Fraud and cybercrime in Latin America: an evolving threat landscape
Internet penetration is rapidly increasing in Latin America. Mobile usage is commonplace, and more people own bank accounts than ever before which means online transactions are also on the rise. This is great news for innovative Latin American companies, and consequently, cybercriminals targeting them. With higher levels of growth across the region, there are significantly increased opportunities to defraud individuals and organizations.
Our analysts predict that cybercrime is likely to increase across Latin America as a less mature marketplace and still vulnerable to older TTPs. A bellwether for this trend is usually the number of credentials our infrastructure detects geolocated to the region. We have observed almost a 77% year-over-year increase in the number of credentials belonging to Latin American markets in 2018. Compared to the second half of 2017, we observed a jump of nearly 200% in the second half of 2018.
In our recent Threat Landscape Report 2018-19, we explore the TTPs threat actors are leveraging in the region in-depth. The report more generally acts as a resource for business leaders and decision-makers interested in managing their digital risk. This short blog pulls out some topline intelligence about Latin American cybercrime. We invite you to take a look at the report for greater detail.
Der vollständige Bericht ist auch in deutscher Sprache unter diesem Link verfügbar.
Brazil experiences the greatest number of phishing attacks in the world, with nearly a quarter of the population either being targeted by or falling victim to phishing schemes in the first half of 2018. Argentina, Venezuela, and Bolivia also find themselves among the top ten countries most impacted by phishing.
In November 2018, we detected 125 phishing-dedicated crimeservers hosting phishing pages with Mexican TLDs. From December 1st 2017 to November 30th 2018, over 71% of the 1,800 crimeservers hosting pages with Mexican TLDs were phishing-related.
There are various phishing-related Crimeware-as-a-Service (CaaS) offerings within the Latin American – particularly Portuguese-language – underground. These services are typically advertised on WordPress blogs. They allow newbies to cut their teeth in the world of cybercrime while paying for the help they need, and veteran cybercriminals to outsource elements of their fraud schemes.
In addition to stealing payment card information, phishing pages are employed by cybercriminals in hopes of compromising credentials, PII, or other monetizable information.
Our analysts determined Mexico, Colombia, Brazil, Argentina, and Peru are the top five Latin American countries most impacted by malware distribution. Most of the malware families found in the TOP5 in those countries are Remote Access Trojans (RATs), njRAT, DarkComet and XtremeRAT being the most popular ones.
Point of Sale (POS)
Our analysts assess that the development and utilization of POS malware in Latin America will likely increase. Latin American users are opening more and more banks accounts and using debit cards more often. But many of these cards either have weak (static data authentication instead of dynamic data authentication) or nonexistent EMV chip technology – making the region particularly vulnerable to breaches from POS malware.
Rewards Points Theft
Illicit ‘travel agencies’ offering to fraudulently book flights, hotels, and other tourism-related activities are commonplace in the cybercriminal underground. Threat actors offering these services allow their clients to plan trips for a fraction of the actual cost – typically between 30% and 50%.
Our analysts conclude the majority of the vendors are using compromised rewards points. They may come from accounts directly related to travel services – such as frequent flyer miles or hotel rewards points – or from other accounts that include travel rewards points as a bonus, such as a bank account with a credit card that earns miles.
Obtaining carded purchases online – simply known as compras in Spanish – is popular in various Spanish-language underground communities. The scheme attracts the interest of both novice cybercriminals looking to fraudulently obtain products as well as veteran crooks that have turned obtaining compras on behalf of paying clients into a business model.
Many retailers operating in Latin America do a poor job at tracking and preventing compras fraud. Guides and vendors state it’s safe to ship multiple carded purchases directly to the fraudster’s home address, underscoring a failure on the part of retailers and e-commerce sites to track and flag fraud. It’s highly likely both new and old cybercriminals will continue to be attracted to committing this type of fraud.
Unlike compras fraud, refund fraud does not use compromised payment card information but rather relies on social engineering techniques. Cybercriminals make customer service representatives believe there has been an issue in the shipment or delivery of the purchase – such as that the package never arrived, was stolen, was empty, or that the items within the package were somehow sullied.
E-commerce will become increasingly prevalent in Latin America as internet penetration increases along with the banked population. And as more individuals use e-commerce platforms, fraudsters will continue to test how they can abuse them.
Those interested in binero fraud endeavor to discover specific bank identification numbers (BINs) that are improperly validated by online payment processors. Once a BIN and website combination has been discovered, the fraudster will fabricate the rest of the information necessary for making an online purchase – such as the remaining 10 digits of the card number – and conduct the ‘purchase’ using this invented card.
Binero fraud has gained the interest of Latin American cybercriminals, with Spanish-language forums often hosting binero-specific subforums or regularly seeing individuals sharing binero fraud guides – meaning binero fraud will likely continue across the region.
Many Latin American financial institutions have been slow to adopt EMV security measures for payment cards, leaving the region particularly vulnerable to skimming. Skimming is when threat actors use devices, called “skimmers,” to read, record, and thereby steal the track data encoded on the payment card’s magnetic stripe.
Often fraudsters will insert skimmers into point-of-sale devices or ATMs in order to surreptitiously gather information from payment cards. Fraudsters working in the service industry who regularly come in contact with high-value cards might use use pocket-sized skimmers to collect data manually from clients.
Both legitimate e-commerce sites, such as MercadoLibre in Latin America, as well as deep and dark web forums and marketplaces carry and sell skimming devices.
In this article, we touch on popular regional fraud schemes, why phishing campaigns are so lucrative for Latin American cybercriminals, and which countries are most impacted by malware distribution. It is evident a cybercriminal ecosystem is alive and well in Latin America. And with little legislation to protect against cybercriminal activity, attacks are likely to become more prevalent across the region in the years to come.
Blueliv’s real-time threat intelligence enables businesses to address these growing cyberthreats proactively by scouring the open, deep and dark web to deliver fresh and actionable threat intelligence. Our cloud-based platform – Threat Compass – turns threat data into sophisticated, actionable intelligence, helping organizations protect themselves from the outside in, in Latin America and beyond.