NEWS FROM THE LAB - Tuesday, October 4, 2005

Nordic Phishing
Posted by Mikko @ 11:07 GMT

Phishing attacks have been jumping from one geographical area to another. First we saw them in the USA. Then in Australia. Then the UK. Then in Germany, localized to the German language. In early 2005, we saw isolated phishing cases in Denmark.

Last night an unknown party launched a large-scale attack against Nordea Sweden. Nordea is the largest bank in the Nordic countries. It also operates one of the largest internet banks in the world, with over 4 million internet customers in eight countries.


Basically this was a normal phishing scam: somebody spammed a large number of spoofed emails with links pointing to a fake bank. Two things made it different:
1. The phishing emails were in Swedish
2. Nordea operates a one-time password system

The one-time password system in use by Nordea Sweden consists of a scratch sheet, where you scratch to uncover the next available PIN code for login.

Attacking a site like this is quite a bit more challenging than attacking banks that authenticate users with a bank account number and a 4-digit PIN which never changes.

However, that's just what has now been attempted.

The fake mails explained that Nordea is introducing new security measures, which can be accessed at www.nordea-se.com or www.nordea-bank.net (fake sites hosted in South Korea).

The fake sites looked fairly real. They asked the user for his personal number, access code and the next available scratch code. Regardless of what you entered, the site would complain about the scratch code and ask you to try the next one. In reality, the bad boys were trying to collect several scratch codes for their own use.


As the scam was uncovered, Nordea Sweden shut down their whole internet bank. Apparently this was done in order to prevent the scammers from using the codes to move money around.
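
One way a mail filter could flag links like the two fake domains named above, as an added example that is not part of the original post. It assumes the bank's legitimate domains are nordea.se and nordea.com, and it runs over a constructed sample message; all function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

BRAND = "nordea"
# Assumption: the allowlist of domains the bank really uses.
LEGIT_DOMAINS = {"nordea.se", "nordea.com"}

# Links written with a scheme or as a bare "www." host, as in the phishing mail.
URL_RE = re.compile(r"""(?:https?://|www\.)[^\s<>"']+""", re.IGNORECASE)

def split_host(url):
    """Return (netloc, hostname) in lowercase; hostname excludes userinfo and port."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    try:
        parts = urlsplit(url)
    except ValueError:  # malformed URL, e.g. broken IPv6 brackets
        return "", ""
    return parts.netloc.lower(), (parts.hostname or "").rstrip(".")

def is_legit(host):
    # Match on the END of the hostname, with a dot boundary, so that
    # "nordea.se.example.net" or "nordea-se.com" cannot pass as "nordea.se".
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)

def suspicious_links(text):
    """Hosts that use the brand name but are not on the bank's allowlist."""
    hits = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;)")   # drop sentence punctuation
        netloc, host = split_host(url)
        if host and BRAND in netloc and not is_legit(host):
            hits.append(host)
    return hits

# Constructed sample message (not the real phishing mail).
SAMPLE = """Nordea is introducing new security measures.
Log in at http://www.nordea-se.com/login or www.nordea-bank.net.
Your usual bank is still at https://www.nordea.se/ as always.
Mirror: http://nordea.se.example.net/x  News: http://example.org/news
"""

if __name__ == "__main__":
    for host in suspicious_links(SAMPLE):
        print("brand used on non-allowlisted host:", host)
```
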