Staple product offerings like online banking Trojans and tutorials for aspiring cybercriminals are still being peddled in the Brazilian underground market. While old crimeware remain the same, we observed that these young and brazen cybercriminals (two words that aptly describe the Brazilian cybercriminals of today), have switched communication platforms. After the temporary shutdown on WhatsApp last December, cybercriminals changed messaging tools to avoid unwanted attention from law enforcement agencies. Although this shift may be coincidental, the secure messaging features of Telegram, a cloud-based messenger similar to WhatsApp, may make it ripe for abuse.
Brazilian courts required WhatsApp to provide information in relation to criminal investigations at the end of 2015. A court order was issued to telecom providers to block access to WhatsApp, due to failure to abide, forcing users (including cybercriminals) to look for new means to communicate with others. Prior to enforcing the order, WhatsApp had 93 million users in Brazil. This has since dwindled when users moved to Telegram.
From WhatsApp to Telegram: Why?
Popularity sometimes comes with a price. Such was WhatApp’s and is now Telegram’s case in Brazil. Cybercriminals have long been abusing WhatsApp and similar chat apps for illicit business transactions. So what made Telegram a likely substitute?
Users find Telegram appealing due to features such as seamless multi-device access, “secret chats” with a self-destruct timer wherein you can indicate when the messages will be deleted, file-sharing of different file types of up to 1.5 GB, and “chat groups and channels.” We believe cybercriminals opted for Telegram because, like WhatsApp, it encrypts the messages sent over its network. That said, law enforcement agencies can’t easily prove the illicit nature of cybercriminal transactions conducted via the service. Users can also create and chat with large groups of people at the same time, much like forum pages, where a lot of cybercriminal deals and communications occur.
Telegram can host groups with up to 5,000 members. The only thing users had to do is create a nickname (without ties to an email address) to join a group. In the course of doing research, we found two Telegram groups, with around 10,000 users in total, engaging in suspicious activities such as selling hacked accounts and credit card details, among others. Nicknames don’t necessarily make for easy identification compared with email addresses.
Figures 1 and 2. Telegram groups engaged in suspicious activities
Telegram lets users create “channels” where they can choose to hide their phone numbers even to other members. For bad guys, this translates to “anonymity.” Members who want to buy any of the product offerings in these “channels” can just send the administrator (most likely the seller) a private message to avail of crimeware.
What products are offered on Telegram channels?
The product offerings sold in the channels we’ve seen include stolen credit cards and credentials to hacked Netflix accounts. What’s interesting though is that these wares are available for free. Peddlers may just be trying to build a reputation of notoriety, hoping to be recognized as the best hackers.
Figure 3. Stolen credit/debit card data, including proof of validity, posted on a Telegram channel
In some channels, cybercriminals even encouraged group participation, asking successful users of stolen credentials to show proof via screenshots. We also saw a “personal” channel whose solo owner complained about how other groups copied his materials.
Figure 4. Sample stolen Netflix credentials
Figure 6. List of stolen credit card credentials
Figure 7. A post advertising a fake page of Americas, an online shopping store
(Translation: Americas Fake Page For those whose requested me There is)
Figures 8 and 9. Codes of a sample phishing page pertaining to an online store in Brazil
With the growing number of smartphone users in Brazil, it’s not surprising that the people behind the suspicious Telegram channels target mobile users, too. We’ve seen various rogue apps with different capabilities offered in these channels. Some of these malicious apps are premium abusers and have capability of generating credit card information.
Figures 10 and 11. Fake apps that offer free streaming services
(Translation: Soon I'll share few accounts with you. Let's start your cracked Spotify downloads. - Image - Cracked Spotify APP to use limitless, you can unlimited hear musics with no ads! Your just have to login with a new created credential. Or login with a Facebook account. )
Figure 12. Sample app with credit-card-credential-generating capability
What’s in it for young, bold cybercriminals?
Based on some posts we found, the sellers of stolen credentials are still in high school, most likely younger than 20 years old. We’re not sure if they work alone or in groups. But most are certainly self-taught/self-starters, obtaining knowledge and skills by joining and participating in forums–judging by the number of hacking/carding tutorials and how-to guides they share with other group members.
Figure 13. Proof of a Brazilian cybercriminal’s age
(Translation: Folks, I’m going to school, at 6:30 PM I’ll send more ccs, tks)
Brazilian underground players considered cybercrime as their lucrative job due to the quick monetary gains. It doesn’t help that any aspiring cybercriminal can easily learn the ropes through a myriad of cybercrime training manuals shared or sold underground or available in the Deep Web.
The use of the Surface web and popular messaging tools shows how unfazed these Brazilian cybercriminals are to go against law enforcement. We believe this may change in the future especially if there is collaboration between Brazilian law enforcement and security researchers. In the same manner, we have notified Telegram about the abuse in their service.