[ISN] Online Nordic Banking Theft Stirs Talk of Russian Hacker

From: InfoSec News (alerts@private)
Date: Wed Jan 24 2007 - 23:28:27 PST


January 25, 2007

MOSCOW, Jan. 24 - Word has started spreading in Sweden about the 
discovery last week of a $1 million online banking theft traced to a 
Russian hacker who goes by the sobriquet the Corpse.

The case opens a window into the dark world of Russian programming and 
underlines risks in online banking. Nordea Bank, the Scandinavian 
financial services company involved, emphasized that only customers 
whose computers were not protected by antivirus programs had become 

The Swedish police said the virus was distributed with spam e-mail and 
programmed to infiltrate home computers of customers at several European 
and American banks. Police officers have arrested Swedish nationals and 
foreigners who withdrew cash from Nordea branches after making online 

The Corpses identity is unknown to computer virus specialists. The virus 
in question, a so-called Trojan horse program, surreptitiously logged 
keystrokes while banking customers entered their passwords.

The police identified the program as a variant of the Haxdoor Trojan. 
The Corpse is thought to be the author of the original Haxdoor program 
and several iterations, under names including A311 Death and Nuclear 
Grabber. Those are offered for sale on a Russian Web site at prices 
ranging from several hundred dollars to several thousand dollars, 
depending on the version.

The site, which displays a thumbnail image of Lenin making a rude 
gesture, offers to customize the software for clients for an unspecified 

Thieves using the program in Sweden defrauded 250 customers of Nordeas 
online banking service over a period of 15 months. The bank has 
compensated its clients.

The case has drawn new attention to the bizarre world of Russian 
hacking. Russias weak laws and a strong tradition of scientific 
education have combined to create a flourishing culture of computer 
hacking, specialists in the programming industry say.

The prevalence of pornography and fraud on the Russian Internet has 
contributed to the countrys image as a digital Wild West of spammers and 
hackers. And foiling Western banking security resonates with Russian 
programmers, technology specialists say. Russian hackers are driven by 
curiosity, greed or the desire to prove they are clever, said Denis 
Kalinin, chief executive of Rambler, a successful Russian search engine 

This latest version of the Haxdoor Trojan program was activated when a 
customer typed the banks address into a browser. The rogue software then 
recorded keystrokes to capture passwords. Later, money was transferred 
to newly opened accounts and cash was withdrawn at bank branches.

Its a highly advanced form of I.T. fraud, and its never happened before 
outside of industrial espionage, said Daniel Goldberg, a writer for 
Computer Sweden, a technology magazine in Stockholm that first reported 
the fraud, in a telephone interview Wednesday.

Aleksandr Gostev, a virus researcher at Kaspersky Labs in Moscow, said 
the Corpse was known as a hacker who had sold programs to other hackers. 
That meant, Mr. Gostev said, that he might not be connected to the group 
that defrauded the Nordea bank customers, even if he were the author of 
the keystroke-logging program.

In the case of Nordea bank, somebody who wanted to steal from clients 
ordered a customized version, Mr. Gostev said. The hacker could be from 
anywhere in the world.

The Corpses site carries a disclaimer in rough English that the programs 
are to be used exclusively in the educational purposes. Questions mailed 
to the site were not answered on Wednesday.

The Swedish police say that the Russian connection in the fraud goes 
beyond the source of the virus.

Anders Ahlqvist, chief inspector in the cybercrime division of the 
Swedish National Criminal Investigations Department, said in a telephone 
interview that stolen passwords had been transmitted to a computer 
server in the United States that forwarded the information to a server 
in Russia.

Also, some of the money was sent to the eastern shore of the Baltic Sea 
after the attack, he said, meaning Russia.

He played down the complexity of the virus, saying the fraud depended on 
the carelessness of customers who downloaded it to their computers. If 
people used a little common sense when they received e-mails, these 
attacks would never appear, Mr. Ahlqvist said. This Trojan is very much 
alive and well in computers in Sweden today. I would be surprised if it 
wasnt. People are not careful enough with their machines.

And Mr. Kalinin said: When you are rich and you have enough of 
everything, you usually dont do things harmful to other people. When 
thats not the case, and you have to fight for a place to work and a good 
life, but you are clever enough and you can show it, that is dangerous.

Copyright 2007 The New York Times Company

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Thu Jan 25 2007 - 03:50:44 PST