username) as src_user by email_domain
| where UniqueUsernames > 25
| `web_fraud___account_harvesting_filter`
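The tuning ideas from the note above (count per domain per hour, treat a first-time-seen domain with more suspicion, score how random the email name looks) carried out in Python, as an added example that is not part of the original rule set. It parses the same `login[username]` form field the search extracts, runs over constructed sample events and a constructed baseline of known domains, and shows Shannon entropy only (Levenshtein similarity is left out); the thresholds are parameters you would tune to your own traffic.

```python
import math
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample events, not real traffic: (_time as epoch seconds, form_data).
# The form field mirrors the Magento loginPost body the search parses.
EVENTS = [
    (1700000000, "login[username]=alice.smith%40example.com&login[password]=x"),
    (1700000100, "login[username]=bob%40example.com&login[password]=x"),
    (1700000200, "login[username]=q8z1kd0v%40burst.test&login[password]=x"),
    (1700000210, "login[username]=x7rp2m9a%40burst.test&login[password]=x"),
    (1700000220, "login[username]=k3jd8h2q%40burst.test&login[password]=x"),
    (1700000230, "login[username]=t9wz4c6b%40burst.test&login[password]=x"),
]

# Same character class the page's rex uses for the username.
USERNAME_RE = re.compile(r"login\[username\]=([^&|^$]+)")

def shannon_entropy(s):
    """Bits of entropy per character; machine-generated names tend to score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def hourly_domain_stats(events):
    """Group logins by (email_domain, hour bucket); return distinct-user count and mean entropy."""
    buckets = defaultdict(set)
    for ts, form_data in events:
        m = USERNAME_RE.search(form_data)
        username = unquote_plus(m.group(1)) if m else ""
        if "@" not in username:
            continue
        local, domain = username.rsplit("@", 1)
        buckets[(domain.lower(), ts // 3600)].add(local)
    return {
        key: (len(locals_), sum(shannon_entropy(l) for l in locals_) / len(locals_))
        for key, locals_ in buckets.items()
    }

def flag_harvesting(events, known_domains, min_users=3, min_entropy=2.5):
    """Flag a domain-hour when distinct usernames exceed the threshold, the domain is not in
    the baseline (first-time seen), and the local parts look random (high mean entropy)."""
    hits = []
    for (domain, hour), (n, ent) in hourly_domain_stats(events).items():
        if n >= min_users and domain not in known_domains and ent >= min_entropy:
            hits.append((domain, hour, n, round(ent, 2)))
    return hits
```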

Web Fraud - Password Sharing Across Accounts

Description

This search is used to identify user accounts that share a common password.

Detection logic

`stream_http` http_content_type=text* uri=/magento2/customer/account/loginPost*
| rex field=form_data "login\[username\]=(?<Username>[^&|^$]+)"
| rex field=form_data "login\[password\]=(?<Password>[^&|^$]+)"
| stats dc(Username) as UniqueUsernames values(Username) as user list(src_ip) as src_ip by Password
| where UniqueUsernames > 5
| `web_fraud___password_sharing_across_accounts_filter`

Web Fraud - Anomalous User Clickspeed

Description

This search is used to examine web sessions to identify those where the clicks are occurring too quickly for a human or are occurring with a near-perfect cadence (high periodicity or low standard deviation), resembling a script driven session.

Detection logic

`stream_http` http_content_type=text*
| rex field=cookie "form_key=(?<session_id>\w+)"
| streamstats window=2 current=1 range(_time) as TimeDelta by session_id
| where TimeDelta > 0
| stats count stdev(TimeDelta) as ClickSpeedStdDev avg(TimeDelta) as ClickSpeedAvg by session_id
| where count > 5 AND (ClickSpeedStdDev < .5 OR ClickSpeedAvg < .5)
| `web_fraud___anomalous_user_clickspeed_filter`