Abstract: Methods for protecting against malicious websites using repetitive data signatures are disclosed. Some embodiments may identify known malicious websites and known safe websites. A first dataset containing data from one or more artifacts within the known malicious websites and a second dataset containing data from the one or more artifacts within the known safe websites may be created. One or more signatures may be identified from the first dataset. A first frequency of signature repetition within the first dataset and a second frequency of signature repetition within the second dataset may be determined. A level of confidence may be determined based on the frequencies. If a rule establishment threshold for confidence is met or exceeded, a rule may be established that websites containing the one or more signatures are malicious. The rule may be applied to identify a new malicious website. A security action may also be performed.

Abstract: Methods and systems for protecting against harm caused by malicious websites are disclosed. Exemplary embodiments of the present disclosure may protect against harm caused by malicious websites by identifying malicious websites more accurately and reliably. In particular, some embodiments of the present disclosure may receive first resource data from a first web page on a website that is accessed by a first user and second resource data from a second web page on the website that is accessed by a second user. This resource data may be correlated and analyzed. Based on this analysis, a determination may be made that the website is malicious and a security action can be performed.

Abstract: Systems and methods for detecting fraudulent e-commerce websites by identifying fake review systems are disclosed. In particular, some embodiments may identify an e-commerce website and download content contained on one or more product web pages of the e-commerce website. These web pages may be analyzed to identify a product review feature that is within the one or more product web pages. Attributes of the product review feature may then be evaluated to determine that the e-commerce website is fraudulent and a security action may be performed to protect consumers from the e-commerce website.

Abstract: Location-based anomaly detection based on geotagged digital photographs. In some embodiments, a method may include identifying a completed transaction associated with a user. The method may also include determining a transaction geographic location associated with the completed transaction. The method may further include identifying a mobile device associated with the user. The method may also include identifying one or more geotagged digital photographs taken by the mobile device. The method may further include extracting one or more photograph geographic locations from the one or more geotagged digital photographs. The method may also include, in response to determining that the transaction geographic location is not within a threshold distance of any of the one or more photograph geographic locations, identifying the completed transaction as a suspicious transaction and performing a remedial action.

Abstract: Systems and methods for identifying accurate locations of in-person payment card transactions to detect location-based payment card anomalies. Some embodiments disclosed herein may enable identifying accurate locations of in-person payment card transactions to detect location-based payment card anomalies. In some embodiments, purchase data for a plurality financial transaction by a consumer that are performed in-person with a payment card may be received. The purchase data may identify merchant locations that are associated with each financial transaction. The merchant locations may be analyzed to determine whether they represent true physical locations of the financial transactions. Once a plurality of true physical locations has been identified, distances between them may be determined and a security action may be performed if the distances exceed a threshold.

Abstract: The disclosed computer-implemented method for detecting unauthorized online transactions may include correlating, by at least one processor, one or more reported financial activities to one or more online financial activities tracked in network telemetry on one or more authorized devices. The method may additionally include identifying, by the at least one processor based on the correlation, at least one of the reported financial activities that was initiated by an unauthorized device. The method may also include performing, by the at least one processor, a security action in response to the identification. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting websites that perpetrate at least one of scams or frauds may include correlating online interaction data with financial transaction data. The online interaction data may include information on suspicious websites obtained through an online interaction analysis, and the financial transaction data may include sources of suspicious financial activity obtained through a transaction trend analysis. The method may additionally include detecting at least one of online scams or frauds based on the correlation. The detection may include detecting that an online interaction is suspicious based on correlation thereof to a suspicious financial transaction, and/or detecting that a financial transaction is suspicious based on correlation thereof to a suspicious online interaction. The method may also include performing a security action in response to the detection. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for detecting fraudulent shopping websites may include (i) identifying a shopping website that advertises a plurality of allegedly available payment options for completing transactions on the shopping website, (ii) determining, based at least in part on an analysis of the plurality of allegedly available payment options that at least one of the plurality of allegedly available payment options is suspicious, (iii) calculating a trustworthiness score for the shopping website that is based at least in part on the determination that at least one of the allegedly available payment options is suspicious, and (iv) displaying an alert to a user based on the trustworthiness score of the shopping website. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Identifying and protecting against malicious apps installed on client devices. In some embodiments, a method may include (a) identifying client devices, (b) identifying apps installed on the client devices, (c) assigning each of the apps known to be a malicious app with a highest app suspicion score, (d) assigning each of the other apps as an unknown app with a lowest app suspicion score, (e) assigning each of the client devices with a device suspicion score, (f) assigning each of the unknown apps with an updated app suspicion score, (g) repeating (e), and repeating (f) with a normalization, until the device suspicion scores and the app suspicion scores converge within a convergence threshold, (h) identifying one of the unknown apps as a malicious app, and (i) protecting against the malicious app by directing performance of a remedial action to protect the client device from the malicious app.

Abstract: Protecting against an impersonation scam in a live video stream. In some embodiments, a method may include periodically extracting and storing signature features from verified video streams of verified streamers, identifying an unverified live video stream of an unverified streamer being viewed by one or more users, extracting and storing signature features from the unverified live video stream, computing overall distance scores between the signature features of the unverified live video stream and the signature features of the verified video streams, determining whether the unverified streamer is impersonating one or more of the verified streamers by determining whether one or more of the overall distance scores are less than a distance threshold, determining whether one or more text signature features of the unverified live video stream include an impersonation scam, and performing a remedial action to protect the one or more users from the impersonation scam.

