The Nordea Bank Heist: A Case Study in Cyber Crime

According to recent media reports, cyber criminals stole approximately eight million kronor, or US$1.2 million, from about 250 accounts at the Swedish bank Nordea (source). These attacks were initially reported by anti-virus software vendor F-Secure in August 2006, although the extent of the damage was unknown at the time (source). The attacks against Nordea, and other banks, are still ongoing but have recently tapered off. According to a Nordea bank spokesperson, "This is ongoing. We have compensated all the customers in full."

The Nordea bank accounts were compromised by the Haxdoor.ki trojan, which was delivered to Nordea customers via spam emails (source). The spam emails enticed Nordea customers to download and install the Trojan by convincing the users that an email attachment contained free anti-spam software in the form of the "rakningen.zip" attachment (source).

The Haxdoor.ki Trojan was designed in part to monitor a user's Internet connections and log keystrokes when the user visited certain banking web sites. The purloined account information was then uploaded to a Russian-based web site, skyinet.info, via compromised servers hosted in the US (source).

The Structure of Cyber Crime

The attacks against Nordea bank customers help illustrate the structure and operation of cyber crime. According to F-Secure, the Haxdoor.ki trojan appears to have been designed by a Russian malware writer known as "Korpsov" who maintains the email address [email protected] (source). Malware authors operate as the mafia dons of the on-line world. They typically organize and coordinate the creation and distribution of the account-stealing Trojan as well as the collection of the stolen account information. Not surprisingly, the malware authors also reap most of the profit.

Once the malware authors have collected the stolen account information, they typically rely on low-level cyber criminal operatives known as "money mules". Money mules are typically located in the same country as the victims of the cyber heist because it is easier for them to withdraw the stolen money from the victims' accounts and wire the profits, minus a small commission, back to the malware author without being noticed. It is likely that the seven individuals arrested and the 121 suspects wanted for questioning by Swedish police (source) were the money mules whose job it was to ferry the monies stolen from the Nordea accounts back to "Korpsov" in Russia.

The distributed and cross-border nature of these cyber criminal enterprises drastically increases the complexity of the problem and makes it more difficult for traditional law enforcement organizations to investigate and prosecute crimes, not to mention preventing future on-line criminal acts. For example, in the Nordea case authorities were likely able to arrest the low-level operatives but not "Korpsov," the mastermind of the heist, who was safely in Russia. As a result, "Korpsov" and other cyber criminals like him will likely continue to execute similar on-line heists.