Photos: Inside the RSA cybercrime war room

Summary: Behind the doors at RSA's anti-fraud centre

  • To date the AFCC has shut down more than 180,000 phishing attacks in more than 140 countries.

    It does this with the help of ISPs, email providers and internet gateway providers, who forward emails to RSA's AFCC if they contain keywords associated with phishing emails.

    Suspect links will be automatically tested by software to check if they lead to phishing sites. If the software finds they do, the links will then be double-checked by a person.

    Once a phishing site is detected, RSA will immediately notify the customer whose site is being spoofed and pass details of the fraudulent site onto ISPs and browser developers, such as Microsoft and Mozilla, so they can block public access to it.

    The next step for the AFCC team, shown here, is to contact its network of 8,000 internet service providers, domain registrars and web hosting providers and get them to shut down and remove the phishing site.

    The AFCC is able to shut down the majority of sites within five hours, according to RSA.

    Photo credit: Nick Heath/

  • This bank of screens at the front of the centre shows all of the attacks currently being detected by the AFCC.

    Once a phishing site is detected by the AFCC, fraud analysts within the centre will begin a forensic investigation.

    They will attempt to extract useful information from the site, such as which types of personal details have been compromised or the email address to which the stolen details are being sent.

    AFCC staff also fight the fraudsters by creating dummy accounts on phishing sites and then tracking when and where fraudsters attempt to access those false accounts.

    That fraud pattern is then passed on to a network of banks, credit unions, ISPs and other companies that share a database of fraud patterns, which allows organisations to spot the signs of a fraudulent transaction and block it before it goes through.

    Photo credit: Nick Heath/

  • RSA and its ISP and internet gateway partners look for evidence of Trojan attacks by monitoring malicious websites and fraudster chat rooms and by scanning emails.

    When RSA finds evidence that a Trojan is being used to steal details from one of its clients' customers, for example a customer of an online bank, it forwards a copy of that Trojan to the AFCC, where RSA software attempts to match the sample against a list of previously identified Trojans.

    After it has been matched, the Trojan is sent to an RSA engineer who will reverse engineer it.

    The engineer will find out the IP addresses of the machines used to host the infected websites or send out infected emails, the addresses of the machines to which stolen information is sent, and the addresses of the machines used to issue additional commands or updates to the Trojan.

    RSA staff will then contact the relevant ISP or domain registrar to block access to all of these locations, preventing new machines being infected and fresh details from being stolen.

    Photo credit: Nick Heath/
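As an added illustration of the first stage of the pipeline described above (keyword screening of forwarded emails, then pulling out suspect links for automated and manual checking), here is a small Python example. It is not RSA's software: the keyword list, the map of protected brands to their legitimate domains, and the sample emails are all constructed for this example.

```python
import re
from urllib.parse import urlparse

# Constructed keyword list (assumption; not RSA's list). Matching is case-insensitive.
PHISHING_KEYWORDS = (
    "verify your account",
    "suspended",
    "confirm your identity",
    "click here",
    "update your details",
)

# Constructed map of protected brand names to the domains they legitimately use
# (assumption; a real centre would hold this per client).
PROTECTED_BRANDS = {
    "examplebank": ("examplebank.example",),
}

URL_RE = re.compile(r"""https?://[^\s<>"']+""", re.IGNORECASE)


def keyword_hits(body):
    """Return the phishing keywords found in the message body."""
    lowered = body.lower()
    return [k for k in PHISHING_KEYWORDS if k in lowered]


def extract_urls(body):
    """Return the URLs in the body, with trailing punctuation stripped."""
    return [u.rstrip(".,;)") for u in URL_RE.findall(body)]


def host_of(url):
    return (urlparse(url).hostname or "").lower()


def is_legitimate_host(host, brand):
    """True if host is one of the brand's own domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in PROTECTED_BRANDS[brand])


def mentioned_brands(body):
    """Brands named anywhere in the message (body text or link hosts)."""
    lowered = body.lower()
    return [b for b in PROTECTED_BRANDS if b in lowered]


def suspect_links(body):
    """Links that invoke a protected brand but point somewhere the brand does not own."""
    brands = mentioned_brands(body)
    found = []
    for url in extract_urls(body):
        host = host_of(url)
        for brand in brands:
            if not is_legitimate_host(host, brand):
                found.append((url, brand))
                break
    return found


def triage(message):
    """Screen one forwarded email. 'forward' means it should go to link testing and review."""
    hits = keyword_hits(message)
    links = suspect_links(message)
    return {
        "keywords": hits,
        "suspect_links": links,
        "forward": bool(hits) and bool(links),
    }


# Constructed sample emails (not real messages).
PHISHING_SAMPLE = (
    "Dear customer, your ExampleBank account has been suspended. Please verify "
    "your account at http://examplebank-secure.example.net/login within 24 hours"
)
LEGITIMATE_SAMPLE = (
    "Your ExampleBank statement is ready: https://online.examplebank.example/statements"
)

if __name__ == "__main__":
    for sample in (PHISHING_SAMPLE, LEGITIMATE_SAMPLE):
        print(triage(sample))
```

The brand check is deliberately two-sided: a message qualifies for forwarding only when it both uses pressure language and carries a link that invokes a protected brand from a host the brand does not own. Either signal alone produces too many false positives on legitimate account notices, which is why the described process still routes automated hits to a human for a second look.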

Topic: Security


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.

