Another bank-related cyber attack, this time stealing almost 100 staff logins at Big Four banks

May 1, 2025

Another week, another attack on Australian companies. The latest trend is attacks on bank-related logins, most recently the theft of almost 100 staff logins at the Big Four banks. Again, the means of theft was infostealer malware on the staff’s personal devices.

The article provides:

Cybercriminals have stolen almost 100 staff logins from workers at Australia’s biggest banks, putting those businesses at higher risk of mass data theft and ransomware attacks, according to cyber security researchers.

The most serious risks arise from the fact that attackers could ultimately use those leaked logins to gain access to the banks’ corporate networks, they warned.

The cyber intelligence firm Hudson Rock told the ABC it found dozens of compromised staff credentials at both ANZ and Commonwealth Bank, and fewer than five at NAB and Westpac.

“There are around 100 compromised employees that are related to those four banks,” Hudson Rock analyst Leonid Rozenberg said.

The Big Four banks all have protections in place to prevent stolen passwords from being exploited in this way.

However, in a worst case scenario, those staff credentials could allow hackers to gain what’s known as “initial access” and break into the banks’ systems.

“This is like the open gate,” said Mr Rozenberg, warning that once the hacker is inside, there was a lot more damage they could do, including installing ransomware and stealing massive troves of customer data.

The almost 100 credentials identified by Hudson Rock belong to either current or former staff and contractors.

All of them had a corporate email address with the ability to log into the same corporate domain, such as “anz.com.au” or “cba.com.au”, researchers said.

The credentials were stolen between 2021 and April 2025, using malware known as “infostealers” planted on employee devices, and have since been given away or sold on the messaging platform Telegram, the dark web, or both.

Infostealer malware, as the name suggests, is a type of malicious software tailor-made to infect a device, harvest as much valuable data as possible, and deliver it directly to criminals.

It overwhelmingly targets computers running on Windows.

As well as passwords, infostealers can capture a wide range of data, including credit card details, cryptocurrency wallets and local files, as well as browser data such as cookies, user history and autofill details.

Researchers have provided no evidence that the digital infrastructure of any of the banks is compromised — only that data, including corporate logins, has been stolen from devices used by their staff.

Experts say one breach can cause ‘a lot of damage’

Earlier this week, the ABC revealed that more than 31,000 banking passwords belonging to customers at the Big Four banks had been stolen using the same kind of malware, exposing those people to possible fraud.

While the number of employee logins stolen by malware gangs is significantly smaller than the number of customers, the risk may be greater, according to researchers.

“Technically, [attackers] need only one [log in] to do a lot of damage,” Mr Rozenberg said.

A recent report from the Australian Signals Directorate (ASD) warned of the potential for infostealer infections to lead to dire consequences for businesses.

The ASD said stolen corporate credentials had already led to successful attacks on Australian businesses, although it did not name any victims.

In the case of all four banks, Hudson Rock also found stolen credentials belonging to third-party businesses, presenting an extra layer of risk.

“They’re not only targeting the access to the bank. They’re also targeting the services that this bank is using externally,” Mr Rozenberg said.

In the case of CommBank, Hudson Rock reported more than 40 leaked third-party credentials, while researchers found more than 30 for Westpac, more than 100 for ANZ and more than 70 for NAB.

“[Attackers] also know that if they get inside the JIRA, or Salesforce, or Slack, the communication system that is widely used by different companies … they can get a lot of sensitive information,” Mr Rozenberg said.

Researchers chose to focus on the banks in this investigation, but warned the threat posed by infostealers was universal.

“This malware can hit any business, in any industry and in any country,” Mr Rozenberg said.

The use of infostealers has exploded in recent years, with a more than 200-fold increase in infections globally since 2018, according to Hudson Rock’s analysis.

The company found there have been more than 58,000 infected devices in Australia alone since 2021.

How leaked staff credentials can lead to an attack

Gaining access to a bank’s corporate environment and staging a major attack is not as simple as just using stolen staff credentials to log in.

“Most large enterprise organisations will have supplementary controls, in addition to a username and password,” said Evan Vougdis from NSB Cyber, listing Multi-Factor Authentication (MFA) as one example.

For that reason, securing “initial access” is a specialised task in the cyber crime world, performed by “initial access brokers”.

“They shop around for infostealer logs that contain login passwords for large organisations or high-profile individuals,” said Jamie O’Reilly from cyber security firm Dvuln.

An initial access broker will search through big data dumps to find the right victim — ideally, a corporate employee working from home.

“They’ll look for things like VPN connections, screen sharing, software credentials,” Mr O’Reilly said.

“If they can use a home device to jump into the corporate network, that’s going to allow them to walk through the proverbial front door.”

If successful, the initial access broker can then sell that access to other criminals.

“They’ll take that [access] to a ransomware gang who can use that to then push ransomware malware throughout this enterprise company.”

Ransomware attacks have the potential to paralyse a business’s operations by locking owners out of their own systems and stealing valuable data to leverage huge payments, which can stretch into the millions.

Even when ransoms are paid, sensitive data may still find its way to the dark web, with businesses having no guarantee that the stolen data will be deleted.

Banks say security measures prevent unauthorised access 

ANZ, CommBank, NAB, and Westpac each responded separately to the ABC to say they have a number of safeguards in place to prevent the unauthorised use of staff logins.

A Westpac spokesperson said the bank couldn’t disclose those measures in more detail for security reasons.

NAB told the ABC it proactively scans cybercrime forums to stay on top of the problem.

“We continuously monitor open and dark web sources for a wide range of potential threats, including compromised credentials,” NAB Chief Security Officer Sandro Bucchianeri said.

“Colleague and third-party credentials are changed regularly,” he said.

A statement from CommBank said the bank invested more than $800 million in combating cyber and financial crime last financial year.

“We continuously adapt our defences based on real-time threat intelligence and regular testing of our security systems,” a spokesperson wrote.
