
The rise of the Brazilian Cybercriminal Underground in 2015

Pierluigi Paganini January 20, 2016

Trend Micro has published a new report on the Brazilian Cybercriminal Underground, a criminal ecosystem that is becoming one of the most important in the world.

A first study on the Brazilian criminal ecosystem was published by the security firm in November 2014. Trend Micro described a thriving marketplace where cyber criminals offer their services and products to criminal crews that, instead of creating their own attack tools from scratch, could benefit from the competitive offer. The study reported the principal solutions and services offered to the crooks in a sales model known as crime-as-a-service, which is able to attract new actors to the cyber arena.

This new study confirms that new players appeared in the Brazilian cybercriminal underground in 2015, mainly unscrupulous youngsters.

“Most of them are young and bold individuals with no regard for the law. Unlike their foreign counterparts, they do not rely so much on the Deep Web for transactions. They exhibit blatant disregard for the law by the way they use the Surface Web, particularly popular social media sites like Facebook™ and other public forums and apps,” states the report.

The report confirms a trend observed in the previous study: bad actors in the Brazilian Cybercriminal Underground have great expertise in online banking malware. The black market is very prolific and new malware continues to appear, but as explained in the report it is quite easy to pay for ransomware, or for the customization of any malicious code.

Brazilian Cybercriminal Underground banking malware

Understanding the underground players means understanding the overall market, so how do they operate?

“Brazilian cybercriminals operate either solo or in groups, though more often than not, they prefer to work individually. They can be classified under two main categories—developers and operators.”

The developers are normal people with an educational background who turn to cybercrime because it is a lucrative job; they are the ones behind the creation of new malware. They don’t use the deep web like their peers in other countries; they prefer to publicize their products through social media platforms like Facebook, Twitter™, YouTube™, Skype™, and WhatsApp™. Developers are normally young students who are financially motivated.

“One such developer is the notorious 20-year-old Lordfenix2 whom we profiled in June 2015. This computer science student was able to build more than 100 banking Trojans that can bypass Brazilian banks’ security measures. This has earned him a reputation as one of the country’s top banking malware creators. He supposedly started developing his own malware when he was still in high school and remains an active underground player to date.” continues the report.

The operators may or may not have a specific educational background. They are the actors who buy the malware from the developers, normally via the crime-as-a-service model, and they are the ones who interact with the actual victims. Operators are the ones that law enforcement agencies normally catch, as opposed to the malware developers, who are hard to track down.

Which products/services can be found in the Brazilian underground?

Ransomware

A very important tool in the underground, and a must-have in a cybercriminal arsenal. Anyone can get it for US$3,000 or 9 Bitcoins, and can use it on Windows®, Linux®, Android, iOS™, and OSX devices. It encrypts all sorts of files.

Modified Android apps

Another big hit that recently appeared in the Brazilian criminal underground. These apps can be configured to steal credentials or credit card info.

PII-querying services

These services are normally sold for US$6.81, or 0.015 bitcoins, and can get you information such as the vehicle registration plate database or the CadSUS database (the Brazilian health card system).

KAISER malware

KAISER is malware focused on bypassing the time-based token system of Sicredi (a Brazilian credit union), among many others. It can also target clients of the banks Banco do Brasil, Itaú, HSBC, Santander, and Bradesco. The malware logs the victim’s credentials.

Proxy keyloggers

Useful tools to redirect victims to the attacker’s page, like a fake bank page. Once infected, the victim’s computer can be accessed remotely and the attackers can see the victim’s screen.

Remota keyloggers

Remota means remote. This keylogger has the ability to fake all sorts of browser windows when a user tries to access a bank site. For US$511.61, an operator can get full support and updates each week.

DNS changers

DNS changers are offered for sale in the market for around US$1279.02 (prices may vary). They redirect the victim to phishing pages when accessing a target site. DNS changers found in Brazil during 2015 were mainly written in JavaScript.

Cybercrime training

In the Brazilian market it is possible to pay for all sorts of training courses, including malware development, managing botnets, stealing credit card data, among many others.

Crypter programming

For around US$51.16, programming training with online support via Skype is available.

Credit card-related goods

In this domain you can find many things, such as stolen credit card credentials, credit card number generators, etc.

PoS skimmers

Cybercriminals modify legitimate PoS terminals to be able to steal credit card data; these devices are normally sold for around US$2046.43.

Modified smart card readers and writers

Modified Europay, MasterCard, and Visa (EMV) card readers are commonly sold in the Brazilian underground. A modus operandi was recently discovered in which the cyber criminals would convince a waiter to use a modified PoS terminal for credit card payments. The waiters were offered US$255.80.

Credit card transaction approval services and training

In this case, the crook needs to work with more accomplices who are experts at getting transactions made with stolen credit cards approved. They normally help the operator use the stolen card to buy goods online.

Fake documents and counterfeit money

You can get a new ID card, or a new driver’s license.

Fake diplomas

Why not get a fake degree? Perhaps someone wants to start a dentist practice!

Counterfeit money

Counterfeit money has always been used, and this underground is no different: you can get fake money.

Brazil, with its socio-economic landscape and weak laws, represents the perfect environment for the growth of the Brazilian underground, since this criminal ecosystem can provide quick returns for its actors. Many training courses and tools are available to everyone who wants to learn and apply them. Another serious issue is that law enforcement is not heavily searching for cyber criminals because there are other priorities. Please feel free to check out the full

Let me suggest reading the report … it is a must-read for experts and enthusiasts.

About the Author Elsio Pinto

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics, and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog, http://high54security.blogspot.com/

Edited by Pierluigi Paganini

(Security Affairs – Brazilian Cybercriminal Underground, cybercrime)

