http://www.nytimes.com/2007/01/25/technology/25hack.html

By ANDREW E. KRAMER
January 25, 2007

MOSCOW, Jan. 24 - Word has started spreading in Sweden about the discovery last week of a $1 million online banking theft traced to a Russian hacker who goes by the sobriquet the Corpse.

The case opens a window into the dark world of Russian programming and underlines risks in online banking. Nordea Bank, the Scandinavian financial services company involved, emphasized that only customers whose computers were not protected by antivirus programs had become victims.

The Swedish police said the virus was distributed with spam e-mail and programmed to infiltrate home computers of customers at several European and American banks. Police officers have arrested Swedish nationals and foreigners who withdrew cash from Nordea branches after making online transfers.

The Corpse's identity is unknown to computer virus specialists.

The virus in question, a so-called Trojan horse program, surreptitiously logged keystrokes while banking customers entered their passwords. The police identified the program as a variant of the Haxdoor Trojan.

The Corpse is thought to be the author of the original Haxdoor program and several iterations, under names including A311 Death and Nuclear Grabber. Those are offered for sale on a Russian Web site at prices ranging from several hundred dollars to several thousand dollars, depending on the version.

The site, which displays a thumbnail image of Lenin making a rude gesture, offers to customize the software for clients for an unspecified amount.

Thieves using the program in Sweden defrauded 250 customers of Nordea's online banking service over a period of 15 months. The bank has compensated its clients.

The case has drawn new attention to the bizarre world of Russian hacking. Russia's weak laws and a strong tradition of scientific education have combined to create a flourishing culture of computer hacking, specialists in the programming industry say.

The prevalence of pornography and fraud on the Russian Internet has contributed to the country's image as a digital Wild West of spammers and hackers. And foiling Western banking security resonates with Russian programmers, technology specialists say.

"Russian hackers are driven by curiosity, greed or the desire to prove they are clever," said Denis Kalinin, chief executive of Rambler, a successful Russian search engine company.

This latest version of the Haxdoor Trojan program was activated when a customer typed the bank's address into a browser. The rogue software then recorded keystrokes to capture passwords. Later, money was transferred to newly opened accounts and cash was withdrawn at bank branches.

"It's a highly advanced form of I.T. fraud, and it's never happened before outside of industrial espionage," said Daniel Goldberg, a writer for Computer Sweden, a technology magazine in Stockholm that first reported the fraud, in a telephone interview Wednesday.

Aleksandr Gostev, a virus researcher at Kaspersky Labs in Moscow, said the Corpse was known as a hacker who had sold programs to other hackers. That meant, Mr. Gostev said, that he might not be connected to the group that defrauded the Nordea bank customers, even if he were the author of the keystroke-logging program.

"In the case of Nordea bank, somebody who wanted to steal from clients ordered a customized version," Mr. Gostev said. "The hacker could be from anywhere in the world."

The Corpse's site carries a disclaimer in rough English that the programs are to be used exclusively in the educational purposes. Questions mailed to the site were not answered on Wednesday.

The Swedish police say that the Russian connection in the fraud goes beyond the source of the virus.

Anders Ahlqvist, chief inspector in the cybercrime division of the Swedish National Criminal Investigations Department, said in a telephone interview that stolen passwords had been transmitted to a computer server in the United States that forwarded the information to a server in Russia.

Also, some of the money was sent to the eastern shore of the Baltic Sea after the attack, he said, meaning Russia.

He played down the complexity of the virus, saying the fraud depended on the carelessness of customers who downloaded it to their computers.

"If people used a little common sense when they received e-mails, these attacks would never appear," Mr. Ahlqvist said. "This Trojan is very much alive and well in computers in Sweden today. I would be surprised if it wasn't. People are not careful enough with their machines."

And Mr. Kalinin said: "When you are rich and you have enough of everything, you usually don't do things harmful to other people. When that's not the case, and you have to fight for a place to work and a good life, but you are clever enough and you can show it, that is dangerous."

Copyright 2007 The New York Times Company