World Cup Brazil 2014: How cybercriminals are looking to score

Starting this week, 32 national teams and thousands of football fans will descend on Brazil for the 2014 FIFA World Cup. Right now the teams are fine-tuning their strategies in order to outwit their opponents – and so are the cybercriminals.

Cybercriminals are already using various attack techniques to exploit the World Cup theme, including fraudulent domains selling fake tickets, fake giveaways, and several phishing and malware campaigns. They are also using methods like credit card cloning and ATM scams to attack those attending the games in Brazil. These cyber attacks have only intensified as the tournament approaches and they all have the same end-goal: to steal your money.

One part of this story is the attacks that happen online. These include professional phishing attacks that use digitally-signed malware, malicious email scams, SSL-certified phishing domains and a lot of social engineering. Phishers are notorious for compromising a legitimate site and using it to host their malicious page, e.g., anotherwebsite.com/paypal_phish_page. Professional phisher can even prepare an attack in such a way that the average user would find it very difficult to tell if a page is legit or not.

And that’s exactly what Brazilian phishers are now doing – registering domains with names of well-known local brands, usually credit card companies, banks, online stores, etc. These phishing domains had a very professional look and feel and in Brazil alone, Kaspersky Lab is detecting and blocking on average about 50-60 domains like this per day. But aren’t the only ones exploiting the theme of the World Cup – these attacks are appearing elsewhere in different languages and with different targets.

The phishers have not stopped there: they have also registered domains and started buying SSL certificates from Certification Authorities such as Comodo, EssentialSSL, Starfield and Register.com. This results in phishing domains with a “verified’ SSL certificate, which are often challenging for an ordinary user to recognize. To make matters worse, phisher also create fraudulent pages in mobile formats, so they can steal data from users who clicks the link on their smartphone.

Digitally-signed, but malicious
Leading up to the World Cup, Brazilian cybercriminals are buy SSL certificates and creating campaigns that distribute digitally-signed malware. These files often appear in messages that say a person has won a ticket to a World Cup match. Then to “claim” the ticket, the person is asked to download the ticket to pring. However, the link points to a digitally-signed Brazilian Trojan banker like Trojan-Banker.Win32.Banker.bplh.

Breached database, personalized attack
Cybercriminals are also sending personalized emails supposedly sent by a well-known online ticket sales system also informing people that they’ve won a ticket to a World Cup match. These emails include personal data such as names, dates of birth and addresses. The information was allegedly taken from a breached customer database of unknown origin. These messages also point to a website that asks users to download a file, which turns out to be yet another Trojan banker.

The other part of the story involves attacks that happen to those attending a World Cup match. These happen most commonly on corrupt ATMs and Point of Sales (PoS) devices in Brazil. This country has some of the most creative criminals specializing in credit card cloning, using skimmer devices, fake signage and, of course, a lot of malware.

PoS devices are very common in Brazil; in fact, credit cards are the preferred way to buy goods. As a result, cybercriminals look to take advantage. One way they accomplish this is when people hand over their cards to the staff in restaurants and stores. Criminals can easily clone the card behind closed doors without the patron seeing.

Another way Brazilian cybercriminals are cloning credit cards is through malware. They export PoS malware from Eastern Europe and use it locally, to infect machines and sniff credit card numbers. One example is the “Chupa Cabra malware”, Trojan-Spy.Win32.SPSniffer, a malware family with several variants developed in Brazil and seen in the wild since 2010.

This Trojan affects PoS and PIN pad devices, both of which are very common in the country. The Trojan infects the computer and sniffs the data transmitted through a USB or serial ports. Usually PIN pads are equipped with security features to ensure that security keys are erased if a device is tampered with. However, Track 1 data (credit card numbers, expiration dates, service code and CVV) and the public CHIP data aren’t encrypted in the hardware of old and outdated devices. Capturing this data is enough to clone a credit card. Although operators are aware of the problem, the continued emergence of new variants of this malware allows these attacks to remain effective.

ATM skimmers and jackpot malware
Brazil is among the countries that has most ATMs worldwide, according to the World Bank. So there are more than 160,000 opportunities for fraudsters to install a skimmer (also known as “Chupa Cabra devices”). Most skimmers can be foiled by covering the key pad with a person’s hand while entering a PIN, but there are some who take skimming to a whole new level and install an entirely fake ATM.

Another interesting trend in Brazil and Latin America is “jackpot” malware, such as Ploutus in Mexico. In these cases, cybercriminals infect the ATM using a USB stick and the malware makes it possible to remove all the money from that ATM.

Whether you are planning to travel to Brazil for the World Cup or follow it online, your best protection is a keen eye – don’t trust any messages you receive, and double-check before clicking links. Never accept or ask for help from strangers when using ATMs, even if they don’t look suspicious, and wherever possible try to pay using a wireless PoS device – they’re a bit more secure than the older ones connected to serial or USB ports.

Don't miss