This is the first blog in a two-part series. To get the full story, read part two as well.
Financial cybercrime in Brazil is known as one of the most geospecific panoramas, where local cybercriminals attack local internet users. With close to 210 million residents in the country, criminals are in lavish turf. Some reports cite losses of nearly 70 billion Brazilian reals — which equates to about $18.6 billion — to fraud and online scams in 2017.
In following the evolution of cyber activity in Brazil, IBM Security sees this threat landscape as unique, where technical sophistication is neither the norm nor a requirement. In this first article of a two-part series, we expose some of our recent research on the typical malware and tactics, techniques and procedures (TTPs) used against Brazilian online banking users.
In contrast to rising sophistication in other parts of the globe, one of the most poignant characteristics of cybercrime in Brazil is its simplicity. Attackers will often use their familiarity with how local users browse the internet to take advantage of them and steal their money.
Read the white paper: Preserving trust in digital financial services
Internet Access Spreads Far and Wide in Brazil, But User Education Is Still Scarce
The majority of global internet users are located in East and South Asia, and China is the largest online market in the world. Fourth on the global chart, Brazil is the largest internet market in Latin America, with nearly 140 million internet users as of 2016, according to Statista.
Internet access has grown rapidly in Brazil in the past decade, with nearly 77 percent of residents accessing the internet from home in some of the more populated regions of the country.
Figure 1: A regional estimate of the percentage of homes with internet access in Brazil (Source: The Brazilian Institute of Geography and Statistics)
However, while more Brazilians than ever before have access to internet-enabled services, many users are still not well-versed in using them safely. Regardless of the browser or search engine, it’s not unusual for internet users to look up something they want to access and click the first result without thinking twice about it. When it comes to online banking, for example, some may not take the time to type their bank’s URL into the address bar and favor searching for it, then browsing to the top result they get back. Fraudsters rely on this behavior and serve up poisoned links as the top results on a search engine to trap those who are unaware of the risks.
When the Going Gets Tough… Become a Cybercriminal?
The drivers of crime in Brazil stem from socio-economic difficulty. In addition, laws are either nonexistent or not strict enough to deter people from becoming online thieves.
The minimum wage in Brazil stands at 969 reals (around $258) per month, as reported by The Rio Times. Brazilian Institute of Geography and Statistics (IBGE) data from 2017 shows that “more than 50 million Brazilians, nearly 25 percent of the population, live below the poverty line, and have family incomes of R$387.07 per month.”
Many Brazilians have never had it easy when it comes to their socio-economic situations. Since necessity is the mother of invention, that reality is also what makes Brazilians quite creative in problem solving. In many cases, the main problem for everyday people in Brazil is the lack of financial resources to sustain themselves and their families. That’s where creative thinking comes into play — sometimes in good ways and, unfortunately, sometimes in the shape of financial cybercrime.
Remote Overlay Malware Is the Way to Go
Financial threats targeting online banking users in Brazil are a rather monotonous bunch. Most code is based on overlay malware and written in the Delphi programming language — code that is neither elaborate nor modular. Why spend a chunk of money buying or building state-of-the-art malware, wrapping it up in end-to-end encryption and enabling it to gain rootkit privileges on devices, when you only need simple malware to trick users into unwittingly giving up their credentials?
With evolving controls that curb attackers’ ability to use phished credentials, using malware is the preferred method in Brazil, offering a better return on investment for less effort. But how are everyday fraudsters operating the malware supply chain without much technical savvy? That’s where creative thinking and being local come into play. It is also why so many fraudsters in Brazil use very similar malware codes that do mostly the same things — namely, remote overlay.
As its name suggests, remote overlay involves remotely plastering fake images and application interfaces on users’ screens to limit their access to an authenticated online banking session and trick them into divulging additional information. This type of malware is by far the most common used in Brazil nowadays, and threat actors have little reason to change it.
Brazilian Fraudsters Don’t Complicate Things When Easy Does It
Using malware is one thing, but first, it has to reach unsuspecting users. Without technical know-how, most Brazilian fraudsters do not operate exploit kits, which can be costly and often require technical support from cybercrime vendors. Recent attacks that our team analyzed show that most attackers prefer victims to come to them by putting a consumer spin on the watering hole attack tactic.
In Brazil, residents can download their monthly invoices and tax bills from the corresponding vendor’s website or government site. It is common practice for people to log in to an online utility account, for example, and download their bill. By setting up a malicious replica of such a site, criminals can attract a large number of users to that page and trick them into downloading a fake bill, thereby having them willingly fetch a Trojanized file and unknowingly launch the malware infection on their devices.
