Internet banking breach may be a prank, for now

Jason Bryce
ANZ is warning its customers about a "personal details form" that appears to customers after they log on to the genuine ANZ website internet banking interface.

The pop-up form is convincingly branded and features a seemingly genuine form with scroll down menus.

Previous trojan attacks typically try to redirect the user's browser to a fake bank site, but this one operates when the user is in a session with the genuine bank website and the genuine online banking interface.

Sam Plowman, head of online banking, ANZ, says the threat is contained on user's computers and does not mean that the ANZ website or internet banking interface has been compromised in any way.

"A trojan has affected a couple of our customer's computers and uploads a form that is branded with ANZ and asking for personal details.

"Subsequently we have put out an alert to constantly be aware of this type of attack.

"The feedback I have from the e-crime groups is that this is wider than just ANZ, but unlike some of the other [banks], we have decided last night, upon noticing the trojan, to put the alert on the website to maximise the amount of information we share with our customers to protect them as best as possible."

Jeff McGeorge, Director of Brisbane-based security vendor Markets-Alert says this attack is a step forward by the hackers.

"This is very clever, this is a new angle.

"What is happening is that the session between the user's browser and the bank's server is being compromised. Once you press a button on the ANZ web page, that is triggering a PHP script on your browser to make the page pop up.

"If the user is logging in and then being redirected then that would be a real bugger - that would generally be showing that the bank's web server is being owned," said McGeorge.

"The script could be capturing all the information that the user is typing into the ANZ page, as well as the details they are typing into the bogus page."

Although ANZ's security alert says the bogus form appears to customers after they log on to internet banking, Sam Plowman denies that there has been any breach of the bank's server or website.

"In no way whatsoever has there been any compromise of the internet banking site - it is a trojan loading within the user's PC," said Plowman.

Plowman has no idea where this threat may have originated, but is not aware of any offshore institutions reporting similar attacks.

"Our internal team is currently investigating this and working with the external e-crime teams; we haven't been briefed by them yet but no doubt at some stage we will be."

Jeff McGeorge has some ideas about where the threat may be coming from.

"There have been a whole lot of retrenchments out of banks and financial institutions - disgruntled ex-IT staff, disgruntled ex-security staff, they know how the system works and the incentive is there to get some money."