Tuesday, 18. November 2014

Localized Tools and Services, Prominent in the Brazilian Underground

In our monitoring of the global threat landscape, we tend to notice that countries sometimes are affiliated with a particular cybercriminal activity. One classic example is Brazil, which is known for its association with banking malware. As we noted in a previous blog entry, “[o]nline banking theft is especially rampant in the country, whose history of hyperinflation has once led to an early adoption of online financial systems and a large online banking community.” However, we felt like something was missing. What would explain the growth of these activities in Brazil?

Several factors may have contributed to this growth. For example, Brazil lacks concrete laws that address cybercrime, and its law enforcement agencies have limited resources to deal with it. Additionally, the technological and consumer landscape in Brazil, which has a 50% Internet penetration rate and a 69% credit card penetration rate, has made the country all too appealing for cybercriminals.

However, another factor may have also contributed to Brazilian cybercrime: the existence of a flexible underground market with different offerings, ranging from banking Trojan development to online fraud training. The latter is highly notable because it is the most distinctive item in the market and may not be found in other underground markets.

In Brazil, it’s possible to start a new career in cybercrime armed with only US$500. Would-be cybercriminals are supported and helped by tools, forums, and experts from the dark side of the Internet. These bad guys do not fear the authorities and their groups get bigger in a short span of time.

These criminals use a wide array of tools and services for their communication. These include IRC channels, Deep Web forums, and private servers. Social networks and encrypted text chat software, including those for mobile, are also heavily used by the bad guys. In short, cybercrime communication is made easy, which makes law enforcement efforts more difficult.


Figure 1. A sample post in an underground forum, which translates to “Can anyone help me with credit card stealing? I’d like to start working on this.”

Our paper, “The Brazilian Underground Market: The Market for Cybercriminal Wannabes?,” discusses at length the tools and services sold in the Brazilian black market. The paper also talks about the characteristics that set it apart from other underground markets. For example, Russian and Chinese cybercriminals hide in the deep recesses of the Web and use tools that ordinary users do not, such as Internet Relay Chat (IRC) channels. Meanwhile, Brazilian cybercrooks use more popular means like Facebook, YouTube, Twitter, Skype, and WhatsApp for organizing and advertising.

Another key feature of Brazilian online threats is that they mostly target local victims. These threats are developed locally, sold to local criminals, and used to target fellow Brazilians. Because of this ‘localization,’ there is no good way to get threat intelligence unless we immerse ourselves in the Brazilian landscape.

By providing information on the kinds of threats or attacks offered by the Brazilian underground, we hope to help companies and users to defend themselves. We also aim to help law enforcement agencies and researchers get intelligence on cybercrime operations.

This is part of the Cybercrime Underground Economy Series of papers, which take a comprehensive view of various cybercrime markets from around the world.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro
