A Trojan horse planted by criminals has been used to steal more than $1 million from the accounts of British customers of the same online bank since last month, according to an international digital security company, and the cyber attack is still underway.
Security firm M86 declined to name the bank, but said in a statement that about 3,000 customers of "one of the biggest financial institutions have fallen victim to a sophisticated attack by cybercriminals using Web-based malware to rob money via the bank's online banking system."
Since July 5, 675,000 pounds, or a little more than $1 million, has been taken by the criminals, whose "command and control center" is believed to be in Eastern Europe, M86 said.
The Trojan horse, called Zeus v3, "steals the customer's online banking ID and hijacks their online banking sessions," the firm said. "It then checks the account balance and, if the account balance is bigger than GBP 800 value (about $1,200), it issues a money transfer transaction."
The Trojan horse is being placed in website advertisements, and users who click on those ads may unwittingly download the poisonous payload to their computers. Users who do not have their Web browsers updated to the most recent versions may be the most vulnerable.
Web browsers such as Internet Explorer, Firefox and Safari continue to get stronger at protecting against malware, or malicious software, but it is up to users to make sure they have the most recent versions installed.
The Trojan horse itself kicks in when the user connects to the bank's website; the software then starts recording account details, such as passwords, as a user enters them.
Zeus v3 "managed to avoid detection by traditional anti-virus software," M86 said.
The scheme, the firm said in a white paper, "indicates a new level of technical sophistication and signals the continuation of a cybercrime trend that has evolved" in the past few years.
The company's findings jibe with those of McAfee Security, which said this week that the production of malicious software code worldwide reached a new high in the first six months of 2010.
A spokeswoman for Financial Fraud Action UK, which coordinates the British banking industry's efforts against fraud, told the Daily Mail that "The idea that criminals are targeting people by using malicious software or Trojans is nothing new. Bank systems are hard to attack so they’re having to go through the easier link in the chain, which is the customers.
"They’re hoping customers aren’t taking security precautions," she said. "We’ve been seeing this for the last few years and we’re constantly urging people to protect their computers to try to mitigate the risk of becoming a victim."
By Suzanne Choney