Abstract: There are provided systems and methods for a sentence based automated Turing test for detecting scripted computing attacks. A computing may request access to a service or data from a service provider, where the service provider may be required to determine that the device is used by a user and not a bot executing a scripted or automated process/attack against the service provider. To authenticate that the device is used by a user, the service provider may determine and output a challenge that queries the user to fill in one or more missing words from a sentence. Acceptable answers may be based on past messages and internal data that is specific to the service provider, as well as an external corpus of documents. The service provider may also further authenticate the user based on the user's response and a likely user response for that user.

Abstract: Images related to one or more attacks to a service provider system may be analyzed to improve the security of the service provider system. Each of the images may be segmented into multiple segments. Each of the segments is analyzed independently to determine whether the segment includes obfuscated data and if so, which one of the data obfuscation techniques was used to generate the obfuscated data. Additional information regarding the obfuscated data may be derived from other segments that include unobfuscated data and from the metadata of the image. A data restoration algorithm may be configured accordingly to restore the obfuscated data. The restored data, as well as a context derived for the image, may be used to adjust one or more security parameters of the service provider system to improve the security of the service provider system.

Abstract: Methods and systems are presented for providing enriched technical security data to a risk engine of an online service provider, and for adjusting security settings based on the enriched data. The enriched security data may be generated by recursively deriving additional security information from an initial security data input. The initial security data input may be associated with a risk source, such as a person or a device that submits an electronic request to the online service provider. Based on the initial security data input, the risk engine may recursively derive additional security information that enriches the initial security data input. The risk engine may then use the derived security information as well as the initial security data input to assess a risk level of the risk source, and then adjust a security setting of the online service provider based on the assessed risk level of the risk source.

Abstract: Methods and systems are presented for dynamically adjusting a risk classification of a risk source based on classifications of one or more other risk sources. The risk engine may first classify a first risk source as a first risk type based on an initial analysis of the first risk source. Subsequent to classifying the first risk source as the first risk type, the risk engine may determine that a second risk source is associated with a second risk type. Based on the determination that the second risk source is associated with the second risk type, the risk engine may re-classify the first risk source as the second risk type. The risk engine may then use the reclassification of the first risk source to improve network security of an online service provider.

Abstract: Methods and systems for implementing keyboard linked authentication challenges are described. A visual representation of a first string of characters is provided for display on a client computing device. In response to the providing the visual representation for display, several keystrokes on the client computing device that produces a second string of characters are received. A determination that the second string of characters matches the first string of characters is made. A determination that no unauthorized keystrokes are included in the detected plurality of keystrokes is further made. Access is provided to the client computing device upon determining that the second string of characters matches the first string of characters, and determining that no unauthorized keystrokes are included in the detected plurality of keystrokes.

Abstract: Methods, systems, and computer program products for providing anonymized account security services are disclosed. For example, a computer-implemented method may include an anonymous account security exchange for receiving anonymized user account information for a first user account identified as a security risk from a first organization associated with the first user account, receiving anonymized user account information for a second user account from a second organization associated with the second user account, determining that the anonymized account identifier associated with the first user account matches the anonymized account identifier associated with the second user account, and providing a notification to the second organization indicating that the second user account is associated with a different user account identified as a security risk by another organization.

Abstract: A computer system determines that authentication information has been requested from a user device by a requesting device. In response to determining that authentication information has been requested by the requesting device, the computer system identifies information corresponding to the requesting device and determines if one or more risk indications correspond to the identified information corresponding to the requesting device. In response to determining that one or more risk indications correspond to the identified information corresponding to the requesting device, the computer system implements one or more security measures.

Abstract: A computer system detects an action corresponding to a resource page being rendered within a web view of an application. In response to the detecting the action corresponding to a resource page being rendered within the web view of the application, the computer system identifies information associated with the resource page and determines if one or more risk indications correspond to the identified information. In response to determining that one or more risk indications correspond to the identified information, the computer system implements one or more security measures.

Abstract: Methods, systems, and computer program products for performing passive and active identity verification in association with online communications. For example, a computer-implemented method may include receiving one or more electronic messages associated with a user account, analyzing the electronic messages based on a plurality of identity verification profiles associated with the user account, generating an identity trust score associated with the electronic messages based on the analyzing, determining whether to issue a security challenge in response to the electronic messages based on the generated identity trust score, and issuing the security challenge in response to the electronic messages based on the determining.

Abstract: Methods and systems for detecting webpages that share malicious content are presented. A first set of webpages that hosts a web account checker is identified. A baseline page structure score and a baseline language score are calculated based on the identified first set of webpages. Content from a second set of webpages is collected and analyzed based on the calculated baseline page structure and the calculated baseline language scores. One or more of the second set of webpages is flagged as malicious based on the analyzing of the content collected from the second set of webpages.

Abstract: Methods, systems, and computer program products for eliminating abuse caused by password reuse in different computer systems are disclosed. For example, a computer-implemented method may include receiving a security request comprising an anonymized version of authentication data from a first computer system of a first organization, analyzing the security request to determine a second computer system of a second organization to contact for detecting reuse of the authentication data, generating a second security request comprising the anonymized authentication data for the second computer system, sending the second security request to the second computer system of the second organization, analyzing a response to the second security request from the second computer system to determine whether the anonymized authentication data associated was detected, and providing a response to the first security request indicating whether the second computer system detected reuse of the authentication data.

