Heroes, fake identities and the Big Board: Inside a day in the life of RSA's anti-fraud lab

The Anti-Fraud Command Center (AFCC) of EMC's RSA security division in Israel is online 24/7, fighting a constant battle against the phishers and hackers who target financial institutions.
Written by David Shamah, Contributor

If your bank hasn't been targeted by hackers yet, don't worry — it will be, probably sooner rather than later. Hacking, cracking and phishing are just too easy and too profitable for the bad guys to resist.

And getting into the business has never been easier, according to Daniel Cohen, director of business development and knowledge delivery at EMC's security division RSA. "The Zeus Trojan horse cost $3,000 when it came out in 2007. Now it costs $15," he said. If online larceny is your thing, it could be a bargain that's hard to resist.

Daniel Cohen

And indeed there are many with larceny on their minds, according to the 'Big Board' at the RSA Anti-Fraud Command Center (AFCC) in Herzliya, Israel — the company's global nerve centre for fighting the kind of phishing attacks that are carried out with Zeus and other, more sophisticated, hacking packages. The board tells the story of cybercrime as it happens, updating every few seconds with another attempt by hackers to get into a bank's or financial institution's website and steal funds, credit card numbers, personal details, or other valuable information.

But why bother using Zeus to build a botnet that can steal banking data yourself? In today's "underground marketplace", said Cohen, you can hire individuals or teams to do all the dirty work for you, while you sit back and watch the cash roll in. "Call it cybercrime-as-a-service," said Cohen, "and it's one of the fastest growing segments of the IT economy today. All you have to do is go to a cybercrime forum or website, assemble your team, and they'll do the rest."

During a recent tour of the AFCC — the first time the facility has been opened up to the public — the Big Board flashed attack attempt after attack attempt as hackers tried their luck getting into accounts at some of the biggest banks in the world (we were asked not to list the names of clients, but your bank is more than likely to be on the list of targets, guaranteed).

Workers at the Herzliya AFCC fend off phishing and hacking attacks. Image: EMC

Everyone is at risk, said Cohen — except for one segment of the population. "Many of these cybergangs are Russian, and Russians don't hack Russian banks."

These are the kinds of tips the 75 or so workers at the Herzliya AFCC pick up in the course of their daily work. RSA has been involved in computer security for years, and was bought by EMC in 2006 (seven months earlier, RSA had bought Israeli start-up Cyota, which pioneered security as a service for enterprise; the AFCC is the evolution of that original facility). The AFCC has been operating since 2007, said Cohen. "By the end of 2011, we had logged about 500,000 phishing attempts on our clients, but in 2012 alone there were over 200,000." The AFCC was able to stop nearly every one of those attacks, he said.

Most of the incidents are handled within 15 minutes — meaning that it takes about a quarter of an hour for the AFCC to detect a bogus login attempt (by logging multiple tries, comparing login names and passwords to lists generated by automatic password generating programs, and so on) and inform the victim's institution, which takes steps to lock out the attempted logins.

Of course, that doesn't mean the data thief has given up — they usually just reroute their login request to another IP address, often one associated with a large, well-known company or institution (on the tour, we saw a large number of fraudulent login requests coming from one large domain name merchant and several Ivy League universities; the staff also inform these organisations that their servers have been hijacked for attacks).
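The detection approach the two paragraphs above describe (counting repeated tries per account, checking guesses against a list from an automated password generator, and not losing track when the attacker moves to another IP address) can be sketched in a few lines. This is an added illustration, not RSA's or the AFCC's own code; the log format, the wordlist and the 15-minute window are constructed for the example.

```python
# Added example (not RSA/AFCC code): flag suspicious login attempts the way the
# article describes. Grouping is per account, not per source IP, so an attacker
# hopping between hijacked servers still accumulates tries against one victim.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a bank's login log: timestamp account source_ip guess result
SAMPLE_LOG = """\
2013-01-15T10:00:01 alice 203.0.113.5 Password1 FAIL
2013-01-15T10:00:03 alice 203.0.113.5 Password2 FAIL
2013-01-15T10:00:05 alice 198.51.100.7 Password3 FAIL
2013-01-15T10:00:08 alice 198.51.100.7 Winter2013 FAIL
2013-01-15T10:00:09 alice 192.0.2.9 Password4 FAIL
2013-01-15T10:04:00 bob 192.0.2.10 correcthorse OK
2013-01-15T10:05:00 carol 192.0.2.11 hunter2 FAIL
"""

# Constructed stand-in for the output of an automatic password-generating program
GENERATED_WORDLIST = {f"Password{i}" for i in range(1, 100)} | {"Winter2013", "Summer2013"}

def parse_log(text):
    """Parse the constructed log format into (timestamp, account, ip, guess, result)."""
    events = []
    for line in text.splitlines():
        ts, account, ip, guess, result = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, guess, result))
    return events

def flag_attacks(events, window=timedelta(minutes=15), min_tries=3):
    """Return accounts whose failed logins in the window look like an automated
    attack: at least min_tries failures, most of them drawn from the generated list.
    The set of source IPs is reported so the hijacked hosts can be notified too."""
    failures = defaultdict(list)
    for ts, account, ip, guess, result in events:
        if result == "FAIL":
            failures[account].append((ts, ip, guess))
    flagged = {}
    for account, tries in failures.items():
        tries.sort()
        recent = [t for t in tries if t[0] >= tries[-1][0] - window]
        hits = sum(1 for _, _, guess in recent if guess in GENERATED_WORDLIST)
        if len(recent) >= min_tries and hits * 2 >= len(recent):
            flagged[account] = {
                "attempts": len(recent),
                "wordlist_hits": hits,
                "source_ips": sorted({ip for _, ip, _ in recent}),
            }
    return flagged
```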

RSA is already replicating the approach of the Israel centre: it announced in December it was opening a second AFCC in the US. The new centre will be operated in affiliation with Purdue University, with students receiving training on how to identify and stop phishing attacks. "There's enough work to go around, unfortunately," said Cohen. "With the new centre we will have a backup for the main centre in Israel, as well as better around-the-clock coverage."

Stopping these attacks is a Sisyphean task and one that can be unforgiving: the AFCC staff often engage directly online with data thieves, participating in hacker forums and logging onto restricted hacker websites to see the latest tricks of the trade, who is selling what, and what the next major attack target is likely to be.

But it's not a task that goes uncelebrated at the centre: at the front of the room, right near the 'Big Board', is a sign that reads "Here be heroes of the internet".

Screenshot of an IRC "underground marketplace", where hackers offer services or wares
Image: EMC