web application security lab

Nordea Bank in Sweden Phished - 100 Users Compromised

This is right on the cusp of what I think is worth talking about, since the volume is so low. It’s not particularly interesting that Nordea.se was phished (article in Swedish). What is interesting is that a relatively small market segment is being attacked. This is common behavior for phishers, but in this case I think it’s more interesting than most for a few reasons: the bank is small compared to the banks that are usually attacked, and it’s non-English.

Nordea.se is what I like to call a phishing probe. Phishers often try smaller regional banks to see if they get a spike in returns. Either they buy spam lists of users or find other ways to reach a more targeted demographic, but in the end the attack is the same. Phishers like to try these things because an attempt costs them next to nothing, and the return on investment can be huge.

The economics are pretty simple. Let’s say 100,000 emails were sent. A reasonably targeted list might cost anywhere from $100 to $1,000. It may cost $100 to get someone to break into a server for you and throw up your PHP kit, which you probably already have if you are a regular phisher. The card blanks and the card writer for making fake cards might cost several hundred dollars, but that’s a one-time cost. Setting up the email drop for the passwords is free. So once the card number has been stolen, what can you get for it?

Typically you can only pull out $300 per card; it’s dangerous to try more than once. But it’s not unusual for phishers to sell the numbers after they’ve been used, and they can get up to $75 for a card number with PIN. So a maximum of $375 per card if they do all the work themselves: $375 x 100 users = $37,500. After subtracting expenses you’re still well above $30,000 for a single haul. That’s not bad for someone who is probably living in a country where that is far higher than the average annual income.

Even though Nordea.se is a small bank in comparison, the yield is still high enough to make the economics worthwhile. These probes are not just worthwhile as experiments: even when the yield is remarkably low (100 victims out of 100,000 emails is a 0.1% response rate, which really is not much), the potential revenue is dramatic.

2 Responses to “Nordea Bank in Sweden Phished - 100 Users Compromised”

  1. GhostDoggieDogg Says:

    Dude, if you read the phishing email, then you see several basic Swedish grammatical errors and even spelling mistakes. Many words also look really lame. Maybe these guys used Babelfish or some shite like that to translate and compose their email? This bank has been hit by phishers before, so it proves the point you make that it is worthwhile to do smaller targeted phishing, even against the same target over and over. Around 100 out of 2.3 million bank customers fell for it, and the attack netted SEK 2-4 million, which is roughly USD 250-500k. Nice work considering the shitty quality of the email. Where is my phishing rod?

  2. GhostDoggieDogg Says:

    To clarify the numbers, 15 peeps got hit with this specific attack, and overall in Sweden roughly 100 have been successfully attacked by phishers out of a total of 2.3 million internet banking customers (1/4 of the population) … The figure of USD 250-500k is again for Sweden as a whole. Do the math.