Brazilian ‘pirates’ sail around two-factor authentication to vex banking sector

For researchers investigating malicious network activity in a given country, scanning hacker forums is like reading tea leaves. The discussion boards can provide insight about which malware is most popular, its likely victims and some clues that can help identify the thieves cashing in.

In Brazil, underground bazaars host a bevy of hackers that cybersecurity company Recorded Future has dubbed “pirates” for their willingness to change tactics at any time in order to find easy money. That traditionally could mean flooding a large number of users with text messages and counting on someone to click a link, or using spam to change the domain name settings on local routers.

It’s clear now some so-called pirates are capable of more. Skilled Brazilian cybercriminals are able to circumvent two-factor authentication through SIM-swapping, by compromising desktops used for banking, or by directly interfering with the banking sessions, according to research published Tuesday by Recorded Future. The findings illuminate a Brazilian black-hat hacking community that has been overshadowed by headlining-grabbing criminality originating in places like Russia and Eastern Europe.

“[A] very select group of Brazilian cybercriminals resemble their Chinese counterparts, in that they can bypass strict internet banking security controls and ATM security in an impressive way,” the Massachusetts-based company said.

Brazilian cybercriminal gangs are “organized into cells — software development, operations, money laundering — in a way that the disruption of one or more cells does not affect the business,” Recorded Future’s report says.

According to the research, the fraudsters have also looked for credit card companies with weak validation procedures and used algorithms to generate legitimate card numbers, sparing them the hassle of stealing the card numbers individually using malware or another means.

The scourge of financial cybercrime is happening in South America’s largest economy, where mobile banking, and the potential vulnerabilities that come with it, has been widely adopted. The severity of the problem has forced Brazilian banks to respond with new security controls, and the country’s National Monetary Council last year began requiring major banks to have a cybersecurity policy.

Cybercrime goes mobile

Brazil, a country of over 200 million people, has been hotbed for financially-motivated hacking for some time. The so-called Boleto trojan malware that surfaced six years ago and targeted the Brazilian banking sector potentially caused $3.75 billion in losses, according to RSA researchers.

For Brazil’s digital thieves, the trojan is the gift that keeps on giving. Earlier this month, Kaspersky Lab researchers reported on a new Android malware family built to steal Brazilian users’ credit and debit card numbers. The trojan began propagating during the 2018 Brazilian elections and has since racked up over 10,00 downloads from the Google Play Store, according to Kaspersky Lab.

The hunt for Brazil’s financially-driven hackers continues.  On Monday, Microsoft’s threat intelligence unit warned that another Brazilian trojan was phishing for Mexican banking credentials using a spoofed login page.