Thursday, 30. June 2016

Brazilians Migrate to Telegram, Cybercriminals Follow Suit

Staple product offerings like online banking Trojans and tutorials for aspiring cybercriminals are still being peddled in the Brazilian underground market. While old crimeware remain the same, we observed that these young and brazen cybercriminals (two words that aptly describe the Brazilian cybercriminals of today), have switched communication platforms. After the temporary shutdown on WhatsApp last December, cybercriminals changed messaging tools to avoid unwanted attention from law enforcement agencies. Although this shift may be coincidental, the secure messaging features of Telegram, a cloud-based messenger similar to WhatsApp, may make it ripe for abuse.

Brazilian courts required WhatsApp to provide information in relation to criminal investigations at the end of 2015. A court order was issued to telecom providers to block access to WhatsApp, due to failure to abide, forcing users (including cybercriminals) to look for new means to communicate with others. Prior to enforcing the order, WhatsApp had 93 million users in Brazil. This has since dwindled when users moved to  Telegram.

From WhatsApp to Telegram: Why?

Popularity sometimes comes with a price. Such was WhatApp’s and is now Telegram’s case in Brazil. Cybercriminals have long been abusing WhatsApp and similar chat apps for illicit business transactions. So what made Telegram a likely substitute?

Users find Telegram appealing due to features such as seamless multi-device access, “secret chats” with a self-destruct timer wherein you can indicate when the messages will be deleted, file-sharing of different file types of up to 1.5 GB, and “chat groups and channels.” We believe cybercriminals opted for Telegram because, like WhatsApp, it encrypts the messages sent over its network. That said, law enforcement agencies can’t easily prove the illicit nature of cybercriminal transactions conducted via the service. Users can also create and chat with large groups of people at the same time, much like forum pages, where a lot of cybercriminal deals and communications occur.

Telegram can host groups with up to 5,000 members. The only thing users had to do is create a nickname (without ties to an email address) to join a group. In the course of doing research, we found two Telegram groups, with around 10,000 users in total, engaging in suspicious activities such as selling hacked accounts and credit card details, among others. Nicknames don’t necessarily make for easy identification compared with email addresses.

Fig1_telegram_group

Fig2_telegram_group

Figures 1 and 2. Telegram groups engaged in suspicious activities

Telegram lets users create “channels” where they can choose to hide their phone numbers even to other members. For bad guys, this translates to “anonymity.” Members who want to buy any of the product offerings in these “channels” can just send the administrator (most likely the seller) a private message to avail of crimeware.

What products are offered on Telegram channels?

The product offerings sold in the channels we’ve seen include stolen credit cards and credentials to hacked Netflix accounts. What’s interesting though is that these wares are available for free. Peddlers may just be trying to build a reputation of notoriety, hoping to be recognized as the best hackers.

Fig3_stolencc

Figure 3. Stolen credit/debit card data, including proof of validity, posted on a Telegram channel

In some channels, cybercriminals even encouraged group participation, asking successful users of stolen credentials to show proof via screenshots. We also saw a “personal” channel whose solo owner complained about how other groups copied his materials.

Fig4_stolennetflix

Figure 4. Sample stolen Netflix credentials

Fig5_proofstolenCC

Figure 5. Proof that the stolen credentials work


Fig6_listofstolen

Figure 6. List of stolen credit card credentials

Another staple find were phishing pages, one of which spoofed a popular online store in Brazil. We also saw ads for fake pages.

fig10_fakeamericas

Figure 7.  A post advertising a fake page of Americas, an online shopping store

(Translation: Americas Fake Page
For those whose requested me
There is)


fig11_code

fig12_code

Figures 8 and 9. Codes of a sample phishing page pertaining to an online store in Brazil

Going mobile

With the growing number of smartphone users in Brazil, it’s not surprising that the people behind the suspicious Telegram channels target mobile users, too. We’ve seen various rogue apps with different capabilities offered in these channels. Some of these malicious apps are premium abusers and have capability of generating credit card information.

Fig7_apks

Fig8_fakeapps

Figures 10 and 11. Fake apps that offer free streaming services

(Translation: Soon I’ll share few accounts with you. Let’s start your cracked Spotify downloads.
– Image –
Cracked Spotify APP to use limitless, you can unlimited hear musics with no ads! Your just have to login with a new created credential. Or login with a Facebook account. )


Fig9_ccability

Figure 12. Sample app with credit-card-credential-generating capability

What’s in it for young, bold  cybercriminals?

Based on some posts we found, the sellers of stolen credentials are still in high school, most likely younger than 20 years old. We’re not sure if they work alone or in groups. But most are certainly self-taught/self-starters, obtaining knowledge and skills by joining and participating in forums–judging by the number of hacking/carding tutorials and how-to guides they share with other group members.

fig13_proofofage

Figure 13. Proof of a Brazilian cybercriminal’s age

(Translation: Folks, I’m going to school, at 6:30 PM I’ll send more ccs, tks)

Brazilian underground players considered cybercrime as their lucrative job due to the quick monetary gains. It doesn’t help that any aspiring cybercriminal can easily learn the ropes through a myriad of cybercrime training manuals shared or sold underground or available in the Deep Web.

Conclusion

The use of the Surface web and popular messaging tools shows how unfazed these Brazilian cybercriminals are to go against law enforcement. We believe this may change in the future especially if there is collaboration between Brazilian law enforcement and security researchers. In the same manner, we have notified Telegram about the abuse in their service.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Brazilians Migrate to Telegram, Cybercriminals Follow Suit