Brazil has been designated a major hub for financially motivated eCrime threat activity. Brazilian threat actors are targeting domestic and foreign entities and individuals, with frequent targeting of U.S. assets. The country routinely places in "Top Five" lists of various global cyber crime rankings, and multiple sources claim that financially motivated threat activity in the country has increased within the past few years.
In this blog we provide insight into the tactics, techniques and procedures (TTPs) of a Brazilian cyber crime group that specializes in payment card fraud operations. The threat actors, observed by FireEye Labs, use a variety of different methods to either compromise or acquire already compromised payment card credentials, including sharing or purchasing dumps online, hacking vulnerable merchant websites and compromising payment card processing devices. Once in their possession, the actors use these compromised payment card credentials to generate further card information. The main methods used by the observed group to launder and monetize illicit funds include online purchases of various goods and services as well as ATM withdrawals.
Based on extensive observation of this group's activity, we are able to characterize their operations lifecycle starting with the initial operational setup; followed by the methods used to compromise credentials or, conversely, purchase already compromised credentials; then the process of generating new cards for subsequent abuse, which includes validation and cloning; and finally the subsequent monetization strategies.