Fraud’s New Frontier

Cybercrime in Brazil is on the rise, with gangs offering training to aspiring fraudsters at very reasonable rates.

Words Sean Stillmaker
Illustration Adrian Johnson

With very little money and no experience necessary, anyone in Brazil can be a cyber criminal. As Brazil has rapidly transformed into one of the world’s largest economic markets and most connected countries online, it has also become the new frontier for domestic cyber criminals who’ve comfortably amassed billions in stolen finances from the nation’s technologically naïve population.

Brazil currently has an internet penetration rate of over 50%, meaning that half the population has access. The country also has 280 million mobile phones (nearly one and a half for every citizen) and is the world’s second largest Facebook user network (just behind the US). But users are poorly versed in online safety, with weak passwords and absent firewalls leaving them exposed to system infiltration.

For potential fraudsters, the tools of the trade come cheap. A banking Trojan source code costs as little as R$1,000 ($260). For credit card fraud, R$350 ($92) provides credentials for cards with limits over $2,500, plus a random number generator thrown into the bargain for free. If these toolkits are too advanced, a ten module cyber fraud training course with practical exercises simulating attacks can be purchased for just R$1,200 ($315).

“For potential fraudsters, the tools of the trade come cheap. A banking Trojan source code costs as little as $260.”

“Sometimes we think that in order for an attacker to be successful he or she needs to be highly skilled technician, but in reality it is all about social life and cultural understanding,” says Dmitry Bestuzhev, head of research and analysis for Latin America at IT security firm Kaspersky Lab. “Where there are masses, there is money, and cyber criminals are well aware of this.”

As a consequence the primary geographical targets for Brazilian cyber criminals are Rio de Janeiro and São Paulo. These megacities have populations of approximately 12.8 and 20.8 million respectively — populations that frequently use an online banking system prone to successful attack.

Brazil’s most common form of banking is the Boleto, a digital invoicing system much like the UK’s Direct Debit scheme, enabling payment for a variety of services, taxes and other routine payments. Each transaction is given a unique barcode identification number and can be distributed in person, online, or through an ATM.

Boleto fraud is easily accomplished by infiltrating a user’s system through malware and changing the Boleto barcode prior to being fully downloaded. The payment through the false barcode is then routed to the criminal’s bank account instead of the intended recipient, with victims remaining ignorant until they’re notified of a delinquent payment or insufficient funds in their account.

Although Brazilian cyber criminal networks have yet to be implicated in engaging on the level of foul play attained by alleged state-sponsored hacker groups like North Korea’s Bureau 121, Russia’s APT28 or China’s PLA Unit 61398, numerous local and international Internet security analysts assert that the problem is very much on the rise. According to a 2014 analysis report by RSA, the security division of IT solution firm EMC, local cyber criminals have persistently penetrated Boleto system weaknesses, amassing over $3.7 billion since 2012 — the majority of which is concentrated in Rio de Janeiro and São Paulo. Local research analysts have contested the RCA figure as being too high, but sources close to Kaspersky Lab estimate Boleto fraud to be between $704 million and $1.1 billion in damages over the approximate three year period. Similarly, the Rio-based think tank Igarapé Institute, estimates that internet crime in Brazil, including fraud and stolen banking information, stands at $8 billion in annual losses — 7% of the total global annual loss generated by cybercrime.

“Just two weeks prior to the first match of the World Cup, the hacker group Anonymous took control of the Foreign Ministry systems network.”

With worldwide attention focusing again on Rio de Janeiro next summer for the 2016 Olympics, federal law enforcement officials have been upping their digital counter-measure strategies and increasing digital surveillance. The 2014 World Cup offered a testing ground of sorts for local hacktivists, to exploit the vulnerabilities of numerous government and private company system networks. Just under two weeks prior to the first match of the tournament, the hacker group Anonymous took control of The Foreign Ministry systems network, temporarily suspending the ministry’s access and compromising 55 email accounts. However, the actual extent of the hacking was much larger than reported, with Anonymous taking control of numerous state and private websites. This time, the authorities plan to be ready.

But although counter-measures have been taken by the state to tackle cyber crime directly in São Paulo and Rio, the Igarapé Institute suggests that more structure within the public finance budget is necessary, with greater allocations for cyber defence. Private security firms are providing details on digital threats and offering some preventative solutions, but the activities of cyber criminals will only increase in coming years. All that is certain is that the cost of failure will be far greater. For now, anyone with time and tech know-how stands to make a quick buck by exploiting the many weaknesses of cyber security systems.

This is article is from Weapons of Reason’s second issue: Megacities.
Weapons of Reason is a publishing project to understand and articulate the global challenges shaping our world by Human After All design agency.

Created in partnership with…





Issue two of Weapons of Reason explores another huge global challenge: Megacities. Weapons of Reason is a publishing project by Human After All design agency in London.

Recommended from Medium

Understanding Software Security

Estimated 35 Million Voter Records For Sale on Popular Hacking Forum

{UPDATE} My Dog Album - Álbum de Figurinhas de Cachorros Hack Free Resources Generator

Breach Notification Laws Impose High Penalties

Top 5 Cyber Security Tips for Small Business in 2018

Am I on the list?

Why We Invested: Revelstoke

Classification, Anomaly Detection and Prediction

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Weapons of Reason

Weapons of Reason

A publishing project by @HumanAfterAllStudio to understand & articulate the global challenges shaping our world. Find out more

More from Medium

Michael Whitehouse: The Guy Who Knows A Guy

My Thoughts on Autonomous Cars

I’m a Longtime Pro Editor Offering Consultation to New Editors

Binge Watch for Women Entrepreneurs

Girl Boss series