The Cybercrime Carnival in Brazil: Loose Cyberlaws Make for Loose Cybercriminals

Brazil loses over $8 billion a year to Internet crime, making it the second-largest cybercrime generator in the world.

Limor S Kessem, Sr. Cybersecurity Evangelist, IBM Security

May 15, 2015

5 Min Read

Just about a decade ago, bringing up Brazil would make most people draw up an associative mental image of colorful festivities in a city where Christ the Redeemer spreads his arms over densely populated favelas and beaches.

Today, Brazil also happens to be the second-largest cybercrime generator in the world, ranking No. 1 in Latin America and the Caribbean as both a source and target of online attacks. Malware and online fraud patterns in Brazil are developed and used by local cybercriminals and gangs who specialize in targeting its payment and services schemes.

In numbers, Brazil loses over $8 billion a year to Internet crime, which is the No. 1 economic crime in the country, compared to the rest of the world, where cybercrime is ranked fourth.

With about 54% of the country's 200 million citizens already using the Internet, cybercrime is a lucrative endeavor for small-timers, nouveau cybergangs and mafia bosses diversifying their portfolio.

One indication for cybercrime success rates comes from Febraban, the Brazilian Banking Federation, which says cybercrime causes 95% of losses for Brazilian banks. The facilitator of this crime is the unique Brazilian underground black market, which surpasses the Russian-speaking underground in both size and activity. Criminals in this bustling Wild West aren't considered sophisticated in technical terms, not versed in the art of online stealth, and apparently not even trying to hide in underground venues. As a matter of fact, their favorite is social networking sites.

It makes one wonder – what’s going on in Brazil that's different from the rest of the world? What makes cybercriminals in this one country be so brazen and successful all while using use very basic malware and stealth capabilities? There are a few factors that help them along:

  • Unwitting Victims: A very large online population, most recently started using the Internet and online services – with low or nonexistent levels of security awareness.

  • Special Security Needs: It is simple to target payment schemes and anti-fraud solutions that are not adapted to the specific cybercrime in the country.

  • Weak Deterrence Factor: The country has weak cybercrime laws with slap-on-the-hand-level punishments.

Homegrown and Locally Served
On top of having their own turf to experiment on, Brazil's cybercriminals entered the online crime world a little after their Russian- and English-speaking counterparts already founded a vivid black market for cybercrime services and commodities. That lowered the entry barriers and sharpened the learning curve for local cybercriminals who use the knowledge to attack local banks, payments, and online services.

Almost all malware used in Brazil is made for local attacks. If you’re asking yourself why Brazilian cybercriminals rarely use advanced malware such as Zeus, Cridex or Dyre, the answer is simple — why shoot a fly with a cannonball?

So, while the scope of services Brazilians receive online are equal in their quality and diversity to the ones offered in North America and Europe, the territory lags behind in terms of security. This in turns raises crime rates, but it’s not the only factor. The biggest issue is that criminals are not afraid enough of the potential retribution to give it a go… or a hundred.

Underground? What Underground?
In a rather glaring difference from what one would see in the typical English- or Russian-speaking underground, where stealth and anonymity are of paramount importance, cybercriminals in Brazil hang out in the open. In many ways, cybercrime in Brazil is handled like social networking: in public social networking groups, and even in person.

If not for a lack of legal deterrence, why would criminals communicate where they can easily be tracked by law enforcement, down to their exact location, including transcripts of every word they ever exchanged with their peers, just in case supportive evidence was needed? Let’s have a quick look at the legal situation.

No Laws But Their Own
According to the Business Software Alliance, existing criminal laws in Brazil are out of compliance with international standards for digital crime. The Brazilian Chamber of Deputies has only ever approved two cybercrime bills, passed in November 2012, threatening delinquents with fines and up to two years in prison. Almost laughable considering the potential profits gangs can earn within that same time frame can reach $3.75 billion.

There are 40 additional bills related to fighting cybercrime awaiting approval in the Brazilian Congress, which only proves how wide the gap is between the need for deterrence and the available response from a government that is perhaps ill-prepared to deal with a very large and rapidly evolving cyber landscape.

Time is of the Essence
The growth of the cybersphere in Brazil is fast and exponential, and with it, local online crime keeps expanding. A country known for its traditionally high crime rates, time is truly of the essence for Brazil to rise against the hike in virtual crimes, before things get worse.

It is important to note that although it is now dealing with large volumes of small time cybercrime, Brazil may still be in the midst of a grace period of sorts. While local criminals defraud Boleto payments one at a time, organized cybercrime from Eastern Europe can easily shift its focus to the Brazilian Real, and hit with a major heist the like of the Carbanak operation.

The good news is that fighting criminals who do not even hide is going to make life easier for law enforcement. But it will take new laws to bring suspects to justice, and more serious implications for perpetrators to shy away from cybercrime.

Will this not just make Brazilian criminals step up their sophistication levels? Maybe, but it will sharply dwindle volumes, shutting out the actors that lack deep technical savvy or the understanding of advanced threat detection.

Approving new laws, growing and empowering e-crime police forces, and bringing criminals to justice, are of the utmost importance in this battle. These measure must come in lockstep with the enhancement of technology-based deterrents across all financial service channels, and must be based on very minute adaptation to Brazilian cybercrime.


About the Author(s)

Limor S Kessem

Sr. Cybersecurity Evangelist, IBM Security

Limor Kessem is one of the top cyber intelligence experts at IBM Trusteer. She is a seasoned speaker and a regular blogger on the cutting-edge IBM Security Intelligence blog. Limor comes to IBM from organizations like RSA Security, where she spent 5 years as part of the RSA research labs and drove the FraudAction blog on RSA's Speaking of Security. She also served as the Marketing Director of Big Data analytics startup ThetaRay, where she created the company's cybersecurity thought leadership. At her leisure time Limor tweets hot information security items @iCyberFighter<>, dances salsa, and enjoys practicing Brazilian Jiu Jitsu.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights