Banking passwords stolen from Australians are being traded online by cybercriminals
By
Ange Lavoipierre
, ABC
Photo:
Unsplash / RNZ
More than 31,000 passwords belonging to Australian customers of the Big Four banks are being shared amongst cyber criminals online, often for free, the ABC can reveal.
Despite the anti-fraud protections in place at those banks, cybersecurity experts warn victims could "definitely" lose money as a result.
An investigation by cyber intelligence researchers has shown credentials belonging to at least 14,000 Commbank customers, 7,000 ANZ customers, 5,000 NAB and 4,000 Westpac customers are available on the messaging platform Telegram and the dark web.
It comes in the wake of recent attacks on Australian superannuation funds, where hackers stole from pensioners and used leaked passwords to try to gain access to members' accounts.
The Australian firm Dvuln, which made the discovery, said the passwords were stolen directly from users' personal devices, which had been infected with a type of malware known as an "infostealer".
"This is not a vulnerability in the banks," Dvuln's founder Jamie O'Reilly said.
"These are customer devices that have been infected."
Infostealer malware, as the name suggests, is a type of malicious software tailor-made to infect a device, harvest as much valuable data as possible and deliver it directly to criminals.
It overwhelmingly targets computers running on Windows and as well as passwords, can capture credit card details, cryptocurrency wallets, local files, and browser data including cookies, user history and autofill details.
Dvuln started researching the scale of Australia's infostealer problem after superannuation funds were targeted in early April.
"We've seen a tight correlation between the use of infostealer malware and using those passwords to conduct these types of attacks," he said.
Experts said exposed passwords created a genuine risk of theft for the account holder.
"Threat actors can use the bank account to link to some kind of payment system, to transfer funds, or for money laundering," said Leonid Rozenberg, a specialist in infostealer malware from cybersecurity company Hudson Rock.
He also warned that the threat posed by Inforstealers was much broader than just breached banking credentials.
"We see that the average [infostealer] victim has between 200 [and] 300 account [details] stored inside the browser," Rozenberg said.
"It can be a PayPal account … it can be [an] account that is used [to] transfer money between different countries … it can be, for example, [an] e-commerce account that already has credit card linked."
Some of the 31,000 devices captured in Dvuln's audit were infected as far back as 2021, but would still provide valuable data to attackers, according to O'Reilly.
"As a day job, I work to hack some of the biggest companies in the world," he said.
"We have been able to compromise even some ASX-listed companies, in a controlled scenario, with four- or five-year-old passwords."
In light of Australia's growing infostealer problem, there is a notable lack of theft and fraud that's been publicly linked to it.
However O'Reilly said many instances could be happening under the radar.
"There may be a large number of fraud attacks happening against individuals and businesses… but there's been no public attribution because it's very difficult to trace back to a specific malware infection," he said.
"A lot of this crime, on an individual level, goes unreported."
The use of infostealers has exploded in recent years.
Hudson Rock said there were now more than 58,000 infected devices in Australia and more than 31 million infections globally.
The company arrived at the figure by counting all infected devices, rather than just those belonging to banking customers.
Recent analysis from cybersecurity firm KELA found that globally, at least 3.9 billion passwords had been stolen using the technique.
It's been dubbed "the silent heist" by the Australian Signals Directorate.
"Back in 2018 it was only 135,000 infections and today, we're speaking about 31 million," Rozenberg said.
That more than 200-fold increase has contributed to a breathtakingly low price tag on stolen passwords.
O'Reilly monitors about 100 Telegram groups dedicated to trading data siphoned using infostealers, many of which offer a subscription model.
"You can pay $US400 and every month, as this gang continues to steal more passwords and infect more computers… you may get 100,000 to 200,000 new logs from 100,000 to 200,000 infected computers from all around the world, not just Australia," he said.
That's $626 in Australian currency at the current exchange rate, which works out to be less than a cent per infected device.
For those willing to pay between US$3,000 and US$10,000, some Telegram groups promise "lifetime access".
In some cases, data is given away for free.
