The Metropolitan Police e-crime unit has arrested 12 men in connection with an alleged "cyber plot" at a branch of Santander Bank.
The gang tried to install a device on a PC at Santander's Surrey Quays branch that intercepts keystrokes, mouse movements and a video feed of the monitor (known as a KVM device).
This would have given them the ability to "take control of the bank computers remotely", the Met said in a statement today.
According to Santander, "the attempt to fit the device to the computer in the Surrey Quays Branch was undertaken by a bogus maintenance engineer pretending to be from a third party."
"It failed and no money was ever at risk," the bank said in a statement. "No member of Santander staff was involved in this attempted fraud."
“This was a sophisticated plot that could have led to the loss of a very large amount of money from the bank, and is the most significant case of this kind that we have come across," said detective inspector Mark Raymond, of the Met's Central e-Crime Unit.
Santander said that it knew about the possibility of such a heist in advance. "Like all high street banks, Santander works very closely with the Police and other authorities to help prevent fraud," it said. "Through this co-operation, Santander was aware of the possibility of the attack connected to today’s arrests."
The Met said the arrests "are the result of a long-term, intelligence-led, proactive operation by the PCeU".
Some security experts have inferred that the arrests may have been part of a "controlled operation" or even a "honeytrap". A Met spokesperson denied this, saying that "we got some intelligence, and we acted".
Key loggers have been used in bank heists before. In 2005, the UK's now-defunct National Hi-Tech Crime Unit foiled a plot to steal £220 million from the London offices of Japan's Sumitomo Mitsui bank, that used a software-based key logger.
According to independent security expert Graham Cluley, the advantage of a hardware-based key logger is that it cannot be detected by anti-virus software. "Hardware is much more difficult to detect, because there's nothing running on the machine," he told Information Age this morning.
He believes the device may have been a KVM logger that gives the operator remote control over the affected machine, which would have allowed the hackers to transfer funds using the PC.
The plot shows the need for employees to challenge anyone unknown that enters the workplace, Cluley said. "You have to be really careful every time someone comes into the office," he said.
He added that attacks of this kind could also be prevented by implementing two-factor authentication for internal employees. "That would have made this kind of attack much more complicated."
