Operator Procedures

Since each digital platform has its own special needs, the approaches to the console utilization for the information analysis may vary.

The main goal of this chapter is to provide an overview of several common (elementary and more advanced) techniques and give advice on how to use them for building a daily operator’s routine from scratch. With time, the described methods can be adapted more precisely to the observable needs of a platform.

From this perspective, we discern two major groups of techniques an operator can employ while putting gathered intelligence under scrutiny. That is:

1. User score review

2. Supplemental investigation

   • Rules review

   • IP address signals

All the techniques in these groups mostly differ in the initially observed signals. At the subsequent stages of the inspection, they tend to intertwine, such that an attentive tracing of any signal may lead to uncovering illicit pathways across different entities.

However, we generally recommend starting an operator’s daily routine with the first group of techniques and using the second group (more specifically, rules review) for further investigation of particular use cases.

User Score Review

On a day-to-day basis, we suggest beginning an operator’s session by proceeding to the Review queue page of a console. This page displays users with the lowest trust scores. Here, inspecting data in each row of the queue table, an operator has a choice of either:

• Setting user status right in the table’s row.

• First opening a page with more detailed user information by clicking on a user email.

In the latter case, on a user page, note the matched rules, warning signals, and the overall activity of a user. The more abnormalities an operator discovers, the higher the chance this is a fraudulent account. The status can be set on this page (see the upper-right corner) without getting back to the queue.

To set the status of a user, click the Not reviewed button and then choose an applicable action: Whitelist or Blacklist. Both actions remove a user from the review queue. Additionally, clicking the Blacklist button triggers the move of all tracked user identities onto a blacklist.

A similar sequence of actions can be performed starting from the Users page. This page gives access to all the users, not just the ones with low trust scores, which can sometimes be a preferred approach for getting a bigger picture of the user base.

Supplemental Investigation

A supplemental investigation implies an analysis of the additional warning signals. And since any characteristic that looks even vaguely unusual can be interpreted as a warning signal, in this section we specify the things to focus on in the first place.

Predominantly, an operator may undertake this part of the analysis by concentrating on such straightforward signals such as:

• Risky email addresses.

• Blacklisted entities.

• TOR network usage.

• VPN detection.

• Shared entities.

We look at each in greater detail in the ensuing subsections.

Rules Review

We advise beginning a supplemental investigation with the rules review.

The foundational instructions on the rules engine utilization are laid out in the Rules section. In the context of the supplemental investigation, use the second of the described methods. Namely,

1. Trigger rules manually to get a list of matching users.

2. Proceed with scrutinizing the user’s identities and activity.

Alternatively, open the Users page. On the page, note the rules filter at the top part of the Users table. This filter enables the selection of users with matching rules, thus easing access to the records that require an operator’s attention.

Below, see efficient rules that proved to be useful in common practice.

Email Address Rules

E13 New email domain

It is unconventional for ordinary users to have a recently registered email’s domain name.

R02 Email is on a blacklist

Being put on a blacklist is a high-alert signal.

E01 Invalid email format

An email address has an invalid format. An expected format is username@example.com.

E02 New domain, no profiles, no breaches

A higher risk is signalled due to a lack of an email address authenticity. The lack of authenticity is identified by three factors:

• An email address belongs to a recently created domain.

• Online profiles associated with an email were not found.

• The address does not appear in data breaches. (Unfortunately, it is quite typical for authentic email addresses to be compromised.)

E11 Disposable email

Malicious accounts are often created through the use of throwaway mailboxes.

E14 No MX record

An email’s domain name has no MX record, which means this domain cannot have any mailboxes. It is a sign of a fake mailbox.

E17 Free email and spam

An email address is on a spam list and is registered by a provider that offers free accounts. This signals a higher risk of spamming.

E19 Multiple emails changed

Changing email addresses associated with an account is a marker of a suspicious behaviour.

IP Address Rules

IP address analysis provides many opportunities for fraud detection. Commonly, we suggest running the following rules:

R01 IP is on a blacklist

An IP address on a blacklist is a high-alert signal.

I01 IP belongs to TOR

An IP address is assigned to The Onion Router network (TOR). TOR is used by a limited number of people for anonymisation purposes.

I03 IP appears on a spam list

An IP address is found on a spam list. This signals a possible adversarial activity (such as sending spam).

I04 Shared IP

Detection of several users with the same IP address indicates a high risk of multi-accounting.

VPN Usage Rules

A Virtual Private Network (VPN) usage marks an attempt to hide a real identity, including for fraudulent purposes. To detect VPN usage, trigger the following rules:

I05 IP belongs to a commercial VPN

A user prefers to conceal their location or bypass regional blocking.

I06 IP belongs to a datacenter

This may indicate VPN usage for anonymisation, but it can also be a marker of a bot (a script that performs pre-programmed actions with varying goals).

IP Address Signals

Rules review is not the only type of supplemental investigation. In this subsection, we describe one more way to begin the examination.

Open the Dashboard page. Here, have a look at the bottom row of the widgets. Observe the following indications:

Shared IP addresses

Several users with the same IP address can be a sign of a cyber-threat.

IP belongs to TOR

TOR is a tool that enables users to establish anonymous communication with digital platforms. Since the TOR network makes it more difficult to trace a user’s activity, it might be used to cover felonious actions.

Multiple IP addresses

It is typical for cybercriminals to hide their actual location and identity behind different IP addresses. The higher the number of IP addresses used, the more attention should be given to the examination of the corresponding user behaviour.

Procedures Outline

Consider the below action plan as the foundation of an operator’s routine.

1. User score review

   1. Open the Review queue page.

      • Either assign a fitting status to each user in the queue table.

      • Or open a user page by clicking on an email address.

        • Examine information presented on the page.

        • Set user status in the upper-right corner.

   2. Alternatively, open the Users page.

      • Apply the steps in 1.A. to the rows marked as Not reviewed.

2. Supplemental investigation

   1. Open the Rules page.

      • Click Action button to get a list of users matching the rule.

      • Open each matched user page for inspection.

        • Examine information presented on the page.

        • Set user status in the upper-right corner.

   2. Open the Dashboard page.

      • Set a time period in the upper-right corner of the page.

      • Scrutinize entities in the top rows of the following widgets:

        • Shared IP addresses

        • IP belongs to TOR

        • Multiple IP addresses