Fraud’s New Frontier
Cybercrime in Brazil is on the rise, with gangs offering training to aspiring fraudsters at very reasonable rates.
Words Sean Stillmaker
Illustration Adrian Johnson
With very little money and no experience necessary, anyone in Brazil can be a cyber criminal. As Brazil has rapidly transformed into one of the world’s largest economic markets and most connected countries online, it has also become the new frontier for domestic cyber criminals who’ve comfortably amassed billions in stolen finances from the nation’s technologically naïve population.
Brazil currently has an internet penetration rate of over 50%, meaning that more than half the population has access. The country also has 280 million mobile phones (nearly one and a half for every citizen) and is the world’s second largest Facebook user network (just behind the US). But users are poorly versed in online safety, with weak passwords and absent firewalls leaving them exposed to system infiltration.
For potential fraudsters, the tools of the trade come cheap. Banking Trojan source code costs as little as R$1,000 ($260). For credit card fraud, R$350 ($92) provides credentials for cards with limits over $2,500, plus a random number generator thrown into the bargain for free. If these toolkits are too advanced, a ten-module cyber fraud training course with practical exercises simulating attacks can be purchased for just R$1,200 ($315).
“Sometimes we think that in order for an attacker to be successful he or she needs to be a highly skilled technician, but in reality it is all about social life and cultural understanding,” says Dmitry Bestuzhev, head of research and analysis for Latin America at IT security firm Kaspersky Lab. “Where there are masses, there is money, and cyber criminals are well aware of this.”
As a consequence the primary geographical targets for Brazilian cyber criminals are Rio de Janeiro and São Paulo. These megacities have populations of approximately 12.8 and 20.8 million respectively — populations that frequently use an online banking system prone to successful attack.
Brazil’s most common form of banking is the Boleto, a digital invoicing system much like the UK’s Direct Debit scheme, enabling payment for a variety of services, taxes and other routine payments. Each transaction is given a unique barcode identification number and can be distributed in person, online, or through an ATM.
Boleto fraud is easily accomplished by infiltrating a user’s system through malware and changing the Boleto barcode before the invoice has fully downloaded. The payment made against the false barcode is then routed to the criminal’s bank account instead of the intended recipient’s, with victims remaining unaware until they’re notified of a delinquent payment or of insufficient funds in their account.
Although Brazilian cyber criminal networks have yet to be implicated in foul play on the level attained by alleged state-sponsored hacker groups like North Korea’s Bureau 121, Russia’s APT28 or China’s PLA Unit 61398, numerous local and international internet security analysts assert that the problem is very much on the rise. According to a 2014 analysis report by RSA, the security division of IT solution firm EMC, local cyber criminals have persistently exploited Boleto system weaknesses, amassing over $3.7 billion since 2012 — the majority of which is concentrated in Rio de Janeiro and São Paulo. Local research analysts have contested the RSA figure as being too high, but sources close to Kaspersky Lab estimate Boleto fraud to be between $704 million and $1.1 billion in damages over the approximately three-year period. Similarly, the Rio-based think tank Igarapé Institute estimates that internet crime in Brazil, including fraud and stolen banking information, stands at $8 billion in annual losses — 7% of the total global annual loss generated by cybercrime.
With worldwide attention focusing again on Rio de Janeiro next summer for the 2016 Olympics, federal law enforcement officials have been upping their digital counter-measure strategies and increasing digital surveillance. The 2014 World Cup offered a testing ground of sorts for local hacktivists to exploit the vulnerabilities of numerous government and private company system networks. Just under two weeks prior to the first match of the tournament, the hacker group Anonymous took control of the Foreign Ministry’s systems network, temporarily suspending the ministry’s access and compromising 55 email accounts. However, the actual extent of the hacking was much larger than reported, with Anonymous taking control of numerous state and private websites. This time, the authorities plan to be ready.
But although counter-measures have been taken by the state to tackle cyber crime directly in São Paulo and Rio, the Igarapé Institute suggests that more structure within the public finance budget is necessary, with greater allocations for cyber defence. Private security firms are providing details on digital threats and offering some preventative solutions, but the activities of cyber criminals will only increase in coming years. All that is certain is that the cost of failure will be far greater. For now, anyone with time and tech know-how stands to make a quick buck by exploiting the many weaknesses of cyber security systems.