Swedish bank hit by 'biggest ever' online heist
By Tom Espiner
Special to CNET News.com
Published: January 19, 2007, 10:48 AM PST
Swedish bank Nordea has told ZDNet UK
that it has been stung for between seven and eight million Swedish krona--up to
$1.1 million--in what security company McAfee is describing as the
"biggest ever" online bank heist.
Over the last 15 months, Nordea
customers have been targeted by e-mails containing a tailor-made Trojan, said
the bank.
Nordea believes that 250 customers
have been affected by the fraud, after falling victim to phishing e-mails
containing the Trojan. According to McAfee, Swedish police believe
Russian-organized criminals are behind the attacks. Currently, 121 people are
suspected of being involved.
The attack started with a tailor-made Trojan sent in the name of the bank to some of its clients,
according to McAfee. The sender encouraged clients to download a "spam
fighting" application. Users who downloaded the attached file, called
raking.zip or raking.exe, were infected by the Trojan, which some security
companies call haxdoor.ki.
Haxdoor typically installs keyloggers
to record keystrokes, and hides itself using a rootkit. The payload of the .ki
variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were
redirected to a false home page, where they entered important log-in
information, including log-in numbers.
After the users entered the
information, an error message appeared, informing them that the site was
experiencing technical difficulties. Criminals then used the harvested customer
details on the real Nordea Web site to take money from customer accounts.
According to McAfee, Swedish police have established that the log-in
information was sent to servers in the US, and then to Russia. Police believe
the heist to be the work of organized criminals.
Nordea spokesman for Sweden, Boo
Ehlin, said that most of the home users affected had not been running antivirus
applications on their computers. The bank has borne the brunt of the attacks
and has refunded all the affected customers.
Ehlin blamed successful social
engineering for the heist, rather than any deficiencies in Nordea's security
procedures.
"It is more of an information,
rather than a security problem," said Ehlin. "Codes are a very
important thing. Our customers have been cheated into giving out the keys to
our security, which they gave in good faith."
In an effort to combat fraud, most
banks have a policy of monitoring the behavior of people claiming to be their
customers, so that unusual transaction behavior can be investigated and halted
if fraudulent.
Nordea was aware that some of the
attempted transactions were false because of the large sums involved. However,
during a period of 15 months, a large series of small transactions enabled the
criminals to successfully transfer a huge sum overall.
"In some cases we saw the
transactions were false, and in some cases we didn't," said Ehlin.
"We can't look at every transfer, and it looked like our customers had made
the transfer. Most of the cases were small amounts that we thought were
ordinary. We lost approximately seven to eight million krona."
Nordea has two million Internet
banking customers in Sweden. The police investigation is underway, and the bank
is currently reviewing its security procedures.
The Metropolitan Police warned in
October last year that thousands of UK users had been affected by a variant of
the Haxdoor Trojan.
ZDNet UK staff reported from London.