Brazilians Continue Under Heavy Phishing Attack with Banco Itau, Bradesco Impersonations

Fraud attempts are on the rise and Brazilians are in the cross hairs. Fraudsters use a variety of baits and send countless mails with attached phishing forms or misleading links to steal users’ critical financial data such as password, username, credit cards number, email address security code. Filling in the form gives crooks pretty much everything they need to access cash in the compromised accounts, impersonate the victims or use that data in fraud or spam campaigns.

One such fraud attack targets clients of Banco Ita in Brazil with alleged official bank notifications informing them that the bank upgraded the tokens it uses for online account authentication. All they need to do is follow a link provided in the message to access the accounts and request the new device. Unfortunately, the link redirects users to an unauthorized location with the purpose of collecting all their login information.

Fig. 1 Bogus e-mail allegedly sent by Itau Bank

A second ongoing fraud campaign aims at Banco Bradesco Financiamentos with fake e-mails to inform customers Bradesco is performing an account update. It says the user needs to click a certain link and follow all the requirements listed there, including to log into the personal account and type in authentication data and account private data.

Fig. 2 Counterfeited e-mail allegedly sent by BancoBradesco

For Itau and Bradesco customers, phishing is not the only threat coming their way. There are also e-mail messages advising people to download a banker Trojan advertised as iToken. Once launched, this Trojan (identified by Bitdefender with the generic detection name Trojan.Banker.Delf) displays a fake utility window that asks the user to update certain Itau bank files. The Trojan then steals the authentication data and the one-time passwords generated by the iToken and sends the gathered information to a predefined list of e-mail addresses.

Fig.3 Bogus utility window asking users to update Itau bank files

In most cases these scams are not sent out of the blue because this would make them seem out of context and users might be inclined to look for more details, blowing the campaign’s cover. To make the con more credible, most phishing campaigns and fraud attacks are based on ongoing, real actions and campaigns launched by the targeted banks.

For instance, if a bank announces account updates or a new security system, crooks immediately create emails to impersonate an official announcement informing users of the real-life action. They will also attach counterfeited login form or a link towards a rogue location to steal their personal data.

Fig. 4 Example of a phishing form

Every time you have any suspicions regarding your online card account data, call your bank and have all recent transactions blocked at once. They will direct you through the steps necessary to have your card re-issued.

Another type of financial fraud – closer to a Nigerian scheme – targets users from the business sector who experienced problems wiring money or using bank draft. The messages offer an alternative solution through an international payment ATM. The user will receive a dedicated ATM card worth 10 mil US dollars with a maximum withdrawal limit of 15,000 a day. The user only needs to contact a certain person (the e-mail contains the person’s contact data) and provide him with name, current address, phone number, short description of the person and activity.

As a rule, always avoid giving out credit card information, especially when you need to disclose your PIN or CVV info. Banks and other institutions working with money never ask clients to change IDs or passwords via e-mail. When in doubt, call or pay them a visit to make sure. Also, install anti-virus software and keep it up to date.

Phishing, alongside keylogging, continues among the most common ways of stealing passwords. Customers in Brazil need to pay extra attention to when and where they reveal their authentication data as they are constantly under heavy phishing attack.