A profile of cybercrime in Latin America

We take a look at cybercrime in Latin America, in terms of why it's unique and why businesses should be paying attention.

When we think of cyberattack capabilities on an international scale, many of us - especially in the west - are probably inclined to think about state-sponsored activity originating out of places like China, Russia, and Iran. While it's certainly true that these countries are ramping up their cyberwarfare proficiency and do pose significant threats to organisations around the globe, it's always worth considering that attacks aren't merely isolated within the borders of these high-profile cyber-advanced nations, and state-sponsored groups aren't always to blame.

There are a range of international geographies within which cybercrime - perpetrated by independent hackers as opposed to nation-state groups - is becoming increasingly sophisticated and posing more and more of a threat. One region that has traditionally been overlooked when it comes to cybercrime is Latin America. As a result, much of the activity within LATAM has largely slipped under the radar.

The truth is, though, that Latin America has an increasingly sophisticated and entirely unique ecosystem of cybercrime, spurred by a range of political, economic and technological elements that are making the practice more attractive to both new and established adversaries.

Threat intelligence firm IntSights recently published a report - the Dark Side of Latin America - that looks into the culture of cybercrime that is currently quite prevalent within Latin America. The report explores how things like cryptocurrency, organised crime, and governmental strain are creating a cybercrime ecosystem that is causing devastating damage to businesses within the region and beyond.

The state of cybercrime in LATAM

There are a range of factors in Latin America that are each contributing to a perfect storm of cyber-criminal activity. This includes an unstable geopolitical situation, economic struggles, government corruption, internet censorship, bribery, and organised crime, the latter of which presents a particularly challenging set of unique issues due to its prevalence in the region as a whole.

As well as this, there has been an influx of internet connectivity and digital services getting switched on in LATAM, especially when it comes to things like ecommerce and online banking. This has also acted as a catalyst for cybercrime, in that the tools are increasingly accessible, and the local populations are more susceptible to attacks. 

"Additionally, we found that Latin America has been rapidly adopting new technology over the past five years. We're talking about huge populations that spend a lot of time on mobile devices and laptops and on the internet in general," says Charity Wright, former NSA offensive operative and Cyber Threat Analyst at IntSights.

"So, we see like a sharp increase in ecommerce, retail and online banking. And because it's relatively new, and it happens so fast for so many people in this region, we find that they have a general lack of security awareness."

Compounding this, many of the organisations within Latin America are not doing a very good job of protecting customer or employee data. Wright says a big reason behind this is down to a lack of funds, which is made worse by the fact that firms are experiencing widespread fraud, with cyber-criminals making off with millions of dollars in some cases. Additionally, though, a lack of data regulation is also to blame.

"Data privacy legislation is lagging in the region. Governments are just overwhelmed trying to deal with the ‘bigger fish’ like organised crime, bribery and corruption. It's very easy to buy off corporate leaders and law enforcement, and so governments are really struggling to implement regulatory or data privacy laws like GDPR or PCI," Wright explains.

"Brazil has a privacy law due to be implemented this year, but the act of actually getting it implemented and enforcing it is going to be very difficult. Additionally, it could mean pretty harsh fines on these organizations that are already struggling to make a profit. So that is one aspect that's really holding them back right now."

Threat actors within Latin America are also fairly distinct from many of their international counterparts, as they're not state-sponsored, they have lower levels of education, and they're moving towards cybercrime out of necessity, seeking mostly financial gain to - in many cases - pull themselves out of poverty.

"In the case of Latin American threat actors, they are definitely financially motivated. Sometimes it's just a matter of survival. But when you get up to the organized crime level, I mean, it's a totally different world. They run their own world, essentially."

Cryptocurrency and organised crime

One of the biggest findings of the IntSights report is the extent to which organised crime groups like cartels are working together with hackers within Latin America. These groups use their immense wealth and power to recruit hackers into their often-luxurious lifestyles, using them to steal more money from enterprises, which then cycles back into their organised crime rings to facilitate other kinds of physical crimes. A lot of the time, this recruitment is done via dark web forums.

"What we have observed is that in the dark web forums, especially Spanish language, or Portuguese, we'll find a new profile pop up, and they'll start asking questions and start scoping out who's experienced and who are kind of the leaders in those platforms. A lot of it is based on trust, especially in the deep and dark web, so they go after the kind of the kingpin in each hacking group and start from there," Wright explains.

"A lot of what happens is in private. While they'll ask publicly about, for instance, who has access to a certain bank or institution, and they'll look for somebody with technical skills like coding, they'll then say, ‘message me on Telegram’, with the conversation progressing in private from that point on."

As a result of working so closely with hackers, the technical proficiency and capabilities of these groups are increasing rapidly. A big part of this is their use of cryptocurrency, both in regard to how they handle cash and, crucially, how they launder money. Crypto is particularly attractive in Latin America, as the value of local currencies can be incredibly volatile, making crypto a viable alternative. Additionally, laws and capabilities around regulating crypto exchanges and shutting down crypto-based money laundering aren't as extensive as those found in other parts of the world.

There are several ways that threat actors are conducting money laundering operations using crypto, although one of the most widespread techniques is through ‘mixers’ or ‘tumblers’. These services work by mixing potentially identifiable or ‘tainted’ cryptocurrency funds with others, with the intention of obscuring the trail back to the funds' original source and forward to any potential exchanges or crypto entities.

Another method is to launder through the use of unregulated exchanges, or those that don't have "know-your-customer" or anti-money laundering policies in place. These exchanges allow criminals to move large amounts of money through untracked channels, with unregulated exchanges offering no requirements for submitting registration information or proving identities for tracking purposes.

Types of attacks

Many of the attacks that are currently being carried out by cyber criminals in Latin America are being levied against large financial institutions and banks, with one of the most common methods for defrauding citizens and institutions being next-generation phishing campaigns. IntSights say they recorded one particular large-scale phishing campaign levied against several major banks in North and Latin America, including one of its own customers, where several websites were constructed to mimic the official bank website. While IntSights issued takedowns, the attacker was persistent and pivoted to new registrars and new infrastructure.

Interestingly, these attackers were using Google and Bing adwords to lure unsuspecting targets to their phishing sites, leveraging the adword feature of being at the top of search results. Victims - who often fail to distinguish an ad from organic search results anyway - would click on an adword link that took them to a site that looks extremely similar to the bank's real website. Everything from usernames and passwords to two-factor authentication question data is then swiped from both individual users and business customers.

"What we discovered around next-gen phishing campaigns was that these guys are owning their own infrastructure. Some of them are managing their own registrar companies. So essentially, until they're caught and held accountable by law enforcement, they can just keep doing this," Wright continues.

"They're very good with web design and making mirrored websites for banks. A lot of big customers are putting in their credentials into these phishing sites."

Another type of attack includes the act of carding, where criminals use stolen credit cards to pay for bills or goods and services (such as airfares) on behalf of their ‘customers’, who think they are just getting a special discount. Cybercriminals advertise these services on social media platforms, often acquiring credit card numbers through "insider" employees who work where credit cards are presented. BINero fraud is also quite widespread in Latin America, which involves the use of improperly validated bank identification numbers (the first four to six digits on bank cards) as a means to carry out online transactions through popular retail sites.
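The improper BIN validation described above is a failure that a checkout or fraud-screening service can close on its own side. As an added example (not code from the article or from IntSights), the Python validator below checks the Luhn checksum and then requires the BIN prefix to map to a known card network with a PAN length that network actually issues, so a checksum-valid number carrying an unknown or inconsistent BIN is rejected; the BIN table is constructed for illustration and is not real issuer data.

```python
import re

# Constructed, illustrative BIN table (NOT real issuer data): maps a BIN
# prefix to the card network and the PAN lengths that network issues.
BIN_TABLE = {
    "4": ("visa", {13, 16, 19}),
    "51": ("mastercard", {16}),
    "55": ("mastercard", {16}),
    "34": ("amex", {15}),
    "37": ("amex", {15}),
}


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def lookup_bin(pan: str):
    """Longest-prefix match of the PAN against the BIN table (6 to 1 digits)."""
    for length in range(6, 0, -1):
        entry = BIN_TABLE.get(pan[:length])
        if entry:
            return entry
    return None


def validate_pan(raw: str) -> tuple[bool, str]:
    """Validate a card number: checksum, then BIN/network/length consistency."""
    pan = re.sub(r"[\s-]", "", raw)   # tolerate spaces and dashes
    if not pan.isdigit():
        return False, "non-digit characters"
    if not luhn_ok(pan):
        return False, "luhn checksum failed"
    entry = lookup_bin(pan)
    if entry is None:
        return False, "unknown BIN"        # checksum alone is not enough
    network, lengths = entry
    if len(pan) not in lengths:
        return False, f"length {len(pan)} not valid for {network}"
    return True, network
```

The two rejection branches after the Luhn check are the ones a BIN-only or checksum-only validator lacks.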

In terms of specific malware trends, IntSights identified trojans and ransomware as the top threats targeting and coming from LATAM, with targets including both SMB and larger organisations. The top malware strains include Catasia (trojan/spyware targeting Mexican banks), Cosmic Banker (trojan targeting banks across the region), Trickbot (banking trojan targeting SMB), Phobos ransomware (targeting third party services for entry into an organisation), and Ryuk ransomware (targeting a wide variety of organisations including Mexico's state oil firm).

Hiding in plain sight

One of the most intriguing aspects of IntSights' findings is the apathy of certain threat actors when it comes to concealing their identities. Cybercriminals in the region communicate on openly accessible platforms and do not put work into hiding their identities, unless they operate closely with cartels or gangs.

A lot of the time they don't even bother with dark web forums, instead opting for mainstream platforms like WhatsApp, Facebook Messenger, and Telegram, which are actually the most popular ways that cybercriminals communicate and collaborate. These platforms are generally favoured by threat actors because they are allowed by their local governments and are free to use.

IntSights tracked one known threat actor who was targeting one of its banking customers in the region with targeted phishing campaigns. They discovered that the threat actor made little to no effort to conceal his identity, with researchers able to determine exactly who he was, who he was targeting, and how he was doing it. His social media profiles and other aspects of his online presence all used his actual name.

"He's very open about it. He even teaches tutorials and does YouTube videos. They're kind of like undercover YouTube tutorials, where he makes it look like it's something like a music video, but if you wait a minute into the video, you'll actually see him start presenting his tactics and tools," Wright says.

Why are the attackers so brazen? A lot of it comes down to a lack of enforceable repercussions, which speaks to a historical challenge that some Latin American governments have had with cybercrime as well as physical organised crime.

"The higher you score in bribery and corruption, and the weaker your economy, the more likely you are to have a cybercrime problem," Wright continues.

