The ABC can reveal more than 31,000 passwords belonging to Australian customers of the big four banks are being shared amongst cyber criminals online, often for free. The credentials were stolen from the personal devices of more than 14,000 Commbank customers, 7,000 ANZ customers, 5,000 NAB and 4,000 Westpac customers, using a specific kind of malware known as an 'info-stealer'. The discovery comes in the wake of recent attacks on Australian superannuation funds, where stolen passwords were used to try to gain access to members' accounts.
Category
📺
TVTranscript
00:00This is not a breach of banking infrastructure or banking companies. What this represents
00:08in our research is a large amount of Australian citizens who have had their devices compromised
00:15with a certain type of computer virus. And one of the things that computer virus does
00:20really well is steals things like banking credentials.
00:24So just tell us in a bit more detail about this specific kind of malware that you're looking at.
00:30So InfoSteeler malware is predominantly created by criminals to land on your computer and very
00:38quickly take as much information, hence the name, as possible to send that straight back to the
00:44criminals. Why did you choose banks specifically to focus on in this report? One of the reasons that
00:50we thought it would be useful to raise awareness is, you know, with recent news around superannuation
00:56attacks and credential stuffing, we've seen a tight correlation between the use of InfoSteeler
01:02malware and using those passwords to conduct these type of attacks against individuals.
01:10This is only a snapshot really, isn't it? This 31,000 credentials. Where did you find them?
01:15There's things like instant chat, online telegram chat rooms, cybercrime forums. Think of it like
01:23an Amazon marketplace for stolen information.
01:26So if you are one of those banking customers who's unfortunate enough to have had your credentials
01:34traded in this way, does that mean that theoretically your account could be drained using
01:41that information that's been stolen? Yes. You know, if criminals have your banking credentials,
01:47they can attempt to, you know, log into your account and perform actions. Whether or not the
01:53banks would detect that is up to each separate bank and they have a multitude of different things they do
01:59to try and detect that. I wanted to talk to you a bit about some of the maybe more common solutions
02:06that are often recommended to people that don't necessarily completely solve this issue.
02:13Look, I think everyone's familiar with the typical advice, right? Use a strong password, rotate your
02:20password, use an antivirus. If you have InfoSteeler malware on your device and you say change your password,
02:29then that malware is going to get the new password that you've just created. And so, you know, it's the
02:36equivalent of changing your locks while the burglar is still in your house. For users at home, you need
02:42to start thinking about how does InfoSteeler malware get on your device in the first place. One of the most
02:47common ways that we see from our analysis is, you know, online games, whether it's Minecraft, cracked
02:56software, which is software that you would typically have to pay license fees for, whether it's
03:01Photoshop or something else. If you've got banking credentials or, you know, highly sensitive information
03:08you want to use on your computer, keep that separate to, say, the devices and the computer that your
03:13children are using. What do you hope happens as a result of releasing this somewhat frightening
03:21information publicly? This is not intended to frighten anyone. This is a reality. There is,
03:28you know, millions of devices around the world being infected by this type of malware,
03:33and it's a public matter because most of the infections are happening on personal devices.
03:39So our goal with this research is to raise awareness for, you know, the average citizen,
03:45so they understand more about how valuable their data actually is and what they can do to make it
03:54difficult for attackers to actually take this information.