Memory gaffe leaves Aussie bank accounts open to theft

Clear text credentials stored in memory.

Customers of major Australian banks are at risk of having usernames and passwords siphoned off by malware thanks to a flaw in the way credentials are stored.

The client-side flaws allowed a custom malware tool to pull passwords, account numbers and access credentials from the Commonwealth Bank, ANZ Bank, Macquarie Bank, St George Bank and Bendigo Bank.

The tool created by security researcher Jamieson O'Reilly was able to scrape the unencrypted credentials from volatile memory of popular web browsers every two hours and siphon off the data up to a day later to remote servers.

He said the memory exposure was likely already exploited by criminals.

"I created this tool to put a spotlight on what most likely is already assisting crooks to extract juicy data from browser memory," O'Reilly told SC.

"The thing that surprises me is that this is so easily avoidable."

In a proof-of-concept video, O'Reilly showed his malware swiping credentials from each of the named banks.

Westpac and NAB were the only banks tested to have encrypted the data.

Malware capable of scraping memory in point of sale terminals has existed for years and it was O'Reilly's idea to extend the concept with regular expressions to grab credential data.
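
The scraping approach described above, as an added example written for this page (it is not O'Reilly's tool or any bank's code): carve printable string runs out of a memory buffer the way `strings` does, then apply credential regexes to them. It goes beyond the article in one respect: it also carves UTF-16LE runs, because Windows browsers hold many strings in that encoding and an ASCII-only scan misses those copies. The sample "dump", the field names in the regex and the 48 high bytes standing in for ciphertext are all constructed for the example.

```python
import re
from urllib.parse import unquote

# Runs of printable ASCII, as `strings` would find them, and runs of printable
# UTF-16LE, as `strings -el` would find them. Windows browsers keep many strings
# as UTF-16LE, so a scraper that only looks at ASCII misses those copies.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Credential-looking key=value pairs from a URL-encoded login form body.
# The key names are assumptions for this example; an audit of a real client
# would use that application's own field names.
CRED_PAIR = re.compile(
    r"(?i)\b(password|passwd|pwd|pin|username|clientnumber|accountnumber)=([^&\s]{1,128})"
)


def extract_strings(dump: bytes):
    """Yield (byte_offset, encoding, text, bytes_per_char) for each string run."""
    for m in ASCII_RUN.finditer(dump):
        yield m.start(), "ascii", m.group().decode("ascii"), 1
    for m in UTF16_RUN.finditer(dump):
        yield m.start(), "utf-16-le", m.group().decode("utf-16-le"), 2


def scan(dump: bytes) -> list:
    """Return (byte_offset, encoding, key, decoded_value) for every hit, by offset."""
    hits = []
    for base, enc, text, width in extract_strings(dump):
        for m in CRED_PAIR.finditer(text):
            # m.start() is a character index; scale it back to a byte offset.
            hits.append((base + width * m.start(), enc, m.group(1).lower(), unquote(m.group(2))))
    return sorted(hits)


def build_dump(login_region: bytes) -> bytes:
    """Constructed stand-in for a slice of browser process memory: padding, an
    HTTP request, then whatever the client kept of the login submission."""
    return (
        b"\x00" * 64
        + b"POST /login HTTP/1.1\r\nHost: bank.example\r\n\r\n"
        + login_region
        + b"\x00" * 64
    )


# Constructed login form body, as a client that keeps it in clear text would hold it.
FORM_BODY = b"clientNumber=12345678&password=S3cret%21&submit=Log+on"

# Clear-text client: the ASCII copy plus the UTF-16LE copy a Windows browser also keeps.
PLAINTEXT_DUMP = build_dump(FORM_BODY + b"\x00" * 32 + FORM_BODY.decode().encode("utf-16-le"))

# Client that encrypted the credentials before holding them: 48 fixed bytes above 0x7f
# stand in for ciphertext (constructed, not real encryption output).
ENCRYPTED_DUMP = build_dump(bytes(range(0x80, 0xB0)))


if __name__ == "__main__":
    for name, dump in (("clear text", PLAINTEXT_DUMP), ("encrypted", ENCRYPTED_DUMP)):
        print(f"{name}: {scan(dump)}")
```

Run against the clear-text dump the scan returns the client number and password twice, once from the ASCII copy and once from the UTF-16LE copy; against the dump whose login region holds only ciphertext it returns nothing, which is the difference the article draws between the named banks and Westpac and NAB. A defender can point `scan()` at a dump of their own client's process (for example one taken with a debugger or `procdump`) to check whether login material survives in clear text.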

He said he was surprised the flaws existed since forensics professionals at the banks would have known the credentials were accessible in plain-text memory.

SC alerted the affected banks to O'Reilly's research.

O'Reilly posted the information online and said the banks would only need to encrypt the credentials to keep the data out of reach of data-stealing malware.

RAM scrapers represented seven percent of the top 20 threats in this year's Verizon Data Breach Investigations Report, which O'Reilly said left "a lot of room for growth and creativeness from the attackers' side".


Copyright © SC Magazine, Australia
