Report Examines the Rise of Cybercrime Across Latin America

A cyber intelligence firm was asked by a Colombian bank customer to investigate the persistent phishing campaigns it had been experiencing. This triggered a wider examination of cybercrime across the whole Latin America region, which uncovered a melting pot (described as a ‘perfect storm’) of social, geopolitical and economic conditions promoting a dramatic rise in cybercriminal activity.

There are several triggers. Firstly, economic problems locally centered on Venezuela but affecting the whole region and exacerbated by global trade conditions are causing genuine hardship throughout the region for many young people. Some of these people are turning to cybercrime as a means — if not the only means — of earning money.

Secondly, there is high internet use among a huge population with low awareness of cyber security. This is compounded by little government security regulation forcing companies to improve their own security. This is changing only slowly, although Brazil is leading the way (it has a GDPR-like regulation expected to come into force during 2020).

Thirdly, bribery and corruption within law enforcement and government agencies are relatively high.

The one positive sign is that Latin America is not home to sophisticated APT groups. In general, these are most focused in countries that have advanced military cyber capabilities, where the distinction between APT and government groups becomes blurred or non-existent — such as China, Russia, North Korea and Iran. This is not the case in Latin America.

Instead, cybercriminality seems to divide into two groups: less experienced ‘hackers’ seeking to improve their own income, and more experienced hackers being recruited by the existing drug cartels.

The investigation was undertaken (PDF) by IntSights, with additional assistance from CipherTrace (to examine the role of cryptocurrency) and Scitum (a large Mexican MSP that could provide local knowledge). The initial investigation into the phishing campaigns led IntSights to ‘Carlo’. Carlo is not a hardened sophisticated criminal hacker. He has developed his own phishing methodology, and employs others to set up his phishing websites. When they get taken down, they just spin up new websites, mirroring banks such as the one that called in IntSights.

“Carlo,” IntSights’ cyber threat intelligence advisor Charity Wright told SecurityWeek, “is almost a Robin Hood type of character.” He does little to hide himself, and even provides tutorials and advice to other phishers around the world.

Another example of this unsophisticated form of Latin American criminality can be found in the Bineros, so called for their widespread use of the BINero fraud. The BIN number is the 4- to 6-character code at the beginning of a credit card number that identifies the issuing organization. However, since not all banks accept all issuing sources, the processing software needs to be able to reject some and accept others. Perhaps because of this complexity, there is a vulnerability in the processing of credit card numbers on some websites.

The Bineros discovered that some websites will accept a transaction with some BIN numbers, without properly processing the remaining numbers of the card. “The threat actors have discovered which BIN numbers are not compatible with some websites,” said Wright. “So, they can enter the initial BIN number digits and then fill in the rest with random numbers and create a successful but fraudulent transaction on that site.” Each individual fraud may not be large, but the practice is common and widespread. There are even groups on social media like Facebook that discuss the BIN numbers that work with different websites.
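The weak behaviour described above, beside a hardened pre-check and a log-side detector for the attempt pattern, as an added example that is not code from IntSights or the article. The accepted BIN, card numbers and source IPs are constructed test data; `validate_pan` only filters obviously bad numbers before authorisation, it does not replace the issuer's approval.

```python
# Added example, not code from IntSights or the article: a checkout-side PAN
# pre-check that rejects BIN-plus-random-digits numbers, and a log-side detector
# for the attempt pattern described above. All PANs and IPs are constructed.
from collections import defaultdict

def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit over the whole PAN; a random tail passes it only 1 in 10 times."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def accepts_by_bin_only(pan: str, accepted_bins: set) -> bool:
    """The weak behaviour the article describes: only the BIN prefix is examined."""
    return pan[:6] in accepted_bins

def validate_pan(pan: str, accepted_bins: set) -> bool:
    """Hardened pre-check: known BIN, digits only, plausible length, Luhn-valid.
    It filters garbage before authorisation; the issuer must still approve the card."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    return pan[:6] in accepted_bins and luhn_valid(pan)

def bin_stuffing_sources(attempts, min_attempts=5, fail_ratio=0.5) -> dict:
    """Flag sources submitting many distinct PANs on one BIN where most fail Luhn.
    attempts: iterable of (source_ip, pan). Returns {source_ip: bin}."""
    seen = defaultdict(set)        # (source, bin) -> distinct PANs
    fails = defaultdict(int)       # (source, bin) -> Luhn failures
    for source, pan in attempts:
        pan = pan.replace(" ", "")
        key = (source, pan[:6])
        if pan not in seen[key]:
            seen[key].add(pan)
            if not (pan.isdigit() and luhn_valid(pan)):
                fails[key] += 1
    return {src: b for (src, b), pans in seen.items()
            if len(pans) >= min_attempts and fails[(src, b)] / len(pans) >= fail_ratio}

ACCEPTED_BINS = {"411111"}                    # constructed: one BIN the merchant accepts
RANDOM_TAIL = "4111110000000001"              # BIN kept, rest filled in at random
LUCKY_TAIL = "4111110000000005"               # random fill that happens to pass Luhn
ATTEMPTS = [("198.51.100.7", f"41111100000000{n:02d}") for n in range(5)] + \
           [("203.0.113.9", "4111 1111 1111 1111")]
```

Because one random fill in ten passes Luhn (as `LUCKY_TAIL` shows), the detector is the more useful control: it keys on many distinct numbers from one source sharing a BIN, not on any single failed check.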

But there is a darker side to the Latin American hacking scene. Drug cartels are beginning to recruit the more sophisticated hackers to help with money laundering, ATM thefts, and breaking into bank networks. “The cartels aren’t using hackers to provide an alternative to drug money, just a relatively easy additional source of income — it’s easier to use a hacker to syphon money out of an ATM than to break into one, or rob a bank.”

Some of these hackers are lured into joining the cartels by the gangs flaunting their wealth. “They lure them in with meetings at their mansions, showing their wealth and suggesting the hackers can have a similar lifestyle,” said Wright. “Everyone in the region is very financially motivated, so it doesn’t take much. But we’ve also heard reports of hackers being abducted and forced to work with the gangs. The marriage between hackers and the cartels,” she added, “will be the most pressing threat during 2020.”

Fueling this process are the huge amounts of drug money held by the cartels, and the growing use of cryptocurrency to help launder it. In 2014, an FBI bust in Los Angeles seized $90 million being laundered by the Mexican Sinaloa cartel. Most of this money was in cash.

More recently, in October 2019, Molina Lee — an official of the Panamanian payment processing firm Crypto Capital — was arrested in Greece under a European Arrest Warrant and extradited to Poland. “The Polish Ministry of Justice,” says the IntSights report, “seized $350 million from a Polish bank, claiming that the funds were directly tied to money laundering that Molina Lee conducted for Colombian drug cartels using cryptocurrency.”

Cryptocurrency has the effect of globalizing cybercrime. In the past, much of Latin America’s cybercrime was local, constrained by language and money transfer issues. Cryptocurrency has removed the latter. Cryptocurrency tumbler or mixer services mix possibly tainted money with other money while simultaneously obfuscating the source through multiple ‘hops’ through Tor. Unregulated exchanges are also used. “Researchers estimate,” says the report, “that after cryptocurrencies have been cleaned on exchanges, 97 percent end up in countries that have extremely lax regulations, with Latin American economies topping the charts.”

With the more advanced Latin American hackers joining forces with well-established and cash-rich drug cartels, and with relatively easy international money laundering and transfer available through cryptocurrency, the danger now is that Latin American hackers will cease being confined to Latin American countries, and will begin to see anywhere in the world as a potential target.