Photos: Inside the RSA cybercrime war room

Summary: Behind the doors at RSA's anti-fraud centre

TOPICS: Security

  • This bank of screens at the front of the centre shows all of the attacks currently being detected by the AFCC.

    Once a phishing site is detected by the AFCC, fraud analysts within the centre will begin a forensic investigation.

    They will attempt to extract useful information from the site, such as what types of personal details have been compromised or the email address to which the stolen details are being sent.

    AFCC staff also fight the fraudsters by creating dummy accounts on phishing sites and then tracking when and where fraudsters attempt to access those false accounts.

    That fraud pattern is then passed on to a network of banks, credit unions, ISPs and other companies who share a database of fraud patterns that allows organisations to spot the signs of a fraudulent transaction and block it before it goes through.

    Photo credit: Nick Heath/

  • RSA and its ISP and internet gateway partners look for evidence of Trojan attacks on malicious websites, in fraudster chat rooms and by scanning emails.

    When RSA finds evidence that a Trojan is being used to steal details from one of its clients' customers, for example a customer of an online bank, it forwards a copy of that Trojan to the AFCC. Here software will attempt to match the Trojan to a list of previously identified Trojans.

    Once detected, the Trojan is sent to the AFCC where RSA software attempts to match crimeware to previously identified Trojans.

    After it has been matched, the Trojan is sent to an RSA engineer who will reverse engineer it.

    The engineer will find out the IP addresses of the machines being used to host the infected websites or send out infected emails, as well as the addresses of the machines to which stolen information is being sent and of those machines being used to give additional commands or updates to the Trojan.

    RSA staff will then contact the relevant ISP or domain registrar to block access to all of these locations, preventing new machines from being infected and fresh details from being stolen.

    Photo credit: Nick Heath/

  • Each person in the main AFCC control room has two virtual computers, which they access through thin client devices seen here.

    One thin client device is described as the "dirty computer", and is used to visit phishing websites or those infected with Trojans.

    The second virtual machine is used to access email, word processors and other corporate applications.

    Once a member of staff completes their shift, the virtual "dirty" machine will be wiped and a new virtual machine created to carry out inspections of other compromised sites.

    Photo credit: Nick Heath/


Nick Heath is chief reporter for TechRepublic UK. He writes about the technology that IT-decision makers need to know about, and the latest happenings in the European tech scene.
