Brazil is fighting an uphill battle when it comes to cybercrime. There’s a new fraud attempt every 16.9 seconds in Brazil, Convergência Digital reported. According to Brasil Econômico, there are about 4,700 attempts per day. No wonder internet fraud has been named the “fraud champion” of Brazil.

IBM X-Force continues to discover evolving cybercrime threats and new tactics in the country. X-Force researchers uncovered and analyzed a new phishing method that recently emerged in Brazil. This particular method is designed to emulate a banking Trojan by extracting critical data from its victims in real time via a live, interactive phishing attack.

This type of phishing scheme takes place over a web session between the attacker and the victim. It is able to mimic a target website’s look and feel, more so than just an idle phishing page. From afar and behind the scenes, cybercriminals impersonate the victim’s bank and ask for all kinds of account details.

Most likely, the criminal will access the compromised account from the bank’s website to make a transaction in real time, all the while milking more authentication details from the unsuspecting victim. The emergence of this new method’s will likely contribute to rises in fraud in Brazil over the coming months.

Brazil is already the second-largest generator of cybercrime in the world, according to Computerworld, and the country most affected by fraud in Latin America, per Globo. For some perspective, one of cybercrime’s most targeted countries in the world, the U.K., saw a 25 percent increase in online fraud in 2015, as reported by The Guardian. Brazil saw a 40 percent rise in online banking fraud, according to El País, during the same year.

A Man in the Middle Gone Phishing

Phishing fraudsters have devised numerous tactics to solicit the attention of banking customers. They may send emails impersonating the bank, redirect users to fake sites, deploy pharming attacks, induce malicious proxy changes, or launch fake windows or images on the victim’s desktop to rob access credentials, account information, card data and personally identifiable information (PII).

Most banks require users to provide personal details in real time to authenticate customers during digital transactions. This usually foils fraud attacks. These details are called out-of-band authentication because they happen away from the user’s browser, via a smartphone, card reader or numeric code chart. So how does a criminal rob an SMS code without infecting the victim’s smartphone? How does he or she gain real-time access to a time-based code issued by the bank for a given transaction?

Well, they typically can’t. But you can appreciate how much they would want this type of access.

Enter interactive phishing, a real-time web session that dupes users with a seamless flow of changing screens and messages controlled by the attacker from a remote server. Using this type of interactive attack, criminals can better impersonate the victim’s trusted bank or service provider. Furthermore, with information being delivered from the victim according to the attacker’s request in real time, the chances of success are much higher. This threat is considered advanced and high risk due to its credibility factor.

Read the complete X-Force Report on The Perils of Phishing

Reel Experts and Dainty Hooks: An Insider’s View

Like other cybercrime-related domains, the interactive phishing attack is hosted on a domain the attacker registers. But unlike regular phishing pages, it is a live web session attackers control and can personalize at their discretion.

1. Spam Email

A victim receives a phishing email containing a link. After clicking it, the victim lands on the attacker’s page, which looks like the bank’s real website, but the URL in the address bar is not the correct one. To add a measure of credibility and to manage the different targeted brands, the attackers add an underscore followed by the bank’s URL in the address bar.

2. Start a Session

The interactive web session begins as soon as a new victim arrives to the fake page. To alert the attacker every time there’s a new phish in the net, the admin panel launches a sound bite of evil laughter. Yes, evil laughter!

From this point on, the victim and the attacker are interlocked in a conversation of sorts — only the victim is entirely unwitting and the criminal is likely to initiate an account takeover fraud attempt during the talk.

Figure 1: An Interactive Phishing Conversation

Following the victim’s initial submission of login credentials, the criminal uses the admin panel to push social engineering screens to the victim, requesting other pieces of information the bank may require to complete a transaction.

3. Orchestrate

Using the admin panel (see Figure 2 below), the attacker can pick premade content or even type customized messages into the screen to make the process seem more personalized and legitimate.

The admin panel itself is mostly written in Portuguese. Before the victim enters any more information, the panel indicates the status: waiting.


