
More than 2300 business websites, including dozens in Australia, have been compromised and used to steal consumers' information as part of a year-long, "highly orchestrated phishing campaign", a security firm warns.
Almost 80 small and medium-sized Australian businesses have been hacked in the operation, with the websites targeted ranging from a children's education provider to three Queensland strip clubs.
Australian online security firm CyberCX revealed details of the attack on Tuesday after alerting compromised businesses, and warned consumers to take care when following website instructions, including completing CAPTCHAs.
The details come weeks after several superannuation firms were targeted in a co-ordinated online attack and less than a year after 12.9 million Australians had private information stolen from health provider MediSecure.

In a paper called DarkEngine detailing the campaign, CyberCX said it discovered a group had compromised at least 2353 websites since June 2024, including 79 from Australia, 50 from the United Kingdom, and 34 from Canada.
The online criminals targeted hundreds of websites using "search engine optimisation poisoning" to publish hacked versions of a commonly used website management tool, the report said.
This allowed them to install malicious code on the websites, including fake versions of the CAPTCHA features that are ordinarily used as a security measure to identify website visitors.
The effort and resources put into the phishing campaign suggested the criminals behind it were highly motivated, CyberCX intelligence and public policy director Katherine Mansted said, and would sell whatever credentials they could steal.
"They're quite omnivorous - there are sex shops through to kids' education websites," she said.
"What their objective is here is to compromise as many ordinary citizens' computers as possible for the purposes of financially motivated crime."

Stolen credentials such as personal information, logins and passwords had become the leading cause of online attacks, Ms Mansted said, taking over from email phishing attempts.
"What we're seeing is an ongoing professionalisation and industrialisation of the cybercrime ecosystem," Ms Mansted told AAP.
"I'd love to say that by outing this particular campaign the harm is stopped but it's not, as this is just an example of what we're seeing more and more of."
Individuals who might have had their details stolen in the DarkEngine campaign should change their passwords, employ a password manager, and use multi-factor authentication on accounts when possible.
Website visitors should also carefully scrutinise CAPTCHA features that look unprofessional, appear in a pop-up window, or ask users to copy code into a computer's command prompt.
Stolen passwords were also used to break into 10 AustralianSuper accounts in April in a theft that cost $750,000, National Cyber Security Co-ordinator Lieutenant General Michelle McGuinness confirmed in May.