BrasilExposed: the Brazilian internet security crisis

In hacker terminology, the English word exposed refers to an individual whose most important personal information – CPF, RG, address, telephone numbers, membership and even names of neighbors – has been posted on the web so that any Internet user can see it at will.

The act of revealing someone’s private data was invented by virtual activists as a form of revenge against rapists, thieves, murderers, coup plotters, corrupt politicians, and other types of citizens who were supposed to be fragile in the face of the internet. But times have changed, and today, giving exposure to someone is already a common practice even among those who have not and have never had a sense of justice in their actions.

A few hours after the publication of the article about the controversial site, which divulged registration data of almost any Brazilian individual, Info Digital received a complaint from a source who preferred to remain anonymous. In the confession, the Internet user drew our attention to the trade of confidential data that happens freely on the internet, through which such groups get the information necessary for the exposed.

“The Federal Revenue Service and the Federal Police pretend to ignore the truth about the crisis in the data security policies that we live in and the press needs to know. I’m 17 years old, I’ve already had access to the national database of SUS and DETRAN. I sent reports to the PF about what has happened twice and they ignored my emails. Recently a blogger, my friend, had the data leaked by posting a story on my site.”

According to the individual, the episode occurred after the site in question published a document that proved the illegal activities of a virtual gang. This group offered information on Brazilian citizens to foreigners interested in running scams in our country. Based on this complaint – and bearing in mind that cases of electronic fraud and evasion are increasingly common in Brazil – Info Digital decided to check how the security systems of public agencies and national private equity companies are doing. Unfortunately, as you can see in this investigative report, the confidential data of millions of Brazilians are totally unprotected in the online world.

Information traffic

In this article, we will not go into the merits of the Deep Web. It is extremely easy to find this type of criminal practice on sites that we access daily on the surface web, including the social network Facebook. Dozens of pages and groups, all run by groups of anonymous hackers, market their illegal services without a shred of discretion.

Crime Dictionary

The underworld of illegal data-trading seems to have created its own language to facilitate communication among its members, just as gang members use various codes and symbols to identify themselves among other participants in their own tribe. A credit card specialist (cards being the so-called “CCs”), for example, is called a carder, while a hacker focused on bank fraud identifies himself as a banker. Front (“orange”) accounts used to close deals are known as laras.

These cyber-crime professionals offer products in groups with less descriptive names, such as Market 171 and PR1V80; yet most of these virtual clubs are public, proving that their members are not afraid of being charged.

Finding passwords for accessing databases, though, is a little more complicated. This type of product is not marketed in groups nor offered “in bulk”, perhaps because of the difficulty involved in obtaining them for resale. Some hacking pages, however, are known to serve as “consultants” to others or even to donate logins from time to time. The main one, as Info Digital has learned, is the one labeled The Ins4ne – which, although it publicly expresses opposition to government corruption, encourages a black market based mainly on the adultery of civil servants.

Founded and directed by the individual identified as Smiti Coube, The Ins4ne is so organized that it even has a CNPJ – it is registered with the Federal Revenue Service as Smith Training and Services LTDA, acting under the number 03.092.167/0001-18 and based in Santana de Parnaíba, in the interior of São Paulo. At the beginning, the page donated logins for the National Registry of Users of the Unified Health System (CADSUS), but gave up offering such information for free.

CNPJ of The Ins4ne

The group still queries data through requests that are negotiated directly over Facebook. Posing as an interested party, Info Digital contacted the page to find out how the process was done and we were told that credentials for the IRS database cost only $ 140. The Ins4ne representative also assured us that the logins were “true” and that some people trade fake passwords that are deleted shortly after being activated.

False profile of our character

Meet Our Character

William Brilhantino is 21 years old, was born in Itu and currently lives in São Paulo. He enjoys programming, industrial rock and the art of the Spanish painter Pablo Picasso. Also known by the pseudonym “Mr. I”, William wants to gain ample access to the personal data of any Brazilian and goes to great lengths to reach this goal, negotiating sensitive information through Facebook, Skype and even obscure forums hosted in the Deep Web.

Negotiating with suppliers

Given The Ins4ne’s apparent disinterest in selling such credentials, we decided to go after other “suppliers” and “consultants.” Our first negotiation was with the profile Moc Consultations, which was offering its services in a public group on Facebook. The entire conversation took place on the social network itself, with no concern on the vendor’s part about using more secure forms of contact (such as encrypted emails or decentralized communication services). After adding the profile to our friends list, we asked how database acquisition works.

We were informed that it was necessary to pay a monthly fee to have access to a panel that centralizes the CADSUS, IRS, Equifax (a famous US credit bureau) databases and others. The cheapest “plan” costs R$ 150 and entitles the buyer to 70 SERASA consultations; there are more complete and consequently more expensive panels. Upon realizing the interest shown by our character, the merchant offered us a test login that could be used for strictly five minutes.


No bitcoins …

Contrary to what you probably imagined, payments for such obscure services are not made by the safe methods traditionally employed by cybercriminals, such as bitcoins. In our negotiations, data marketers did not think twice before passing on deposit details for front (“orange”) accounts at Banco do Brasil, Itaú, Bradesco and Caixa Econômica Federal.

It was enough to see that the scheme works perfectly. The Moc Consultations system is extremely easy to use: when you log in to the dashboard, you are presented with the databases available for your account. We went directly to the CADSUS and it was enough to enter the full name of our “victim” for the system to return all of that person’s data registered in the SUS, including parents’ names, full address, documents, telephone number and so on.

