Swedish bank hit by 'biggest ever' online heist

Swedish bank hit by 'biggest ever' online heist

Summary: Swedish police suspect Russian organised criminals to be behind a heist that has cost Nordea up to £580,000

TOPICS: Security

Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona — up to £580,000 — in what security company McAfee is describing as the "biggest ever" online bank heist.

Over the last 15 months, Nordea customers have been targeted by emails containing a tailormade Trojan, said the bank.

Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved.

The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.

Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.

After the users entered the information an error message appeared, informed them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea website to take money from customer accounts.

According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia. Police believe the heist to be the work of organised criminals.

Nordea spokesman for Sweden, Boo Ehlin, said that most of the home users affected had not been running antivirus on their computers. The bank has borne the brunt of the attacks, and has refunded all the affected customers.

Ehlin blamed successful social engineering for the heist, rather than any deficiencies in Nordea security procedures.

"It is more of an information rather than a security problem," said Ehlin. "Codes are a very important thing. Our customers have been cheated into giving out the keys to our security, which they gave in good faith."

In an effort to combat fraud, most banks have a policy of monitoring the behaviour of people claiming to be their customers, so that unusual transaction behaviour can be investigated and halted if fraudulent.

Nordea was aware that some of the attempted transactions were false because of the large sums involved. However, over 15 months a large series of small transactions enabled the criminals to successfully transfer a huge sum overall.

"In some cases we saw the transactions were false, and in some cases we didn't," said Ehlin. "We can't look at every transfer, and it looked like our customers had made the transfer. Most of the cases were small amounts that we thought were ordinary. We lost approximately seven to eight million krona."

Nordea has two million internet banking customers in Sweden. The police investigation is underway, and the bank is currently reviewing its security procedures.

The Metropolitan Police warned in October last year that thousands of UK users had been affected by a variant of the Haxdoor Trojan.

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for ZDNet.com. He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Phishing

    with millions of dollars spent on anti phishing campaigns in the US it makes me wonder, if the Swedes could have done the same, as with most computer users they are dumb as a box of rocks

    one of the industry mags i get said 2 days ago, (yes i am in ths high end computing and server business) that the US servers involved were anynomizers adn were redirecting the information through 4-5 anyonomizers so no actual people in the US were involved by choice, but changes have been made, i feel my blocking anything from japan (including the pacific rim), russia, and several other countries, they try and send anthing via email, it hits the bitbucket and is dumped every 2 hours, i catch 50,000 bogus emails a day that way, anf frankly i dont care what it is, if a client has an issue i can add in an exception for them, considering 80%+ of all spam is from the pacific rim, block them, they will go away probably to another country but block them too, my clients are higher up the food chain that spammers in my company

    another thing the russian mob is known for being violet and brutal in theis quest to make money, it is doubtful any charges will be filed, let alone any legal action for fear of getting their whole family killed, including their dog an cat, which the russian mob is good for doing, so they will continue without issues
  • Biggest ever?

    I keep seeing this story referred to as the "biggest ever online heist." Does anybody actually know who decided it was the "biggest ever," and what they're comparing it to?

    I'm not sure, but my gut reaction is that banks have been taken for more than 1.2mil before. Anybody know if that's true?
  • Email is not the only way rootkits get distributed

    Rootkits can be imbedded in webpages, any microsoft document, adobe acrobat etc, and the the most worrying part; they have microsoft authorized digital signatures attached, meaning that they do not raise any red flags, when downloaded, as Microsoft explains in this tech bulletin, http://www.microsoft.com/technet/sysinternals/utilities/RootkitRevealer.mspx
    they cannot protect windows against rootkits, even using whitelisting(comparing offline scan sumcheck to online sumcheck), which also means they are saying there is no software solution either.
    Even Vista allows authorized signatures into its Kernel.
    Bottom line? use online banking at your own peril.