Cyber security firm Dvuln warns Australian banks, customers of new wave of identity theft
An internet security group says Australia needs to prepare for a new generation of criminal software that penetrates big computer systems using stolen customer cookies.
Security consultant Dvuln says stolen customer credentials are presenting a double challenge to Australian financial institutions — forcing them to defend the integrity of their own networks and protect customer accounts.
Infostealer software not only steals the account name and passwords details that a person might store on their phone or computer.
Sign up to The Nightly's newsletters.
Get the first look at the digital newspaper, curated daily stories and breaking headlines delivered to your inbox.
By continuing you agree to our Terms and Privacy Policy.The malware can also harvest the digital cookies, or tokens, that allow users to move smoothly through a secure system after they have passed traditional log-ins and even advanced multi-factor authentication (MFA) systems.
Dvuln said some infostealer systems had captured authentication tokens to the extent that they could entirely bypass MFA gateways.
“Criminal marketplaces have adapted to capitalise on these capabilities,” the security group said in a report. “Some marketplaces now featured dedicated filters for ‘token-included’ credential packages that increased the likelihood of MFA bypass.”
Israeli cybersecurity group KELA estimated in February that 330 million individual credentials were compromised by infostealer infections in 2024, enabling fraud and ransomware attacks.
Dvuln said its research had identified the 30,000 Australian bank customer credentials in infostealer logs, but the actual number of stolen credentials was likely far higher. The banking details belonging to at least 14,000 CommBank customers, 7000 ANZ customers, 5000 NAB customers and 4000 Westpac customers.
“Many infections remain undetected or are traded in private channels outside our visibility,” he said.
With lines continually blurring between organisational security and customer security, Dvuln said financial institutions, governments, customers and security experts needed collaborative approaches to address this growing problem.
“This is not about shifting responsibility to any single party, but rather recognising that traditional security boundaries are being challenged by evolving criminal tactics,” the report said.
