Common banking malware this time of year: How to avoid it?

Banking malware is common at this time of year, and some good practices can prevent it

This time of year is the season for attacks and fraud involving Brazilians' bank accounts. But there are good practices that can protect anyone from social engineering techniques and financial malware. In this post, you will find guidelines to avoid falling into the traps of cyber gangs.

Brazil is a country marked by the presence of various banking malware and social engineering tactics, which are more common at this time of year.

Cybercriminals rely on SMS messages, emails and fake portals to obtain banking credentials from unsuspecting users. Along the same lines, they create malware that mimics legitimate banking applications to steal data and divert funds from their targets' accounts.

Social Engineering - Phishing

The barrier to entry for fooling a target is much lower than the effort of developing malware. For this reason, many common scams do not involve malicious software at all; instead, they seek to trick the victim into handing over the information someone else needs to access their account. This practice is technically called phishing. Below we detail how to avoid these scams according to the vector used (SMS, e-mail messages, fake portals).

SMS Messaging

Although little used for interpersonal communication these days, text messages are still widely used for legitimate purposes. Financial institutions, for example, send notices about suspicious purchases, balances and bill payments via SMS. Because any cell phone can receive them, SMS is the simplest attack vector for criminals. And because people are used to receiving legitimate messages from their bank this way, they are not surprised when a forged one arrives. The following example points out the aspects that give away a fake message.

Consider this message:

The first point of attention in the image above is the sender: it is a personal cell phone number, including the area code (62). Check the messages that your bank sends. The sender is not a phone number, but a sequence of 4 or 5 random digits accompanied by the country code (+55 for Brazil).

Let's look at the content itself. It is a message that seeks to create a sense of alarm in the reader. This is common to all types of fraudulent contact, regardless of the medium: the idea is to take advantage of the sense of urgency so that the victim does not have time to think about whether something in the communication is suspicious.

Do not act in a panic. When a purchase looks suspicious, the bank's default behavior is to block the transaction unless the customer confirms it. Under normal circumstances, the 599.90 charge would not be authorized just because you did not click a link.

The link itself is the next tip. Never click on links sent to you by banking institutions, even legitimate communications. The risk of clicking is always greater than the time lost by adopting an alternative checking method (such as manually checking the information in your app, website, or via a phone call, for example).

Pay special attention to shortened URLs, such as bit.ly or t.co. These are used because text messages have a character limit, but they have the added benefit, for the attacker, of disguising the real URL, which in many cases has nothing to do with the institution's legitimate website. If you are morbidly curious, use VirusTotal or Any.Run to inspect the content (the link is opened in their sandbox rather than on your device), but never fill in your details at these addresses.
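The three tells described in this section (sender that is a full phone number rather than a short code, a link, and urgency wording) can be turned into a simple triage check. The code below is an added example, not part of the original post; the shortener list, the Portuguese urgency stems and both sample messages are constructed for illustration.

```python
import re

# Constructed list of URL shorteners (the post names bit.ly and t.co); extend as needed.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "cutt.ly", "is.gd"}
# Constructed list of Portuguese word stems that signal manufactured urgency.
URGENCY_STEMS = ("urgente", "imediat", "bloque", "suspeit", "confirme", "agora")

def sender_kind(sender: str) -> str:
    """Classify the SMS sender: 'short-code' (4-5 digits, optional +55 prefix),
    'phone-number' (area code plus subscriber number) or 'unknown'."""
    digits = re.sub(r"\D", "", sender)
    if digits.startswith("55") and len(digits) - 2 >= 4:
        digits = digits[2:]                  # drop the Brazilian country code
    if 4 <= len(digits) <= 5:
        return "short-code"
    if 10 <= len(digits) <= 11:              # 2-digit area code + 8/9-digit number
        return "phone-number"
    return "unknown"

def sms_red_flags(sender: str, body: str) -> list:
    """Return the reasons a message matches the fake-notice pattern above."""
    reasons = []
    if sender_kind(sender) == "phone-number":
        reasons.append("sender is a personal phone number, not a bank short code")
    for host in re.findall(r"https?://([^/\s]+)", body, flags=re.I):
        if host.lower() in SHORTENERS:
            reasons.append(f"shortened link ({host}) hides the real destination")
        else:
            reasons.append(f"message carries a link ({host}); check in the app instead")
    lowered = body.lower()
    if any(stem in lowered for stem in URGENCY_STEMS):
        reasons.append("wording pushes for immediate action")
    return reasons

# Constructed samples: one imitating the fake message, one plausible bank notice.
FAKE = ("+55 62 98765-4321",
        "Compra SUSPEITA de R$ 599,90 aprovada. Confirme AGORA em http://bit.ly/xyz1")
LEGIT = ("+55 29000", "Sua fatura de R$ 120,00 vence em 10/01. Consulte no app do banco.")

if __name__ == "__main__":
    for label, (sender, body) in (("fake", FAKE), ("legit", LEGIT)):
        print(label, sms_red_flags(sender, body))
```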

E-mail messages and websites

An e-mail message has several fields that can be scrutinized to determine whether the correspondence is legitimate. This practice is technical, so it is beyond the reach of most people, which is precisely why phishing messages are so effective at stealing data.

Instead of taking an investigative approach, we recommend adopting a zero-trust stance. Do not access content delivered via email, no matter how legitimate it may seem. This goes for links as well as attachments. For security teams, tools such as MX Toolbox provide an interface that makes inspecting email headers more readable and user-friendly.
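For security teams, the header checks a tool like MX Toolbox presents can also be scripted: compare the envelope sender with the visible From address and read the receiving server's Authentication-Results (SPF, DKIM, DMARC). This is an added example, not code from the post; the message below is constructed, and the domains in it are placeholders.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real phishing e-mail): the visible From claims to be
# the bank, while the envelope sender and Authentication-Results say otherwise.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mailer-example.net;
 dkim=none;
 dmarc=fail header.from=banco-exemplo.com.br
From: "Banco Exemplo" <seguranca@banco-exemplo.com.br>
To: victim@example.org
Subject: Compra suspeita - confirme agora
Content-Type: text/plain; charset=utf-8

Acesse o link para confirmar a compra.
"""

def domain_of(header_value: str) -> str:
    """Lower-cased domain part of the first address in a header value."""
    addr = parseaddr(header_value)[1]
    return addr.rpartition("@")[2].lower()

def check_headers(raw: str) -> dict:
    """Summarize sender consistency and authentication results for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(str(msg.get("From", "")))
    envelope_domain = domain_of(str(msg.get("Return-Path", "")))
    # Unfold the header and pull out the mechanism=result pairs.
    auth_value = re.sub(r"\s+", " ", str(msg.get("Authentication-Results", "")))
    pairs = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth_value, flags=re.I)
    auth = {k.lower(): v.lower() for k, v in pairs}
    findings = []
    if envelope_domain and envelope_domain != from_domain:
        findings.append(f"envelope sender ({envelope_domain}) differs from From ({from_domain})")
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech} result is {result}")
    return {"from_domain": from_domain, "envelope_domain": envelope_domain,
            "auth": auth, "findings": findings}

if __name__ == "__main__":
    for line in check_headers(SAMPLE_RAW)["findings"]:
        print("-", line)
```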

E-mails that seek to compromise bank accounts do not rely only on malware; it is also common to use fake pages. The following example is taken from the PhishTank portal, which aggregates URLs reported for phishing.

The fake portal is not complex: it is a simple form asking for the victim's card details. Behind the scenes, a JavaScript routine sends the submitted information to a destination controlled by the cybercriminal.

Avoiding phishing

The roadmap for dealing with social engineering techniques, regardless of their vector, is to extend as little trust as possible, always. This is exemplified in the following steps:

  • Never access any content contained in the communication - links or attachments, for example;
  • Never reply to messaging communications, be they via e-mail or SMS;
  • Never give your data through any channel, especially if you did not initiate the communication yourself. The bank called you asking for your CPF? Hang up the phone and call the Call Center yourself;
  • If you need to check on an undue or blocked purchase, use your bank's app or call the Service Center.

Avoiding banking malware

Due to the mass adoption of smartphones, Brazilians tend to handle their finances through apps: one app to access the bank, another to shop at their favorite online store, and so on. The criminals' approach to attacking these channels is similar to phishing, in that it rests on deceiving the target, in this case by spreading fake apps. A recent example covered by The Hacker News details a fake Itaú bank app discovered late this month (December 2021). Cybercriminals create an application whose sole purpose is to read data from the legitimate apps on the phone and exfiltrate it. The first step, just as with phishing messages, is to create something that passes itself off as legitimate.

Source: The Hacker News

The example above tries (albeit poorly) to imitate the legitimate Itaú bank app. The second screen demonstrates how the malicious app works: it relies on the user granting it permissions to access sensitive data from other apps. Here too we advise a zero-trust stance: be judicious with the permissions you grant. Don't know why an app needs access to a certain functionality? Deny the permission. Don't know what a certain feature means (in the Hacker News example, the malicious app asked for access to Android accessibility services, which let an app read what is on screen and act on other apps' interfaces)? Deny the permission.

Our general recommendation is to always tend toward distrust. This also extends to the source of the apps you install. Avoid side-loading, the technical name for installing apps outside the Play Store and App Store. If you have been referred to a website to install an app, look for it in your phone's app store rather than downloading it from the domain in question. Found an .apk file as a means to install it? Ignore it and search for it in the app store.

Conclusion

Social engineering is the least technically demanding form of financial scam. Even when malicious software is created, it commonly disguises itself as a legitimate application and needs the user's express permission to act maliciously. Exploiting zero-day mobile vulnerabilities is the purview of sophisticated groups and nation-level espionage companies; it is unusual to find such attacks against the general population with a goal as basic as stealing banking data, cloning credit cards and making fraudulent purchases. The general tone of this report is the same advice for all types of social engineering and malicious software: be suspicious, share as little information as possible, and verify any information you receive through an alternative channel.

If your own judgment fails, antivirus software can serve as a safeguard. The cell phone is a big part of our daily lives; protecting it as we do personal computers makes perfect sense.

IoC - Indicators of Compromise

_lTAU_SINC/synchronizer

Package name: com.app.packagesinkinstall

SHA256: 3500c50910c94c7f9bc7b39a7b194bac6137cef586281ee22f5439bb2d140480

References

  1. https://thehackernews.com/2021/12/new-android-malware-targeting-brazils_27.html
  2. https://phishtank.org/phish_detail.php?phish_id=7373471
  3. https://mxtoolbox.com/EmailHeaders.aspx
  4. https://cisomag.eccouncil.org/new-malware-discovered-with-brazils-itau-unibanco-bank-app/
