Think, Learn, Act – Training for Aspiring Cyber Criminals in the Brazilian Underground

During our research into the underground black markets of the world, we keep stumbling upon interesting finds or detect aspects that make these regional ecosystems unique and interesting. We’d earlier observed that the Brazilian underground (as covered in our initial report titled The Brazilian Underground Market: The Market for Cybercriminal Wannabes?) was catching up to its Eastern European and Chinese counterparts.

Offers to teach fellow cyber crooks in the ways of cybercrime are a common part of the Brazilian underground. As we noted in our recently published research paper Ascending the Ranks: The Brazilian Cybercriminal Underground in 2015 we note tutorials and training kits for newbie cybercriminals can be frequently found for sale.

Various kinds of training courses and how-to guides are available. It’s almost as if online courses in cybercrime are available: for a relatively small fee, anyone can learn how to commit fraud and become a criminal.

Figure 1. Website advertising three-month long training in carding

Consider the above example. The site above is for a three-month long course in carding: the first month covers the basics (such as creating banking malware, setting up botnets, and how to properly monetize stolen card info via money mules. The second months adds card cloning, and how to create specific banking malware. The third month includes lessons in how to create crypters to protect thier malware. Total costs? 300 Brazilian reals, or over 76 US dollars.

Figure 2. Website advertising fraudulent credit card usage training

The above ad is for training in credit card approval. The focus here is on how to get transactions using fraudulent cards approved. Online stores like Amazon, Apple, eBay, and Dell are mentioned. This training includes how to carry out fraudulent transactions, how to mask one’s IP address when doing so, how to determine available balances, as well as other monetization techniques.

Figure 3. Website advertising a crypter-modification training

The above ad is for training in how to create and use crypters. The goal here is to allow a cybercriminal to make fully undetectable malware that bypasses security software. The service is quite customer-friendly: online support for the course is provided via Skype, and a 90-minute long video is provided as supplementary material. (Access to updated versions of the video is also provided for free.)

Offering such training and tutorials must be lucrative, and the demand is certainly there. Lax law enforcement in Brazil contributes toward an environment where quick returns and low risk creates an incentive for individuals to engage themselves in the online crime business. The community that is willing to help out newcomers, give them basic tools to get started, and guide them through the most important steps. It is not surprising that a lot of these individuals probably grab this unique chance to get started and create a “livelihood” for themselves in the underground.

Apart from trainings, staple products like online banking malware and keyloggers among others continue to be prevalent offerings in the underground. While not much has changed with the products and services being sold, new entrants were observed. These include Brazil’s own ‘local flavored’ ransomware that can run on various platforms such as Windows®, Linux®, Android, iOS™, and OS X™ devices as well as modified Android apps. These apps are typically seen in underground forums and changed to pay for the prepaid credits using stolen credit card credentials. Personal identifiable information (PII) querying services also figured in the underground market.

To find out more about the newest developments in the Brazilian underground and an updated list of current offerings and services to be found there, please see our recent research paper Ascending the Ranks: The Brazilian Cybercriminal Underground in 2015.