Brazil does not have a highly organized hacker underground in the same way as Russia and eastern Europe. Most of the malicious activity by Brazilian actors is within Brazil against Brazilians. The primary reasons are geography and language, and very strict money moving laws. But this does not mean that Brazil lacks hacking capabilities, nor that the rest of the world can ignore Brazilian hackers.
In its latest regional analysis of hackers and hacker communities, Recorded Future’s Insikt intelligence group describes Brazilian hackers as ‘pirates’ — continually changing targets and tactics to get the easiest money. “When companies react to their activity by increasing security controls, they move to another business.”
The Brazilian criminal underground is more like the Chinese rather than Russian underground. Chinese cybercriminals tend to rely on apps such as QQ and WeChat for their discussions; while Russia is characterized by formal, well-organized, threaded forums. “The Brazilian forum platform of choice is dynamic, changing based on broader social trends and law enforcement efforts. Currently, the forums of choice are WhatsApp and Telegram.”
The report highlights four characteristics of Brazilian hacking: carding, spam, mass pharming, and the ability for the top tier hackers to bypass two-factor authentication. These have evolved within a fairly unique hacking community. For example, Recorded Future notes that Brazilian hacking gangs are organized more like terrorist cells — with different cells having different responsibilities — than the more common self-contained gangs found elsewhere. It means that taking down one cell has little effect on the overall cybercrime activity.
Carding is illustrated by a successful attack against Tesco Bank in November 2016. Tesco lost a total of £2.26 million from 20,000 of its 136,000 current accounts. A ‘final notice’ from the UK’s Financial Conduct Authority (FCA) fined Tesco £16.4 million. It had taken the bank more than 36 hours to locate and block (ineffectively) the source of the attack. It wasn’t until more than 60 hours after the start of fraudulent transactions that the bank put a block on all online transactions. By this time, it was known that the activity was coming from Brazil.
The FCA report concluded, “The attackers most likely used an algorithm which generated authentic Tesco Bank debit card numbers and, using those ‘virtual cards’, they engaged in thousands of unauthorised debit card transactions.” This is typical of Brazilian hackers. “There is strong activity of credit cards generated by algorithms, referred to as ‘geradas’,” reports Recorded Future. “They look for companies that donít validate cards appropriately, which they call ‘cardeaveis’, or ‘susceptible to carding’, and exploit them.”
Spam has always been a popular method of distributing phishing and malware. But as spam security has improved, the hackers have adapted by combining spam with pharming. Pharming involves subverting DNS name resolution, and forcing users to visit the right website address on the wrong server. While this began as attacks on individual computers, such attacks are easily detected and prevented by good anti-malware.
So, the pirates of Brazil adapted again and turned to attacking customer-premises equipment (CPEs); that is, the routers provided by the ISPs. Since most users never change their routers’ default password, it is relatively easy to deliver spam with local network URLs that change the DNS settings of the local router.
Over time, alternative methods of router exploitation were used. In 2014, a router attack employed both methods. A spam campaign sent users to a website containing scripts that would attempt to brute force the routers credentials (reported by Kaspersky Lab), while separately the attackers (or possibly other attackers) compromised a local media site and set it up to hack routers and change their DNS configurations (reported by Sucuri).
“In September 2018,” notes the Recorded Future report, “360 Netlab reported two incidents (September 4 and September 29) involving more than 85,000 routers in Brazil. Affected companies involved all major local banks, web hosting companies, and Netflix — a common credential for sale in Telegram channels.”
An example of Brazilian malware bypassing a bank’s 2FA — described by Kaspersky Lab in 2016 — involved a dormant compressed RAT with an associated browser watcher. If the watcher detects a target bank being accessed, the RAT would decompress and notify the C&C. This allowed the attacker to take over the bank transaction in real time. The screen view shown to the victim is locked and the attacker is able to request any information necessary — such as the separate SMS 2FA token. While the victim thinks he is dealing with the bank, he is actually dealing with the attacker — who proceeds with his own bank transaction hidden from the victim.
Two primary factors have tended to keep Brazilian hackers off the world stage (in comparison to, say, Russian and Chinese hackers). The first is the relative cultural isolation of Brazil. The language is a Brazilian form of Portuguese, surrounded by Spanish-speaking countries; while moving money across international borders, even within Latin America, is difficult. “The processing of international payment orders,” explains Recorded Future, “is treated as a currency exchange transaction. As such, additional controls against money laundering and tax evasion are applied, making moving money across country borders harder.”
The second is that among the global regions previously analyzed by Recorded Future (such as Russia, China and Iran), Brazil has no known track record of international state-level cyber espionage.
But despite the Brazilian nature of Brazilian hacking, it would be a mistake to completely ignore the potential extranational threat. The top tier hackers have displayed a willingness and ability to rapidly adapt to new conditions, and could potentially expand their activities beyond the occasional foray outside their own country to more persistent activity.