What security managers can learn from Brazil – front line in the global cyber wars, by Cristiano Lincoln Mattos, CEO at Tempest.
Brazil has enjoyed consistent economic and social growth over the last decade. Thanks to changing demographics and the economic and political stabilisation of the 1990s, millions of Brazilian citizens have joined the middle class and are encouraging a technology boom, particularly in the country’s banking sector. In fact, the Brazilian financial services industry has a history of heavily investing in technology as a business enabler, with growth of 42 percent projected by 2015.
However, Brazil has also experienced another area of growth that is less positive. The legal and regulatory framework has not necessarily kept pace with the advances in technology, resulting in an environment that is particularly attractive to cyber-fraudsters and hacktivists. In 2011, the banking sector reported losses of R$1.5 billion thanks to the prevalence of phishing, online theft, identity theft, online scams and credit card fraud. At the same time, the sector has been subject to widespread denial of service attacks and data leakage, and in February 2012, a co-ordinated attack timed to coincide with quarterly earnings reports hit all the major Brazilian banks.
Brazil is now the number one country in the world for the use of banking malware. But banking is really a microcosm of the threat landscape across the country. Fraudsters are applying what they have learned over the past ten years of attacking banks to monetise their expertise in other ways: pump ‘n’ dump trading scams, directed attacks on high-net worth individuals, airline mileage programmes, and utility bills have all been the subject of cybercriminal activity.
The malware industry
Unlike Europe, where cybercriminals usually rely on a small number of malware frameworks like Zeus or Citadel to build on, the malware scene in Brazil is significantly more diverse. Much of it is developed locally and then constantly tweaked with new techniques, making it much harder to detect and protect against the 500+ unique malware specimens that can be produced per month.
Brazil’s threat intelligence community has also identified crossover between cyber-weapons developed by nation-states and cybercrime, with Brazilian fraudsters quick to build upon engines like Flame to extend their capabilities.
Although this appears at first to be a very local problem, there are very real ramifications for organisations in Europe. As Brazil’s financial sector, government institutions and media bodies co-ordinate their efforts and develop the necessary security policies to protect themselves against the threat, the costs of executing a successful fraud go up, and the risk-reward equation proves less attractive to the criminals.
As a result, more vulnerable targets outside Brazil – that can deliver a higher return for minimal effort – become more attractive. For this reason, the cyber-fraud and hacktivist trends in Brazil should be of particular interest to security professionals at businesses in Europe.
Of the trends seen in the past 12 months, we believe the following three are the ones that are most likely to cross the Atlantic and make their debut in Europe in the next 12.
Certificates in disguise
Most software developers use digital signatures to verify their programs so that they can be installed without difficulty. But now malware writers are doing the same thing: using certificates from recognised Certification Authorities (CAs) to validate their highly damaging programs and sneak them into the corporate network under the radar of anti-malware programs.
To date, criminals have obtained valid certificates with fake company data, or by hacking into the CAs’ systems, to create files that look legitimate but are in fact Trojans or viruses. These certified files can remain undetected by anti-malware programs for days – weeks in some cases – buying the cyber-criminal extra time to do their damage.
Unfortunately, the direct solution to the problem lies largely with the CAs and is outside the hands of the companies being attacked. However, the IT industry as a whole can demand extra diligence from CAs, while individual IT managers should ensure that only they are able to install new programs or updates throughout the corporate IT estate. As always, threat intelligence is essential to keep firms abreast of the latest potential attacks.
Social malware
To date most malware attacks have been designed to exploit weaknesses in one browser only. However, the past few years have seen radical changes to the way in which people access the internet, choosing new devices, new operating systems and a wider range of browsers. And of course, they are accessing different site types – notably social media outlets. So it’s perhaps not that surprising that malware is now being written and disseminated that takes modern online habits into account.
Malicious files are now being written in the form of cross-platform plug-ins for MS Internet Explorer, Mozilla Firefox and Google Chrome. Mac OS and other Linux-based browsers remain unaffected so far. The main functionality of these plug-ins is to fake advertising modules on popular sites such as Yahoo, YouTube, Bing, Google and Facebook, and then spread their malicious code through spam from compromised accounts. This is Malware 2.0 – programs that are based on modern web technologies and use fake versions of social networks and other popular services to deliver illicit returns.
Short of blocking certain sites on the corporate network the solution once again lies with educating staff about modern phishing techniques. That includes ensuring they have the knowledge to spot fake sites, and establishing processes for reporting and responding to suspected attacks.
Fraud as a service
The basic principles of economics apply to cyber crime as they do everywhere else, and specialisation of labour is now developing among the criminal fraternity in Brazil. So, instead of developing their own forms of malicious code, there are individuals or organisations involved in hosting malware, or providing protection against takedown services, or developing the front-end screens for phishing scams, or even providing the network through which to transfer the money.
An entire underground economy that centres on servicing cyber-criminals is being developed, encompassing small-time, highly localised players as well as very sophisticated organised crime syndicates.
As a good economics student will tell you, this form of specialisation is extremely efficient when compared to a jack-of-all-trades approach. But what it means for cyber-crime is that increasingly superior attack methods will be developed, and they will become even more prevalent.
Coming to Europe
The field of cyber-crime and cyber-crime prevention is a fast-moving one. Much can happen in three months, never mind a year: it is perfectly possible that new threats will overtake these three in popularity, particularly if they prove more profitable for criminals.
Nonetheless, these are very real potential threats, and an indication of the very adaptable nature of cyber-crime. If not these specific attacks, then some variation on the theme will be seen in European markets. How long they remain, and how effective they are, depends entirely on how the targeted companies respond and how up-to-date their threat intelligence and security policies are.
Criminals will always look for a vulnerable mark, and there are plenty of those in Europe. Online fraud is successful partly because it is so easily replicated: the profits to be gained from attacking one large bank, which has plenty of IT security in place and invests heavily in threat intelligence and monitoring, can be the same as attacking 100 smaller e-commerce outfits who have less capital to siphon off, but also have less protective measures in place.
Indeed, the high levels of e-commerce in Europe and the low levels of security often involved suggest that this is likely to be a prime target for Brazilian cyber criminals – and the organisations that buy the data they steal. The longer an online business persists in the belief that it won’t be a target, the greater the chances are that it will become one. Investing in threat intelligence and security has become at least as important as logistics and fulfilment, and in an online climate where corporate reputation can be destroyed in seconds it is better to do so before an attack rather than after.
