Russian criminals have pulled off one of the most audacious frauds of recent times, stealing a reported 8 million Kroner ($1.1 million) from the online wing of Sweden’s largest bank, Nordea.

Over a three-month period running to the end of 2006, criminals are said to have siphoned off the money using a specially-crafted phishing Trojan sent to the bank’s customers, which resulted in 250 of them having funds stolen. Police have a further 121 are on the watch list as suspected victims, with attacks continuing even now.

The Trojan’s journey to user PCs started with scammers sending an email offering a download of a supposed spam-fighting tool. This turned out to be an executable, raking.zip, which brought with it the haxdoor.ki Trojan, a modified version of a piece of malware that has been used to target other institutions.

At the point where customers logged in to online banking accounts, it was able to monitor their passwords and user names, which when entered would return an error message asking for a resend to make sure of the data. From that point on the attack unfolded like traditional data theft frauds, with accounts being emptied via stolen data stored on remote servers, in this case in Russia and via the US.

The security measures used by Nordea have not been confirmed, but the bank says it will compensate all the victims. It looks unlikely that there was any two-factor authentication involved, which might have caused the crooks to take their chances elsewhere.

The Swedish fraud is on a modest scale by comparison with some recent attacks, but is still unusual for banks to own up to a problem on even this scale.

Token-based systems are considered more secure than simple passwords and user names, but even these have come under concerted attack of late.