Millions of Android phone and tablet users are at risk of having their bank accounts cleaned out and their identities stolen by a virulent malware attack that is targeting customers of the big four banks.
Other institutions under fire include Bendigo Bank, St George Bank, Bankwest, ME Bank, ASB Bank, Bank of New Zealand, Kiwibank, Wells Fargo, e-commerce interfaces like PayPal, eBay, Skype, WhatsApp and several Google services.
Nick FitzGerald, senior research fellow with digital protection company ESET, said he and fellow researchers “detected the malware in late January after it got flagged by our security systems”.
The malware potentially puts millions of app users at risk and Mr FitzGerald described it as a “significant attack on the banking sector in Australia and New Zealand”, affecting big four banks ANZ, Commonwealth, Westpac and NAB.
How to protect yourself
Android users could protect themselves by not disabling security protocols that restrict them to downloading apps from the Google Play store, Mr FitzGerald said.
The malware is very sophisticated and it appears to be the first time it has been used across a wide variety of institutions.
“I’ve seen some specific banks targeted before,” Mr FitzGerald said.
Commonwealth and ANZ bank spokespeople told The New Daily they were aware of the malware and would reimburse customers caught up in the scams.
A Commonwealth spokesman said “our monitoring and detection systems have not seen any increase in threats to our customers as a result of these reports”.
Bad guys are very smart
Mr FitzGerald said the malware is extremely complex and gets around what are known as “two-factor” security systems. It places a fake log-in screen over affected banking and e-commerce interfaces that steals usernames and passwords.
Then it cracks the second phase of security by diverting SMSs with security codes sent to customers to validate their transactions.
“This banking trojan will even redirect automated phone calls banks use to validate transactions with customers,” Mr FitzGerald said.
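The technique described above depends on two device capabilities: drawing a window over other apps (the fake log-in screen) and reading incoming SMS (the second-factor codes). The script below is an added example, not code from the article or from ESET; it parses the output of `adb shell dumpsys package <pkg>` for each installed app, roughly in that command's real layout, and flags any package that holds both capabilities, plus any package that did not arrive through Google Play (the sideloading point raised under "How to protect yourself"). The package names and dumpsys text are constructed for the example, and on Android 6 and later the overlay permission is partly managed through app-ops, so treat the result as a triage heuristic rather than a verdict.

```python
"""Triage heuristic for the overlay + SMS-interception banking-trojan pattern.

Added example, not the article's or ESET's code. Input is the text of
`adb shell dumpsys package <pkg>`; the samples below are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Capabilities the fake-login-overlay + OTP-theft technique relies on.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
# Installer package name reported for apps installed from Google Play.
PLAY_INSTALLER = "com.android.vending"


@dataclass
class PackageInfo:
    name: str
    installer: Optional[str] = None          # None when dumpsys reports "null"
    granted: Set[str] = field(default_factory=set)


def parse_dumpsys(text: str) -> PackageInfo:
    """Extract package name, installer and granted permissions from dumpsys output."""
    name_m = re.search(r"Package \[([\w.]+)\]", text)
    if not name_m:
        raise ValueError("no 'Package [...]' header found in dumpsys output")
    info = PackageInfo(name=name_m.group(1))
    inst_m = re.search(r"installerPackageName=(\S+)", text)
    if inst_m and inst_m.group(1) != "null":
        info.installer = inst_m.group(1)
    # Both install-time and runtime permission sections use "<perm>: granted=<bool>".
    for perm, state in re.findall(
        r"(android\.permission\.[A-Z_]+): granted=(true|false)", text
    ):
        if state == "true":
            info.granted.add(perm)
    return info


def risk_findings(info: PackageInfo) -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings = []
    if OVERLAY_PERM in info.granted and info.granted & SMS_PERMS:
        findings.append(
            "can draw over other apps AND read incoming SMS "
            "(overlay phishing + one-time-code theft pattern)"
        )
    if info.installer != PLAY_INSTALLER:
        findings.append(f"not installed from Google Play (installer={info.installer})")
    return findings


def audit(dumpsys_outputs: List[str]) -> Dict[str, List[str]]:
    """Map each package name to its findings."""
    return {
        (info := parse_dumpsys(out)).name: risk_findings(info)
        for out in dumpsys_outputs
    }


# Constructed sample dumpsys output (hypothetical package names).
SAMPLE_BENIGN = """\
Package [com.example.notes] (a1b2c3):
  installerPackageName=com.android.vending
  install permissions:
    android.permission.INTERNET: granted=true
"""

SAMPLE_SUSPICIOUS = """\
Package [com.example.sideloaded.app] (d4e5f6):
  installerPackageName=null
  install permissions:
    android.permission.SYSTEM_ALERT_WINDOW: granted=true
    android.permission.INTERNET: granted=true
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true
    android.permission.READ_SMS: granted=true
"""

if __name__ == "__main__":
    for pkg, findings in audit([SAMPLE_BENIGN, SAMPLE_SUSPICIOUS]).items():
        status = "FLAGGED" if findings else "ok"
        print(f"{pkg}: {status}")
        for f in findings:
            print(f"  - {f}")
```

On a real device the inputs come from looping `adb shell pm list packages` into `adb shell dumpsys package <pkg>`; a hit on the overlay-plus-SMS combination in a sideloaded app is the signal worth following up, since legitimate messaging apps rarely need to draw over other apps.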
“Get a good security app that updates itself automatically,” he added.
Thomas Shanahan, communications officer with the Australian Computer Society, told The New Daily that “security is something people need to pay very close attention to”.
One couple he knows both had their bank accounts cleaned out after returning from a recent trip to Fiji, Mr Shanahan said. The woman “got home and tried to take money out only to find that her $12,000 in savings had been cleaned out and $8000 had been taken from her credit card”.
The scammers had so much information on the woman they even “went to her mobile provider, asked for a new SIM card and authorised transactions”.
Her husband then changed his passwords but “a week later his accounts were hit too”, Mr Shanahan said.
People hit in such ways need to change passwords and even Medicare cards and passports as scammers have enough information to steal their identities, Mr Shanahan said.
“The banks can do very little” about such attacks because their two stage security arrangements have been breached, Mr FitzGerald said.
Users of desktop and laptop computer banking sites were unlikely to be at risk if they have security codes sent to mobile phones, as the malware is not capable of disrupting communication between the two devices, Mr FitzGerald said.