In last week’s blog article, ‘Using referral logs to detect attacks’, we talked about the benefits of using referrer logs to pre-empt a phishing attack. In this article we will highlight exactly how FraudWatch International can help you take advantage of these benefits.
The task of analysing referrer logs typically falls to the IT team, who need to liaise with the security team to put this in place. Typically they will run a report every day and, depending on how much traffic your website receives, the referrer logs can contain anywhere from a few entries to thousands. The questions then become: how often can the logs be reviewed; who will review them (it needs to be someone with knowledge of the system); how much time and effort will be dedicated to reviewing them; and what analysis will be done on the data? It can be a huge task.
There are a multitude of log management tools out there (both free and premium), but these systems only collate and present the referrer log entries for printing and analysis. Some of the more sophisticated tools allow you to categorise the entries, for example by the geography of the IP address. However, none of these tools analyse the logs to detect possible phishing attacks. That still has to be done manually, using human effort.
An extremely important aspect of analysing referrer logs is how quickly you can find fraudulent activity in the entries. As we explained in our previous blog article, all hackers have to test their phishing sites before they launch a malicious attack. That test creates a referrer log entry which, if picked up by analysis straight away, can be used to intercept and take down the planned attack.
But, realistically, how quickly can a log entry move from collection to analysis to detection? It could take hours or even days for someone to detect a potential threat, and by then it may be too late.
FraudWatch International has developed a tool called “Log Monitor”, an extension of the proprietary technology we use to detect fraudulent activity for our clients. Log Monitor provides real-time identification of compromised user IPs.
There are currently no other tools like it. It uses true “machine to machine” technology: the machine does the work, with no human intervention, and operates 24x7x365.
The Log Monitor server receives all referrer logs from the client server, removes the noise (non-relevant entries), focuses on the remaining relevant entries and determines whether they are fraudulent. The logs are sent from the client’s web servers through the Log Monitor appliance in real time; the whole process is automatic and seamless, and it provides the quickest possible detection of a phishing attack that is generating logs on the client’s servers. This gives the best chance to mitigate a phishing attack before it even has the chance to take place.
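To make the collect, filter-noise, classify pipeline described above (and the detection principle from the earlier paragraph, that a phishing page under test leaves a referrer entry on the real site) concrete, here is a small triage pass over web server access logs. This is an added example written for this page; it is not FraudWatch International’s Log Monitor or any of its code, and the log lines, hostnames, allowlist and brand tokens in it are constructed. It parses Apache/Nginx combined-format lines, discards entries with no referrer, separates in-site and known-good referrers from unknown external ones, and flags external hostnames that contain the monitored brand name, since a lookalike domain loading the real site’s images or CSS is exactly the kind of entry a reviewer would want surfaced first.

```python
"""Added example: a minimal referrer-log triage pass (collect -> filter noise -> flag).
Illustrative code written for this page, not FraudWatch International's Log Monitor.
All log lines, hostnames, allowlists and brand tokens below are constructed."""
import re
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format: client, identity, user, [time], "request",
# status, bytes, "referer", "user-agent".
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Hostnames the monitored organisation owns (assumption; constructed for the example).
OWN_HOSTS = {"www.example-bank.test", "example-bank.test", "login.example-bank.test"}
# Referrers that are expected and not worth a reviewer's time (assumption).
ALLOWED_HOSTS = {"www.google.com", "www.bing.com", "duckduckgo.com"}
# Brand tokens whose appearance in a foreign hostname is suspicious (assumption).
BRAND_TOKENS = ("example-bank", "examplebank")


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None


def referer_host(referer):
    """Hostname of a Referer value, lower-cased; None for empty, '-' or unparsable values."""
    if not referer or referer == "-":
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def classify(entry):
    """Label one parsed entry: 'noise', 'own', 'allowed', 'suspicious' or 'review'."""
    host = referer_host(entry["referer"])
    if host is None:
        return "noise"           # direct hits, tools that send no Referer, etc.
    if host in OWN_HOSTS or any(host.endswith("." + own) for own in OWN_HOSTS):
        return "own"             # in-site navigation
    if host in ALLOWED_HOSTS:
        return "allowed"         # search engines and other expected referrers
    # Foreign host that includes the brand name: the classic sign of a phishing
    # page that loads images/CSS from, or links back to, the real site.
    if any(tok in host for tok in BRAND_TOKENS):
        return "suspicious"
    return "review"              # unknown external referrer; lower priority, still worth a look


def triage(lines):
    """Parse every line and return the non-noise entries grouped by label."""
    out = {"own": [], "allowed": [], "suspicious": [], "review": []}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue             # malformed line; a real pipeline would count these
        label = classify(entry)
        if label != "noise":
            out[label].append((entry["ip"], referer_host(entry["referer"]), entry["request"]))
    return out


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /css/main.css HTTP/1.1" 200 5120 "https://example-bank.test.secure-login.example" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 8192 "https://www.google.com/" "Mozilla/5.0"',
    '192.0.2.9 - - [10/Oct/2023:13:56:10 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "https://www.example-bank.test/login" "Mozilla/5.0"',
    '192.0.2.10 - - [10/Oct/2023:13:57:00 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "curl/8.0"',
    '203.0.113.44 - - [10/Oct/2023:13:58:12 +0000] "GET /img/logo.png HTTP/1.1" 200 2048 "http://unrelated-blog.example/post" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    for label, entries in triage(SAMPLE_LOG).items():
        for ip, host, request in entries:
            print(f"{label:10s} {ip:15s} {host:45s} {request}")
```

Run stand-alone, the script prints one line per non-noise entry with its label; on the constructed sample the lookalike host is reported as suspicious, the in-site and search-engine referrers are set aside, and the unknown blog lands in the lower-priority review bucket. The point of the allowlist and own-host checks is to cut the volume a reviewer sees, which is the same noise-removal step the article attributes to Log Monitor; how the remaining entries are judged (here a simple brand-token match) is where a production system would add more signals, such as newly registered domains or static assets requested from hosts that have never been seen before.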
Analysing referrer logs is a mundane and repetitive task which can tie up many staff hours. There is a definite benefit in outsourcing this effort and freeing up internal staff to take on other important in-house activities.