Brazil is seeing its second major banking Trojan campaign in two weeks.
IBM X-Force has discovered a new version of Zeus Sphinx, a sophisticated malware campaign now targeting the online banking and Boleto payment services of three of the top Brazilian banks, and one bank in Colombia, according to its configuration file.
The criminals are likely trying to capitalize on the Olympic games in Rio, first with Zeus Panda, which targeted 10 local banking and payment industry targets in Brazil. Now, a fresh version of the Zeus Sphinx malware has been uncovered; it adapts social engineering injections to manipulate users in each targeted bank.
Sphinx has been around for about a year now, launched initially in attacks targeting UK and Australian banks. According to X-Force researchers, the Brazilian iteration of Zeus Sphinx, which is dubbed Sphinx v2, most likely comes from the same developer and is customized to target local banks.
Aside from social engineering injections that ask for payment card PIN codes and PII, Sphinx v2 has been adapted to rob Boleto payments from infected victims. Boleto payments are similar to the Western Union money order system in the US.
“Boletos have been a lucrative target for Brazilian malware authors for the past few years, with one estimate attributing $3.75 billion in fraud losses to just one cybercrime faction that targeted Brazilians from 2012 to 2014,” researchers explained.
While in some cases Sphinx web-injections only ask victims to provide passcodes and PII, in others it also requires payment card PIN codes and the person’s home and mobile phone numbers—mixing digital and physical social engineering to scam victims and empty their accounts. IBM X-Force explained that in these schemes, fraudsters may start off the fraud chain by stealing online banking details, but then, in order to obtain more information, they may supplement their scams with phone calls to the victims.
“This migration of yet another commercial Zeus variant into Brazil further underscores the trending collaboration between Brazil-based cybercriminals with cybercrime vendors from other countries and underground communities—a movement which has been picking up speed in Brazil since the beginning of 2016,” IBM researchers noted.
Photo © John T Takai