Commonwealth Bank served as training ground for global phishing attacks

Cyber crime researcher claims March 2003 attacks on the Commonwealth Bank's Netbank customers was among the world's first wide-scale phishing attempts

When international organised crime groups launched the first wide-scale phishing attacks in 2003, their targets weren’t the United States or the United Kingdom but actually the customers of one of Australia's major banks, the Commonwealth Bank of Australia, according to a cyber crime researcher.

The claim was made in a revealing presentation at the recent International Serious and Organised Crime Conference in Melbourne, where Macquarie University lecturer, Stephen McCombie, explained how stolen money is laundered overseas and some possible solutions.

McCombie works at the university’s recently established centre for policing, intelligence and counter terrorism and has completed research into the history of the internet phishing scams, which are used by criminals to steal banking details of victims.

Data shows the first major phishing attacks took place in March 2003, he said, and the world's first major internet banking service to be used in an attack was the Commonwealth Bank, targeting its Netbank customers.

“Now no one's looked terribly closely at that first attacks,” he said. “I've done a bit of research if there was any before that attack, and there certainly weren't any against major internet banks.

“The language wasn't particularly convincing but it certainly tricked a lot of people. It was a simple matter of sending out enough of those emails, so enough people put their credentials in.”

This was quickly followed by attacks on the services of ANZ bank in April of that year, Bank of America in May and Westpac in July.

CBA and Westpac declined to comment on the attacks and both said they have invested significantly in online security measures, details of which are available on their websites. ANZ did not respond to a request for comment.

Financial institutions invest billions, maybe even trillions on infrastructure security, McCombie said, coming second only to the most top-secret government departments but it is one of the “great ironies” that the cyber criminals bypassed these walls and instead targeted the end users.

“They were the easy targets and while there were definitely a lot of technical attacks that took place, most of them were social engineering, so just tricking people.”

Perhaps for this reason, McCombie decided not to investigate the technical aspects of the attacks and instead sought to “know the enemy”.

“It was a very significant time in my life, as far as my working life went... Until you understand the people behind it, you need to know about your enemy, their disposition and their motivations otherwise you're never going to defeat them.

“Obviously we've focussed on what technically we can do to stop this, there is a great limitation because once the systems are compromised, most of those security measures aren't really effective.”

According to his research, the attacks primarily came from Eastern European countries Russia and the Ukraine, which resulted from multiple factors including the collapse of national institutions, a highly educated population, and widespread corruption.

“You have the combination of a very low corruption perception index score, there's a high level of technical education, we've had a period of economic uncertainty, a breakdown of institutions, a tradition of organised crime, so it's created this haven for Russia and the Ukraine as the sweet spots for cyber crime.”

The phishing attacks in Australia in 2003 coincided with the closure of Russia’s Federal Agency of Government Communications and Information (FAPSI), he said, which housed some of the country's best hackers and intelligence agents.

“FAPSI which is more or less was the equivalent of the NSA of the Russian government it was actually disbanded in 2003 and you can see they had various specialists, including information warriors and cyber experts in that area.

“Many of them end up joining organised crime, in the same year they were disbanded was the same year phishing became a problem.

“And many of the FAPSI people didn't go to organised crime are now in the [Federal Security Service], so very closely aligned with some of these huge forces.”

While the money was going to organised crime groups based overseas the actual fraud and money laundering all takes place on Australian shores, in a “very simple” exercise.

The fraudster first uses a phishing scam, or another fraud, to obtain the victim’s account information and credentials. Then they need to do a transaction using those credentials to steal the money, which is subsequently moved into the bank account of a local “mule” - a person located in the country where the fraud’s occurring. The mule, which may or may not be aware of the fraud, then draws out the money in cash and uses a global remittance dealer such as a Western Union or Moneygram to transfer the funds overseas, where it is waiting to be picked up by the organised crime gangs.

The "most solvable" part of phishing attacks is using remittance dealers to transfer money out of the country, McCombie said, and he suggested this should be addressed by legislation as well as authorities such as AUSTRAC, the Australian Crime Commission and the Australian Federal Police high tech crime centre.

Earlier this year AUSTRAC chief executive, John Schmidt, was granted new powers to de-register remittance dealers that pose a money laundering risk. Schmidt exercised these powers last week when Thi Kim Hong Tran was de-registered, but this was only after Tran convicted and sentenced for money laundering offences.

In July, the Australian Crime Commission's $14.5 million criminal intelligence fusion centre commenced operation, with a mandate to detect crimes such as money laundering. It works with staff from the AFP, Tax Office and Centrelink to integrate data and criminal intelligence to identify high risk cash flows.

However, McCombie said such efforts are largely reactive and there is room to be more proactive. He suggested one of the first steps would be to look at outgoing money transfers to properly scope the size of the problem.

“There's probably the first steps to develop some intelligence on the area and do some work around reducing the effectiveness of these transfers getting out of the country.

“The problem to date has been the amounts individually are quite small and to me that's been driven by the transaction limits put in place by the banks to reduce their losses and it doesn't sound like a lot of money individually, but the quantum is a large amount of money.

“If someone took a strategic view of that they would see that, there's billions of dollars going out of Australia to organised crime groups in Eastern Europe.

“That could easily be dealt with if someone took a step back and looked at those transactions a bit more strategically," he said.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags cyber crimeCBAMacquarie UniversityCommonwealth Bank of Australia

More about ANZ Banking GroupAustralian Federal PoliceCentrelinkCommonwealth Bank of AustraliaCommonwealth Bank of AustraliaFederal PoliceMacquarie UniversityMacquarie UniversityNSAPSIWestern UnionWestpacWestpac

Show Comments