Cybercriminals Target Online Banking Culture In Latin America

Botnets and malware creation are on the rise in the region, which also could host first big wave of smartphone malware writers

Latin America is no longer just a victim of cybercrime -- it's becoming a haven for cybercrime operations and the creation of malware.

The region, which has traditionally been infamous for housing an inordinate number of infected machines, is now creating more botnets, with Trojans targeting Latin America's popular online banking culture.

Researchers at Kaspersky Lab recently studied a crimeware kit for botnets that was customized for Latin American targets and appeared to be built for attacking online banking customers in Peru. Jorge Mieres, a security expert with Kaspersky, says the Sistema de Administracion de PCs Zombi (Zombie PCs Administration System) is a specialized version of the pervasive SdBot botnet malware. The botnet was first created in late 2009, he says.

"This botnet is further evidence that Latin America is influenced by this type of cybercrime. And although developments in Latin American crimeware -- that we have found so far -- do not compare with more sophisticated ones, [such as] from the area of Eastern Europe, it is clear that the production of local malware and collateral activities that stem from these types of activities targeting Latin American users is on the agenda," Mieres says.

The so-called SAPZ botnet initially infects victims via phishing attacks. It redirects the victim to a phony version of the Banco de Credito de Peru, where it installs the Trojan and then steals users' financial information and credentials. "Every time the user enters the bank's home site from his/her browser, Web traffic is redirected to the malicious server that hosts a clone of the real site. When this happens, unsuspecting users enter their data into the fake page and thus the info is stolen by the hacker," Mieres says.
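One defender-side check for the redirect-to-clone behaviour just described, as an added example that is not from the article or from Kaspersky: it assumes the Trojan pins the bank's hostname to an attacker-controlled address in the victim's hosts file (the article does not name the redirect mechanism, so this is an assumption), and it uses constructed hostnames and hosts-file content.

```python
# Added example, not from the article. ASSUMPTION: the redirect is done by
# tampering with the victim's hosts file; the article does not say how the
# browser traffic is diverted. Hostnames and file content below are constructed.
import ipaddress

# Constructed watchlist of hostnames the bank's customers are expected to reach.
WATCHED_HOSTS = {"www.example-bank.test", "online.example-bank.test"}

# Constructed hosts-file content: two benign entries plus one hijack line.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# constructed hijack: bank hostnames pinned to an external address
203.0.113.45   www.example-bank.test online.example-bank.test
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def find_hijacks(text, watched=WATCHED_HOSTS):
    """Return (hostname, ip) pairs where a watched bank hostname is pinned.

    A hosts file has no legitimate reason to resolve a public bank hostname;
    any entry other than a loopback sinkhole is a redirect candidate.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name not in watched:
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            hits.append((name, ip))  # unparseable address is suspicious too
            continue
        if not addr.is_loopback:
            hits.append((name, ip))
    return hits


if __name__ == "__main__":
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"hosts-file redirect: {name} -> {ip}")
```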

Researchers at ESET's Latin American lab also have witnessed a botnet and banking Trojan uptick in the region during the past year or so. Sebastian Bortnik, coordinator of awareness and research for ESET Latinoamérica, says the Latin American SDbot has been around for at least two years. He says it's actually more common to see popular crimeware kits like Zeus or SpyEye spreading there. Even so, last year ESET found a Mexico-based crimeware kit called MiniBitNet.PHP, a.k.a. Mariachi Botnet. "This particular botnet kit builds a piece of malware that propagates through USB devices -- the main vector for malware in Latin America -- and P2P networks. It was designed to perform DDoS attacks," Bortnik says.

Banking Trojans are widespread in Latin America: One out of 20 machines in Brazil was infected with some sort of banking Trojan this year, according to new data from ESET. Around 27 percent of malware found in Latin American machines steals some type of information from the victim's machine, and 20 percent of malware there is related to botnets or backdoors. More than 40 percent of malware in Latin America spreads via USB devices.

"We have been seeing these changes in the attacks in Latin America, moving to more cybercrime-related attacks. Crimeware kits developed in the region are growing slowly, but, specifically, banker Trojans are a massive attack, with more rates of infection than the rest of the world. These kinds of Trojans are created to steal credentials for accessing [online] banking websites," Bortnik says.

Why Latin America? Gunter Ollmann, research vice president at Damballa, says the region is an attractive target due to the transient nature of the working population, which has made online banking a way of life. Brazil and Argentina have the highest percentage of online banking activity in the world, for example.

Two major problems exacerbate the cybercrime problem, he says: Most Latin American countries don't have laws that make hacking illegal, and the roving workforce from the region means many citizens rely on online banking for paychecks and other transactions. "South American banks, [for example], have streamlined the process because much of the population is a migratory workforce located in different countries," he says. That has made the region a ripe target for attackers.

"Online banking systems [that support] the population of migratory workers [so they are able] to automatically transfer funds between banks and internationally between banks is a common practice. [Online banking systems] are designed to facilitate that," Ollmann says. That provides cybercriminals with the opportunity to steal online banking credentials and commit bank fraud: "Banking Trojans are really paving the way," he says.

While the banking systems are relatively sophisticated -- namely Brazil's -- there's little legal protection against attackers. "Similar to Eastern Europe, the general education is quite high [in the region], but job opportunities are more difficult," Ollmann says. That makes malware development and cybercrime attractive careers there, he says.

Damballa tracks about 200 botnets based on SDbot, he says, and one in five have ties to Latin America.

Latin America could well become the incubator for smartphone malware and attacks: Online banking via smartphones is on the rise, Ollmann notes. "Just as banking Trojans made a splash for malware attacks against online banking ... Latin America is also going to trailblaze in the development of smartphone malware," he says.

And the quick adoption of these technologies basically leaves them unsecured. "In this context, the incorporation of technologies is sometimes done in a hurry, so that's an opportunity for attackers since security levels aren't often the most optimal," ESET's Bortnik says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
