More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.
Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could “definitely” lose money as a result.
An investigation by cyber intelligence researchers has shown credentials belonging to at least 14,000 Commbank customers, 7,000 ANZ customers, 5,000 NAB and 4,000 Westpac customers are available on the messaging platform Telegram and the dark web.
It comes in the wake of recent attacks on Australian superannuation funds, where hackers stole from pensioners and used leaked passwords to try to gain access to members’ accounts.
The Australian firm Dvuln, which made the discovery, said the passwords were stolen directly from users’ devices, which had been infected with a type of malware known as an “infostealer”.
“This is not a vulnerability in the banks,” Dvuln’s founder Jamie O’Reilly said.
“These are customer devices that have been infected.”
Infostealer malware, as the name suggests, is a type of malicious software tailor-made to infect a device, harvest as much valuable data as possible and deliver it directly to criminals.
It overwhelmingly targets computers running Windows and, as well as passwords, can capture credit card details, cryptocurrency wallets, local files, and browser data, including cookies, browsing history and autofill details.
Dvuln started researching the scale of Australia’s infostealer problem after superannuation funds were targeted in early April.
“We’ve seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks,” he said.
Experts said exposed passwords created a genuine risk of theft for the account holder.
“Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering,” said Leonid Rozenberg, a specialist in infostealer malware from cybersecurity company Hudson Rock.
He also warned that the threat posed by infostealers was much broader than just breached banking credentials.
“We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser,” Mr Rozenberg said.
“It can be a PayPal account … it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has [a] credit card linked.”
Some of the 31,000 devices captured in Dvuln’s audit were infected as far back as 2021, but would still provide valuable data to attackers, according to Mr O’Reilly.
“As a day job, I work to hack some of the biggest companies in the world,” he said.
“We have been able to compromise even some ASX-listed companies, in a controlled scenario, with four- or five-year-old passwords.”
Despite Australia’s growing infostealer problem, there is a notable lack of theft and fraud that has been publicly linked to it.
However, Mr O’Reilly said many instances could be happening under the radar.
“There may be a large number of fraud attacks happening against individuals and businesses… but there’s been no public attribution because it’s very difficult to trace back to a specific malware infection,” he said.
“A lot of this crime, on an individual level, goes unreported.”
Infostealers: The ‘silent heist’ on 3.9 billion passwords
The use of infostealers has exploded in recent years.
Hudson Rock said there were now more than 58,000 infected devices in Australia and more than 31 million infections globally.
The company arrived at the figure by counting all infected devices, rather than just those belonging to banking customers.
A recent analysis from cybersecurity firm KELA found that globally, at least 3.9 billion passwords had been stolen using the technique.
It’s been dubbed “the silent heist” by the Australian Signals Directorate.
(Courtesy: ABC News)