MOSCOW: Computer experts have traced a $1 million online bank heist in Sweden to a Russian hacker known only by his colorful sobriquet — the Corpse — in one of the more brazen Internet banking crimes of recent memory.
As the extent of the fraud became known this week at Nordea, the Scandinavian bank involved, attention shifted to the Russian-made virus behind the crime and the darker world of Russian programming, where talented minds still struggle to find legitimate outlets for their computer skills.
The case also highlighted the risks of online banking, although Nordea said only customers who operated personal computers without anti-virus programs became victims.
The Swedish police said that the virus had been distributed with a spam e-mail message and aimed at several European and U.S. banks. Police have arrested both Swedish nationals and foreigners who withdrew cash from branches of the Swedish bank after making online transfers.
Corpse, whose true identity is unknown to antivirus experts, is believed to be the author of the so-called Trojan horse program, which surreptitiously logged keystrokes while online banking customers entered their passwords.
The Swedish police identified the program as a variant of the Haxdoor Trojan. Corpse is believed to be the author of the original Haxdoor program and several variations, which are improbably offered for sale openly on a Russian Web site.
The asking price ranges from several hundred to several thousand dollars, depending on the version. They are sold under names like A311 Death and Nuclear Grabber. The site offers to customize the software for clients for an undisclosed fee. The home page displays a thumbnail illustration of the Communist leader Vladimir Lenin making a rude gesture.
Thieves using the program in Sweden defrauded 250 customers of Nordea's online banking service over a period of 15 months. The bank has compensated its clients.
The program was activated when a user typed the bank's address into a browser program. It then recorded keystrokes to capture passwords. Later, criminals transferred money to newly opened accounts and withdrew cash at branch offices. It was one of the more brazen online bank heists in Europe in recent memory.
"It's a highly advanced form of IT fraud, and it's never happened before outside of industrial espionage," Daniel Goldberg, a writer for Computer Sweden, a Stockholm-based technology magazine that first reported the fraud, said by telephone on Wednesday.
Aleksandr Gostev, an antivirus researcher at Kaspersky Labs in Moscow, said that Corpse was well known as a hacker who sells programs to other hackers, meaning he might have been unconnected to the group that hit Nordea bank, even if he was the author of the key-logging program used in the heist.
"He writes these programs himself, and he sells them to whoever wants them," Gostev said. "In the case of Nordea bank, somebody who wanted to steal from clients ordered a customized version. The hacker could be from anywhere in the world."
Corpse's site carries a disclaimer in bungled English that use of the programs is "exclusively in the educational purposes." E-mailed questions sent to the site were not answered Wednesday.
Still, the Swedish police say the Russian connection in the heist goes beyond the source of the virus used.
Stolen passwords were transmitted to a server in the United States that forwarded the information to a server in Russia, said Anders Ahlqvist, chief inspector for the cybercrime division of Sweden's National Criminal Investigations Department.
Also, some of the money was sent to "the eastern shore of the Baltic Sea" after the attack, he said, referring to Russia.
He downplayed the virus's sophistication, saying the fraud depended instead on the carelessness of customers who downloaded it to their computers.
"If people used a little common sense when they received e-mails, these attacks would never appear," Ahlqvist said. "This Trojan is very much alive and well in computers in Sweden today. I would be surprised if it wasn't. People are not careful enough with their machines."
Some customers were defrauded using a simpler scam that asked clients to confirm their passwords on a fraudulent Web page that mimicked Nordea's home page.
The bank blamed lax security on personal computers for the breach.
"The weak point is the customer's computer," said Boo Ehlin, a bank spokesman.
The case has shed light on the bizarre and some say darkly brilliant world of Russian hacking.
Russia's weak laws and a strong tradition of scientific education combine to nurture a flourishing culture of computer hacking, those familiar with the programming industry say. The prevalence of pornography and fraud on the Russian Internet has contributed to the country's image as a digital no-man's land of spammers and hackers.