Abstract: Systems and methods for providing a threat intelligence system include a system provider device that downloads, through communication over a network and from one or more targeted websites, a plurality of images of a first environment. Based on an OCR process, the system provider device may extract a set of textual data corresponding to a subset of images of the plurality of images, where the subset of images depict text. The system provider device stores the set of textual data in an indexed and searchable database. The system provider device assigns a threat assessment score to each image based on the set of textual data, and the threat assessment score may be updated based on comparison of the set of textual data with other sets of textual data. Based on the threat assessment score being greater than a threshold value, the system provider device may generate a security alert.

Abstract: Methods, systems, and computer program products for predicting an account takeover tsunami using dump quakes are disclosed. A computer-implemented method may include analyzing activity for a plurality of user accounts based on detecting an abnormal increase in system activity, determining the abnormal increase in the system activity is associated with account validation attacks performed by an unauthorized party, identifying attributes of a plurality of user accounts associated with the account validation attacks, searching online locations using the identified attributes of the user accounts to find a data breach source, monitoring the online locations periodically based on the identified attributes of the user accounts to detect future publication of a dump of private user data, sending a notification to another organization in advance of the publication of the dump of private user data to allow the other organization to adjust security of one or more other systems in advance.

Abstract: Methods, systems, and computer program products for eliminating abuse caused by password reuse in different computer systems are disclosed. For example, a computer-implemented method may include receiving a security request comprising an anonymized version of authentication data from a first computer system of a first organization, analyzing the security request to determine a second computer system of a second organization to contact for detecting reuse of the authentication data, generating a second security request comprising the anonymized authentication data for the second computer system, sending the second security request to the second computer system of the second organization, analyzing a response to the second security request from the second computer system to determine whether the anonymized authentication data associated was detected, and providing a response to the first security request indicating whether the second computer system detected reuse of the authentication data.

Abstract: Methods, systems, and computer program products for online content referral are provided. A computer-implemented method may include receiving a request from an application, issuing a challenge to the application to determine a capability of the application, analyzing a result of the challenge to associate the application with an application type, determining whether the activity performed by the application is scripted, and classifying the activity as automated or semi-automated when it is determined that the activity is scripted.

Abstract: Methods, systems, and computer program products for providing high-yielding detection of remote abusive content are disclosed. A computer-implemented method may include generating a graphical user interface allowing users to submit a web link for analysis to determine whether the web link is associated with malicious content, receiving the web link from the user via the graphical user interface, sending the web link to a plurality of distributed server machines to allow each of the distributed server machines to test the web link, generating a plurality of test user profiles to test the web link, testing the web link by each of the distributed server machines using one or more of the test user profiles, receiving a test result for the web link from each of the distributed server machines, and displaying a report comprising the test results for the web link to the user via the graphical user interface.

Abstract: Methods, systems, and computer program products for providing transaction verification through enhanced authentication are provided. A method performed by a computer system may include receiving an application programming interface (API) request from a client, detecting a change associated with the API request as compared to a prior use of the API by the client, generating an encrypted challenge to authenticate the API request based on detecting the change, and issuing the encrypted challenge to the client to authenticate the API request.

Abstract: Methods, systems, and computer program products for predicting an account takeover tsunami using dump quakes are disclosed. A computer-implemented method may include analyzing activity for a plurality of user accounts based on detecting an abnormal increase in system activity, determining the abnormal increase in the system activity is associated with account validation attacks performed by an unauthorized party, identifying attributes of a plurality of user accounts associated with the account validation attacks, searching online locations using the identified attributes of the user accounts to find a data breach source, monitoring the online locations periodically based on the identified attributes of the user accounts to detect future publication of a dump of private user data, sending a notification to another organization in advance of the publication of the dump of private user data to allow the other organization to adjust security of one or more other systems in advance.

Abstract: Methods, systems, and computer program products for providing high-yielding detection of remote abusive content are disclosed. A computer-implemented method may include generating a graphical user interface allowing users to submit a web link for analysis to determine whether the web link is associated with malicious content, receiving the web link from the user via the graphical user interface, sending the web link to a plurality of distributed server machines to allow each of the distributed server machines to test the web link, generating a plurality of test user profiles to test the web link, testing the web link by each of the distributed server machines using one or more of the test user profiles, receiving a test result for the web link from each of the distributed server machines, and displaying a report comprising the test results for the web link to the user via the graphical user interface.

Abstract: Methods, systems, and computer program products for providing anonymized account security services are disclosed. For example, a computer-implemented method may include an anonymous account security exchange for receiving anonymized user account information for a first user account identified as a security risk from a first organization associated with the first user account, receiving anonymized user account information for a second user account from a second organization associated with the second user account, determining that the anonymized account identifier associated with the first user account matches the anonymized account identifier associated with the second user account, and providing a notification to the second organization indicating that the second user account is associated with a different user account identified as a security risk by another organization.