Threat Intelligence Blog

Posted April 21, 2016

To wrap up our cyber crime series with LIFARSLookingGlass Cyber Threat Intelligence Group (CTIG) Senior Threat Analyst Emilio Iasiello and LIFARS Marketing Manager Michal Nemcok* discuss emerging cyber crime marketplaces. Be sure to read our previous posts on China, and Russia and Eastern Europe if you missed them.

Latin American Cybercriminal Underground

Latin America and the Caribbean have some of the fastest growing Internet populations in the world, with more than 350 million combined users as of 2015. As a result, spurred growth has opened up Latin America to cybercriminal activities originating from and operating in the region. With increased activities comes a need for an eco-system in which these actors can converse, buy and sell goods and services, and exchange information.

The cyber crime underground in Latin America continues to grow due to a combination of growing actor capability as well as poor cybercriminal legislation and ineffective law enforcement investigations. This is likely due to a number of factors that include limited budgets dedicated to combatting cyber crime, lack of security consciousness and awareness among the public and private sectors, limited information sharing practices among appropriate stakeholders, and a user populace that is generally uninformed of the nature of the criminal cyber threat.

According to one Latin American periodical, in 2015 there was a noticeable increase of Latin American hackers using more sophisticated methods to steal intellectual property and private information. The chemical, manufacturing, and mining sectors were cited as high profile targets for these criminals. Spear phishing continues to be a preferred vector of attack. Brazil, Colombia, and Argentina were the top three sources of spear phishing e-mails in Latin America at an estimated 74 percent in the region, and 3.2 percent globally.

Of note, the Trend Micro report intimates that these burgeoning criminals are actively following the activities of their counterparts in other regions of the world, observing their campaigns, and learning from their mistakes. For example, Latin American cybercriminals use free hosting services to carry out their attacks, rather than hijacked servers. This is due to the success law enforcement has had in tracking and taking criminals down.

Additionally, the report found that Latin American criminal actors extensively use Orkut (a social networking site operated by Google) and Internet Relay Chat (IRC) services that have mostly served as marketplaces for the exchange of money and criminal goods and services. Money mules supported these activities as a way to obfuscate the identities of the criminals involved in these endeavors.

Brazil Cyber Underground

Of the countries representing Latin America, the Brazilian cybercriminal underground may be the most pervasive and active. Recent reporting indicates that Brazil is at the center of cybercriminal activity in the region. One report claims that data theft in Brazil accounted for $4.1 billion to $4.7 billion in losses in 2013, although cybercriminal statistics can be unreliable.

According to a 2014 Trend Micro study, the Brazilian underground is continuing to mature, despite the development of unique or sophisticated tools or tactics. Evidence suggests that Brazil is the second-largest cyber crime generator in the world, ranking No. 1 in Latin America and the Caribbean as both a source and target of online attacks. Perhaps what makes this underground more distinct than others is how Brazilian cybercriminals leverage the opportunities presented by social networks such as Facebook, YouTube, Twitter, and Skype. This comes as little surprise for a country that has seen an Internet growth of 11.5 percent in 2015, and an almost 60 percent penetration rate among its domestic population, which is the largest in Latin America.

The Brazilian underground offers the following goods and services to prospective clientele:

  • Banking Trojans45 percent of all banking transactions in Brazil occur in the digital domain with 130 machines per 100,000 adults – a greater density of ATMs than the United Kingdom, France, or Germany. As a result, Trojan-based techniques are popular and being used to steal user credentials from botware, including domain name system (DNS) poisoning, fake browser windows, malicious browser extensions, and malicious proxies.
  • Business Application Account CredentialsCredential theft, particularly for popular business services, is an increasing occurrence as confidential data is a premium in Brazil. For example, such services offered by Unitfour’s inTouch and Serasa Experian have been observed being sold in the underground. Unitfour’s online marketing service, InTouch, has the capability to keep and access potential or existing customer personal information, which made it a target for cybercriminals. Such is the case with Serasa Experian.
  • Online Service Account Credential Checkers:Tools used to validate account numbers for online services, which are obtained by getting log in information from phishing campaigns.
  • Phishing Pages: Cybercriminals copy everything on the legitimate pages they wish to phish and change the destination of the collected data, such as routing all information to a free webmail account that the cybercriminal owns. This is how victims are redirected from legitimate websites without noticing.
  • Phone Number Lists: Cybercriminals who sell spamming software and hardware also offer offer mobile number lists. These can be lists of individual numbers or for a small town. Phone number lists are often used in phone-based scams.


The continued professionalization of the cybercriminal marketplace reveals that even within the vast global underground, regional markets are differentiating themselves from one another by the types of goods and services they are selling. As reputations become solidified in the Deep Web, more experienced criminals may start to patron those markets that are known to sell the specific types of malware/tools/services that they are specifically seeking. Furthermore, prospective purchasers do not necessarily have to be criminally motivated as cyber crime and cyber espionage operations continue to adopt similar methods of operation by borrowing tactics, techniques, and procedures (TTPs) from each other in fulfillment of their activities. Both state and non-state groups can leverage these resources, further blurring the lines when it comes to attributing their source. While customizable malware such as Stuxnet, Gauss, and Flame may indicate state involvement, a state’s or a state’s proxy use of easily accessible malware typically associated with criminals (e.g., Zeus) will likely reduce confidence in that attribution conclusion.

This completes up our series on global cyber crime undergrounds. Contact us for more information on how the LookingGlass Cyber Threat Intelligence Group (CTIG) can cover your threat intelligence needs.

*Michal Nemcok is the Marketing Manager at LIFARS, an international Incident Response And Digital Forensics firm. His background is in IT and IT security with focus on security-related marketing and content editing. He’s done extensive research into topics such as Hacking-as-a-Service and APT campaigns. He works directly with the Incident Response team to keep his hand on the pulse of the latest trends in real-world investigations.

Additional Posts

Weekly Phishing Report: April 25, 2016

Phishing Report: Top Targets Week of April 17 – April 23, 2016 In this week’s phishing report, ...

Weekly Threat Intelligence Brief: April 19, 2016

This weekly brief highlights the latest threat intelligence news to provide insight into the latest ...