Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona--up to $1.1 million--in what security company McAfee is describing as the "biggest ever" online bank heist.
Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.
Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing e-mails containing the Trojan. According to McAfee, Swedish police believe Russian-organized criminals are behind the attacks. Currently, 121 people are suspected of being involved.
The attack started with a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.
Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.
After the users entered the information, an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea Web site to take money from customer accounts.
According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. Police believe the heist to be the work of organized criminals.
Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus applications on their computers. The bank has borne the brunt of the attacks and has refunded all the affected customers.
Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea's security procedures.
"It is more of an information, rather than a security problem," said Ehlin. "Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith."
In an effort to combat fraud, most banks have a policy of monitoring the behavior of people claiming to be their customers, so that unusual transaction behavior can be investigated and halted if fraudulent.
Nordea was aware that some of the attempted transactions were false because of the large sums involved. However, during a period of 15 months a large series of small transactions enabled the criminals to successfully transfer a huge sum overall.
"In some cases we saw the transactions were false, and in some cases we didn't," said Ehlin. "We can't look at every transfer, and it looked like our customers had made the transfer. Most of the cases were small amounts that we thought were ordinary. We lost approximately seven to eight million krona."
Nordea has two million Internet banking customers in Sweden. The police investigation is underway, and the bank is currently reviewing its security procedures.
The Metropolitan Police warned in October last year that thousands of UK users had been affected by a variant of the Haxdoor Trojan.
ZDNet UK staff reported from London.
I hope they nail the living heck out of whoever did it and they get REAL time in a REAL prison.
Charles R. Whealton
Charles Whealton @ pleasedontspam.com
I also have to object to the line, "most of the home users affected had not been running antivirus applications on their computers.", because it is irrelevant. This was a tailor-made attack of a kind that very few (if any) anti-spyware applications could detect, because antivirus companies wouldn't have a sample of the Trojan to work with.
How in the world did this have to do with the bank? The customer downloaded a virus, went to a spoof page, and entered her information....now; the bank could have prevented the customer from giving out this information....
They couldn't.
It still amazes me, how after so many news reports, articles, magazine articles, TV shows, etc have told people NOT to do this kind of thing that it still happens!!
Personally, the people who had this done to them, well, too bad. After this, it should be lesson learned.
Other operating systems, such as Apple OSx and Linux do not have this problem in any real way, and MS Windows can be fixed to stop all this external virus software from installing itself on PCs.
- I hope they nail 'em
- by chuck_whealton May 5, 2008 8:13 PM PDT
- Just another one of a million incidents per day to take away credibility from the Internet.