Russian cybercriminals have taken aim at the nation’s major banks with a sophisticated new malware campaign, with Australians specifically in their sights.
Unsuspecting victims are being swindled with bogus login pages laid over their banking apps, which appear authentic even to the technologically savvy eye.
Before we explain how it works, let’s see if you can pick the scam.
If you punched in your details into any one of these bogus login pages, your bank details would’ve been sent directly to scammers.
This is a relatively new malware family called Octo, the latest offering from cybercriminals, and it can be bought privately on dark web forums.
Its creator is a shady figure (or figures) who call themselves the Architect or “goodluck”.
The malware is powerful: it can record your calls, harvest your contacts, evade antivirus, bypass multi-factor authentication by intercepting the codes sent to your phone, log what you type and send text messages from your device.
It can also perform what’s known as overlay attacks, which is what happens when hackers superimpose a fake login page over an authentic app, like the ones above, to trick you into giving up your credentials.
Exclusive new data obtained by the ABC has uncovered what appears to be the first major distribution campaign of the malware, with Australians identified as specific targets.
Many of the nation’s major banks are caught up in the scam, including:
- ANZ
- Bank Australia
- Bank of Melbourne
- BankSA
- BankWest
- Beyond Bank
- Bendigo Bank
- Commbank
- Greater Bank
- HSBC
- myRAMS
- NAB
- St George
- Westpac
- UBank
Hundreds of Australians have been lured into downloading the vicious malware onto their devices within days of it appearing in the wild.
It comes as consumer advocates warn that Australians are being targeted because the nation is seen as a soft target.
Octo targets Android phones — think brands like Samsung, Google, HTC — and can be hidden in what look like legitimate apps on the Google Play store, which is trusted by most users because it’s run by one of the biggest tech companies in the world.
It can also be downloaded and installed independently of the Google Play store, because Android, unlike iOS, lets users install apps from outside the official store (known as sideloading).
The number of people in your life with Android phones might seem small, but there are actually more than you think.
In Australia, 52.9 per cent of people own an Android device compared with 47.1 per cent of iPhone users, according to Kantar WorldPanel, a market research company based in London.
It means that even if you own an iPhone, there’s probably someone in your orbit who has an Android device.
Hackers selling ‘malware as a service’
This latest campaign against Australians was uncovered by Dario Durando, a senior threat analyst from ThreatFabric, a banking security platform based in the Netherlands.
He found the malware posing as an update for the Google Chrome mobile browser.
A hidden counter in the website’s back-end revealed that there were 533 downloads in Australia, 362 downloads in Spain and just 64 downloads in the United States.
That counter has since been taken down.
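The distribution method described above (a sideloaded app posing as a Chrome update, which then needs the draw-over-apps permission to stage the overlay attacks described earlier) suggests a first triage a practitioner can run on a suspect handset: list every package that was not installed by a trusted store and check whether it holds the overlay grant or has an enabled accessibility service, which Android banking trojans commonly abuse (an assumption here; the article does not say which permissions Octo requests). The script below is an added example, not code from the article or from ThreatFabric. It assumes the text formats of three commands (`adb shell pm list packages -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`) and runs offline on constructed sample output; the trusted-installer list and the package names in the sample are assumptions.

```python
"""Triage an Android device for apps installed outside a trusted store that
hold overlay (SYSTEM_ALERT_WINDOW) or accessibility grants.

Added example, not from the article. Assumed command output formats:
  adb shell pm list packages -i
      -> "package:com.foo.bar  installer=com.android.vending"  (or installer=null)
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/service:pkg2/service2"  (or "null")
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
      -> "SYSTEM_ALERT_WINDOW: allow; time=..."  /  "... deny"  /  "No operations."
"""
import re

# Installer package names treated as trusted app stores (assumption; adapt per fleet).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Samsung Galaxy Store
}

PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_pm_list(text):
    """Map package name -> installer package (None when 'null')."""
    out = {}
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            out[pkg] = None if installer == "null" else installer
    return out


def parse_accessibility(text):
    """Set of packages with an enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def overlay_allowed(appops_text):
    """True when appops reports SYSTEM_ALERT_WINDOW as allowed for the package."""
    m = re.search(r"SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text)
    return bool(m) and m.group(1) == "allow"


def triage(pm_text, accessibility_text, appops_by_pkg):
    """Return (package, installer, reasons) for untrusted installs with risky grants.

    Packages from a trusted store are skipped; everything else (sideloaded via the
    package installer, or installer=null) is reported only when it holds a grant
    that an overlay-capable banking trojan would need.
    """
    findings = []
    a11y = parse_accessibility(accessibility_text)
    for pkg, installer in parse_pm_list(pm_text).items():
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = []
        if overlay_allowed(appops_by_pkg.get(pkg, "")):
            reasons.append("draw-over-apps (SYSTEM_ALERT_WINDOW) allowed")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if reasons:
            findings.append((pkg, installer or "none (sideloaded or preinstalled)", reasons))
    return findings


# Constructed sample output; the package names are invented for illustration.
SAMPLE_PM = """\
package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.sec.android.app.samsungapps  installer=null
package:com.fake.chromeupdate  installer=com.google.android.packageinstaller
package:com.example.notes  installer=null
"""
SAMPLE_A11Y = ("com.fake.chromeupdate/.MainAccessibilityService:"
               "com.google.android.marvin.talkback/.TalkBackService")
SAMPLE_APPOPS = {
    "com.fake.chromeupdate": "SYSTEM_ALERT_WINDOW: allow; time=+3h2m11s ago",
    "com.example.notes": "No operations.",
    "com.sec.android.app.samsungapps": "SYSTEM_ALERT_WINDOW: deny",
}

if __name__ == "__main__":
    for pkg, installer, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_APPOPS):
        print(f"{pkg} (installer: {installer}): {'; '.join(reasons)}")
```

On the sample, only the fake Chrome update is reported: it came through the plain package installer rather than a store, and it holds both the overlay grant and an enabled accessibility service. TalkBack also has an accessibility service but was installed from Play, so it is skipped; a system app with the overlay op denied is skipped too. On a real handset, feed the script the actual command output and review every finding by hand, since a legitimate sideloaded app can hold the same grants.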
Mr Durando said it was part of an increasing trend called “malware as a service” which is where hackers create something like Octo before renting it out to other criminals who then distribute it.
“All of these people collaborate just as normal businesses would do. So they have subscription schemes, they have discounts, they have support channels, it’s very, very concerning,” Mr Durando said.
An advertisement spruiking Octo boasts the malware has a “high survival rate”, gives hackers “full device control” and has the ability to steal two-factor authentication codes.
The same shift happened with malware that once targeted only desktop computers.
“Nowadays with the predominance of mobile … criminals are deciding well it is the time to actually invest research and create more mobile malware because that’s where the money’s at,” Mr Durando said.
What do we know about the ‘Architect’ behind this?
Eward Driehuis, vice president of fraud engineering at ThreatFabric, said the group responsible for Octo was Russian-speaking and possibly linked to the Russian cybercrime underworld.
“They are after your hard-earned cash,” Mr Driehuis said, differentiating them from politically motivated groups which are run by foreign nations.
“There’s definitely more than average attention to Australia.”
Mr Driehuis urged Australians to be more cautious but his message was different for the nation’s banks.
“I think you can never rely on awareness to be your first and last line of defence, that would not be fair to shift responsibility to your customers,” he said.
Last year more than $3.1 billion was lost to scams — an 80 per cent increase from 2021 — according to a report from the Australian Competition and Consumer Commission.
Phishing, which is where people are tricked into handing over sensitive information like bank details, was responsible for $24.6 million in losses, an increase of 469 per cent from 2021.
Most of that money — $20.1 million — was stolen through bank transfer.
Another report from the corporate regulator, ASIC, found the big four banks reimbursed customers at a rate of between 2 and 5 per cent.
Calls for Australian government to protect ‘soft target’
Stephanie Tonkin from the Consumer Action Law Centre said Australian banks weren’t doing enough to protect customers, who were being hoodwinked by increasingly sophisticated scams.
“The scams that we hear about on our front lines every day are so complex, so involved that it is near impossible to detect,” Ms Tonkin said.
“Australia is a soft target for scammers because we don’t have the laws and systems in place to prevent scams from taking place,” she said.
She urged the banking sector to take more responsibility because the scams were taking place on their platforms.
“Right now in Australia, we have banks posting multi-billion dollar record profits, yet Australians are the ones who are having to pay for being scammed through no fault of their own,” she said.
“What we have in Australia is a vacuum in laws, a vacuum in responsibility, when it comes to scams and therefore what happens is the innocent victims are left to pick up the pieces.
“What we need is the Australian government to implement laws that put the banks on the hook for reimbursing scams victims that will drive the incentive for banks to invest in their systems to prevent and detect scams.”
A spokeswoman for the Australian Federal Police said Australians were facing “increasing, persistent and pervasive cybercrime threats”.
“The AFP are innovating and exploring further opportunities to disrupt cybercriminals, particularly through our joint operations with Australian Signals Directorate,” she said.
“We are coordinating national joint task forces against business email compromise, ransomware, remote access scams and identity fraud.”
Banks back their own cybersecurity
Most of the banks contacted for this story spruiked their cybersecurity teams and told the ABC they take security seriously.
Both NAB and Beyond Bank said there had not been any fraud activity attributed to Octo.
A spokeswoman for the Australian Banking Association said its members will be holding discussions about anti-scam measures that could be implemented across the industry.
When asked whether banks should be compensating customers for scams, she quoted a 2022 speech from the Assistant Treasurer, Stephen Jones, pouring cold water on the proposal.
“Some people are suggesting that the banks should always be liable. I don’t support this approach, there should be a high bar on what is expected by all of our institutions – but if they meet all of their obligations it doesn’t seem right that they are liable,” Mr Jones said.
“If banks always pay, the net result creates a honey pot for scammers.”