[ISN] Swedish bank hit by 'biggest ever' online heist

From: InfoSec News (alerts@private)
Date: Sun Jan 21 2007 - 22:26:28 PST


By Tom Espiner
19 Jan 2007

Swedish bank Nordea has told ZDNet UK that it has been stung for between 
seven and eight million Swedish krona, up to £580,000, in what security 
company McAfee is describing as the "biggest ever" online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails 
containing a tailor-made Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, 
after falling victim to phishing emails containing the Trojan. According 
to McAfee, Swedish police believe Russian organised criminals are behind 
the attacks. Currently, 121 people are suspected of being involved.

The attack started with a tailor-made Trojan sent in the name of the bank 
to some of its clients, according to McAfee. The sender encouraged 
clients to download a "spam fighting" application. Users who downloaded 
the attached file, called raking.zip or raking.exe, were infected by the 
Trojan, which some security companies call haxdoor.ki.

Haxdoor typically installs keyloggers to record keystrokes, and hides 
itself using a rootkit. The payload of the .ki variant of the Trojan was 
activated when users attempted to log in to the Nordea online banking 
site. According to the bank, users were redirected to a false home page, 
where they entered important log-in information, including log-in 

After the users entered the information, an error message appeared, 
informing them that the site was experiencing technical difficulties. 
Criminals then used the harvested customer details on the real Nordea 
website to take money from customer accounts.

According to McAfee, Swedish police have established that the log-in 
information was sent to servers in the US, and then to Russia. Police 
believe the heist to be the work of organised criminals.

Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users 
affected had not been running antivirus on their computers. The bank has 
borne the brunt of the attacks, and has refunded all the affected 

Ehlin blamed successful social engineering for the heist, rather than 
any deficiencies in Nordea security procedures.

"It is more of an information rather than a security problem," said 
Ehlin. "Codes are a very important thing. Our customers have been 
cheated into giving out the keys to our security, which they gave in 
good faith."

In an effort to combat fraud, most banks have a policy of monitoring the 
behaviour of people claiming to be their customers, so that unusual 
transaction behaviour can be investigated and halted if fraudulent.

Nordea was aware that some of the attempted transactions were false 
because of the large sums involved. However, over 15 months a large 
series of small transactions enabled the criminals to successfully 
transfer a huge sum overall.

"In some cases we saw the transactions were false, and in some cases we 
didn't," said Ehlin. "We can't look at every transfer, and it looked 
like our customers had made the transfer. Most of the cases were small 
amounts that we thought were ordinary. We lost approximately seven to 
eight million krona."

Nordea has two million internet banking customers in Sweden. The police 
investigation is underway, and the bank is currently reviewing its 
security procedures.

The Metropolitan Police warned in October last year that thousands of UK 
users had been affected by a variant of the Haxdoor Trojan.