Abstract: A computer system stores incident records in a database. When a user wants to resolve a particular current incident, the computer system will access the current incident record from an incident queue. The computer system also identifies historical incident records that share one or more attributes with the current incident record. The computer system creates a plurality of clusters from the current incident record and the selected historical incident records. The clusters are then arranged into a hierarchical tree. This hierarchical tree is presented in a graphical user interface. A user can select a node to access additional information for that node. The computer system generates a first suggested response to a particular current incident based on the incident records included in the selected node. The computer system presents the first suggested response to the particular current incident in a graphical user interface.

Abstract: Securing a network device by automatically identifying files belonging to an application. In one embodiment, a method may include collecting file attributes for multiple files from multiple network devices, examining a hash of file contents of each of the multiple files to identify multiple unique files in the multiple files, summarizing the file attributes for each of the multiple unique files to generate a sketch of file attributes for each of the multiple unique files, clustering the multiple unique files into multiple applications, making a security action decision for one application of the multiple applications, and performing a security action on a network device based on the security action decision.

Abstract: Encrypting and decrypting sensitive files on a network device. In one embodiment, a method may include determining that a file stored on a network device is a sensitive file, encrypting the sensitive file, sending, to an authentication server, an encryption key, initializing, at the network device, a Software Guard Extension (SGX) enclave, loading, into the SGX enclave, a retrieval application, receiving, at the retrieval application, an attestation from the authentication server that the retrieval application is authentic, receiving, at the retrieval application, the encryption key from the authentication server, receiving, at the retrieval application, a user request to decrypt the encrypted sensitive file, authenticating, at the retrieval application, the user request, decrypting, at the network device, the particular encrypted sensitive file, and providing the sensitive file to the user.

Abstract: Systems, apparatuses, methods, and computer readable mediums for modeling malicious behavior that occurs in the absence of users. A system trains an anomaly detection model using attributes associated with a first plurality of events representing system activity on one or more clean machines when users are not present. Next, the system utilizes the trained anomaly detection model to remove benign events from a second plurality of events captured from infected machines when users are not present. Then, the system utilizes malicious events, from the second plurality of events, to train a classifier. Next, the classifier identifies a first set of attributes which are able to predict if an event is caused by malware with a predictive power greater than a threshold.

Abstract: The disclosed computer-implemented method for dynamically validating remote requests within enterprise networks may include (1) receiving, on a target system within an enterprise network, a request to access a portion of the target system from a remote system within the enterprise network, (2) performing a validation operation to determine whether the remote system is trustworthy to access the portion of the target system by (A) querying an enterprise security system to authorize the request from the remote system and (B) receiving, from the enterprise security system in response to the query, a notification indicating whether the remote system is trustworthy to access the portion of the target system, and then (3) determining whether to grant the request based at least in part on the notification received from the enterprise security system as part of the validation operation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A method for providing security recommendations is described. In one embodiment, the method may include identifying a set of monitored customers. In some cases, each monitored customer may include one or more computing devices. The method may include identifying a first computing device of a monitored customer for evaluation, selecting a potential security product to install on the first computing device, and quantifying the ability of the monitored customer to detect or prevent malware incidents based at least in part on the selected potential security product.

Abstract: The disclosed computer-implemented method for dynamically validating remote requests within enterprise networks may include (1) receiving, on a target system within an enterprise network, a request to access a portion of the target system from a remote system within the enterprise network, (2) performing a validation operation to determine whether the remote system is trustworthy to access the portion of the target system by (A) querying an enterprise security system to authorize the request from the remote system and (B) receiving, from the enterprise security system in response to the query, a notification indicating whether the remote system is trustworthy to access the portion of the target system, and then (3) determining whether to grant the request based at least in part on the notification received from the enterprise security system as part of the validation operation. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for automated whitelisting of files may include (1) obtaining telemetry information that identifies files located on a set of computing systems, (2) establishing a whitelist of files for the set of computing systems by, for each file identified by the telemetry information, (A) calculating an amount by which a cost for using the whitelist will increase if the file is included in the whitelist, (B) calculating an amount by which whitelist coverage of files in the set of computing devices will increase if the file is included in the whitelist, (C) determining whether to include the file in the whitelist by balancing the increase in the cost against the increase in whitelist coverage, and (3) using the whitelist to protect the set of computing systems from undesirable files. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: The disclosed computer-implemented method for identifying suspicious singleton files using correlational predictors may include (1) identifying a set of known-clean computing devices that include no singleton files, (2) detecting at least one software component that is installed on a threshold number of the known-clean computing devices, (3) identifying an unvindicated computing device whose infection status is unknown, (4) determining that, in addition to being installed on the threshold number of known-clean computing devices, the software component is installed on the unvindicated computing device, (5) determining that the unvindicated computing device includes at least one singleton file, and then (6) classifying the singleton file as suspicious in response to determining that (A) the software component is installed on the unvindicated computing device and (B) the unvindicated computing device includes the singleton file. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: Techniques for predicting and protecting spearphishing targets are disclosed. In one particular exemplary embodiment, the techniques may be realized as a system for predicting and protecting spearphishing targets. The system may comprise one or more processors communicatively coupled to a network. The one or more processors may be configured to identify one or more potential spearphishing targets based on information from an organization, receive additional information associated with the one or more potential spearphishing targets and the organization from publicly available sources, determine a threat level of a spearphishing attack on the one or more potential spearphishing targets based on the information from the organization and the additional information, and generate a report of the one or more potential spearphishing targets and the threat level associated with the one or more potential spearphishing targets.