
[ Source: ABC News ]
More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.
Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could “definitely” lose money as a result.
An investigation by cyber intelligence researchers has shown credentials belonging to at least 14,000 Commbank customers, 7,000 ANZ customers, 5,000 NAB and 4,000 Westpac customers are available on the messaging platform Telegram and the dark web.
It comes in the wake of recent attacks on Australian superannuation funds, where hackers stole from pensioners and used leaked passwords to try to gain access to members’ accounts.
The Australian firm Dvuln, which made the discovery, said the passwords were stolen directly from users’ personal devices, which had been infected with a type of malware known as an “infostealer”.
“This is not a vulnerability in the banks,” Dvuln’s founder Jamie O’Reilly said.
“These are customer devices that have been infected.”
Infostealer malware, as the name suggests, is a type of malicious software tailor-made to infect a device, harvest as much valuable data as possible and deliver it directly to criminals.
It overwhelmingly targets computers running Windows and, as well as passwords, can capture credit card details, cryptocurrency wallets, local files, and browser data including cookies, user history and autofill details.
Dvuln started researching the scale of Australia’s infostealer problem after superannuation funds were targeted in early April.
“We’ve seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks,” he said.
Experts said exposed passwords created a genuine risk of theft for the account holder.
“Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering,” said Leonid Rozenberg, a specialist in infostealer malware from cybersecurity company Hudson Rock.
He also warned that the threat posed by infostealers was much broader than just breached banking credentials.
“We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser,” Mr Rozenberg said.
“It can be a PayPal account … it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has [a] credit card linked.”