Brazil's cybercrime evolution - it doesn't look pretty

The frustration in the security industry is nothing if not palpable. Imagine spending time - and I mean lots and lots of time - researching malware and the cybercriminals behind the act, only to watch them get away scot-free.

Dmitry Bestuzhev and Fabio Assolini, representing Kaspersky Lab in South America, touched upon this issue in their presentations at the Virus Bulletin conference in Barcelona.

Bestuzhev’s paper, entitled “A look at the cybercrime ecosystem and the way it works”, looked at how specific geographical locations like Brazil are a hotbed for cybercrime, in particular cybercrime that takes advantage of the online banking system.

And it's easy to see why. According to Bestuzhev, the laws which could be used in Brazil to fight computer crime were written in the 1940s!

Although there is a computer crime bill that has been pending in the Brazilian congress since 2005, this has proven unpopular with some local politicians as they believe it could be used by police to spy on them.

As a result, cybercriminals in Brazil seem free to steal from individuals and banks without suffering the consequences. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy.

Underground one-man-band cyber-operations have evolved into full-blown businesses with authentication requirements, resellers and distributors, etc.

The head honchos of specific cybergangs openly flaunt their vast immoral earnings from banking Trojans and spear phishing attacks to recruit "employees" and business partners to grow their evil empire even further.

The internet is, of course, an important part of the phishing gangs' operations - with stolen information uploaded to online databases.

Naturally, the last thing the criminals want is for their ill-gotten gains to be stolen from under their noses by other gangs - and so the criminal portals demand more than just usernames and passwords to gain access, requiring further authentication such as passport details.

Bestuzhev argued that the anti-virus industry should become more proactive about identifying those responsible for malware attacks, and handing the information over to the authorities.

Nice idea in principle, but let's not forget where anti-virus companies' skill set lies. Security companies are not bounty hunters or regulatory bodies. They protect businesses and users by using advanced and proactive techniques to mitigate malware.

That said, many responsible security companies, such as Sophos, F-Secure, and Kaspersky, do donate time, expertise and resources to the authorities to help put cybercriminals behind bars.

Perhaps what is needed is an independent body made up of legislative and security experts from around the world to establish advice and guidelines, and help those countries which are considered safe havens by cybercriminals.

Oh ya, now we only need to find someone to pull that one together...

Fabio Assolini’s research - “Bonnie and Clyde: The crazy lives of the Brazilian bad guys” - focused more on the malware distributed by South America’s cyber thieves.

Brazil has long been reputed as the king of the banking Trojan. Interestingly, Assolini’s research suggests that many of today’s banking Trojans specifically target Brazilian IP addresses, and are not interested in victims based in other countries.

This means that should you find yourself on an infected webpage, the malware will check your IP address, and if it is not Brazilian, it will not try to infect you.

So, instead of ending up on a malware-infected page, a computer outside of Brazil may see a 404 "page not found" error or a webpage showing pictures of young girls in bikinis.

Brazil is a country with a reputed 73 million computers connected to the internet. More than half of these are used for online banking. Purely focusing on Brazilian victims can mean rich pickings for cybercriminals, who managed to steal a whopping $900 million in 2010.

Like his colleague, Assolini felt that the lack of strong legislation was a problem:

"The lack of any real legislation dedicated to combating cybercrime, in addition to high levels of police corruption, provide the icing on the cake."

Clearly, there's an important lesson that can be learned from this. Computer security companies need to take a truly global outlook on threats. If you hunt for malware purely from the perspective of your labs in the USA you might be blissfully unaware that a webpage poses a risk to your customers in Brazil.
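The lesson above can be turned into a check on crawler data. What follows is an added example, not taken from the article or from either conference paper: it compares fetches of the same URL from several vantage points and flags URLs that serve a page to some countries while others get a 404 or a different page. The record layout, the verdict names and every sample value are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample crawl results: (url, vantage country, HTTP status, body hash prefix).
# All hosts use the reserved .example TLD; none of these values come from the article.
OBSERVATIONS = [
    ("http://promo.example/cartao", "US", 404, "e3b0c442"),
    ("http://promo.example/cartao", "DE", 404, "e3b0c442"),
    ("http://promo.example/cartao", "BR", 200, "9f2ab71c"),
    ("http://fotos.example/verao", "US", 200, "11aa22bb"),
    ("http://fotos.example/verao", "BR", 200, "77cc88dd"),
    ("http://news.example/index", "US", 200, "abcd0001"),
    ("http://news.example/index", "BR", 200, "abcd0001"),
    ("http://solo.example/", "US", 404, "e3b0c442"),
]

def find_geo_divergence(observations, min_vantages=2):
    """Return {url: finding} for URLs whose response depends on the client's country."""
    by_url = defaultdict(dict)
    for url, country, status, body_hash in observations:
        by_url[url][country] = (status, body_hash)

    findings = {}
    for url, seen in by_url.items():
        if len(seen) < min_vantages:
            # A single vantage point cannot show divergence: this is the blind spot.
            findings[url] = {"verdict": "insufficient-coverage", "served_to": []}
            continue
        ok = {c for c, (status, _) in seen.items() if status == 200}
        hashes = {h for status, h in seen.values() if status == 200}
        if ok and len(ok) < len(seen):
            # A page for some countries, an error for the rest.
            verdict = "geo-fenced"
        elif len(hashes) > 1:
            # Every country gets a page, but not the same page.
            verdict = "content-differs"
        else:
            continue
        findings[url] = {"verdict": verdict, "served_to": sorted(ok)}
    return findings

if __name__ == "__main__":
    for url, finding in sorted(find_geo_divergence(OBSERVATIONS).items()):
        print(f"{finding['verdict']:22} {url} 200 from {finding['served_to']}")
```

Legitimate sites also localise content by country, so a "content-differs" verdict is a prompt to re-analyse the page from the affected region rather than a detection in itself.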

One Response to Brazil's cybercrime evolution - it doesn't look pretty

  1. Vito · 922 days ago

    Of course the cybervermin are targeting Brazilian IP addresses. They're having a field day picking the rich bounty of low-hanging fruit, while the political hacks in Brasilia fight their little political turf wars. Another example of how relying on the state for protection from the bad guys is a success-proof security strategy.

    The following part of the article is pretty good comedy:

    >"Perhaps what is needed is an independent body made up of legislative and security experts from around the world to establish advice and guidelines, and help those countries which are considered safe havens by cybercriminals.

    >"Oh ya, now we *only* need to find someone to pull that one together..."

    The sarcasm is appropriate. I'm not sure what "an independent body of security experts" would do, but I'm quite sure that including legislators would muck up the works beyond all reason.

    Try this instead: Perhaps what is needed is to encourage a free market solution, in which professional security experts who have an honest profit motive in meeting a genuine market demand for their products and services earn their customers' business by educating users in a competitive market that ensures superior quality. Unlike the state, if the service providers fail to deliver, customers can dump them and hire a more competent competitor.

    The legislators already have demonstrated their incompetence in the task of protecting the interests of the people they're supposed to serve. If you rely on the politicians for a solution, what you'll get is a coercively enforced bureaucratic monopoly that will cost the taxpayers more money, and STILL won't solve the problem.

    Security is not different from other consumer needs. REAL consumer security education is done in the marketplace, through products and services that constitute proper applications of sound principles. That is a self-perpetuating solution that really works. No politicians needed.

About the author

Hi. I am a social, brand and communications expert with 10 years in senior roles in the tech space. I'm currently Sophos's Global Director of Social Media and Communities. Proudest work achievement? Creating and launching award-winning Naked Security. Outside work, I am a mean cook, an avid reader, a chronic insomniac, a podcast obsessive and blogger.