Swedish bank loses $1.2 million in Trojan horse attack

19.01.2007
About 8 million kronor, approximately US$1.2 million, has been stolen from the Scandinavian bank Nordea in what is thought to be the largest-ever IT scam targeted against a Swedish online bank.

Using a modified version of the "haxdoor" Trojan, hackers based in eastern Europe have stolen money from at least 250 private accounts. Swedish police have arrested seven individuals for involvement in the attacks. A further 121 suspects are wanted for questioning.

Nordea has been aware of the attacks for more than three months but has yet to inform its customers of the Trojan.

The initial attacks were carried out in September 2006. Soon afterwards Swedish police established that the attackers had used a modified version of the haxdoor Trojan, which had been spammed to thousands of Swedish e-mail addresses during the summer. The police also found that the stolen information had been sent to servers in the U.S. and then rerouted to Russia.

According to Swedish police, new attacks against Nordea are still being carried out on a daily basis -- more than three months after the scam was first discovered.

So far about 8 million kronor have been stolen from the bank. Attempts to steal even larger sums have been intercepted and stopped by Nordea before the transactions could be completed.

The Trojan used to carry out the attack had been modified specifically to target Nordea customers, according to inspector Jim Keyzer at the Stockholm police IT-forensic group.

"The code contains references to many banks and trigger words. Primarily German banks but also towards Nordea. For example, it is activated by the phrase Skrapkod1," he says, adding, "There is one aspect which hasn't been fully explained yet. Once the customer has inputted the codes, the Trojan triggers an error message which stops them from reaching the bank."

The log-in system used by Nordea has been the target of much criticism in recent months. Users log in to their accounts using their date of birth, a standing four-digit security code and a one-time code.

Transactions are then validated using another one-time code. Several security experts have rated the system as the least secure of those used by Swedish banks. Nordea customers are also frequently targeted by phishing e-mails, which attempt to trick them into handing over log-in information.