Brazil’s cybercrime evolution – it doesn’t look pretty

BrazilThe frustration in the security industry is nothing but palpable. Imagine spending time – and I mean lots and lots of time – researching malware and the cybercriminals behind the act, only to watch them get away scot free.

Dmitry Besthzhev and Fabio Assolini, representing Kaspersky Labs in South America, touched upon this issue in their presentations at the Virus Bulletin conference in Barcelona.

Besthzhev’s paper, entitled “A look at the cybercrime ecosystem and the way it works”, looked at how specific geographical locations like Brazil are a hotbed for cybercrime – specifically taking advantage of the online banking system.

And it’s easy to see why. According to Besthzhev, the laws which could be used in Brazil to fight computer crime were written in the 1940s!

Although there is a computer crime bill that has been pending in the Brazilian congress since 2005, this has proven unpopular with some local politicians as they believe it could be used by police to spy on them.

As a result, cybercriminals in Brazil seem free to steal from individuals and banks without suffering the consequences. The few hackers who have been arrested are those who have committed such a huge scale of cybercrime that it was possible to arrest them under existing laws such as larceny and conspiracy.

Underground one-man-band cyber-operations have evolved into full blown businesses with authentication requirements, resellers and distributors, etc.

The head honchos of specific cybergangs flaunt their vast immoral earnings from banking Trojans and spear phishing attacks to openly to recruit “employees” and business partners to grow their evil empire even further.

Brazilian passportThe internet is, of course, an important part of the phishing gangs’ operations – with stolen information uploaded to online databases.

Naturally, the last thing the criminals want is for their ill-gotten gains to be stolen from under their noses by other gangs – and so the criminal portals require more than just usernames and passwords to gain access, but also demand authentication such as passport details.

Besthzhev argued that the anti-virus industry should become more proactive about identifying those responsible for malware attacks, and handing the information over to the authorities.

Nice idea in principle, but let’s not forget where anti-virus companies’ skill set is. Security companies are not bounty hunters or regulatory bodies. They protect businesses and users by using advanced and proactive techniques to mitigate malware.

That said, many responsible security companies, such as Sophos, F-Secure, and Kaspersky, do donate time, expertise and resources to the authorities to help put cybercriminals behind bars.

Perhaps what is needed is an independent body made up of legislative and security experts from around the world to establish advice and guidelines, and help those countries which are considered safe havens by cybercriminals.

Oh ya, now we only need to find someone to pull that one together…

KeyboardFabio Assolini’s research – “Bonnie and Clyde: The crazy lives of the Brazilian bad guys” – focused more on the malware distributed by South America’s cyber thieves.

Brazil has long been reputed as the king of the banking Trojan. Interestingly, Assolini’s research suggests that many of today’s banking Trojans specifically target Brazilian IP addresses, and are not interested in victims based in other countries.

This means that should you find yourself on an infected webpage, the malware will check your IP address, and if it is not Brazilian, it will not try to infect you.

So, instead of ending up on a malware-infected page, a computer outside of Brazil may see a 404 “page not found” error or a webpage showing pictures of young girls in bikinis.

Brazil is a country with a reputed 73 million computers connected to the internet. More than half of these are used for online banking. Purely focusing on Brazilian victims can mean rich pickings for cybercriminals, who managed to steal a whopping $900 million in 2010.

Like his colleague, Assolini felt that the lack of strong legislation was a problem:

"The lack of any real legislation dedicated to combating cybercrime, in addition to high levels of police corruption, provide the icing on the cake."

Clearly, there’s an important lesson that can be learned from this. Computer security companies need to take a truly global outlook on threats. If you hunt for malware purely from the perspective of your labs in the USA you might be blissfully unaware that a webpage poses a risk to your customers in Brazil.