More than 2300 business websites, including dozens in Australia, have been compromised and used to steal consumers’ information as part of a year-long, “highly orchestrated phishing campaign”, a security firm warns.
Almost 80 small and medium-sized Australian businesses have been hacked in the operation, with the websites targeted ranging from a children’s education provider to three Queensland strip clubs.
Australian online security firm CyberCX revealed details of the attack on Tuesday after alerting compromised businesses, and warned consumers to take care when following website instructions, including completing CAPTCHAs.
Fake CAPTCHA features were used in the hacking. Credit: Olive Berg
In a paper called DarkEngine detailing the campaign, CyberCX said it discovered a group had compromised at least 2353 websites since June 2024, including 79 from Australia.
The online criminals targeted websites using “search engine optimisation poisoning” to publish hacked versions of a commonly used website management tool, the report said.
This allowed them to install malicious code on the websites, including fake CAPTCHA features ordinarily used as a security measure to identify website visitors.
AAP