Blog article
See all stories »

Unlucky 100,000

In light of the festive season I decided not to post anything about new threats and emerging headaches. Instead, I decided to shed some light on the work of the good guys. To the good guys!

The post below is based on true events.

* * *

It was early afternoon time at the large, aquarium-shaped room. The set of huge LCD screens at the front of the Command Center kept rolling down lists of targets under a live threat. Outside, an August sun blazed high in the sky, slowly preparing for its daily descent into the hazy waves to the west.

Erica (a made up name) just returned from a late lunch, and stretched in her chair. A year and a half after being promoted to a full time analyst, she was used to catching a quick bite before the long afternoon working incoming traffic.

Speaking her native south-American accented Spanish as well as fluent French, she was sometimes assigned to cases requiring her special linguistic skills. She thought of studying Italian next; the command center offered plenty of opportunities to practice, and knowing three European languages at the age of twenty four should be quite useful. 

The desktop computer chirped, a new entry popping up and demanding her attention. Erica examined the alert, which came from one of the most reliable feeds – an anti spam vendor running custom made filters to catch specific keywords for incriminating content. An automatic crawler has already conducted an initial verification of the alert, assessing it as a real attack.

Following procedure, she clicked on the URL and looked at the page that opened. This one was in English; the page was the exact replica of a very familiar online banking site belonging to one of the major UK banks.

Next was examining the host – a major ISP in South Korea. A high-tech country rich in broadband Internet connections and private PCs to hijack, the country's botnet infrastructure was growing on a daily basis, making it one of the top candidates to host an attack outside the US and the European Union. The owner of the private computer on which the attack was hosted was probably unaware of it being rented to criminal elements and containing a spitting image of a European bank's website. 

Erica afforded a side glance at a wide LCD screen known as The Globe. A creeping shadow was already covering East Asia, and the local time in Korea was showing 8 PM. Well out of business hours. 

Fortunately, this particular ISP was one of the most cooperative, as long as you followed some simple guidelines. Send a clear, concise message; use a certain format in the email subject; don't call or nudge, or risk having your query go to the bottom of the priority list. Play it right, and within a few hours the private account will get disconnected from the net, instantly terminating the attack. Play it wrong, and the attack could go on for days.

"Catch you later, little phish", said Erica to no one in particular, and stretched again in her seat.

* * *

This little phish, as it happened, ended up being the 100,000th shut-down of the RSA Anti Fraud Command Center – and made a small history.

It was a very close call, as over one hundred attacks targeting the AFCC customers are live at any given point of time: it could have been any other attack that got the exciting title of being Unlucky Number 100,000.

Interestingly, the first-ever shut down conducted by the AFCC over four years ago also targeted a major UK bank. It's fascinating to see how things changed between now and then: for a full account of the four-year trends, see the image below.

But if you're curious how this particular phish ended, here it is:

The attack was terminated less than two and a half hours after its initial detection; a pretty decent result considering the after business hour at the hosting provider. Later on an official confirmation was received from the Korean ISP.

One less phish in the online crime pond.

* * *

Phishing has been with us for years, and will continue to do so for a long while – diversifying to new targets and employing new social engineering tricks all the time. While the last few months have seen a dramatic population explosion of dangerous Trojans, Phishing is still a mainstream tool in the fraud arsenal.

With this I'd like to wish all of you happy holidays. To the fraudsters, know that good people are working day and night to foil your schemes. To the good guys, just keep up the good work. Merry Christmas!

Shut downs by RSA Anti Fraud Command Center

Comments: (2)

A Finextra member
A Finextra member 18 December, 2008, 04:32Be the first to give this comment the thumbs up 0 likes

Hi Uri, congratulations! It was great to shut down the very first attacks all those years ago too! Look forward to speaking with you soon.


Uri Rivner
Uri Rivner - Refine Intelligence - Tel Aviv 18 December, 2008, 15:09Be the first to give this comment the thumbs up 0 likes

Just one small note: the 2004 bar in the chart looks empty, but in fact it includes a little over 100 distinct shut-downs of attacks targeting several financial institutions. Back then it looked like a big number...

Stuart - to you and all the good guys who didn't sleep all night during the early days of phishing attacks!

Uri Rivner

Uri Rivner

CEO and Co-Founder

Refine Intelligence

Member since

14 Apr 2008


Tel Aviv

Blog posts




This post is from a series of posts in the group:

Online Banking

This community is for discussion of developments in the e-banking world, including mobile banking. This can include all the functional, business, technical, marketing, web site design, security and other related topics of Internet Banking segment, including public websites of the banks and financial institutions across the globe.

See all

Now hiring