Figure 2: Attacker’s Web-Based Admin Panel

Figure 3 shows how the panel enables the criminal to select messages from a menu. These are programmed to request different elements from the victim. Some examples are:

  • Token code;
  • Digital signature;
  • Payment card PIN;
  • Identification number;
  • Phone number; and
  • Content of SMS messages.


Figure 3: Admin Panel Offers Different Premade Options to the Attacker

On top of asking for these critical elements, the attacker can also return an error message if the victim enters incorrect information. The attacker can verify whether the information is correct by testing it on the bank’s site in real time.


Figure 4: Social Engineering Screens Requesting Critical Authentication Elements

Victims are kept waiting online between new questions. The attacker displays a message asking the victim to wait a moment to draw out the live session.


Figure 5: Fake Hold Screen Asking Victims to Wait Between the Attacker’s Actions

To keep switching up the requests displayed to the victim, the website renders new fields via JavaScript using AJAX, implemented by an external script, which is also written in Portuguese. This offers a hint to the kit’s origins:

The following figure demonstrates conditions related to the fields rendered by the AJAX request. For example, once the phishing operator requests the password “senha” in Portuguese, the “senha” field will be displayed to the victim on the same screen they are looking at:

The JavaScript code “document.getElemetById(“sen”)” acquires the relevant DIV element by the requested ID. By doing that, it sets the style of the DIV from “none” to “block” to render the content to the page. The next figure shows an example of the HTML chunk called for each question/screen change:

4. Finalize and Keep Them Away

After managing to obtain information from the victim, the attacker ends the sessions with a message about the “successful update” being complete.

Notice the attacker ask the victim to wait 24 hours before accessing the site again. This is because the attacker wants the fraudulent transaction to clear before the victim discovers it. Banking Trojans do this by locking the access to the bank’s page. Interactive phishing uses social engineering throughout the process to achieve the same goals.


Figure 6: Social Engineering Screen Notes the Update Is Complete

The admin panel also indicates the completion of the attack on the cybercriminal’s end by modifying the status message to “finalizada,” which means “finalized”:


Figure 7: Admin Panel Status Changes to “Finalized” After Attack Conclusion

To keep things in order following each attack completion, the panel logs the IP addresses of victims from whom details were stolen during the web session.

Phishing Here to Stay?

Phishing is one of the oldest threats on the internet. This social engineering trick has been around since about 1995, per Phishing.org. But although it really is one of the oldest tricks in the book, phishing attacks are still on the rise.

The volume of phishing attacks surged 250 percent in Q1 2016, according to the Anti-Phishing Working Group’s “Phishing Activity Trends Report.” That’s more phishing recorded this year than in any other three-month span since the group began tracking attack data in 2004.

But phishing is also evolving. According to IBM X-Force, interactive man-in-the-middle (MitM) phishing is proof of increased sophistication, making attacks more believable through real-time data theft.

Data stolen through interactive phishing can be commercialized in underground boards and sold to an untold number of cybercriminals. The commercialization factor amplifies the prevalence and risk of any online threat. The same kit can be adapted to target any bank in any country. Service providers must acknowledge this risk and mitigate it ahead of time.

Since this sort of phishing attack can enable criminals to access victims’ accounts and defraud them with illicit transactions, one of the best ways to detect it is by using a solution that identifies account takeover (ATO) attacks.

Going beyond the use of technology, browsing hygiene rules are just as important to help users avoid even an advanced attack like interactive MitM phishing. Use these tips for mitigating malware to reduce risks, and check out the IBM X-Force Report “The Perils of Phishing” for additional recommendations.

More from Advanced Threats

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Top-ranking banking trojan Ramnit out to steal payment card data

4 min read - Shopping online is an increasingly popular endeavor, and it has accelerated since the COVID-19 pandemic. Online sales during the 2021 holiday season rose nearly 9% to a record $204.5 billion. Mastercard says that shopping jumped 8.5% this year compared to 2020 and 61.4% compared to pre-pandemic levels. Cyber criminals are not missing this trend. The Ramnit Trojan, in particular, is out for a shopping spree that’s designed to take over people’s online accounts and steal their payment card data. IBM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today