RSA’s claims that Brazilian hackers stole billions by redirecting “boletos” attracted some attention to the Brazilian hacking scene and electronic fraud in the country. Brazilian frauds are very localized and peculiar, so for that reason I have decided to write a primer on the subject.
I might forget to list some things — hopefully not any important ones. But if you have any suggestions, please contact us. This should be a living document, at least for a while.
Table of contents
- The hacking scene and defacements
- Enter the trojans
- Notorious incidents
- Organization and money laundering
THE HACKING SCENE AND DEFACEMENTS
It is hard to talk about the hacking scene because everyone looks at the “scene” from a different angle. This is by no means a comprehensive description; we will only look at what may provide an interesting perspective on current cybercrime.
Defacements and police inaction
What matters to us is the explosion of the website defacement scene in the early 2000’s. At the time, several Brazilian groups exhibited a lot of activity, competing for top spots in defacement archives such as Zone-H, Alldas.de and Delta5, which was a Brazilian mirror that eventually had to archive its own defacement. The groups organized themselves in Internet Relay Chat (IRC) rooms in public and popular Brazilian chat networks, such as BrasNET and BrasIRC.
There were even times when the groups came together to see who would hack the most websites in a single day. Groups opposed to these competitions would try to use Denial of Service attacks to take down the mirror websites for the day, so as to prevent any independent verification of the attacks and remove the incentive for them to happen.
These IRC networks were popular. For a time, BrasNET had more online users than web chat rooms in popular internet portals in the country. The hackers had no intention to hide and many left their IRC information on every defaced web page. The networks themselves tried to not pick a fight with these groups — attacks were not infrequent, and ultimately BrasNET was taken offline due to an extortion incident involving a DDoS attack in 2007.
There was no law to curb this activity. Except for a few cases, which involved DDoS attacks against major ISPs or other large companies inside the country, law enforcement action was non-existent. Many people gained knowledge and Brazilian defacers even started to produce or make use of local tools.
This report from 2001 [pt] talks about the phenomenon. It says that a certain Brazilian group, Silver Lords, leads the ranking at defacement mirror website Alldas. At the time, when most people in the country were still on dial-up, the report says that there are about 50 hacking groups in Brazil.
Eventually, these people, most of whom were teenagers, got attracted to the idea of buying things by using stolen credit cards.
The path to carding
Perhaps on the heels of IRC channels such as “DiGratis” (ForFree), which offered passwords to access websites and even free internet access, such as toll-free numbers for dial-up users with working passwords, Brazilian defacers soon started to obtain and use stolen credit card numbers to get free goods.
The mentality for some was that nobody was hurt by those frauds. Instead, big banks and other financial institutions absorbed all losses and, given the profits they had, they would not miss the money.
Reasons aside, a shift started. All the skills learned for defacement were now useful to get tangible goods. For many, this was the first time that was happening in their lives. The tricks they had learned, to hack servers and use them for all kinds of things, now had a new, profitable purpose, while the legal market was looking at hiring programmers for less than US$ 400 a month.
From card to banking
There are no written and proven theories about how those scattered hackers started to move on to stealing on a professional and organized level. Nevertheless, there is one theory that this transition was led by people already involved in organized crime in Brazil.
They would be the same people that were already involved in card skimming. Card fraud is huge in Brazil with over US$ 500 million a year being lost to card frauds, despite the fact that Brazil is a leader in adoption of chipped cards — a measure that was very urgent in the country precisely because of how commonplace skimming is.
Unlike pure cybercrime, card skimming involves heavy investments on making the actual devices, as well as the counterfeit cards. The Brazilian gangs were so well established it is believed they had people inside Correios, the Brazilian postal service, to capture cards and passwords in transit.
In that vein, I have heard that those early carders and hackers got offers in which they would receive goods, money or services in exchange for programs or hacking services used to steal credit cards or, as soon happened, banking credentials. Those masterminds would take care of the laundering, making the job safe for them.
Nowadays, Brazilian cybercriminals do seem to act independently, or have the resources to do so. As before, IRC is where they still get together to exchange information and find their mules, but this time special-purpose networks are used. The most common ones are Fullnetwork and Silverlords.[1]
Old-school malware and ‘electronic poetry’
This section is based on research done by virus analyst Fabio Assolini.
Brazil made its share of not-for-profit malware in the late 90’s and early 2000’s. Vecna, a member of the 29A group, famous for making breakthrough malware code, was Brazilian. In an interview to the Barata Elétrica e-zine in 1999, Vecna said he perceived viruses as “electronic poetry.”
Another individual or group identified as AleVirus programmed several macro viruses for Microsoft Word. Opaserv, a worm which spread through Windows shares on Windows 95/98 systems, had at least six versions with Portuguese swear words as filenames and other behavior which points to a Brazilian origin; the worm spread considerably in Brazil as well. At one point, it was the 3rd most common malware in the world.
In 2005, Marcos Velasco created a Symbian Bluetooth worm. Velasco, a well-known Brazilian virus collector, got into an argument with anti-virus experts regarding whether his code was new or just a modified Cabir variant. Ultimately, his malware was recognized in a different family and named Lasco.A.
ENTER THE TROJANS
My timeline of events might be wrong here. Many “security” websites in Brazil focused more on hacking than on reporting events and facts about cybercrime. At most, they would interview defacers to talk about their groups, goals and methods. Or the fact they still had lives outside of computers.
The amount of malware research in Brazil was also very small.
As such, while it’s easy to talk about what the malware does, it is difficult to have an accurate grasp of exactly how and how fast developments happened, or when. With that in mind, let’s move on.
The Delf family and early trojans
Brazil had a countrywide taste for a specific programming language. That language was Delphi. As such, malware was often made in Delphi and, for that reason, many anti-virus companies categorized them as “Delf” trojans. They were so unimpressive this generic name was all they got.
They were simple keyloggers triggered by window titles. When the trojan found a window with the title of a certain bank, it would turn on its logging. When it was done, the credentials would be sent to the criminals, sometimes by e-mail. This was very crude and, in fact, some of the trojans would send e-mails over SMTP to the very same account they used as the sender. This meant you could extract the username and password from the code and gain access to the criminal’s mailbox. Depending on the ISP used, you could even change the password and disable the malware’s reporting capabilities. The lack of update features meant this could disable the malware permanently.
The trojans started to come in different flavors and get different names, such as Bancos, Banbra and their most-used alias: Banker. They incorporated many new features and banks started to respond.
- Clicklogging. The bank’s response to keylogging was the introduction of “virtual” keyboards, making people click on numbers to input their password. The trojans began to take screenshots of the area around the mouse click to get the password.
- Videologging. Some banks implemented very user-hostile features, like moving the numbers of the virtual keyboards. The numbers switched places every click. They hoped this would happen before the malware had a chance to log the click. To counter this, the criminals started to record videos of the computer screen.
- Fake browsers. The malware would close down the victim’s browser and open a custom browser whenever the user visited a targeted website. This was very noticeable, but it allowed the code to easily obtain the targeted information.
- Encoding. Early Brazilian trojans were easy to analyze. Authors started to obfuscate parts of the code — especially the window titles they would target — and use file packers to make it harder to know what the malware would do.
- Geolocation. Malware URLs would not load for people outside Brazil. Instead, they would be presented with a picture of girls in bikinis. This kept many anti-virus companies from accessing the malware, as they did not have researchers based in Brazil. This advancement came as Brazilian criminals stopped using free hosting services to distribute malware, migrating to hacked servers or to servers and domains paid for with stolen money.
- Size reduction. Some early trojans were as large as 20 Megabytes, which meant some people would give up on even downloading them due to the size. In response, trojan campaigns switched to “dropper” files — small programs that only downloaded the actual malware. Code quality increased, resulting in smaller and less-buggy programs.
- SQL databases. Some trojans could connect to databases. Although better than e-mail, some still used credentials capable of reading the whole database, so the password present in the virus body revealed all stolen data.
- Dynamic credentials. The trojans started to download configuration files which could be updated. This quickly evolved into modular capabilities and components that could be updated as well.
- Special .br domains. Taking advantage of stolen personal data and of the fact it is possible to have a .com.br address working for 30 days without payment, criminals registered many domains for malware distribution and typosquatting.
- Infighting. Brazilian malware tried to remove not only the security components installed by the banks, but also competitor malware.
Brazilian trojans are seeded through e-mail. They employ many kinds of social-engineering tactics: promotions, messages that seem to have arrived at the wrong person and carry a secret, secret admirers, photos of people being sexually unfaithful, among others. Like in other parts of the world, Brazilians also make use of current events.
However, for a time, Brazilian malware also incorporated worm features. They could spread through Microsoft’s MSN Messenger and Google’s Orkut social network, which was very popular in Brazil. This worked incredibly well. This contributed to a great change in 2006, as shown in this graph published by Linha Defensiva at the time:
We at Linha Defensiva manually counted infections in every log file posted in our forum. In January 2006, only 7% of all infections were Bankers. By December, the number was 49%.
The number stayed constant. By April 2008, Bankers were still 46% of all infections we counted. This was the same every month, so we stopped counting — that’s the last information we have.
This, however, was not just because of the worm features. Bankers were simply getting more aggressive, with several campaigns sent every week. Given the different themes, people would fall for one or another.
The hackers also began to experiment with other approaches. These included the usage of (very simple) exploits and Java applets inserted into hacked web pages of all kinds.
Today, even though the worm features are mostly gone, there are probably multiple banker campaigns daily, and very popular websites get hacked to include banker downloads.
Big strides and automation
The Brazilian Banker family, despite its name, could also log and steal credit card information. With time, though, they started to go far beyond cards and ordinary banking.
New targets included:
- Hosting companies — The hackers’ new-found interest for hacking web pages to spread the trojans meant they wanted credentials to hack web sites. Website hosts became targets.
- Government portals — The most notable among them is Infoseg, the Brazilian government’s database used by law enforcement. According to TV reports made by SBT, it’s possible to purchase a password to Infoseg for about R$ 5,000 or US$ 2,270.
- Personal data and credit protection services — They had much use for more personal data to register domains and banking accounts. Though Infoseg was a good target, not many people had access to it. As such, they started to target information services by companies such as Experian and Equifax. Identity theft for fraud (such as borrowing money) does happen in Brazil, but given how easy it is to obtain personal information in the country, any connection to cybercrime remains unclear. That said, criminals do register companies or accounts using stolen data as a form of harassment against enemies or people they do not like; José Genoino, a politician now in prison for corruption, was targeted in 2013.
- Internet services — Email accounts, social networking services — everything is targeted. It allows the criminals to obtain more e-mail addresses and use the stolen profiles to also spread more trojans in the future.
In order to keep code compact with the growing list of targets and defense measures, trojans started to change their tactics. The complicated keylogging gave way to the redirection of URLs and in-browser sniffing. Here are some techniques employed:
- Browser Helper Objects — In Internet Explorer, a component of the malware is loaded directly inside the browser as a BHO entry.
- Local redirecting — The code detects when a page is being loaded and redirects the browser to a fake, local page. To do this, some Bankers installed a proxy server in the local machine. This was a rare approach.
- DNS changes — The system’s DNS services are changed, allowing for the redirection of the banking websites. The most sophisticated attacks install an additional Certificate Authority (CA) on the system, allowing the fake website to present a “valid” certificate, signed by the now-trusted CA.
- Hosts file changes — The malware would simply change the computer’s hosts file to redirect targeted websites.
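A defender-side check for the hosts-file redirection described above, added here as an example and not code from the original post. The sample hosts file content, the bank domain names and the address are constructed placeholders; a real deployment would read the system’s hosts file and use an organization’s own list of domains to watch.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file after Banker-style tampering.
# The domain names and the 203.0.113.45 address are placeholders (TEST-NET-3).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
127.0.0.1       localhost
::1             localhost
# lines below were appended by the malware (constructed for this example)
203.0.113.45    www.examplebank.com.br
203.0.113.45    examplebank.com.br   # fake banking page
203.0.113.45    internetbanking.example.com.br
"""

# Hypothetical watch-list: domains that should never appear in a hosts file.
WATCHED_DOMAINS = {"examplebank.com.br", "example.com.br"}

# address, then one or more hostnames, then an optional trailing comment
HOSTS_LINE = re.compile(r"^\s*([0-9a-fA-F:.]+)\s+(.+?)\s*(?:#.*)?$")


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file content, skipping comments and blanks."""
    pairs = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = HOSTS_LINE.match(line)
        if not match:
            continue
        ip, names = match.group(1), match.group(2).split()
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def is_watched(hostname):
    """True if hostname equals, or is a subdomain of, a watched domain."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def find_suspicious_entries(text):
    """Return every hosts entry that pins a watched domain to a fixed address.

    A legitimate workstation has no reason to hard-code a bank's hostname, so any
    such line is reported. Entries pointing at loopback are labelled 'sinkhole'
    (the site is simply made unreachable); anything else is a 'redirect' to a
    host the attacker controls, which is the Banker technique described above.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if not is_watched(name):
            continue
        try:
            kind = "sinkhole" if ipaddress.ip_address(ip).is_loopback else "redirect"
        except ValueError:
            kind = "unparseable-ip"
        findings.append((ip, name, kind))
    return findings


if __name__ == "__main__":
    for ip, name, kind in find_suspicious_entries(SAMPLE_HOSTS):
        print(f"{kind:14} {name} -> {ip}")
```

The same check can be scheduled against a known-good copy of the hosts file; any new line naming a watched domain is worth an alert regardless of the address it points to.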
The criminals also added new automated features. These are perhaps the most advanced actions in the trojan family.
- The trojans incorporated real-time control panels that reported token codes to the attacker as they were entered. The attacker had a limited window to exploit the code. The control panels incorporated sound and other features to alert the criminals that a time-limited code could be used.
- Real-time data manipulation, such as destination account for transfers. When the user tries to see his balance, the malware keeps the data as the user expected it to be, hiding any changes made by the malware.
- Once logged into the banking website, the malware takes control of the browser to make transfers or payments as if it were the user. Every page the user sees will be tampered with so as to hide the fraud. The user may find themselves authorizing (through one-time passwords) a different action than the one they were performing. This bypasses “computer registration” and 2FA. New versions also defeated the CAPTCHAs added as a countermeasure.
- Before actually transferring funds, the malware may actually use the bank’s online credit service. In other words, the funds stolen are actually borrowed money.
- The latest fraud involves boletos, reported last year by Linha Defensiva. The malware changes the boleto as it is rendered in the web browser. Even if the victim prints the boleto and pays somewhere else, they might still be victims.
Brazilian criminals also use phishing e-mail messages. Because banks implemented security measures, however, the usual targets are credit, debit or other cards.
Phishing pages usually contain a promotional offer or other such campaign. In some cases, the offer may be a product with a large discount. The page can be very similar or identical to a known online store, making the victim think they are actually buying something. However, only the credit card number will be stolen.
In other cases, the product might be sold only through a “boleto,” which is pretty much a bank transfer. In other words, there is no chargeback. Once the victim paid the boleto, the money will be in the criminal’s account the next day. They can then cash out and never deliver the product.
While the trojans are usually spread by e-mail, infected websites and the occasional social network spam campaign, some incidents show the criminals do use other tools at their disposal.
Google Adwords was the first advertising service to be abused by Brazilian criminals. This was first reported by the website Infoguerra. Brazilians criminals were able to place advertisements on Facebook as well.
Home router hacking
Perhaps their most impressive feat was the hacking of ADSL home routers in 2011 and 2012. The details of the attack are too many to write here, but you will find all the information in the linked post. The numbers related to this attack are not very reliable: two of the three largest DSL providers denied any attack.
Only one ISP said they identified a few hundred compromised routers.
The number of infected routers could have been as large as 4.5 million. If correct, this would mean that 1 out of every 3 DSL connections in Brazil were compromised by this attack. This number is very unlikely for many reasons, but there simply is no other number and CERT.br, which produced this number, did not want to talk about this issue when I asked them in 2012. CERT.br’s own data points to only 300,000 infected routers by January 2012, which is probably a more accurate figure.
DNS cache poisoning
Explaining DNS cache poisoning goes beyond the scope of this article. The most recent case is reported [pt] to have happened in late April this year. The earliest publicly documented case was in April 2009.
The redirected pages may lead users to a page prompting for a malware download, or may redirect the bank’s website directly.
In 2010, an SMS message with a link to a Windows banker trojan was sent. No other similar incident is known and so far there are no known Banker trojans for smartphone systems such as Android, iOS or Windows Phone.
There are other common frauds in Brazil that start with SMS messages. These usually involve convincing the victim they have received something, but will need to somehow pay to actually receive it — a 419 or “Nigerian” scam. They are not directly related to cybercrime, but are mentioned here for completeness.
Malware targeting ATMs has been found in use in Brazil. Some attacks take advantage of the fact that the computers inside older ATMs are not well protected, making it possible to simply connect a USB device and send commands to the ATM.
ORGANIZATION AND MONEY LAUNDERING
One important aspect of financial fraud is no doubt how the stolen money is laundered to actually be used by those who stole it.
The simplest way to do it is to recruit mules, known as laranjas in Brazil, that will approach a banking ATM and withdraw the money.
However, there are safer approaches. One of them is to offer to pay a bill, such as an electricity bill, for less than what should be paid. The criminals will use stolen credentials or an infected computer, through an automated attack, to pay the bill. They will net everything they charged for the “service.”
Taxes, goods, anything can be paid through this method. It’s possible to find messages advertising services in which one can “clear all debts” by paying less than the owed amount. It is unclear if this is related to the cybercrime’s money laundering operations.
It’s also interesting to note the laranjas are providing a “service.” Malware code, spamming, page design and malware hosting are other “services” one can pay for in the Brazilian underground. At one point, Brazilian criminals had a website where they could register their dealings with many other service providers of the underworld, thus recording everyone’s reputation.
To not go through with a deal — by not forwarding the money or paying for the services that one contracted — is known as a “calote” in Portuguese (“default”). The criminals usually call it simply “lote.”
Brazilian criminals also dealt with “lotes” committed by coders, in which the coder would program the malware to send stolen data to a secondary address. This practice is known as “caixa 2.”[2]
CONCLUSIONS AND COMMENTS
Brazil is its own little world when it comes to internet fraud. Brazilian malware is home-grown and little, if any, code is shared with other countries.
According to the Brazilian Bank Federation (Febraban), criminals steal around R$ 1.5 billion, or US$ 680 million, every year through electronic fraud. The largest chunk of that are credit card frauds, with “only” US$ 136 million related directly to internet banking transactions.
Cybercrime law in Brazil is still in its infancy and few arrests have been made. It is known that several criminals went back to the activity after being arrested for the first time.
Police inaction, however, led to an ever-growing skill pool. The buggy, limited malware samples of 2004 and 2005 became solid password stealers capable of compromising a wide range of services. Despite being known mostly for their banking fraud capabilities, these trojans target government agencies and other services; recently, one security company, unaware of this, thought that a regular Banker sample belonged to an Advanced Persistent Threat (APT) campaign.
Brazilian malware is ever evolving, and we can only expect new grounds will be explored. The lack of security researchers in the country, however, means that Brazilian fraud is still hard to understand and many details remain unknown, with the banks being at the forefront of security research.
Altieres Rohr is a Brazilian journalist and founder of Linha Defensiva. He has covered information security since 2004.
- [1] As for what this implies, your guess is as good as mine. The Silver Lords name was taken by other, unrelated individuals as a form of tribute soon after it disbanded, in 2001. It’s interesting to note that some of the people in these networks participated in Anonymous operations in Brazil. If they don’t just see it as a cover, they might still believe they are the little guy making a stand against the banks in an unfair country that does not give them opportunities and fair rewards.
- [2] Caixa 2 or slush fund is the term used to describe secondary, unreported and likely illegal sources of money, for example in political campaigns.