Traditional organized crime gangs are now making efforts to succeed in financial cybercrime in Latin America.
According to research by IntSights into cybercrime activities in central and south America, persistent cyber-criminals are operating extensive schemes targeting banks, hospitality services,and retail businesses for their credentials and financial assets.
As the attackers were deliberately changing their tactics and infrastructure but tended to use the same profiles, the IntSights research team were able to detect locations. This included one attacker who was based in Colombia, who was originally from Venezuela and had escaped from poverty and government censorship to pursue cybercrime as a career.
As well as dealing with economic struggles, political corruption, internet censorship, and the rise of organized crime, cybercrime has emerged in Latin America as attackers are specifically focused on financial gain.
Speaking to Infosecurity at RSA Conference in San Francisco, IntSights’ cyber-threat intelligence advisor Charity Wright said that the intelligence team were initially tipped off by the appearance of multiple phishing sites “but what we found was that it was a single person and he was building a team.” He turned out to be called Charles or Carlos, who was the attacker originally from Venezuela, and “he found a way to make money by scamming people out of their credentials for their bank accounts.”
The research found that he was using fraudulent sponsored adverts on search engines and social media to lure people into giving up their details. “He mostly evangelises his tactics and techniques to other people in Latin America,” Wright said. “He teaches other people about what he does, and also targets American banks.”
Wright said that there are four major threat landscape factors that are contributing to the cybercrime emergence in Latin America:
- Economic instability
- Social factors like poverty
- Corruption and bribery
- The population growth, and use of technology
This all adds to a combination of a need to make money, combined with a “new” user base of technology, and governments and law enforcement who are either overlooking this issue because of dealing with larger crimes, or turning a blind eye to smaller fraudulent crimes. “They are making millions of dollars now,” Wright added.
She also said that a lack of legislation is another factor, as while Brazil leads the way with over 40 different data privacy regulations in place, it is currently consolidating these into one overarching policy called Lei Geral de Proteção de Dados (LGPD), forecasted to be implemented in August 2020.
This law will be similar to GDPR and will focus on keeping companies accountable for their customers’ data, with non-compliance potentially resulting in a 2% annual revenue penalty, which Wright said would be crippling for retailers and banks that are already struggling to fight fraud and cybercrime.
“So all of the other factors considered, none of the enterprises are being held accountable for the protection of data of their users and employees,” she said. “There is a lot of skepticism, but I am advising businesses in the region to stay ahead of this because if they do not understand what is expected of them and how to plan for it and do it, they are going to face fines. They cannot afford to be non-compliant.”
In terms of cyber-criminal actions that verge on state-sponsored attacks and intelligence gathering, Wright said that there are some hacktivist-style groups, but these are not as prevalent as the low-level threat actors with some technical skill. “Those with technical skill are being recruited into cartels and organized crime groups, the rest of them are just really good at fraud.”