Both banks use one time passwords and verification codes, so run of the mill phishing yields little of value to an attacker other than the account number. But in this case, the attacks are connected to a server-side man-in-the-middle attack that attempts to complete a banking transaction.
Here's an example of the fake Nordea site:
If the netbank customer enters their account ID and one-time passcode, they are asked to wait 2 minutes:
This gives the attack server time to configure a transfer and the customer is then asked for one of several confirmation codes:
And then, the customer is thanked for their time:
The process is initiated by an e-mail such as this:
Unfortunately, the e-mail bait is rather short (and not everyone reads carefully enough), and once the customer clicks on the link, all the Finnish has been copied from the bank's own site. Better advice would be to never click on links from e-mails, but to go to the bank via a browser bookmark.
Our Browsing Protection toolbar blocks all currently known URLs being used, but the registered owner has at least 90 other domains so new variants could come online at any time.
Hopefully the man-in-the-middle server, hosted in France, will be shutdown soon.