Do you bank online...

[Target]

Swedish bank hit by 'biggest ever' online heist

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona--up to $1.1 million--in what security company McAfee is describing as the "biggest ever" online bank heist.

Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing e-mails containing the Trojan. According to McAfee, Swedish police believe Russian-organized criminals are behind the attacks. Currently, 121 people are suspected of being involved.

The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.

Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.

After the users entered the information an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea Web site to take money from customer accounts.

According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. Police believe the heist to be the work of organized criminals.

Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus applications on their computers. The bank has borne the brunt of the attacks and has refunded all the affected customers.

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea's security procedures.

"It is more of an information, rather than a security problem," said Ehlin. "Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith."

In an effort to combat fraud, most banks have a policy of monitoring the behavior of people claiming to be their customers, so that unusual transaction behavior can be investigated and halted if fraudulent.

Nordea was aware that some of the attempted transactions were false because of the large sums involved. However, during a period of 15 months a large series of small transactions enabled the criminals to successfully transfer a huge sum overall.

"In some cases we saw the transactions were false, and in some cases we didn't," said Ehlin. "We can't look at every transfer, and it looked like our customers had made the transfer. Most of the cases were small amounts that we thought were ordinary. We lost approximately seven to eight million krona."

Nordea has two million Internet banking customers in Sweden. The police investigation is underway, and the bank is currently reviewing its security procedures.

The Metropolitan Police warned in October last year that thousands of UK users had been affected by a variant of the Haxdoor Trojan.

ZDNet UK staff reported from London

[ZFR]

So they downloaded a .exe attachment?

It's good such people exist. Thanks to them I don't have to work hard for my online banking security to be above average.

[johnny]

I do all my banking online nowadays, the only business i have with real life banking is when i have to use an ATM, i'm still waiting for the day they invent PC's that have such an option.

We've had warnings about similar stuff happening here as well, you're only in danger when you click on the exe, and that's something i never ever do, not even from friends, unless i'm expecting something from them.

[Olorin]

That was not even as sneaky as some emails I've gotten claiming to be from a bank that ask me to log in to confirm my security information or what not. In those, all you have to do is click a link that appears to be for your bank to be taken to a lookalike site and have your passwords stolen.

I amuse myself by hovering my mouse over the links in those emails to see where they are really directing you to.

[johnny]

Probably www.hoodlum.rus