
Photos: Inside the RSA cybercrime war room

Behind the doors at RSA's anti-fraud centre
By Nick Heath, Contributor
Photo 1 of 5: Nick Heath/ZDNET

At RSA's Anti-Fraud Command Centre (AFCC) in Herzelia, Israel, more than 100 staff work to detect, dissect and block phishing sites and Trojan attacks 24 hours per day.

From the AFCC, the security firm sifts through more than 10 million emails every day, as well as domain names and fraudster chat rooms, searching for threats to its customers, which include a selection of Britain's high street banks.

The centre also gathers information on threats from Trojans using honeypots: unprotected machines that automatically trawl the web gathering malware infections for study.

Photo credit: Nick Heath/silicon.com

Photo 2 of 5: Nick Heath/ZDNET

To date the AFCC has shut down more than 180,000 phishing attacks in more than 140 countries.

It does this with the help of ISPs, email providers and internet gateway providers, who forward emails to RSA's AFCC if they contain keywords associated with phishing emails.

Suspect links will be automatically tested by software to check if they lead to phishing sites. If the software finds they do, the links will then be double-checked by a person.

Once a phishing site is detected, RSA will immediately notify the customer whose site is being spoofed and pass details of the fraudulent site on to ISPs and browser developers, such as Microsoft and Mozilla, so they can block public access to it.

The next stop for the AFCC team, shown here, will be to speak to contacts in its network of 8,000 internet service providers, domain registrars and web hosting providers to get them to shut down and remove the phishing site.

The AFCC is able to shut down the majority of sites within five hours, according to RSA.
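The two-stage triage described above (automated keyword and link screening, then a human double-check before anyone is notified) can be modelled in a few dozen lines. The following is an added example, not RSA's code: the protected brand, its legitimate hostnames, the keyword list and the three forwarded emails are all constructed for illustration, and the lookalike test is a deliberately simple "brand name inside a host we do not own" check rather than whatever the AFCC's software actually does.

```python
"""Toy model of a phishing-triage pipeline: automated screen, then analyst review."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical protected customer: brand -> hostnames that legitimately belong to it (constructed).
PROTECTED_BRANDS = {
    "examplebank": {"examplebank.example", "www.examplebank.example",
                    "online.examplebank.example"},
}

# Keywords an ISP's mail filter might use to decide whether to forward a message (constructed).
PHISHING_KEYWORDS = ("verify your account", "suspended", "confirm your details",
                     "unusual activity")

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


@dataclass
class Finding:
    url: str
    brand: str
    verdict: str                      # "suspect" (automated), "confirmed" or "cleared" (analyst)
    notify: list = field(default_factory=list)


def has_phishing_keywords(text):
    low = text.lower()
    return any(k in low for k in PHISHING_KEYWORDS)


def extract_urls(text):
    return URL_RE.findall(text)


def spoofed_brand(url):
    """Return the brand a URL appears to impersonate, or None if the host is legitimate/unrelated."""
    host = (urlparse(url).hostname or "").lower()
    for brand, legit_hosts in PROTECTED_BRANDS.items():
        if host in legit_hosts:
            return None
        # Brand name inside a host the brand does not own: lookalike domain or deceptive subdomain.
        if brand in host.replace("-", "").replace("_", ""):
            return brand
    return None


def automated_check(email_text):
    """Stage 1: keyword screen plus link test. Everything flagged here still awaits a person."""
    if not has_phishing_keywords(email_text):
        return []
    return [Finding(url=u, brand=b, verdict="suspect")
            for u in extract_urls(email_text) if (b := spoofed_brand(u))]


def triage(emails):
    """Run the automated stage over a batch of forwarded emails."""
    findings = []
    for text in emails:
        findings.extend(automated_check(text))
    return findings


def analyst_review(finding, confirmed):
    """Stage 2: a person double-checks. Only a confirmed finding produces notifications."""
    if not confirmed:
        finding.verdict = "cleared"
        return finding
    finding.verdict = "confirmed"
    host = urlparse(finding.url).hostname
    finding.notify = [
        f"customer:{finding.brand}",   # the spoofed customer
        f"blocklist:{host}",           # ISPs and browser developers
        f"takedown:{host}",            # registrar / hosting provider
    ]
    return finding


SAMPLE_EMAILS = [  # constructed forwarded messages
    "Dear customer, unusual activity was detected. Verify your account at "
    "http://examplebank-secure.example/login",
    "Your statement is ready: https://online.examplebank.example/statements",
    "Lunch on Friday? http://cafe.example/menu",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EMAILS):
        print(analyst_review(f, confirmed=True))
```

Only the first sample email survives both the keyword screen and the link test; the second links to a legitimate host and the third carries no phishing keywords, so neither reaches an analyst. The point of keeping the notification list empty until `analyst_review` confirms the finding is the same as on the page: an automated verdict alone never triggers a customer alert or a takedown request.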

Photo credit: Nick Heath/silicon.com

Photo 3 of 5: Nick Heath/ZDNET

This bank of screens at the front of the centre shows all of the attacks currently being detected by the AFCC.

Once a phishing site is detected by the AFCC, fraud analysts within the centre will begin a forensic investigation.

They will attempt to extract useful information from the site, such as what types of personal details have been compromised or the email address to which the stolen details are being sent.

AFCC staff also fight the fraudsters by creating dummy accounts on phishing sites and then tracking when and where fraudsters attempt to access those false accounts.

That fraud pattern is then passed on to a network of banks, credit unions, ISPs and other companies who share a database of fraud patterns, which allows organisations to spot the signs of a fraudulent transaction and block it before it goes through.
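The dummy-account technique in the two paragraphs above is a form of canary credential: because nobody legitimate knows the planted username, any login with it is fraudster activity, and the time, source address and originating phishing site become a shareable fraud pattern. The block below is an added illustration, not RSA's tooling or the shared database's real format; the canary usernames, the phishing hostnames, the log-line layout and the five login records are all constructed.

```python
"""Canary (dummy) account tracking: turn logins to planted accounts into shareable fraud patterns."""
import re
from collections import defaultdict

# Dummy accounts submitted to detected phishing sites: username -> phishing host (constructed).
CANARY_ACCOUNTS = {
    "jsmith_1142": "examplebank-secure.example",
    "pmorgan_0377": "examplebank-verify.example",
}

# Hypothetical bank login-log format (constructed).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<ip>\d+\.\d+\.\d+\.\d+) "
    r"geo=(?P<geo>\S+) result=(?P<result>\S+)$"
)

SAMPLE_LOGS = [  # constructed login records; addresses are documentation ranges
    "2024-03-01T09:12:04Z login user=alice src=198.51.100.7 geo=GB result=ok",
    "2024-03-01T09:13:51Z login user=jsmith_1142 src=203.0.113.45 geo=RO result=ok",
    "2024-03-01T09:14:30Z login user=bob src=198.51.100.9 geo=GB result=fail",
    "2024-03-01T11:02:17Z login user=pmorgan_0377 src=203.0.113.45 geo=RO result=ok",
    "2024-03-01T11:05:00Z login user=jsmith_1142 src=192.0.2.88 geo=UA result=fail",
]


def parse_log(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def extract_fraud_patterns(lines):
    """Every access to a dummy account, successful or not, is attacker activity worth recording."""
    patterns = []
    for line in lines:
        rec = parse_log(line)
        if rec and rec["user"] in CANARY_ACCOUNTS:
            patterns.append({
                "time": rec["ts"],
                "src_ip": rec["ip"],
                "geo": rec["geo"],
                "phishing_site": CANARY_ACCOUNTS[rec["user"]],
            })
    return patterns


def build_shared_db(patterns):
    """Shared fraud-pattern database: source IP -> phishing sites it has been linked to."""
    db = defaultdict(set)
    for p in patterns:
        db[p["src_ip"]].add(p["phishing_site"])
    return dict(db)


def screen_transaction(db, src_ip):
    """A member organisation checks a live transaction against the shared patterns."""
    if src_ip in db:
        return "block", sorted(db[src_ip])
    return "allow", []


if __name__ == "__main__":
    db = build_shared_db(extract_fraud_patterns(SAMPLE_LOGS))
    for ip in ("203.0.113.45", "198.51.100.7"):
        print(ip, screen_transaction(db, ip))
```

Three of the five records touch canary accounts, and two of them come from the same source address across two different phishing sites, which is exactly the kind of link a single bank would not see on its own but a shared database exposes. A real deployment would of course key on more than a bare source IP; the example keeps the pattern minimal to show the flow from planted credential to blocked transaction.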

Photo credit: Nick Heath/silicon.com

Photo 4 of 5: Nick Heath/ZDNET

RSA and its ISP and internet gateway partners look for evidence of Trojan attacks on malicious websites, fraudster chat rooms and by scanning emails.

When RSA finds evidence that a Trojan is being used to steal details from one of its clients' customers, for example a customer of an online bank, it forwards a copy of that Trojan to the AFCC. There, RSA software attempts to match the crimeware against a list of previously identified Trojans.

After it has been matched, the Trojan is sent to an RSA engineer who will reverse engineer it.

The engineer will find out the IP addresses of the machines being used to host the infected websites or send out infected emails, as well as the addresses of the machines to which stolen information is being sent and of those being used to give additional commands or updates to the Trojan.

RSA staff will then contact the relevant ISP or domain registrar to block access to all of these locations, preventing new machines being infected and fresh details from being stolen.

Photo credit: Nick Heath/silicon.com

Photo 5 of 5: Nick Heath/ZDNET

Each person in the main AFCC control room has two virtual computers, which they access through thin client devices seen here.

One of the two virtual machines is described as the "dirty computer", and is used to visit phishing websites or those infected with Trojans.

The second virtual machine is used to access email, word processors and other corporate applications.

Once a member of staff completes their shift, the virtual "dirty" machine is wiped and a new virtual machine is created to carry out inspections of other compromised sites.

Photo credit: Nick Heath/silicon.com
