Cybercriminals are now partnering with drug cartels across Latin America to attack financial institutions and governments, leveraging a wide variety of scams and malware to make millions, according to a new report from cybersecurity firm IntSights. The company did a deep dive into attack campaigns throughout 2019 after multiple customers in Colombia and Brazil were hit with financially devastating breaches, and people reported widespread scams aimed at siphoning funds from their bank accounts.
The IntSights report highlights dozens of extensive schemes aimed primarily at banks, hospitality services, and retail businesses seeking credentials and a variety of financial assets. Due to relatively lax police enforcement, many of these cybercriminals operate in the open and on the dark web, sharing tactics with others and teaming up with criminal entities to increase the breadth and power of attacks.
Attackers use popular messaging services like WhatsApp, Facebook Messenger, and Telegram to coordinate attacks, while leveraging the anonymity and lackluster enforcement of cryptocurrencies to transfer illicitly gained funds globally.
“The marriage of violent drug gangs and the underground hacking community is a significant emerging threat as we move into 2020. The two worlds are combining their influence, skills, and experience to achieve common goals, primarily of the financial variety,” the report said.
Mexican law enforcement arrested Héctor Ortiz Solares–known as “El H-1” or “Bandido Boss”–in 2019 after he spent years recruiting top-tier hackers who built malware for his gang, named “Bandidos Revolution Team.” The malware was designed to infect ATM machines and attack Latin American banks.
According to Mexican authorities, Solares managed to make more than $5 million each month and in 2018, the gang stole $15.2 million through fraudulent transfers at five Mexican financial institutions.
Phishing attacks are also wildly popular for hackers targeting major banks across Latin America, with one attacker using fake Google and Bing adwords to direct customers to a number of websites made to look like official bank websites, according to the IntSights report.
Attackers were able to convince users to enter credentials and personal information into these fake bank websites, which were then used on the real bank website to steal money from accounts. The study added that this specific hacker shared his tactics in forums and received a number of messages asking for more information about how to conduct similar attacks.
These kinds of campaigns went hand in hand with another brand of attack called carding, where stolen credit cards are used to make a variety of purchases to cover bills, hotels, airfare, and expensive cars.
Cybercriminals are also using economic downturns to gain insider access to credit card numbers. The report notes that cybercriminals often press retail employees, particularly those working at gas stations, for stolen credit card numbers, offering commissions through WhatsApp and social media for monthly quotas of stolen customer information.
Another widely discussed tactic on Spanish-language dark web sites is BINero fraud, which allows cybercriminals to use misconfigured bank identification numbers to make fraudulent online purchases through online retail sites like MercadoLibre, Amazon, B2W Digital, and Alibaba.
As the number of internet users in Latin American has grown well past 400 million and the amount of retail e-commerce sales has soared past $50 billion, the breadth and size of attacks has grown as well.
SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)
Organized crime outfits and drug cartels have taken advantage of the deluge of online funds to not only steal money but move it easily between countries. The IntSights study said that in April 2019, Brazil’s Department of Narcotics Investigation broke up a crypto-mining operation based in Porto Alegre that was leveraging 25 cryptocurrency mining machines. These machines were working 24/7 and were worth about $65,000.
Another cybersecurity company, CipherTrace, contributed to the IntSights report and said cartels were now using cryptocurrency “tumblers” to mix unregulated cryptocurrencies with other well-known ones.
Eventually, cartels are able to trade the coins for other verified cryptocurrencies, and the people behind it take a relatively minor 3% cut of the profits. These organized crime groups use unregulated cryptocurrency exchanges to move huge sums of money without being tracked, allowing money to be moved to countries throughout Latin America that have relatively lax regulations.
The report also highlights the use of banking trojans and ransomware as the most popular malware threats plaguing Latin America. Another cybersecurity firm that helped with the study, Scitum, reported that Catasia malware has been distributed through emails purporting to be from Mexican government organizations since 2014.
These kinds of emails generally came with Word documents or .zip files attached containing malware that could use a person’s camera and microphone for a variety of nefarious purchases.
Banking trojans and ransomware top the list of malware threats targeting and coming from the Latin American region. Scitum, the leader in managed security in the Latin America region, contributed this information about the top trending malware affecting their customers in 2019.
“The most notable characteristic of this malware is that the attacker updates its functionality, often to include man-in-the-middle browser attacks. The Catasia malware has found success being hosted on otherwise non-malicious infrastructure, where legitimate business operations are also hosted. During the investigation, it was found that it only focuses on Mexican targets, despite being initially tested in Colombia,” the report said.
Since 2018, the Cosmic Banker trojan has also become wildly popular amongst cybercriminals attacking Latin American banks and specifically Mexican financial institutions in April 2019. The same group leveraging the Cosmic Banker trojan has also used other malware to attack Brazilian banks. Mexican banks have also faced a barrage of cyberattacks leveraging the powerful Emotet malware, which soared in popularity throughout 2019, according to the report.
Attackers used Emotet to hit a number of South American automotive, finance, energy, construction, retail, entertainment, logistics, and technology companies between 2018 and 2019.
Ransomware, particularly one called Ryuk, was used to shut down Mexico’s state oil firm PEMEX in November, hiding within the corporation’s system for months while it looked for vulnerable aspects of the system to attack. The study found that Ryuk was used extensively at the end of 2019 in conjunction with other tools to attack companies across Latin America.
“Ryuk is believed to be operated by the same group that manages the Trickbot malware, a group dubbed Wizard Spider, based out of Russia. Ryuk is closely tied to other malware groups and is observed as part of a complex infection chain. For example, one report explains that Ryuk is usually the last step in an attack that starts with Emotet malware delivering the Trickbot trojan. Trickbot deploys post-exploit tools such as Mimikatz and Powershell, which enables it to harvest credentials, remotely monitor a system, and move laterally within the network,” the report added. “This process enables the attacker to determine the value of a machine and assess whether it is worth deploying Ryuk.”
Part of the study delves into how political instability in Venezuela has exacerbated cybercrime in the region because of the drastic economic downturn in the country, forcing many people into a life of cybercrime they did not seek out.
A research team at IntSights tracked a specific cybercriminal to Colombia and pored through his social media profiles to find out more about his attack methods.
“Deeper exploration into the life of this threat actor revealed a more complex threat landscape, an escape from poverty and government censorship in Venezuela, and a move over the border to Colombia to pursue cybercrime as a career,” the report said.
“This discovery prompted our researchers to address these findings in a report on the political-economic devastation in Venezuela and forces that drive citizens to the underground to make money through cybercrime.”