Threat actors in Brazil are going after targets both within and outside the country, with much of their focus on U.S. businesses.
Threat actors in Brazil are going after targets both within and outside the country, with much of their focus on U.S. businesses.

Brazil has emerged as a primary center of financially motivated e-crime threat activity, according to a just released report from FireEye.

Threat actors in the South American country are going after targets both within and outside the country, with much of their focus on U.S. businesses.

For instance, FireEye examined one Brazilian cybercrime group that specializes in payment card fraud operations which puts to use a number of strategies to take advantage of already compromised payment card credentials. These actors share or purchase data dumps online, hack merchant websites and comprome payment card processing devices. They then use this material to generate further card information and launder and monetize their illicit gains with online purchases of goods and services, as well as ATM withdrawals.

FireEye detected the group's actions, including several steps to disguise their activity.

On a daily basis, members use a number of tools, including CCleaner, to delete any trace of their process. They wipe browser sessions, temporary files, Clipboard, URSs, cookies, etc., and other evidence of their actions that might be tracable by law enforcement.

Putting to use such tools as Technitium MAC Address Changer, the actors also change their system's MAC address to avoid detection. Additionally, to further assure anonymity and disguise their criminal operations, the group uses Tor, or proxy-based tools similar to Tor, as well as virtual private network services that route IPs through several countries.

As might be expected, the group's preferred virtual currency is Bitcoin, which effectively hides identities.

FireEye researchers observed the group's use of several strategies to distribute payment card credentials. Often these data dumps are shared via social media forums. Further, they often purchase payment card data via a number of illicit online marketplaces, dubbed "dump shops," including "Toy Store," "Joker's Stash" and "Cvv2finder." Here they can sort through millions of assets flush with card data and make their purchases based on requests filtered to select just which fields they need.

The group also enlists SQL injection (SQLi) tools to search for and then commandeer vulnerabilities in targeted e-commerce sites, from which they can lift entire databases.

As well, the group can alter point-of-sale (POS) terminals to siphon out magnetic stripe and EMV chip data.

"Payment card fraud has been extremely profitable for malicious actors for years," the report stated. "Given its profitability and actors' investment in this type of fraud, we see no indication of actors moving away from this type of activity for the foreseeable future."

Further, the FireEye researchers conclude that because the profits are so high, the bad actors will continue to evolve to keep pace with any obstacles placed in their way.