"The criminals have so many passwords and so much data, that they actually give away thousands and thousands of credentials just to entice new criminal customers to come and buy the private information," he said.
For now, more than 90 per cent of infostealer infections are on computers with Windows operating systems, O'Reilly said.
"There is a growing number of mobile devices being infected with malware, but it's nowhere near as much," he said.
That skew is less to do with any Windows security weakness, and more to do with the fact that attackers have chosen to target that system, Rozenberg said.
"Still, today, in 2025, most of the people, they're using Windows devices," said Rozenberg.
"So [attackers] mostly develop infostealers for Windows," he said.
There are steps people can take to protect themselves from infostealers, but a lot of the usual advice isn't enough on its own.
For example, changing your password won't do much if you're still using an infected device.
"It's the equivalent of changing your locks while the burglars are still in your house," O'Reilly said.
The best option, he said, is to change your password from a separate, secure device.
Even multi-factor authentication (MFA) isn't a total shield, with malware gangs sometimes selling cookies or access tokens alongside the stolen passwords.
"If you do have someone's active access token, a lot of the time you can actually bypass their MFA," he said.
It's still important to rotate passwords and use MFA, O'Reilly said, but he has two more key pieces of advice: firstly, stay on top of software and antivirus updates.
"Research does show that up to 50 percent of devices infected with infostealer malware have antivirus," he said.
"But what a lot of people don't talk about is the fact that either the operating system or the antivirus itself isn't kept up to date."
Therefore, the first line of defence is to update both.
The second piece of advice: beware the family computer.
Infostealer infections are spread in lots of ways, such as phishing, dodgy links, dodgy ads and dodgy downloads; including torrents, pirated software, and gaming mods (a downloadable modification to an existing game, often user-made and unofficial).
"One of the most common ways… [is] Minecraft mods or cracked software, which is software that you would typically have to pay license fees for," he said.
It's often a baited hook, set by malware gangs, according to O'Reilly.
"If you've got banking credentials or highly sensitive information on your computer, keep that separate from the computer your children are using," he said.
Ideally, he said, this research would be a wake-up call.
"Nothing is 100 percent unhackable, but there are definitely strategies that people can use at home to make it much harder for criminals to get their information in the first place," he said.
-
ABC
Hashtags
Try Our AI Features
Explore what Daily8 AI can do for you:
Comments
No comments yet...
Related Articles
RNZ News
13 hours ago
- RNZ News
Memorial, vigil for missing Bundaberg teenager Pheobe Bishop as community unites in grief
By Nikki Sorbello and Grace Whiteside , ABC Flowers, photographs and notes at the end of Airport Drive in Bundaberg, in memory of missing teenager Pheobe Bishop. Photo: ABC Wide Bay / Scott Lamond Flowers, photographs and handwritten messages line a busy street at the entrance of Bundaberg, a coastal city known for turtles, sugar cane, and rum. It's not a welcome to the town, 350km north of Brisbane, but the focal point of grief of a community mourning the loss of 17-year-old Pheobe Bishop. Flowers, photographs and notes at the end of Airport Drive in Bundaberg, laid in memory of missing teenager Pheobe Bishop. Photo: ABC Wide Bay / Scott Lamond For three weeks, Pheobe's smiling face has saturated social media and missing posters throughout the region after she went missing on 15 May, propelled by a family desperate for answers. As the memorial grows in the last place it was believed Pheobe was seen, a candlelit vigil is planned for Sunday night in Gin Gin, where Pheobe lived, 50km south-west of Bundaberg. Photo: ABC News The outpouring of grief and support for Pheobe's family comes as police confirm they found human remains in thick bushland more than an hour's drive south-west of Bundaberg. The discovery on Friday came after Pheobe's former housemates, James Wood, 34, and Tanika Bromley, 33, were both charged with one count each of murder and two counts each of interfering with a corpse. They were not required to appear in court or enter a plea when the matter was mentioned in Bundaberg Magistrates Court on Friday. Both matters were adjourned until 11 August. The Bundaberg memorial sits at the end of Airport Drive, the first location police searched for Pheobe. It was here that Wood and Bromley