Swedish bank Nordea has been hit by what security company McAfee has called the biggest internet fraud in history. Up to £600,000 has been stolen in the past three months from 250 customer accounts, according to Swedish press reports.
Emails asked Nordea customers to download a program that was described as anti-spam software. In fact, the program activated when customers tried to log into internet banking with Nordea. It recorded their login details and then asked them to log in again because of a fictional error.
It then recorded their second attempt to log in, which would give hackers enough information to access accounts. Most internet banks ask for only a portion of an access code at login, so that a one-off spying attempt cannot capture the whole code, but the fake error messages ensured that the Nordea hackers collected enough information to access an account.
Police told Computer Sweden that the information was sent to servers in the US and then on to Russia, from where money was siphoned from users' accounts.
"This is a worrying concern for any online bank user as the threat of cyber crime targeting 'safe' institutions gets an ever more real concern," said a statement from security firm McAfee.
Around 250 customers were said to have been targeted over a period of 15 months. The software was written especially for the Nordea system and to target only that bank's customers, though it was a modification of a more general Trojan application, Haxdoor.
Trojans are named after the Trojan Horse which was used at Troy. Like the wooden horse, the Trojan applications make a claim to be innocent and beneficial but are actually a secret mode of attack. This Trojan claimed to be an anti-spam application.
The bank has refunded the customers the money that was stolen from them. Nordea spokesperson Boo Ehlin told the ZDNet news service that most of those affected by the software were not running anti-virus applications.
The hackers avoided the automated transaction checking that internet banking systems have in place by transferring small sums of money out of the affected accounts over a 15-month period. Sudden large transfers would have alerted the system, but the thieves were able to siphon a large amount of money out over time using smaller transactions.
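To illustrate why a per-transfer threshold misses this pattern while a rolling cumulative check catches it, here is an added example (not from the original article and not a description of Nordea's actual controls). The thresholds, the 90-day window, the account and payee names, and the sample transfers are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# All limits are assumed values for illustration, not any bank's real settings.
PER_TXN_LIMIT = 5000.0        # single-transfer alert threshold
WINDOW = timedelta(days=90)   # rolling look-back window
WINDOW_LIMIT = 2000.0         # cumulative outflow allowed per payee per window

def per_transaction_alerts(transfers):
    """The check that small transfers slip past: flag only large single transfers."""
    return [t for t in transfers if t[3] >= PER_TXN_LIMIT]

def cumulative_alerts(transfers, trusted):
    """Flag (account, payee) pairs whose rolling-window total exceeds WINDOW_LIMIT.

    `trusted` is a set of (account, payee) pairs the customer has confirmed,
    e.g. rent, which would otherwise trigger false positives.
    """
    windows = defaultdict(deque)  # (account, payee) -> recent (day, amount)
    totals = defaultdict(float)
    flagged, alerts = set(), []
    for day, account, payee, amount in sorted(transfers):
        key = (account, payee)
        if key in trusted or key in flagged:
            continue
        windows[key].append((day, amount))
        totals[key] += amount
        while windows[key][0][0] < day - WINDOW:   # expire old transfers
            totals[key] -= windows[key].popleft()[1]
        if totals[key] > WINDOW_LIMIT:
            flagged.add(key)
            alerts.append((account, payee, day, round(totals[key], 2)))
    return alerts

# Constructed sample data: (day, account, payee, amount)
SAMPLE = [(date(2006, 1, 5) + timedelta(days=10 * i), "ACC-1", "PAYEE-X", 400.0)
          for i in range(8)]
SAMPLE += [(date(2006, m, 1), "ACC-2", "LANDLORD", 900.0) for m in (1, 2, 3)]
TRUSTED = {("ACC-2", "LANDLORD")}

if __name__ == "__main__":
    print("per-transaction:", per_transaction_alerts(SAMPLE))
    for alert in cumulative_alerts(SAMPLE, TRUSTED):
        print("cumulative:", alert)
```

Without the trusted-payee set, the regular rent payments in the sample would also be flagged, which is why cumulative checks are usually paired with a payee baseline.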