Internet fraud in South America is widespread and rapidly growing in sophistication, with Brazil leading the pack. According to a survey published by Serasa Experian, losses due to financial fraud surpassed $1 billion in 2013 alone. Lax cybercrime laws are partly to blame, giving rise to fraudsters who are notorious for their inventive techniques to defraud Brazilian victims, utilizing region-specific malware (such as two new Boleto malware families discovered by IBM Trusteer researchers in mid-July) and various online thievery schemes.

While the more familiar aspects of identity theft involving e-commerce and online banking fraud are common in many parts of the world, one particular element is unique to identity theft in Brazil. Despite being a key factor in many successful fraud operations in the country, Cadastro de Pessoas Físicas (CPF) fraud is often overlooked.

A CPF is an 11-digit taxpayer identification code issued by the Brazilian Federal Revenue agency. Taxpayers obtain their number by filling out an online form or applying for one through a post office or bank.

When CPF was originally instated, only financial institutions were allowed to ask customers for their CPF. Nowadays, however, CPF is used in a wide array of day-to-day activities in Brazil, with its convenience and ease of use driving its growing utility in personal and commercial activities. Brazilians typically present a CPF when signing up for a bank account, obtaining a credit card, applying for jobs and paying taxes. CPF numbers are also used to identify customers who wish to purchase anything from a mobile phone to a piece of furniture.

CPF Fraud

Since CPF has grown to be the most common form of identification in Brazil, it is no wonder it’s being used in fraud schemes there. Common fraud scenarios involving a stolen CPF identity include opening a bank account or obtaining loans on behalf of a legitimate CPF holder, which, unsurprisingly, ends up as debt in the victim’s name. CPF numbers can also be used in schemes that will reveal a victim’s complete credit card information to the fraudster.

Fraudsters also favor CPF fraud over traditional credit card fraud because activities involving CPF identification are not readily available for holders to track. While credit card holders can easily check their transactions and statements online, it is impossible to do the same with CPF. To check whether any anomalies have been found within their CPF history, CPF identity owners must consult with and receive verbal confirmation from a banker or government official.

Brazil does offer paid online services that let users more closely track their CPF activity, but many locals are not aware of that option, nor do they have the need to regularly track their CPF activity. As a result, CPF holders realize they are fraud victims too late in the game, typically when they attempt to make a purchase or when their request to issue a new credit card is declined.

What Makes CPF an Easy Target for Fraud?

Let’s look at the information on a CPF card. The visual structure of the card is rather simple, with no holder picture printed on it to authenticate the owner. The reason likely lies in the fact that the card was originally meant for tax-filing purposes and presented alongside the holder’s official ID — which rarely happens in Brazil otherwise. The card presents a number, the person’s name and a date of birth. While the card does not typically expire, it can be revoked by the government if a citizen fails to pay federal taxes. This is a rare occurrence; Brazilians would sooner fill out an annual tax exempt declaration than have their CPF card revoked. The reverse side indicates that the card must be presented alongside official identification and shows its date of issue.

Figure 1: A blank CPF card

While simplistic in its personally identifiable information (PII), this identification element is used very loosely in Brazil. Research from 2011 confirmed that Brazilians give out their CPF without hesitation, thinking little of identity theft and its consequences. More than 94 percent of survey participants wrote their CPF on the questionnaire itself. Absurdly enough, the questionnaire was served to the participants as part of an Internet fraud awareness course.

CPF-Focused Fraud-as-a-Service

Naturally, fraudsters take advantage of low-hanging fruit and find CPF cards to be an ideal target. Much like the Russian underground, the Brazilian fraud community operates an evolved ecosystem that facilitates CPF fraud-as-a-service with advice, accomplices and paid services to help newcomers. All a newcomer needs to bring into the mix is a list of valid CPF card numbers, which can be obtained through phishing or malware attacks.

Figure 2: A fraudster in a Brazilian cybercrime forum offers a free download of a phishing kit that steals CPF, among other PII.

Similar to how thieves obtain stolen credit cards and PII online, fraudsters in Brazil can key in a CPF number and pay a small fee for full information on the victim. Details include full name, mother’s name, date of birth, address, ID number and phone number.

Most of these underground sites query government and privately held websites for CPF information and serve it to their dubious clientele. Fraudster service sites are typically operated by cybercrime experts that specialize in finding online resources that, when queried, return much more information than they should — and for little or no effort.

That same information may, of course, be obtained by directly paying a fraudster to do the dirty work rather than working through a service website. Once a fraudster gets hold of the full victim information, the road to a successful fraud operation is open. The next step is a custom spear-phishing email, unique to the victim, that carries concealed malware in order to infect the computer and harvest even more information.

The image below was captured on a Brazil-based underground forum and offers CPF fraud advice directly from the forum’s administrator.

Figure 3: A fraudster in a Portuguese-speaking forum lists the types of information (PII) that can be extracted from legitimate Web resources with just a CPF number. A short explanation by the forum’s admin follows, giving fraudsters tips on how to make use of the PII in fraud schemes.

The next two images show an online interface designed to help fraudsters uncover full personal information on their future victims from a CPF number.

Figure 4, Figure 5: Fraud-as-a-service website designed to obtain full information from a CPF number, as posted by a fraudster in the Brazilian underground.
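
For the operator of a legitimate web resource that accepts a CPF as a lookup key, the bulk querying described above shows up as one client requesting many different CPF numbers in a short time. The sketch below is an added example, not part of the original research: the log format, the `/lookup` endpoint and the thresholds are assumptions, and the mod-11 check-digit rule it uses to discard mistyped numbers is the publicly documented CPF rule, which the article does not cover.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Hypothetical access-log format: "<UTC timestamp> <client> GET /lookup?cpf=<11 digits> <status>"
LINE = re.compile(r"^(\S+) (\S+) GET /lookup\?cpf=(\d{11}) (\d{3})$")

def cpf_is_valid(cpf):
    """Verify the two mod-11 check digits of an 11-digit CPF."""
    if len(cpf) != 11 or not cpf.isdigit() or cpf == cpf[0] * 11:
        return False
    for n in (9, 10):  # index of each check digit
        total = sum(int(d) * (n + 1 - i) for i, d in enumerate(cpf[:n]))
        if (total * 10 % 11) % 10 != int(cpf[n]):
            return False
    return True

def flag_enumerators(lines, window_s=60, max_distinct=3):
    """Return {client: peak count} for clients exceeding max_distinct valid CPFs per window."""
    recent = defaultdict(deque)  # client -> (time, cpf) pairs inside the window
    flagged = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m or not cpf_is_valid(m.group(3)):
            continue  # unparsable lines and mistyped numbers are not counted by this rule
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        client, cpf = m.group(2), m.group(3)
        q = recent[client]
        q.append((ts, cpf))
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()  # drop lookups that fell out of the sliding window
        distinct = len({c for _, c in q})
        if distinct > max_distinct:
            flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

# Constructed sample log; the CPF values are test numbers built to pass the check digits.
SAMPLE_LOG = [
    "2014-08-01T12:00:01Z 203.0.113.7 GET /lookup?cpf=11144477735 200",
    "2014-08-01T12:00:05Z 198.51.100.20 GET /lookup?cpf=52998224725 200",
    "2014-08-01T12:00:09Z 203.0.113.7 GET /lookup?cpf=12345678909 200",
    "2014-08-01T12:00:20Z 203.0.113.7 GET /lookup?cpf=00000000191 200",
    "2014-08-01T12:00:31Z 198.51.100.20 GET /lookup?cpf=52998224725 200",
    "2014-08-01T12:00:40Z 203.0.113.7 GET /lookup?cpf=00000000272 200",
    "2014-08-01T12:00:41Z 203.0.113.7 GET /lookup?cpf=12345678900 404",
    "2014-08-01T12:09:00Z 198.51.100.20 GET /lookup?cpf=11144477735 200",
]

if __name__ == "__main__":
    print(flag_enumerators(SAMPLE_LOG))
```

A client that repeats the same CPF, or spreads a few lookups over several minutes, stays below the threshold; only the client cycling through distinct numbers inside one window is reported.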

Brazil’s large population and the fact that the country is an e-commerce leader in South America are just two factors that make it an extremely lucrative place for cybercriminals. Throw in a wide gap in public awareness regarding identity theft and online security and you have sufficient motivation for new fraud methods and a rapidly growing criminal community pushing fraud losses through the roof. In Brazil, CPF fraud remains an important foundation in a vast array of geospecific cybercrime schemes that is not likely to subside, especially if common Brazilians cannot easily and quickly track their CPF activity.

This article is based on research conducted by IBM Trusteer Fraud Analyst Rachel Zilberberg. IBM Trusteer’s Threat and Intelligence group comprises leading professionals in malware and intelligence research who detect and analyze new, emerging threats in the modern cybercrime landscape.
