Vulnerabilities / Threats

5/17/2011
09:59 PM
Cybercriminals Target Online Banking Culture In Latin America

Botnets and malware creation are on the rise in the region, which also could host first big wave of smartphone malware writers

Latin America is no longer just a victim of cybercrime -- it's becoming a haven for cybercrime operations and the creation of malware.

The region, which has traditionally been infamous for housing an inordinate number of infected machines, is now creating more botnets, with Trojans targeting Latin America's popular online banking culture.

Researchers at Kaspersky Lab recently studied a crimeware kit for botnets that was customized for Latin American targets and appeared to be built for attacking online banking customers in Peru. Jorge Mieres, a security expert with Kaspersky, says the Sistema de Administracion de PCs Zombi (Zombie PCs Administration System) is a specialized version of the pervasive SdBot botnet malware. The botnet was first created in late 2009, he says.

"This botnet is further evidence that Latin America is influenced by this type of cybercrime. And although developments in Latin American crimeware -- that we have found so far -- do not compare with more sophisticated ones, [such as] from the area of Eastern Europe, it is clear that the production of local malware and collateral activities that stem from these types of activities targeting Latin American users is on the agenda," Mieres says.

The so-called SAPZ botnet initially infects victims via phishing: the lure leads to a phony version of the Banco de Crédito del Perú site that installs the Trojan. Once installed, the Trojan steals users' financial information and credentials by redirecting the victim's bank traffic to a clone of the real site. "Every time the user enters the bank's home site from his/her browser, Web traffic is redirected to the malicious server that hosts a clone of the real site. When this happens, unsuspecting users enter their data into the fake page and thus the info is stolen by the hacker," Mieres says.
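The article does not say how the Trojan forces the browser to the clone site. One technique commonly used by this class of banking Trojan is to rewrite the local hosts file so that the bank's hostname resolves to the attacker's server, which bypasses DNS entirely. The following is an added example (not code from the article, Kaspersky, or the SAPZ kit) of a host-based check a responder could run: it parses hosts-file content and flags any entry that overrides a monitored bank domain. The hosts-file mechanism is an assumption about this malware family, the bank domains (`bcp.example`, `bank.example`) are placeholders, and the sample file content is constructed.

```python
"""Flag hosts-file entries that hijack bank domains (pharming check).

Added example; assumes the Trojan redirects traffic by editing the hosts
file. Bank domains below are placeholders, not real bank hostnames.
"""
import ipaddress
from dataclasses import dataclass

# Placeholder bank domains a fraud/IR team would monitor (assumption).
MONITORED_DOMAINS = ("bcp.example", "bank.example")

# Constructed sample hosts file: two legitimate entries, one ad blocker
# entry, and one pharming entry pointing a bank domain at an external IP.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# unrelated internal entry
10.0.0.5        intranet.corp.example
192.0.2.10      www.bcp.example bcp.example
127.0.0.1       ads.tracker.example
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    hostname: str
    address: str
    kind: str  # "external_redirect" or "local_override"


def _matches_monitored(hostname: str, monitored) -> bool:
    """True if hostname equals or is a subdomain of a monitored domain."""
    h = hostname.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in monitored)


def scan_hosts_file(text: str, monitored=MONITORED_DOMAINS) -> list:
    """Return a Finding for every hosts entry naming a monitored domain.

    A bank domain should never appear in a hosts file at all; an entry
    pointing it at a routable address is the pharming pattern described
    for SAPZ, while a loopback entry still silently breaks or blocks the
    bank site and is reported separately.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # not an "address hostname..." line
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; not a valid hosts entry
        for host in parts[1:]:
            if _matches_monitored(host, monitored):
                kind = "local_override" if addr.is_loopback else "external_redirect"
                findings.append(Finding(line_no, host, str(addr), kind))
    return findings


if __name__ == "__main__":
    for f in scan_hosts_file(SAMPLE_HOSTS):
        print(f"line {f.line_no}: {f.hostname} -> {f.address} ({f.kind})")
```

On a live Windows host the same function can be pointed at `%SystemRoot%\System32\drivers\etc\hosts`; on Linux or macOS at `/etc/hosts`. Any `external_redirect` finding for a bank domain is a strong indicator of this kind of credential-theft Trojan, since no legitimate software ships hosts entries for third-party banks.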

Researchers at ESET's Latin American lab also have witnessed a botnet and banking Trojan uptick in the region during the past year or so. Sebastian Bortnik, coordinator of awareness and research for ESET Latinoamérica, says the Latin American SdBot variant has been around for at least two years. He says it's actually more common to see popular crimeware kits like Zeus or SpyEye spreading there. Even so, last year ESET found a Mexico-based crimeware kit called MiniBitNet.PHP, a.k.a. Mariachi Botnet. "This particular botnet kit builds a piece of malware that propagates through USB devices -- the main vector for malware in Latin America -- and P2P networks. It was designed to perform DDoS attacks," Bortnik says.

Banking Trojans are widespread in Latin America: One out of 20 machines in Brazil was infected with some sort of banking Trojan this year, according to new data from ESET. Around 27 percent of malware found in Latin American machines steals some type of information from the victim's machine, and 20 percent of malware there is related to botnets or backdoors. More than 40 percent of malware in Latin America spreads via USB devices.

"We have been seeing these changes in the attacks in Latin America, moving to more cybercrime-related attacks. Crimeware kits developed in the region are growing slowly, but, specifically, banker Trojans are a massive attack, with more rates of infection than the rest of the world. These kinds of Trojans are created to steal credentials for accessing [online] banking websites," Bortnik says.

Why Latin America? Gunter Ollmann, research vice president at Damballa, says the region is an attractive target due to the transient nature of the working population, which has made online banking a way of life. Brazil and Argentina have the highest percentage of online banking activity in the world, for example.

Two factors exacerbate the problem, he says: Most Latin American countries don't have laws that make hacking illegal, and the roving workforce from the region means many citizens rely on online banking for paychecks and other transactions. "South American banks, [for example], have streamlined the process because much of the population is a migratory workforce located in different countries," he says. That has made the region a ripe target for attackers.

"Online banking systems [that support] the population of migratory workers [so they are able] to automatically transfer funds between banks and internationally between banks is a common practice. [Online banking systems] are designed to facilitate that," Ollmann says. That provides cybercriminals with the opportunity to steal online banking credentials and commit bank fraud: "Banking Trojans are really paving the way," he says.

While the banking systems are relatively sophisticated -- namely Brazil's -- there's little legal protection against attackers. "Similar to Eastern Europe, the general education is quite high [in the region], but job opportunities are more difficult," Ollmann says. That makes malware development and cybercrime attractive careers there, he says.

Damballa tracks about 200 botnets based on SdBot, he says, and one in five has ties to Latin America.

Latin America could well become the incubator for smartphone malware and attacks: Online banking via smartphones is on the rise, Ollmann notes. "Just as banking Trojans made a splash for malware attacks against online banking ... Latin America is also going to trailblaze in the development of smartphone malware," he says.

And the quick adoption of these technologies often leaves them unsecured. "In this context, the incorporation of technologies is sometimes done in a hurry, so that's an opportunity for attackers since security levels aren't often the most optimal," ESET's Bortnik says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