told police they had dropped the teenager on the morning of 15 May for Pheobe to catch a flight to Western Australia via Brisbane. But she never made it inside the terminal. Bundaberg Mayor Helen Blackburn says the community is 'reeling'. Photo: ABC Wide Bay / James Taylor Bundaberg Mayor Helen Blackburn said the Bundaberg community was "reeling". "It's important for the community to come together, it's important for them to know that they are there for one another and it's certainly important for them to grieve," Blackburn said. "It's a very, very sad time for the family and for the community but we are resilient and we are going to get through this, but we will only do it if we do it together." Wide Bay Burnett Detective Inspector Craig Mansfield said forensic examination on Saturday confirmed remains found at about 2.30pm on Friday were human, with further work needed to confirm the identity. "We always wanted to bring Pheobe home and we believe this is the first step in that process," Mansfield said. Detective Inspector Craig Mansfield says police will continue searching for Pheobe. Photo: ABC Wide Bay / James Taylor Mansfield said the body was found unburied in bushland 9km from the initial Good Night Scrub National Park search area that police scoured for five days. Cadaver dogs were bought in, with telecommunications data leading police to the revised search area. Earlier on Friday, Mansfield described the three-week investigation as "complex and protracted" with more than 100 police officers involved. Police have received more than 200 calls from the public. Police and SES searched Good Night Scrub National Park for five days. Photo: ABC News / Lawrence Jeffcoat "We believe Pheobe was murdered and her body was moved," he said. "We will allege that Pheobe was moved more than once." Mansfield confirmed police had seized Wood's four-wheel-drive vehicle on Thursday night. Police initially focused their search on the Bundaberg area, specifically near the airport, as they tried to locate Pheobe or the luggage she was believed to have been carrying. One of two crime scenes established six days after Pheobe Bishop went missing. Photo: ABC Wide Bay / Grace Whiteside It was not until Wednesday, 21 May - six days after Pheobe went missing - that police declared her disappearance suspicious and announced they were looking at two crime scenes. The first was the Gin Gin house where Pheobe was living with Wood and Bromley, where a number of deceased dogs were also found. The second crime scene was Bromley's car, a grey Hyundai ix35 in which Pheobe was believed to have been travelling to Bundaberg. Two days later, on Friday, 23 May - eight days after Pheobe was last seen - police started what would be a five-day search of the Good Night Scrub National Park. Mansfield said "telephone data" led police to search the dense bushland, more than an hour's drive southwest of Bundaberg. "It is evidence enough to say that we believe that the accused and Pheobe were there," he said. Human remains detection specialist dog Rio was involved in the search at Good Night Scrub National Park. Photo: ABC Wide Bay / Grace Whiteside For five days, police used drones, police divers and cadaver dogs - trained to detect human remains - to search the area. Pheobe's body was not found, but items of interest were collected from the bushland and sent for forensic testing. Police also believe some items were removed from the area before their search began. Pheobe's disappearance was described as out of character from the outset. Pheobe Bishop's family have kept the case in the public eye. Photo: Supplied / Queensland Police Service Through statements via police and daily social media posts, the teenager's family has begged the community for information relating to the disappearance of their beloved "Phee Phee". Posting on social media, Pheobe's mother, Kylie Johnson, said that their world had been "shattered". "I didn't think my heart could break any more than it did when you went missing, or when charges were laid, but this! "This is ripping me apart." Pheobe's sister, Kaylea Bishop, spoke to the media outside the court on Friday. Pheobe Bishop's sister, Kaylea, spoke outside court on Friday. Photo: ABC Wide Bay / Grace Whiteside "She was loved; she is missed dearly," she said. The police investigation is still ongoing, with police still appealing for information about the movements of the grey Hyundai ix35, registration 414 EW3, around the greater Gin Gin area between 15 and 18 May. - ABC News
1News
18 hours ago
- 1News
Australian warship accidentally blocked radio, internet to parts of NZ
