Brazilian phishers, who already try to steal frequent-flyer program points to fly for free or buy gas, have now set their sights on stealing the numbers and passwords of cards that companies give to their employees as benefits, allowing them to buy specific goods or services, such as food, gas or public transport.
Local news outlets have already reported on several citizens complaining that their cards had been “zeroed”. It is now known that some of these attacks might have started with a fake e-mail message presenting itself as a notice by Sodexo, the issuer of such cards.
These kinds of vouchers or cards are very popular in Brazil: companies use them to subsidize food costs for staff, and they operate as payment cards in partner stores and restaurants. The balance is steadily spent as users buy their food, and all transactions are protected by individual passwords.
The card operators also enable users to check or top up the balance online, and this is the window of opportunity that Brazilian phishers are exploiting to steal data – and the cash on these cards.
The phishers start the attacks by sending malicious messages informing users that their cards have been blocked and need to be unlocked.
The link in the message points to a phishing site that looks identical to the legitimate card site and asks for the card number, CPF number (SS number) and, of course, the password.
This is all the information the phishers need to clone the card and steal the balance. The data can be exploited or sold on, and a database that shows details of the victims of these attacks appeared on the same domain.
Traditional criminals have also been aiming to steal these cards using more “conventional” means. Brazilian police arrested at least 20 individuals suspected of involvement in the cloning of luncheon voucher cards using devices known as “chupa-cabras” (skimmers) to steal the data. They then used the balance to buy food and home appliances.
Sodexo said they’re working with authorities to investigate these fraud attempts and that they don’t send any e-mail messages requesting information or credentials from their card holders.