According to the Slovenian national Computer Emergency Response Team (SI-CERT), it all started last year, when several small companies notified the CERT and the police about their unexplained losses.
The investigation revealed that the companies' accounting personnel were targeted with emails pretending to come from a bank or tax authority, warning about a late payment or a bogus change in laws that would affect the companies.
The targets would open the attached file, which turned out to be a remote administration tool, and install it on their computer. Through it the criminals had access to the system, and could easily harvest critical information such as e-banking credentials.
The criminals would take advantage of the moments when victims would forget to remove the smart card containing the bank-issued certificate from the reader, and would access the accounts and transfer money to other accounts opened by the 25 money mules they recruited through work-at-home schemes.
They cleverly timed their attacks to coincide with Fridays and just before a national holiday, so that the firms and the banks wouldn't immediately notice the theft.
All in all, they gang managed to set up transfers of some 2 million euros, but luckily a lot of the transactions were stopped by the The Office for Money Laundering Prevention.