IBM X-Force Incident Response and Intelligence Services (IRIS) has been tracking cybercrime capitalizing on the coronavirus pandemic since January, and has observed the geographical areas of this activity shift over time. In February, cybercriminals were focusing on Asia, and we observed threat actors targeting potential victims in Japan with coronavirus-related phishing lures. In mid-March and into April, as the virus spread dramatically into Spain, the United States and Iran, COVID-19-related attacks in these geographies also increased.

More recently, the virus has been spreading in Latin America, leading experts at the World Health Organization (WHO) and elsewhere to declare that “South America has become a new epicenter for the disease.”

We examine how cybercriminals are capitalizing on COVID-19 in Brazil — the most populous country in South America and second in the world for the number of coronavirus infections as of early June — by delivering malicious email, SMS text and WhatsApp messages and creating hundreds of malicious sites since March 2020. In particular, our analysts found that over 693 new COVID-19-related Brazilian cybercriminal malicious websites have been created this year, many capitalizing on the country’s government assistance program related to the pandemic.

Government Assistance and Cybercriminal Intervention

Similar to other areas of the world, the coronavirus pandemic has led the Brazilian government to enact policies aimed at decreasing social interaction and the spread of COVID-19 within the country, to include closing restaurants, schools and many stores, and prohibiting sporting events. While deemed necessary, these restrictions have challenged the economic situation of many families and individuals due to the loss of jobs and income.

To alleviate some of this financial strain, the government granted financial assistance to informal workers, low-income families and small entrepreneurship in the form of “coronavouchers.” These government vouchers are distributed monthly in the amount of 600 Brazilian Reals, or approximately $150 U.S. dollars at of late May 2020 exchange rates.

Similar to cybercriminal activity X-Force IRIS observed targeting small business loan applicants in the U.S. in April, cybercriminals are targeting Brazil’s coronavirus financial assistance program to take advantage of the situation. The Brazilian government initiative requires some beneficiaries to use electronic portals or mobile apps to formally register and confirm their personal data — communication mechanisms that attackers are targeting heavily for scams, financial fraud or to install malicious software on citizens’ devices.

Based on IBM X-Force IRIS research, cybercriminals are using email, SMS text messages and WhatsApp to deliver malicious URLs of webpages or apps spoofed to appear as legitimate government portals requesting personally identifying information and other sensitive data. After collecting this information from victims, cybercriminals are then able to open bank accounts in victims’ names and even request loans.

Some of the fake apps and webpages require the user to forward a link to all their contacts, thus propagating the attack to additional victims.

The below screenshot shows a WhatsApp message with a link to a fake website, inviting victims to register to receive 200 Brazilian Reals from the government to assist with difficulties encountered by the novel coronavirus, based on IBM X-Force research.

Figure 1: Screenshot of WhatsApp message containing links related to the fraud (Source: X-Force IRIS)

Similarly, the below message invites recipients to apply for emergency government assistance to potentially receive 600 to 1200 Brazilian Reals per month. The buttons lead to a fake website where victims enter personal information to learn whether they are “eligible” to receive assistance. Attackers can then use the information collected from this portal to commit fraud.

Figure 2: Some apps present questions to check if the person is able to receive assistance through the government’s program (Source: X-Force IRIS)

New Domains Related to Brazilian Government Assistance Have Proliferated

To carry out the above scams, Brazilian cybercriminals are registering new domains and creating fake webpages at a rapid rate. This allows them to stay ahead of law enforcement or rapidly reconstitute a scam when a previous attempt is shut down.

Using an open source threat list, X-Force IRIS researchers were able to identify at least 693 new COVID-19-related Brazilian cybercriminal websites with a high risk score created this year. The registration of domains referencing the Brazilian government assistance program, also known as “auxílio emergencial” as well as other COVID-19-related websites using the top-level domain “.br” for Brazil and local terms such as “auxilio” and “emergencial,” has increased at a rapid rate since the beginning of the year, with a particularly high rate of activity in mid-April.

The below chart shows the number of Brazilian COVID-19-related domains with the highest possible risk score (99) registered in 2020, giving a sense for the pace of activity in this area. The x axis shows data for the week ending on the date shown, demonstrating that this activity peaked the week of March 28. This list includes updates up to June 18, 2020.

Figure 3: High risk score domains related to Coronavirus (Source: Domain Tools)

 

Spam Email Targeting Brazilians Proliferating

IBM X-Force used access to spam databases to search on trends for spam sent containing the phrase “auxílio emergencial,” key terminology used to reference the Brazilian government’s COVID-19 assistance program. The following chart depicts the outcome of this search from early March to early June:

Figure 4: Spam sent using the phrase “auxílio emergencial” from March 1 – June 21, 2020

This data shows that there were spikes in these messages on May 22, May 27, June 4, and June 8-9, 2020, suggesting that criminal campaigns capitalizing on Brazil’s government assistance program continue to be active and have increased over the past month. The term “auxílio emergencial” appears to be unique to Brazil and is not being used as frequently in other Portuguese-speaking countries — even Portugal— suggesting these spam messages are intended for Brazilian recipients.