But without using an exploit kit or relying on high-traffic sites, how will that malicious infection zone become known to potential victims? Knowing that many people in Brazil are in the habit of searching for websites via search engines rather than typing their exact URL into the address bar, the obvious choice is to pay for a sponsored advertisement to have the malicious page top the search results. To keep their own identities out of sight, cybercriminals pay for sponsored ads with stolen credit card information, saving themselves both money and risk.
Posting malicious ads on popular search engines is no stroke of genius, but a surefire way to get those ads discovered by security controls and promptly taken down. Fraudsters using this tactic therefore rely on short, aggressive bouts of luring people to their phishing pages. Since they do not pay for the ads and can spin up a malicious page very quickly, they can still get enough clicks to make each attack worthwhile.
To further protect their malicious site for a long enough period to trap as many users as possible, fraudsters often use stolen payment cards to pay for legitimate services that optimize their site’s performance and mitigate the risk of a distributed denial-of-service (DDoS) attack.
Figure 2: Phishing site data on Virus Total
Figure 3: Phishing site uses DDoS protection
IBM X-Force noted that recent campaigns that spread malware using sponsored URLs were carefully targeted by focusing on a specific region on specific days. For example, these campaigns often impersonate a state’s power company around the due date of that month’s bill, exploiting the timely context for visitors trying to pay their invoice to infect victims with remote overlay Trojans.
As users attempt to download their invoices, they are actually accessing a ZIP file containing a shortcut file (.LNK) used by Microsoft Windows to point to an executable file. That file will then download additional malware components to infect the user’s device. Victims would only see a file that opens to nothing and may attempt to download the file again, which our researchers witnessed in many cases.
Need Help With Your Attack Campaign?
When it comes to financial cybercrime, technical sophistication, while not entirely absent, is not very common in the Brazilian threat landscape. In many cases, cybercriminals in the region are newcomers to the trade and need help to become familiar with the works of online fraud.
To fill in the gaps, these newcomers receive assistance from other criminals in the shape of tutorials, lessons, tools and wares to help them along — a marketplace that’s comparable to other dark web and underground forums across the globe.
In the images below, we can see that selling information and tools is a dynamic business in Brazil. Each of the following screen captures shows commodities offered to fraudsters, including compromised data, web resources and platforms to launch attacks, blackhat lead generation help, and cash-out services. The same types of vendors also offer malware for sale.
Figure 4: Cybercriminals often offer services and commodities to help other criminals along.
Dark web marketplaces spread knowledge and train more criminals on fraud tactics. Localized cybercrime ecosystems are more targeted, which boosts their efficiency and adverse effects.
A Word to the Wise: Top Tips for Safer Web Browsing
While it is easy for Brazilian users to get infected with malware, infections cannot occur without user interaction. This is in contrast to other parts of the world, where people can often get infected simply by visiting a compromised page through a drive-by download from an exploit kit, for example.
Below are some consumer tips for safer browsing, adapted to the popular infection scenarios in Brazil:
- Don’t search for the homepage of important accounts. Poisoned search engine results can easily lead users to a malicious page. For important accounts, especially those involving payments, type the URL into the address bar or save the genuine website in the browser’s favorites list and access it from there.
- Double-check the site before downloading files. Before clicking to download an invoice, double-check the domain and its credentials — a malicious site might be written with a spelling mistake or use a different top-level domain (TLD).
- Make sure the site is secure. Since the update to Hypertext Transfer Protocol Secure (HTTPS), all websites feature encryption. Look for a lock icon in the address bar and click it to see that you are in the right place. Most popular web browsers will alert users to a site that is not secured, or worse, dangerous to visit. If that’s the case, close the page and contact the service provider directly to pay a bill.
- Get genuine security software for your devices. Even though regular antivirus software can take longer to detect new banking malware, it can offer some protection against known threats, which are what hits users most often. Use and update an antivirus program on your home and mobile devices.
- Keep your operating system (OS) and all applications up to date. Cybercriminals can take advantage of bugs and flaws in unpatched systems to compromise or infect them with malware. Apply patches and updates as soon as they become available to limit vulnerability.
- Stay away from counterfeit software. All major software vendors have one, if not many, application security teams. Anyone offering up counterfeit software goes to great lengths to bypass the original vendor’s controls and, as a result, counterfeit applications are often weaker and open up backdoors to devices. Stay away from counterfeit applications and favor open source or freeware programs if you cannot afford to buy original software.
- Last, but not least: education. One of the most important ways to help prevent malware infections and online banking fraud is user education. While security controls can help mitigate risks, they can’t replace user vigilance. Organizations and service providers alike should offer information that can help users become more aware of attack tactics and the risks associated with them.
Malware is prolific, but with the right risk management solution, you can prevent fraud while establishing digital identity trust throughout your customer’s online journey.
Read the white paper: Preserving trust in digital financial services