Always Watch for the Dark Horse: Brazil Enters the Cybercrime Ring

We’ve seen it happen in horse races and elections.  Two well-known hot contenders go neck and neck. Everyone is so completely focused on the two leads that no one sees the dark horse come charging up the middle. Until it’s already there.

In the murky waters of deepweb cybercrime, that dark horse is Brazil.  China and Russia may be attribution’s favourite poster twins but we cannot afford to lose sight of other, future contenders. “Nobody saw it coming” are the wrong words to hear when dealing with cybersecurity. And over the past year, breach after massive breach has shown that, despite our best efforts, we can’t seem to stay ahead of the curve. It isn’t just about the threats and attacks, but about who and why. We really need to know our adversaries. Brazil is the new kid on the block, and he’s big.


As early as 2011, InsightCrime was reporting a surge in cybercrime out of Latin America. What country did they identify at the epicenter? Brazil. Both Norton’s Cybercrime Report and Symantec’s Intelligence Reports for 2011 put Brazil in that same top spot. Fast forward to July 2014. RSA Security discovered a cybercrime operation purported to be what could be the largest electronic theft ever reported: approximately $3.9 billion was stolen through “Boleto Bancario”. That catapulted Brazil into the headlines, bringing into the open what had been building steadily yet unnoticed and unchecked for three years, since 2011.

The unnerving truth about cybercrime is that a lot can happen in a very short time, which is why Brazil should have registered earlier on threat radar. The country is a perfect storm for cybercrime. The stats speak volumes. Per Kaspersky, Internet users in Brazil are the most targeted by cybercriminals in Latin America. Out of 400 million incidents logged over a period in 2015, 31% affected Brazil versus 21% in Mexico, Peru, Colombia and Venezuela. There has been a drastic increase in new users, corresponding with an increase in malicious activity of 197% between 2014 and 2015. This relates directly to the fact that users have no idea of what they should be doing to stay safe. Avast reports that 65% of wireless network routers still used the default ID and password. Symantec showed that in 2013, 61% of adults connected to unsecured and public wireless. And what about the fact that Brazil has the highest internet penetration for the region? Or that Brazil is going through some economic turmoil, which means cuts, and that includes cuts to security?

How does that play out in a country where there is no requirement to disclose any information about breaches? Apparently, not well. At least 75% of those who use the internet in Brazil have been victims of online crime. Brazil passed its first cybercrime law in 2012, but that proved to be ineffective and inefficient.  Penalties are little more than a slap on the wrist, with house arrests or fines being levied. The lack of staff and lack of funding further limit any real action.  And here’s the kicker:  there is no law currently in place to protect personal information. That means – wait for it – that this info, this PII we fight so hard to protect, can be sold or given to anyone in Brazil, legitimate or criminal, with no repercussions.

PandaLabs Report Q1 2015 Infection rates

According to Juan Andres Guerrero, senior security researcher with Kaspersky Labs:

“As far as global fraud is concerned Brazil is almost exclusively at the top …They are fantastically creative …Brazil actually takes an inordinate amount of time [to monitor] because of the amount of malware, the amount of schemes. They are constantly creating these phishing campaigns. They are incredibly elaborate.”

Brazil is a nation plugged in, and online banking reigns supreme at 41% of all transactions, according to Trend Micro’s white paper from 2014, “The Brazilian Underground Market: The Market for Cybercriminal Wannabes.” One of Brazil’s better-known exports is the banking trojan, perfected for the “Boleto” payment system there. Malware changes the bar codes on the boletos to redirect payments to attackers. DNS poisoning is also employed to redirect users. Fake browser windows scoop up credentials as they are keyed in. Malicious browser extensions capture personal data and send it off to attackers. That bestowed upon Brazil the dubious ranking of second worldwide for online banking malware infections, and almost 9% of global malware-infected systems.


From Trend Micro white paper “The Brazilian Underground Market” 2014

William Beer, Managing Director of Cybersecurity at Alvarez & Marsal, told ZDNet:

“There is a lack of focus on cybersecurity both in the public and private sector. Senior executives at organizations don’t really see that as a priority.”

A high internet penetration rate, a high credit card penetration rate, a large user base unaware of good security practices, and a unique banking payment system based on “boletos” have set Brazil apart by creating a cybercrime training ground that’s open for business. For the entry-level fee of $579 US, wannabe cybercriminals can get fraud training and learn FUD crypter programming and trojan coding. Brazil offers the same range of choices as its peers, China and Russia. And in the true spirit of staying competitive, the price of crimeware and service offerings in Brazil has steadily gone down since 2011. But wait – there’s more! They’ve been very good at evading security researchers and law enforcement.

It doesn’t bode well when the criminals openly use social media to flaunt and advertise their business. Whereas cybercrime tends to opt for obscure channels to remain untraceable, the Brazilians are all over Facebook, YouTube, Twitter and WhatsApp to communicate and organize their lives and their business. And why shouldn’t they, in a country where the gains far outweigh the risks? All of which makes Brazil very appealing, and very much the dark horse threat we should have been watching for.
