Brazilian ‘pirates’ sail around two-factor authentication to vex banking sector

Brazil's underground digital bazaar is host to opportunistic "pirates," some who are quite skilled, Recorded Future says.
Brazilian currency. Criminal hackers in the country have circumvented banks' controls, new research shows. (Flickr: Mark Hillary)

For researchers investigating malicious network activity in a given country, scanning hacker forums is like reading tea leaves. The discussion boards can provide insight about which malware is most popular, its likely victims and some clues that can help identify the thieves cashing in.

In Brazil, underground bazaars host a bevy of hackers that cybersecurity company Recorded Future has dubbed “pirates” for their willingness to change tactics at any time in order to find easy money. That traditionally could mean flooding a large number of users with text messages and counting on someone to click a link, or using spam to change the domain name settings on local routers.

It’s clear now some so-called pirates are capable of more. Skilled Brazilian cybercriminals are able to circumvent two-factor authentication through SIM-swapping, by compromising desktops used for banking, or by directly interfering with the banking sessions, according to research published Tuesday by Recorded Future. The findings illuminate a Brazilian black-hat hacking community that has been overshadowed by headline-grabbing criminality originating in places like Russia and Eastern Europe.

“[A] very select group of Brazilian cybercriminals resemble their Chinese counterparts, in that they can bypass strict internet banking security controls and ATM security in an impressive way,” the Massachusetts-based company said.


Brazilian cybercriminal gangs are “organized into cells — software development, operations, money laundering — in a way that the disruption of one or more cells does not affect the business,” Recorded Future’s report says.

According to the research, the fraudsters have also looked for credit card companies with weak validation procedures and used algorithms to generate legitimate card numbers, sparing them the hassle of stealing the card numbers individually using malware or another means.

The scourge of financial cybercrime is happening in South America’s largest economy, where mobile banking, and the potential vulnerabilities that come with it, has been widely adopted. The severity of the problem has forced Brazilian banks to respond with new security controls, and the country’s National Monetary Council last year began requiring major banks to have a cybersecurity policy.

Cybercrime goes mobile

Brazil, a country of over 200 million people, has been a hotbed for financially motivated hacking for some time. The so-called Boleto trojan malware that surfaced six years ago and targeted the Brazilian banking sector potentially caused $3.75 billion in losses, according to RSA researchers.


For Brazil’s digital thieves, the trojan is the gift that keeps on giving. Earlier this month, Kaspersky Lab researchers reported on a new Android malware family built to steal Brazilian users’ credit and debit card numbers. The trojan began propagating during the 2018 Brazilian elections and has since racked up over 10,00 downloads from the Google Play Store, according to Kaspersky Lab.

The hunt for Brazil’s financially driven hackers continues. On Monday, Microsoft’s threat intelligence unit warned that another Brazilian trojan was phishing for Mexican banking credentials using a spoofed login page.

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.