Below is a screenshot of one of the emails included in the June 4 spike in activity. It advertises Brazil’s emergency assistance (auxílio emergencial) with an authentic-looking logo and graphic, and then provides a link for the recipient to check their registration and confirm their details.

Figure 5: Phishing email encouraging recipients to click on a malicious link

When a user clicks on the link, it downloads a malicious file that appears to be an information stealer and has elements in common with Brazilian banking malware aimed at harvesting a user’s banking credentials to conduct unauthorized bank transfers. Other elements appear similar to the Parallax Remote Access Trojan (RAT), which has been associated with several COVID-19-related campaigns and can bypass detection, harvest credentials, and execute remote commands. After clicking the link, a zip file Relatorio br1.zip is automatically downloaded onto the user’s device. This zip file contains three files, including one dynamic link library (.dll) file that, according to our research, has several detections for being malicious.

Staying Safe in the Storm

What actions can individuals and enterprises take to maintain security during this barrage of COVID-19 cybercrime activity? X-Force IRIS has identified several actions you or your organization can take to avoid lures such as the ones above:

  • Become naturally cautious of COVID-19-related messages arriving via email, text message or other apps. Whenever possible, gain information by actively initiating searches and visiting known government-sponsored websites, rather than only consuming information pushed to you.
  • Use IBM’s X-Force Exchange and TruSTAR COVID-19 Enclave to stay on top of the latest COVID-19 threats, which we are consistently monitoring and updating.
  • Employ Quad9 — a free DNS resolver — to block your device from communicating with known malicious domains.
  • Use threat intelligence to stay aware of the current tactics and phishing lures employed by cybercriminals, so you are more likely to spot them and avoid them.
  • Engage in workforce education and employ software solutions and banners to help mitigate the threat from phishing attacks at your organization.

Where Will COVID-19 Cybercrime Go From Here?

Worldwide, COVID-19-related phishing lures and malicious domains are decreasing, as X-Force IRIS has highlighted in analysis on our Enterprise Threat Intelligence platform for subscription members. This trend echoes the decrease in new malicious domains in Brazil as noted above. At the same time, some specific campaigns in Brazil are just heating up — such as the “auxílio emergencial” spam email campaigns we highlight above. In the case of Brazil — a geography with a unique cyber threat landscape, where Brazilian cybercriminals tend to focus on targeting individuals in their own country — it is possible that this increase in cybercrime is a way of coping with the pandemic, which undoubtedly is affecting attackers as well. The good news is that COVID-19 cybercrime appears to be decreasing overall as attackers turn to new themes, lures and newsworthy events to attract activity.

More from X-Force

FYSA – Adobe Cold Fusion Path Traversal Vulnerability

2 min read - Summary Adobe has released a security bulletin (APSB24-107) addressing an arbitrary file system read vulnerability in ColdFusion, a web application server. The vulnerability, identified as CVE-2024-53961, can be exploited to read arbitrary files on the system, potentially leading to unauthorized access and data exposure. Threat Topography Threat Type: Arbitrary File System Read Industries Impacted: Technology, Software, and Web Development Geolocation: Global Environment Impact: Web servers running ColdFusion 2021 and 2023 are vulnerable Overview X-Force Incident Command is monitoring the disclosure…

Strela Stealer: Today’s invoice is tomorrow’s phish

12 min read - As of November 2024, IBM X-Force has tracked ongoing Hive0145 campaigns delivering Strela Stealer malware to victims throughout Europe - primarily Spain, Germany and Ukraine. The phishing emails used in these campaigns are real invoice notifications, which have been stolen through previously exfiltrated email credentials. Strela Stealer is designed to extract user credentials stored in Microsoft Outlook and Mozilla Thunderbird. During the past 18 months, the group tested various techniques to enhance its operation's effectiveness. Hive0145 is likely to be…

Hive0147 serving juicy Picanha with a side of Mekotio

17 min read - IBM X-Force tracks multiple threat actors operating within the flourishing Latin American (LATAM) threat landscape. X-Force has observed Hive0147 to be one of the most active threat groups operating in the region, targeting employee inboxes at scale, with a primary focus on phishing and malware distribution. After a 3-month break, Hive0147 returned in July with even larger campaign volumes, and the debut of a new malicious downloader X-Force named "Picanha,” likely under continued development, deploying the Mekotio banking trojan. Hive0147…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today