An Australian warship visiting Wellington accidentally caused internet and radio outages across parts of New Zealand earlier this week. The incident occurred when HMAS Canberra, one of Australia's largest warships, sailed along the country's coast Wednesday morning, en route to Wellington to visit the city. According to 9News, telecommunication companies had reported interruptions as early as 2am. An Australian Defence Force spokesperson told the Australian outlet that crew aboard the ship became aware the vessel's navigation radar was interfering with Wi-Fi in Taranaki and Marlborough. "On becoming aware, HMAS Canberra changed frequencies, rectifying the interference. There are no ongoing disruptions." ADVERTISEMENT Services had returned to normal by the time the ship docked in the capital on Thursday. An NZDF spokesperson told 1News: "The issue was reported to the New Zealand Defence Force. We contacted the Australian Defence Force and the issue was resolved." It had no further comment on the nature of the event. Matthew Harrison, founder and owner of Taranaki internet provider Primo, wrote on LinkedIn that the outage "wasn't just a blip". "It was full-scale, military-grade radar triggering built-in safety protocols designed to protect airspace… and it rolled across our network in sync with the ship's movement. "We've never seen anything like it here before," he wrote. "It's not every day a warship takes your gear offline." The vessel, an amphibious assault ship, can carry and launch numerous helicopters from its deck. ADVERTISEMENT It docked in Wellington with the Australian Capital Territory Chief Minister, Andrew Barr, onboard. Barr said the visit reaffirmed "deep and growing ties" between the two capitals. 'Our sister city relationship with Wellington is one of genuine friendship and mutual respect. It's built on a shared commitment to sustainability, creativity, and inclusive growth." Its delegation and crew participated in several community activities in Wellington, including assisting a soup kitchen and cleaning up selected coastal areas and tracks around the city. 'This week's celebration reflects the strength and significance of our city's relationship with Canberra, further deepening the bonds of friendship and collaboration between us,' Wellington Mayor Tory Whanau said about the visit. 'Our partnership is a source of great pride and a key element in Wellington's international engagements, fostering a continued exchange of ideas, culture, and goodwill.'
Otago Daily Times
a day ago
- Otago Daily Times
Butter proving to be a popular fundraiser
While the skyrocketing price of butter may be leaving a bitter taste in the mouths of some, one non-profit saw a golden opportunity. Southland Paws Rescue founder Amy Greig said the organisation made $1 profit on each of the 5560 blocks of butter it sold in its latest fundraiser. Ms Greig said it was the first time it had sold butter and it had been the most successful fundraiser to date. The orders for the 250g Westland Gold blocks started rolling in thick and fast after a post about it was placed on their social media page. "Word of mouth got around and people started ordering." Jingo and cheese rolls had been used to raise revenue in the past, but the butter was less work and easier to sell. One buyer ordered $1000 of butter while ironically, 500 blocks were ordered by staff from a local dairy processing factory. Ms Greig said several orders had been received from people who made cakes for others. Prices were initially marginally lower than supermarkets, but even from the time they first started receiving orders at the start of May, Westgold community fundraising prices had risen from $4 to $5.15. "I'd rather put that dollar that we got back into a local organisation for what we do . . . than letting that supermarket profit that dollar." Orders had to be prepaid and picked up once the delivery had been made because of the logistical challenge of storing pallet loads of butter. Funds raised paid for the care of the multitudes of animals the charity looked after throughout the year. While they had a good relationship with their vet, their bill still needed to be paid. Some animal healthcare expenses ran more than $1000. Leithfield School in Canterbury sold 10,000 blocks of the golden dairy bars in a recent fundraiser, RNZ said. Invercargill's Kaye's Bakery had been importing Australian butter by 10-tonne shipments to make its biscuits. Kaye's Bakery owner Luella Penniall said three years ago the company was paying $11 per kg — now it was up to $15. Stats New Zealand data shows prices have increased more than 65% in the 12 months ending at April 2025. Stats NZ also said dairy prices were the main driver for food price increases — increasing the food price index by 3.7%. The average cost for 500g of butter was $7.42, 12 months ago. Butter hit a record high of $7992 a tonne early in May before falling to $7821 in mid-May. By Toni McDonald
