Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona–up to $1.1 million–in what security company McAfee is describing as the “biggest ever” online bank heist.
Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.
Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing e-mails containing the Trojan. According to McAfee, Swedish police believe Russian-organized criminals are behind the attacks. Currently, 121 people are suspected of being involved.
The attack started by a tailor-made Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a “spam fighting” application. Users who downloaded the attached file, called raking.zip or raking.exe, were infected by the Trojan, which some security companies call haxdoor.ki.
Haxdoor typically installs keyloggers to record keystrokes, and hides itself using a rootkit. The payload of the .ki variant of the Trojan was activated when users attempted to log in to the Nordea online banking site. According to the bank, users were redirected to a false home page, where they entered important log-in information, including log-in numbers.
After the users entered the information an error message appeared, informing them that the site was experiencing technical difficulties. Criminals then used the harvested customer details on the real Nordea Web site to take money from customer accounts.