
Largest Ever Online Robbery Hits Swedish Bank

ukhackster writes "A Swedish bank has fallen victim to what experts believe is the biggest online robbery ever. A Russian gang apparently used keylogging software to steal around one million dollars. It appears that most of the victims weren't running security protection. The bank is refunding everyone who lost money (even if they hadn't taken precautions) — good news for the victims, but not really an incentive to take more care in future. From the article: 'Nordea believes that 250 customers have been affected by the fraud, after falling victim to phishing emails containing the Trojan. According to McAfee, Swedish police believe Russian organised criminals are behind the attacks. Currently, 121 people are suspected of being involved. The attack started by a tailormade Trojan sent in the name of the bank to some of its clients, according to McAfee. The sender encouraged clients to download a "spam fighting" application.'"
  • by lixee ( 863589 ) on Friday January 19, 2007 @02:11PM (#17684886)
    In other news, Nordea is planning to relocate to Sealand.
  • Options (Score:2, Insightful)

    by MrNaz ( 730548 )
    Slashdot Option 1: Encourage stupid people by paying out when they do stupid things like believe email that reads "Dwonlaod tihs spam fihgting tool". Slashdot Option 2: Encourage banks to absorb financial responsibility of eCommerce mishaps and take the lead in system security. Can't... make... decision... brain... splitting... in... half...
    • Re: (Score:2, Insightful)

      My bank now demands additional secrets if I try to log in from an IP that is different than the usual one. A little inconvenient but I am sure it helps.
      • Re: (Score:2, Insightful)

        by Poruchik ( 1004331 )
        And how does this help if your regular computer has a trojan?
  • According to whom?! (Score:5, Interesting)

    by rumith ( 983060 ) on Friday January 19, 2007 @02:15PM (#17684956)

    According to McAfee, Swedish police have established that the log-in information was sent to servers in the US, and then to Russia.
    And what have Swedish police established according to Swedish police? Why quote McAfee? What business do they have here?
    • Ever consider that perhaps McAfee was consulted on this matter?
  • Those who are not into technology have no idea.... Look at my latest journal [slashdot.org]. You can have a PhD and fall for the simplest scam there is. Computers do seem to have this effect on people: their common sense fails because computers are somehow "Magic".

    It's tragic if you ask me.

    • Re: (Score:3, Insightful)

      So a PhD in medieval literature makes you an expert in computers and email? I am not saying that she shouldn't have known better (the SPAM indicator), but the PhD alone doesn't really matter. Besides some people are always looking for a get rich quick scheme.
    • by fbjon ( 692006 )
      This is not a simple scam. Judging from my experience with the Finnish branch and the comments below, the Swedish branch also uses a unique id for every customer and a one-time password, printed on a list. The password was captured as it was entered on the real login page, after which the trojan displayed an "error" page, supposedly from the bank, saying that the system is down for maintenance. I don't see any authentication method that could prevent this, especially if the trojan piggybacks on the browser'
      • by fbjon ( 692006 )
        Replying to myself, since I found out the difference between the Finnish and Swedish branches:


        The Finnish branch says this scam won't work in their system, because they require a separate confirmation code to complete any transaction. The Swedish branch does not, so that's why capturing login info is sufficient to steal the loot.

    • Re: (Score:3, Funny)

      by hritcu ( 871613 )
      So it was targeted towards women: "Probably the promise of 850.000,00 turned of her common sense." Makes sense.
  • Crime Doesn't Pay (Score:3, Insightful)

    by Zzesers92 ( 819281 ) on Friday January 19, 2007 @02:19PM (#17685028)
    $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
    • Re: (Score:3, Insightful)

      by arevos ( 659374 )

      $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime.

      Whilst this may be true in a country like the USA, it's worth noting that the difference in average incomes between western Europe and Russia makes it more profitable than it might seem at first glance. The average yearly salary in Russia is around $4800, whilst the average salary in countries like the US and Sweden is about 8 times that.

      Multiplying by 8 gives $66,116, and whilst I suspect such a figure would still not be worth the risk of being caught (and with 121 people involved, there's got to be

    • by PW2 ( 410411 )
      > $1,000,000 divided by 121 people = 8264.46 per person. I'm convinced taking people's money through legitimate avenues is easier than through crime. Zzesers
       
      This is the point in time when the fun begins -- the "smarter" team members start taking out some of the others and increasing their personal stash every few days

  • LULZ (Score:5, Funny)

    by Anonymous Coward on Friday January 19, 2007 @02:21PM (#17685072)
    The biggest online robbery ever was a lousy million dollars? Oh come on, someone's gotta be able to do better than that. Get it in gear, people, it's 2007, we should be having way bigger cybercrimes by now. Someone hax0r the Gibson or something.
    • by Korin43 ( 881732 )
      Yeah seriously. All these people hyped up about "cyber terrorism" or "cyber theft" or other phrases involving computer and bad things, and the BIGGEST CYBER THEFT EVER is one million dollars? Wasn't there a movie where someone steals like 10 billion dollars from an international bank? That's way more cool..
    • Citibank, 1994, US$10 million.

      Security Pacific, 1974, about the same amount from someone who eavesdropped and social engineered his way past the security measures on the wire room.
  • the hard part (Score:4, Interesting)

    by Lord Ender ( 156273 ) on Friday January 19, 2007 @02:21PM (#17685076) Homepage
    Stealing passwords is trivially easy. Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.

    The trick is getting cash transferred from someone's bank once you have their credentials.
    • Even with two-factor authentication (SecurID), someone can MITM you if they own your PC.
      You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.
      • by FallLine ( 12211 ) *

        You don't keep "something you have" (keys, tokens, etc) or "something you are" (retina, fingers, etc) in your computer. Therefore, MITM (man in the middle) would not work even if someone pwns your computer. That is the whole point of two factor auth.

        Not quite. SecurID and similar schemes make it a lot harder, but there's no reason why someone couldn't perform a man in the middle attack while the victim is attempting to log into the service. Once the victim types in the key, they could simply cancel/kill

      • Re: (Score:3, Informative)

        by dgatwood ( 11270 )

        Two-factor auth is really not that useful. Indeed, n-factor is not better than single factor. What is required for a transaction to be secure are the following:

        • A known secure endpoint (a computer without spyware)
        • A secure communication channel between the two (https)

        Without BOTH of those, no additional factors will help.

        Here's a short description of how the basic attack works. Your second factor is a SecurID or CryptoCard token. You key in your pin number and the value currently shown on that to

        • Re: (Score:3, Insightful)

          by dgatwood ( 11270 )

          Or possibly not a DNS lookup. Possibly just delaying ACKs and stuff on the outbound TCP connection to make the connection open more slowly and delay any useful receipt of data... or inserting bogus NAKs or... could be anything. The point is that an attacker would do something to delay the connection.

          These sorts of flaws have been talked about for a while now. Man-in-the-middle attacks are hard to protect against, and impossible if one endpoint is the untrusted man in the middle. In this way, it is bas

      • Re: (Score:3, Informative)

        by Lord Ender ( 156273 )
        Like so many things in life, something you (know|have|are){2,} is an oversimplification. It's a lossy compression (if you will) of the much-more-complex science of authentication. This is why you misunderstand the subject.

        Think it through: I have a keystroke logger on your PC. You type in your username (something you know) and your SecurID code (something you think you have :-). I then log in to your online bank app using the stuff you just typed and start transferring money.

        For these purposes, the SecurID
        • You're using a flawed implementation to illustrate your point. The idea of two factor auth does what it is intended to do: make it more difficult to access resources for those it is not intended. Perfect security is an illusion. The point is to make it more difficult, not 100% guaranteed.
    • Maybe you'd have to carry a cellphone and they'd autodial you with a message asking you to confirm the transaction ("Please press 1 to confirm $500 to Alxei in Moscow, Press 2 to inform the police..."). Hopefully the transactions don't all occur at 3AM. Now if the crooks have your account info AND your cellphone then you are probably more concerned about how you are going to escape from your kidnappers.

      My credit card company has called me to confirm heavy activity or big purchases that veer from my normal
    • Yup, it is the bank's fault for allowing transfers to unaudited destinations. If someone would get into my bank account, all they can do is pay my existing bills with a handful of large corporations and financial institutions. The system doesn't allow transfers to random accounts.

      Schtooopidddttt bank. I hope the Swedes do a run on it and put it out of business/misery.
  • by Anonymous Coward on Friday January 19, 2007 @02:22PM (#17685102)
    The sender encouraged clients to download a "spam fighting" application.


    the 'spam fighting' app almost did exactly what it was deceptively claiming to do;

    bankrupt the people, force them to sell their technological idolatry, bam-- no more spam.
  • Victims (Score:5, Insightful)

    by Sloppy ( 14984 ) on Friday January 19, 2007 @02:23PM (#17685122) Homepage Journal
    The bank is refunding everyone who lost money (even if they hadn't taken precautions) - good news for the victims

    No, that merely changes who the victims are. There is no such thing as "good news for the victims" unless the stolen money is recovered.

    • by rm999 ( 775449 )
      It seems to me that the only victim is the bank itself (at least if Swedish banks compete with each other, like in the USA). In that case, they are not "victims" because they gave up the money by choice, presumably to make their customers feel safer.

  • FDIC? (Score:5, Informative)

    by Thansal ( 999464 ) on Friday January 19, 2007 @02:24PM (#17685138)
    If this was to happen in the US, would the FDIC cover these types of things?

    And yes, I think that it is good that the bank is reimbursing the idiots that fell for the scam, however I hope they now include something that says "if it was your fault someone else gained your PW, then it sucks to be you", AND they provide much better security (virtual key pads, multiple randomly selected questions) AND make them mandatory!

    For those of you who have an ING account you know what their security is like. Nothing much that will hamper a real customer, but things that should stop non-customers.
    • >> If this was to happen in the US, would the FDIC cover these types of things?

      I don't think so. The FDIC is more of a surety for the bank itself. In this case the bank wasn't actually the one robbed, the customers were digitally conned. It's a good business for FDIC itself as your premium as a bank would depend on your fraud record.

      [this] bank is being pretty cool about it, probably because the phishing e-mail containing the trojan appeared to come from the bank's domain. It's a semi-dangerous public
    • If this was to happen in the US, would the FDIC cover these types of things?

      FDIC insures the bank customer against bank failure (as in going out of business).

      http://www.fdic.gov/about/learn/symbol/index.html [fdic.gov]

      They also enforce the Electronic Fund Transfer Act. That may address this particular problem, if it's an EFT that you (or someone you authorized) did not make.

    • If this was to happen in the US, would the FDIC cover these types of things?

      And don't forget to ask this other question

      If this happened in the US and if the FDIC didn't step up, would the bank be worried enough about losing its online customers and reputation to take the hit themselves?

      I suspect a bank might do that if worse came to worse. Online banking holds a lot of promise for a lot of banks. It may be expensive to get going at its core, but online banking holds the promise of scalability and redu
    • >idiots

      We'll never get decent security as long as we set traps for users and call them idiots when they fall in.

      The email containing the Trojan came from the bank's domain, apparently. Is it the fault of the users that email isn't authenticated? Are they idiots for not knowing how SMTP sessions can be spoofed?

      How many places require software downloads to work? Include Flash and PDF readers in that list. Are people idiots for installing something that any non-expert would think came from their bank?

      Do we
    • I think this was covered in Fight Club.

      If the cost of a class action suit (or lost business in this case) is X, the number of defective products (or victims here) is A and the cost of each recall (or refund here) is B. Then if A*B > X you don't do the recall.

      So most banks will probably reckon that refunding these customers (thereby giving their other customers a false sense of security that they will also be refunded if this ever happened to them) is worthwhile. Otherwise they would lose a lot of money i
  • Why can't movie studios come up with plans this ingenious for robbing a bank? The last bank robbing movie I saw involved some terrorist types kidnapping the head of bank security and having him steal the account numbers with a wacky device made out of scanner module from a fax machine and the hard drive from an iPod Mini.
    • Sounds easy enough...

      That's the problem, it's too easy. Robbers spam bank customers with phishing attack. Out of the thousands of customers, 121 dumbasses fall for it. Robbers transfer funds. Robbers go on vacation and buy a car. End of story.

      You're missing all of the critical pieces of a Hollywood heist movie. No hostages? No heroes? No fictional wonder tool fabricated out of duct tape and an old microwave oven? There's not even room for a car chase or an explosion.

      On another note, there's no

  • Boy, if all of the nefarious Slashdotters got together couldn't we beat that by at least an order of magnitude? After all, didn't Sean Connery and Catherine Zeta get away with a few billion?
  • Seems like a fairly precise number...wonder how they derived it? And if true, for $1,000,000 that works out to be just over $8,000 per participant (assuming the proceeds were/are shared equally). Hardly seems worth the risk. On the other hand, the article says (indirectly) that it took 15 months to decide a heist was in progress. Heh, as they say "Patience is a virtue".
  • Quoted.. (Score:3, Funny)

    by ZOMFF ( 1011277 ) on Friday January 19, 2007 @02:27PM (#17685238) Homepage
    An employee of the Swedish Bank was quoted as saying, "Gersh gurndy morn-dee hack-zee hack-zee!"
  • by logicnazi ( 169418 ) <gerdes&invariant,org> on Friday January 19, 2007 @02:29PM (#17685262) Homepage
    Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience. It involves lots of forms and remembering to do things at the right time and spending time on telephone lines. In short it is a pretty good incentive not to be careless with your banking security.

    All that not refunding the customer's money would accomplish is hurt a lot of people and discourage people from using online banking or encourage them to change banks. People are never going to become security gurus just so they can bank online and if you make banking online too risky or hard they will just give it up.

    By making sure it is the bank who has to pay for security losses while still making sure people have some incentive (annoyance, possibility they might pay next time or losing $50) to be safe you end up with the best results. The bank is the entity that can roll out new security solutions and most easily improve security practices so giving them incentives to improve security is the best move.
    • Re: (Score:3, Insightful)

      by planetmn ( 724378 )
      Having had to deal with a bank to get credit card charges reversed I can safely say it isn't a pleasant experience.

      What bank issued your credit card? I've had to reverse charges multiple times for different reasons. I've been billed twice for the same item, I've been billed incorrect amounts, I even reversed a Paypal charge because the seller never sent the item.

      In all cases it was simple (I have Citibank cards). Call up and tell them what charge you are disputing. Immediately you get a conditiona
      • Re: (Score:3, Interesting)

        by RKBA ( 622932 )
        Plus Citibank has a feature that I now find essential - the ability to generate "virtual" credit card numbers as needed, and to be able to set the expiration date and limit on the amount of purchase that can be charged to each virtual credit card number. It makes online shopping perfectly safe. MBNA offered a similar feature until they were bought up by BofA, which is when I changed to Citibank, and so far I'm very happy with Citibank.

        There's a rather humorous corollary to this, and since I feel loquacious
  • not really an incentive to take more care in future

    I'm hoping that the banks at least suspended and revoked the privilege of online banking from the users in question. If you can't take care not to download trojans/etc online that affect online banking, you shouldn't be allowed to do your banking online.
    • by Thansal ( 999464 )
      quick little drama for you to understand why that is NOT happening:

      Bank: You all suck at online skills, so you can't use our online banking services!
      Customers: Bye!
      Bank: What?
      Ex-Customers: ...

      simple, ain't it? Also, actions like that will also have other customers leave.

      However, in reimbursing the customers, despite it being their fault, they have created a VERY good image for the bank.
      • Losing customers that just cost you millions of krona? I'd tell them "Don't let the door hit you on the ass on the way out!" Some customers aren't worth keeping.

        I wouldn't leave my bank if it enforced rules against careless customers. I'd want them to. The careless customers are endangering the bank's security and financial health.
      • by phorm ( 591458 )
        You forgot a line...

        Bank: You all suck at online skills, so you can't use our online banking services!
        Customers: Bye!
        Bank: What?
        Ex-Customers: ...

        Bank: Good riddance

        Banks aren't dumb, and they don't make megabucks by holding onto bad investments. In this case, said customers are bad investments. You really think that the bank is going to be overly upset if a few dozen of the customers that just cost them upwards to a million bucks leave? Do you think that disabling internet accounts of people w
  • It's an incentive for the Bank to improve security. If every bank was required to do this (and cc companies as well) it'd do quite a bit to improve security in online shopping and banking.
    • What could the bank have done differently? The customers were entrusted with the keys to their accounts and they were tricked into handing them over. If you gave your ATM card and PIN to a stranger what could the bank do to protect you?
  • by A beautiful mind ( 821714 ) on Friday January 19, 2007 @02:34PM (#17685384)
    Well according to my anecdotal evidence coming from an ex security admin at a bank who was giving a lecture on bank security at a security themed conference, banks have a certain percentage of loss every year due to online activities. The loss they suffer is tuned to the line that spending more on security would cost more than the current losses they suffer.

    Anyway, I highly doubt that this was the largest ever online robbery, maybe it was the largest phishing attack.
    • A major Swedish newspaper (www.dn.se) writes that the amount is somewhere over 1.1 million USD (8 million SEK). A sizeable chunk of money but perhaps not the most anyone has gotten hold of in this. Other types of financial fraud go way over that. Last year a financial officer of a company fudged the numbers in the computer and transferred 3+ million to her own account (and used a good part of it as well... just hung around too long I guess).
  • by hankwang ( 413283 ) * on Friday January 19, 2007 @02:36PM (#17685414) Homepage

    I was curious about the security protocol for Nordea bank and although links on the Nordea site are currently broken (an attempt to cover up?), I could find them on Google.

    So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

    I used to have a bank account in Sweden with a different bank that uses a cryptographic challenge/response key generator, both for logging in and confirming a transaction. The website supplies you with a code number that you enter, as well as a PIN code. The device uses the code together with a secret key and the time from an internal clock and lets you send back the data.

    Banks here in the Netherlands use similar systems, often with a generic card reader that uses a chip that is built into the bank cards. Others send a confirmation code by SMS to a mobile phone number that is registered to your account.

    I think cryptographic systems are inherently much more secure than predefined one-time keys. The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction. Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

    • by Qzukk ( 229616 )
      Keylogging wouldn't help the scammer; instead he would have to take over the entire browser in order to actually display your transaction information together with his transaction challenge code.

      Some banks have gone a step further and made the transaction amount as part of the challenge, meaning that even an attack like this would fail (since you transferring $20 to your landlord wouldn't match his attempt to withdraw all $21.54 in your account)
    • by Znork ( 31774 )
      "The cryptographic keys are only valid for 30 seconds and, more importantly, only for a specific transaction."

      Short time keys make the interception slightly more difficult, but essentially the intercept software would just have to immediately use the collected keys in the alternate transaction, rather than save them for later use. Same with SMS, or anything else; as long as the customer's PC is compromised, there's no way to guarantee that what the customer sees is what the bank sends, or that what the custo
      • ...just verify the forged transaction, rather than the one the customer thought he was entering.

        That's of course still an issue; it's the weakest link in the chain that counts. Still, with time-limited cryptographic challenge/response verification, it requires much more effort from the attacker. With user/password or user/password/one-time-key login schemes, the weakest link is even weaker. My Dutch bank actually tells me on the login screen [rabobank.nl]: "Please verify that the URL starts with "https://bankieren.rabob

    • by MobyDisk ( 75490 )
      That's amazing to me though: My bank just lets me enter in a PIN just the same as if I used an ATM. No one-time-pads at all. It looks to me like the bank was actually being fairly secure.
    • by Alef ( 605149 )

      So the scammer just needs the fixed PIN code, plus a few of the one-time codes.

      Or, if you have taken control of the user's computer, you can do a man-in-the-middle attack. Since the one-time codes are completely independent of the transaction that is taking place, the cracker can simply wait for the user to transfer money somewhere and substitute the amounts and account numbers.

      This is, however, not possible with at least some of the challenge/response systems you mention, because every number then ne
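The transaction-bound codes that hankwang, Qzukk and Alef describe above, next to a printed one-time code list, as an added example that is not part of the original thread and is not any bank's actual protocol. The HMAC-SHA256 construction, the field encoding and all names, keys and account labels are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

WINDOW_SECONDS = 30  # code lifetime mentioned in the thread


def _field(value) -> bytes:
    """Length-prefix a field so ("12", "3") and ("1", "23") encode differently."""
    raw = str(value).encode()
    return len(raw).to_bytes(2, "big") + raw


def response_code(device_key, challenge, to_account, amount_cents, now):
    """Code a customer's hardware device would display (hypothetical design).

    HMAC over the bank's challenge, the destination, the amount and the
    current time window, reduced to 8 decimal digits.
    """
    window = int(now) // WINDOW_SECONDS
    msg = b"".join(_field(v) for v in (challenge, to_account, amount_cents, window))
    digest = hmac.new(device_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class Bank:
    """Server side: one challenge per transfer, checked against its details."""

    def __init__(self, device_key):
        self._key = device_key
        self._pending = {}  # challenge -> (to_account, amount_cents)

    def start_transfer(self, to_account, amount_cents):
        challenge = f"{secrets.randbelow(10**8):08d}"
        while challenge in self._pending:
            challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[challenge] = (to_account, amount_cents)
        return challenge

    def confirm(self, challenge, code, now):
        # pop(): every challenge gets exactly one attempt, right or wrong.
        details = self._pending.pop(challenge, None)
        if details is None:
            return False
        to_account, amount_cents = details
        # Accept the current window and the previous one to allow clock drift.
        for t in (now, now - WINDOW_SECONDS):
            expected = response_code(self._key, challenge, to_account, amount_cents, t)
            if hmac.compare_digest(expected, code):
                return True
        return False


class PrintedCodeList:
    """Pre-printed one-time codes: valid once, for whatever they accompany."""

    def __init__(self, codes):
        self._unused = set(codes)

    def confirm(self, to_account, amount_cents, code):
        # The transfer details play no part in this check.
        if code in self._unused:
            self._unused.discard(code)
            return True
        return False


def demo():
    key = b"constructed-demo-key"   # constructed sample key
    now = 1169215860                # constructed timestamp
    bank = Bank(key)

    # The customer confirms $20.00 to the landlord (amounts from the thread).
    rent = bank.start_transfer("LANDLORD-001", 2000)
    code = response_code(key, rent, "LANDLORD-001", 2000, now)

    # The same code presented for a different transfer of $21.54.
    other = bank.start_transfer("UNKNOWN-999", 2154)
    results = {
        "substituted_transfer": bank.confirm(other, code, now),
        "genuine_transfer": bank.confirm(rent, code, now + 10),
        "code_reused": bank.confirm(rent, code, now + 10),
    }

    # A correct code presented four windows too late.
    late = bank.start_transfer("LANDLORD-001", 2000)
    late_code = response_code(key, late, "LANDLORD-001", 2000, now)
    results["expired_code"] = bank.confirm(late, late_code, now + 120)

    # A printed code is accepted for any transfer it is submitted with.
    sheet = PrintedCodeList({"4821", "9930"})
    results["printed_code_other_transfer"] = sheet.confirm("UNKNOWN-999", 2154, "4821")
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

As Znork's reply points out, this binds the code to the details the device was given; it only protects the customer if the device shows those details on its own display rather than trusting the PC's screen.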

  • by silentounce ( 1004459 ) on Friday January 19, 2007 @02:44PM (#17685586) Homepage
    What?! No, Soviet Russia jokes yet?!?!
    In Soviet Russia, key logs you!
    Or even better. In Soviet Russia, you gulag.
    Perhaps, in Soviet Russia, bank robs you!
    One last note, in Soviet Russia, Russian reversal jokes are funny.
  • The sender encouraged clients to download a "spam fighting" application.'"

    The trojan in question only runs on Windows [symantec.com].

    Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

    I'm not knocking Windows, the users contributed by not running antivirus software and not being terribly bright. But this is why I don't ever access any of my banking or investment accounts with Windows.

    Just makes it that much harder to automate installation of a keylogger

    • I'm not a windows fanboy ('nix is my preferred OS), but why would the crooks pump out a linux binary or an OSX application in their scammy emails when probably 80-90% of the recipients are likely to use windows, and probably about 80-90% of linux/mac users are slightly more educated in terms of scammy emails.

      This wasn't an automatically installed keylogger from the sounds of it, but rather one installed by dumb users. Windows has more users, so they email the windows users. PCs being more prevalent (and
  • What they just did was tell users that they can run insecure OSs, do nothing about it, and still not be held responsible for their actions. What these victims did was to buy a straw house, then leave the door wide open, and are now being compensated for stolen money. When will it end.
    • by swb ( 14022 )
      Nice blame the victim mindset. I suppose you tell women who have been raped to stay home, people who have their cars ripped off to buy more theft-proof cars, and so on.

      The better choice is for the banks to recognize that client systems are highly vulnerable and make their own security more immune from these problems. If I was a bank, I would also strongly consider blackholing IP space outside of their normal service area. More of an irritant to serious criminals than a real deterrent, but it might make i
  • If the trojan was targeted to something like a specific list of account holders, instead of wildly blasted around, that could indicate a different breach of security at the bank. In that case, the bank has a lot more cleaning up to do behind the scenes. I'm not saying that definitely happened, but I am given pause.

  • Annoyingly I've not been able to google it up, and I can't remember where I read about it, but I read somewhere that a Brazilian bank went bankrupt following fraud enabled by hacking attacks which lost them (IIRC) over $300m. Please, someone, spare my sanity and find me a link? It would have been an Infosec story on the net -- I thought CryptoGram at first, but apparently not. Help! :)
  • If I remember this correctly this is the 3rd or 4th time this bank, Nordea, takes a hit in the last year! The first three or four times there were false e-mail and a dupe website saying that the customer for security reasons should supply three of their single use codes (you have them on a plastic card), then their PIN-code and their account number. The phishing email and website were full of misspelled and fake words and bad language in general, it's amazing that anybody fell for it!
    This was really bi
  • How many OS X users lost money?

    Why doesn't the headline name the real enabler: Microsoft.

    Running Windows is like putting your money in a cardboard safe. Wet cardboard.
  • by judd ( 3212 ) on Friday January 19, 2007 @04:35PM (#17687752) Homepage
    "good news for the victims, but not really an incentive to take more care in future"

    Consumers are told by people who market computers that they are easy and safe to use. Consumers are told by internet service providers that online services are easy and safe to use. Consumers are told by banks that online banking is secure and convenient.

    Aside from the criminals, who appear to have escaped without any consequences to them, the burden is falling where it should be, namely on agents who allow marketing over reality. While the /. crowd may know better, the average punter does not, and shouldn't have to.
  • Banks can guard against this by making users click on a randomizing keypad with their PIN in addition to any password/username combination they need to type in. ING Direct does this.
  • by AxelBoldt ( 1490 ) on Friday January 19, 2007 @04:51PM (#17688026) Homepage
    The bank is refunding everyone who lost money
    That's crap. The customers didn't lose anything. The bank lost money; it was tricked into paying out funds without having been authorized to do so by the funds' owners. The bank neglected the first rule of the banking business: "Know your customer". It did not properly check the identity of the people it was interacting with, and therefore has to eat the full loss.
  • by Jugalator ( 259273 ) on Friday January 19, 2007 @05:10PM (#17688328) Journal
    It appears that most of the victims weren't running security protection.

    Often these guys use directed fraud mails written in reasonably good Swedish, so I wouldn't really doubt they have custom made keyloggers too to attempt to escape antivirus tools.
    Sure, they could use detection by heuristics like some support, but then the accuracy falls rapidly, as well as the fact that not nearly all popular tools even support that.

    What's needed here is that users don't become so naive when they sit down in front of a computer. To many, it seems like they then enter a world of safety where they don't have to think much and just click through mails that "look right" even if they ask for logon details that the bank has earlier been very careful to inform they'll never request. (because they already have that info, or can reset it at their whim anyway, duh!) The problem is that on the Internet, the exact opposite mostly holds true.

  • I'm thinking that the refunds are a result of the newness of on-line banking. When the newness wears off - people will lose their life savings with these tricks.

    It's no different than meat-space scams that trick people into withdrawing money or allow thieves access to their bank accounts (like a stolen ATM card with the PIN number written on it).

    The message here should be "if you do on-line banking, your computer is your ATM card. Protect it just as you would your ATM card"
    1. mass-email a trojan keylogger
    2. capture web banking passwords
    3. drain bank accounts
    4. ??
    5. PROFIT!
    6. Never have to eat SPAM again. You're rich!

    That's how we fight SPAM.

  • Damn, seems like their site is down for the moment, and not just the Swedish one (they have banks in more than one country). I guess they are all hosted the same place. I wanted to log in to my account.

    The security for their online banking system includes a key file that you must have on your PC so a trojan could be used to gain access if it found the key file. I am not aware if they have additional optional security options available, like a key card or whatever.

    BTW the client side runs Java and works
