X

Swedish bank hit by 'biggest ever' online heist

Phishing e-mails encouraged at least 250 customers to download antivirus application containing a Trojan.

Tom Espiner Special to CNET News
3 min read

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona--up to $1.1 million--in what security company McAfee is describing as the "biggest ever" online bank heist.

Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing e-mails containing the Trojan. According to McAfee, Swedish police believe Russian-organized criminals are behind the attacks. Currently, 121 people are suspected of being involved.

The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.

Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.

After the users entered the information an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea Web site to take money from customer accounts.

According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. Police believe the heist to be the work of organized criminals.

Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus applications on their computers. The bank has borne the brunt of the attacks and has refunded all the affected customers.

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea's security procedures.

"It is more of an information, rather than a security problem," said Ehlin. "Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith."

In an effort to combat fraud, most banks have a policy of monitoring the behavior of people claiming to be their customers, so that unusual transaction behavior can be investigated and halted if fraudulent.

Nordea was aware that some of the attempted transactions were false because of the large sums involved. However, during a period of 15 months a large series of small transactions enabled the criminals to successfully transfer a huge sum overall.

"In some cases we saw the transactions were false, and in some cases we didn't," said Ehlin. "We can't look at every transfer, and it looked like our customers had made the transfer. Most of the cases were small amounts that we thought were ordinary. We lost approximately seven to eight million krona."

Nordea has two million Internet banking customers in Sweden. The police investigation is underway, and the bank is currently reviewing its security procedures.

The Metropolitan Police warned in October last year that thousands of UK users had been affected by a variant of the Haxdoor Trojan.

ZDNet UK staff reported from London.