Criminal activity in the region: Global schemes, with a heavy touch of local

Gather all, gather ye! Group-IB experts are here to uncover trade secrets from the dark side—cybercrime insights on unseen TTPs, hidden infrastructures, and strategies of the most nefarious threat actors. The fight against cybercrime is a constant ordeal, but the shadows grow weaker with each shore we conquer.

Group-IB’s two-decade-long perseverance, technological and human expertise know no bounds — from shore to shore, land to land, we extend and stand with people, governments, and businesses as their shield against evolving crime.

As we navigate the ever-shifting tides of the cyber world, our journey takes us to Latin America – a land of vibrant cultures, economic growth, and boundless digital potential. But beneath the surface, in the depths of this digital ocean, lurk threats that evolve with unsettling speed. Here, cybercrime is not just surviving; it is adapting, learning, and embedding itself into the very fabric of daily life.

Like skilled illusionists, scammers craft deceptions so intricate that even the most vigilant can be ensnared. From phishing and document fraud to counterfeit insurance firms and fake loan providers, cybercriminals exploit both human psychology and technology. They don’t just deceive; they build trust. Scammers exploit leaked personal data and local identifiers such as CPF numbers in Brazil, RUTs in Chile, and CUILs in Argentina, which makes their schemes eerily convincing.

But just as threats evolve, so do defenses. At Group-IB, we trace the unseen paths of cybercriminals, uncovering their hidden infrastructures and dissecting their methods. The fight against cybercrime is an unending voyage, and every discovery brings us closer to weakening the shadows. In this article, we set sail through the digital underworld of Latin America, exposing cybercriminals’ techniques, motivations, and ever-shifting strategies – and, most importantly, what can be done to stop them.

From The Shores of Brazil: A Loan Mirage

Brazil is the second most vulnerable country to cyber attacks. Many criminal groups perpetrate localized threats, and scam loan schemes are a popular pick. Upon investigating the region, we encountered a sprawling network of scam loan schemes that lure victims through Facebook while disguising themselves as one of four prominent financial organizations.

These scam loan schemes are designed to lure victims based on brand trust, featuring well-known celebrities or public figures to appear credible.

Clicking on these ads opens another made-up gateway for the victims to interact with. They’re directed to a fake website, expertly crafted to mimic an official platform. Here, a chat interface connects users with what seems to be a “friendly customer representative.”

Interestingly, Group-IB’s experts’ analysis shows that scammers frequently use legitimate chatbot platforms, like Typebot.io, to create these convincing interactions. By borrowing the credibility of a reputable service, they develop sophisticated scripts that closely resemble real customer support conversations. This approach lends their schemes an air of authenticity and underscores a significant issue: the exploitation of legitimate tools for harmful purposes. In 2024 alone, Group-IB discovered at least 97 domains targeting four major brands, each crafted to ensnare unsuspecting victims.

One such domain, https://chat.brasil-atendimento.site/cred, shows the sophistication scammers can achieve. Visitors are asked to verify their CPF (Cadastro de Pessoas Físicas) number, a unique identifier essential for accessing financial services in Brazil. The verification step also requests additional information, such as the victim’s date of birth and their mother’s name, which adds an element of legitimacy to the interaction. The site’s fake chat interface employs self-hosted Typebot instances to run the conversations, giving the impression of a professional customer service channel.

The site asks users to confirm their birthdate and mother’s name, providing at least three confirmation options. Interestingly, no traffic is observed going to or coming from external sites or APIs, indicating that the malicious domain might be storing this information internally. Users can proceed with the loan request after a few attempts to select the correct mother’s name.

It’s important to note that no other information is verified at this point, which enhances the illusion of legitimacy and makes the scam appear more convincing while avoiding real-time data checks.

Once the correct details are submitted, the scammers simulate a loan approval process. Victims are led through steps where they must provide additional information, such as account or PIX numbers, without any validation mechanisms. Ultimately, they are told that the loan is approved, but with a catch: to “secure” the loan, they must buy an insurance policy or offer collateral, such as a vehicle.

Image 5: The site allows us to enter any account number (PIX number) for money transfers without any validation or checks.

Image 6: Once all the loan options have been selected and accepted, the user is told that they must purchase loan insurance to proceed.

Image 7: Loan insurance options are given: buy the insurance now and receive BRL 4,600, or offer their car as collateral.

After the loan was showcased as “approved,” the site told the victims to buy loan insurance as protection in case they didn’t repay. They had two choices: to “buy insurance and get the loan” or to “offer a vehicle as collateral.” We opted for the first choice and were sent to a page featuring a well-known insurance brand to complete the transaction.

The final step in the scam directs users to a payment page hosted on a different domain from the chat site. This page, which can only be accessed through a Brazilian VPN, illicitly employs the name of a well-known brand that is trusted for money transfers across Latin America. Here, users are asked to enter sensitive payment information, including their email, phone number, full name, CPF, and credit card details, such as the CVV.

Image 9: Attempts made to access from other countries are blocked.

Over the past year, our research and analysis of fake payment pages identified approximately 27 websites impersonating a well-known digital payment service in Latin America. These fake portals are disguised as legitimate platforms, tricking users into entering sensitive financial information and exposing them to potential scams.

Upon closer examination of the infrastructure behind these sites, we see how criminals strategically and meticulously construct their operations. We examined the source code of these sites and found that scammers use their own domains and S3 buckets to deploy chatbots. Resources like minio.atendimentonline.site and s3.consultarfacilonline.site are specifically designed to manage interactions with victims and orchestrate their schemes.

Further investigation into these scams highlights how criminals adapt to local conditions and the digital environment of Latin America, creating fraud schemes that seamlessly integrate into daily life: traps that locals can easily fall into because they draw on regional elements, language, and cultural cues. Reputable services, such as Typebot.io, only accentuate their effectiveness, making these scams even harder to detect.

Image 11: Source code of the page showing where the Typebot code is loaded from and how it is used.

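As an added illustration (not Group-IB’s code or tooling), the following triage heuristic applies the observation above to pages collected from a suspicious-domain feed: it flags pages that embed the Typebot widget with an apiHost outside the vendor’s own domain and that prompt for CPF or other identity details. The `apiHost` parameter name, the Portuguese prompt wording, and the example page URLs are assumptions; the self-hosted MinIO host is the one named in the article.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Only the vendor's own hosts count as the official hosted service; any other
# apiHost means the chatbot backend is self-hosted (assumption of this heuristic).
OFFICIAL_TYPEBOT_HOSTS = {"typebot.io", "app.typebot.io"}

# Prompts the fake loan chat uses to harvest identity data (Portuguese wording assumed).
IDENTITY_PROMPTS = ("cpf", "data de nascimento", "nome da mãe")

TYPEBOT_LOADER = re.compile(r"@typebot\.io/js", re.I)
API_HOST = re.compile(r"""apiHost\s*:\s*["']([^"']+)["']""", re.I)

def typebot_api_host(html: str) -> Optional[str]:
    """Hostname the embedded Typebot widget sends the conversation to, or None."""
    if not TYPEBOT_LOADER.search(html):
        return None
    m = API_HOST.search(html)
    # An embed with no explicit apiHost talks to the vendor's cloud service.
    return urlparse(m.group(1)).hostname if m else "typebot.io"

def assess_page(page_url: str, html: str) -> dict:
    """Triage one fetched page: self-hosted Typebot plus identity prompts = suspect."""
    api_host = typebot_api_host(html)
    self_hosted = api_host is not None and api_host not in OFFICIAL_TYPEBOT_HOSTS
    prompts = [p for p in IDENTITY_PROMPTS if p in html.lower()]
    return {
        "page_host": urlparse(page_url).hostname,
        "typebot_api_host": api_host,
        "self_hosted_typebot": self_hosted,
        "identity_prompts": prompts,
        "suspect": self_hosted and bool(prompts),
    }

# Constructed page fragments; the apiHost below is the MinIO host named in the article.
SUSPECT_HTML = """<p>Informe seu CPF e data de nascimento</p>
<script type="module">
  import Typebot from 'https://cdn.jsdelivr.net/npm/@typebot.io/js@0.3/dist/web.js'
  Typebot.initStandard({ typebot: "cred", apiHost: "https://minio.atendimentonline.site" });
</script>"""

BENIGN_HTML = """<p>Fale com nosso suporte</p>
<script type="module">
  import Typebot from 'https://cdn.jsdelivr.net/npm/@typebot.io/js@0.3/dist/web.js'
  Typebot.initStandard({ typebot: "suporte" });
</script>"""
```

Run `assess_page(url, html)` over each fetched page; a `suspect` verdict is a triage signal for analyst review, not proof of fraud on its own.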
How To Not Get Trapped: Recommendations on Building Protection

These scams are a striking reminder of the need for constant vigilance and early protection. Here are some steps that can help safeguard against such threats:

Verify the Source: If an offer appears too good to be true, it likely is. Before providing personal information, especially sensitive data like a CPF number, always confirm the legitimacy of the site or the communication.

Education and Awareness: Knowledge is essential. Ensure that your team and clients are well-informed about prevalent scams in the region and can identify fake websites and phishing attempts.

Leverage Modern Security Tools: Employ technologies to detect fraudulent domains and phishing sites and prevent them from reaching users. Implementing multi-factor authentication will also provide an additional layer of security.

Report Fraud Immediately: If you encounter a fake site or phishing attempt, report it to the relevant authorities to help reduce its spread and protect others from becoming victims.

For Businesses

Fraud Protection

Fraud today comes in all shapes and sizes, making it essential to stay ahead of evolving tactics. Group-IB Fraud Protection, powered by an in-built intelligence platform, integrates Cyber Threat Intelligence and adversary Techniques, Tactics, and Procedures (TTPs) to give you a clear view of prominent fraud schemes in your region—mapped against the MITRE ATT&CK framework for a multi-layered approach to fraud prevention.

More than just a defense tool, our fraud protection solution detects early indicators of fraudulent activity, stopping threats before they escalate. This makes it the most comprehensive anti-fraud solution on the market.

Digital Risk Protection

Protecting your digital identity from multifaceted attacks should be a top priority for businesses. Brand impersonation, scams, data breaches, leaks, and illegal mentions constantly surface across social media, the dark web, underground forums, and other online platforms, posing serious risks. Group-IB’s Digital Risk Protection (DRP) helps you monitor, detect, and defend against these threats before they impact your organization.

As criminals continually refine their tactics, staying ahead is absolutely necessary. Understanding local nuances and the digital landscape is crucial for defending against the increasing threats. Together, we can make Latin America’s digital environment safer for everyone. For businesses keen on building a complete cybersecurity strategy, contact our experts here.