SUS card

The system also has a tool capable of generating the cards we all present in public hospitals, complete with the citizen’s unique registration number. This card can be printed (black and white or colored) or saved to PDF on your computer. We were able to generate cards for half of Info Digital’s newsroom, including our content vice president – indisputable proof that any Brazilian citizen is exposed to the criminal scheme.

Fraud guaranteed or your money back

Of course, in the midst of a negotiation involving sensitive data, mistrust is mutual between seller and buyer. The customer is almost always afraid to pay and not receive, but in our experience, merchants have been very receptive and generous, offering test periods for the systems offered. One of them even promised “full support” to the consumer, guaranteeing a new login if the purchased credential stops working.

We went further. We continued our bogus negotiations and succeeded in testing the services of two other data marketers. The first one, identified on Facebook as Rui Fernando, asked for a one-time fee of R$ 90 for lifetime, direct access to CADSUS, without intermediate systems. We also talked with Phoenix José dos Santos, who, unlike his competitors, first asked how much we wanted to pay.

For R$ 600, we could buy a credential for the database of the National Department of Transit (Denatran). Another trial period and another surprise: Phoenix also uses the King of Queries system, the same one used by Moc Consultations. Subsequently, we discovered that Phoenix is, in fact, the supplier of that panel. When we logged in, however, only the Detran and CADSUS databases were active. We tested the first one and, by entering only the victim’s CPF, we got access to all the data on the victim’s vehicle.

King of the Consultations

Network Queries: The deal off Facebook

In later research on the subject, we found that this type of criminal activity also occurs outside social networks. After a simple search on Google, we came across the site Red Consultations, which features a neat design and two distinct panels for those who want to consult data on Brazilian citizens. The cheaper of them (Basic) costs $ 100, while the advanced one (Complete) goes for $ 200.

Using the mask of William Brilhantino, we added the Skype profile listed on the site (redeconsults) and were attended by Roberto Souza, who promptly answered our questions about his system. When asked whether we would be committing an illegal act by buying access to such databases, Roberto replied that his panel “is legal to some extent.”

Network of queries

A protection called a “panel”

As you may have guessed, cybercriminals have found two distinct ways of offering access to databases. Some of them commercialize the logins that should be used directly in the database itself. Others have developed a much more practical technique for marketing this information: they develop panels that centralize databases in one place, such as the Network Queries and the King of Queries.

This method has many advantages. Firstly, the cybercriminal can provide greater peace of mind to their consumers regarding security, since the client’s IP is not registered in the database consulted. In addition, with only a single CADSUS credential, for example, you can offer it to numerous customers at the same time, since the SUS system is displayed on the panel as an embedded window.

Next, the Internet user tried to justify the trade of information by citing Serasa, a company that is legally permitted to provide this type of service to credit institutions (i.e. legal entities, not individuals). After insisting that we would be completely safe if we contracted his services, Roberto assured us that he would release the chosen panel immediately after the payment was identified, which could be made by deposit or bank transfer.

We ended the contact and checked the whois data of the domain. We found out that it was registered by an individual named Rodolfo Morales, a resident of the city of São Paulo. The email used to purchase the domain, however, belongs to a citizen named Emerson Teixeira Kunz. Info Digital tried to call the cell phone number in the Whois record, but it was not answered. We also could not locate any of the names mentioned.

Know the databases offered

The number of databases offered by cybercriminals is gigantic – either in the form of a panel or with logins of the system in question. In the category of public agencies, we had the opportunity to access the following databases: National Registry of Users of the Unified Health System (CADSUS), Federal Revenue Service, National Social Security Institute (INSS), National Traffic Department (Denatran), Bolsa Família and Integrated System of Human Resources Administration (SIAPE).

On the part of the private companies, the following brands were found in ads: Confirme Online, InTouch, Credilink, Natt do Brasil, Locate People, Vivo, Oi, Equifax, On Way, Phone Network, SeekLoc, BCFone, BCI Tecnologia (BCI), SAFE-DOC, Serasa Experian, Boa Vista Services, PROCOB, Previnity and ZipCode. It is worth noting that most of the panels also offer generic tools, such as death, membership, National Registry (RG), ZIP code, membership and even the History of Consignments (HISCON) of the retiree or INSS.

Credit Bureau: The Limit Between Legal and Illegal

As you may have guessed, almost all private equity institutions whose brands are involved in such criminal activities are credit bureau companies, also known as Credit Protection Services (SPC). Classified under the code 8291-1/00 in the National Classification of Economic Activities (CNAE), these companies are authorized by law to collect and securely store data on any Brazilian citizen.

However, by the same regulations of the area, credit bureaux should only offer their “products” to legal entities that also conform to a series of rigid rules so that the transaction can be considered legal. The only possible customers for companies in this industry are basically other companies in the banking, credit recovery or advertising sector. The scenario complicates, therefore, when such a database begins to be used by individuals and legal entities not authorized by law to access such registration information.

A new method for an old offense

This is not the first time that the personal data of millions of Brazilians are offered to those who have the money to pay. Between the years of 2010 and 2012, reports published by media outlets reported the sale of CDs containing detailed information of citizens who had declared their income to the Revenue. The media was marketed in the light of day and in busy streets of São Paulo, with special emphasis on the Rua Santa Ifigênia and Rua 25 de Março streets.

Thus, the trafficking of databases on the Internet cannot be considered a new crime, but an upgrade to an old one. The new method offers a number of advantages to criminals: in addition to exposing themselves less, they are sure to please the consumer regardless of their needs. In addition, from the moment you acquire the login to a given database, you can get fresh and updated information in real time (the CDs sold in 2010 stored data from the 2006 Federal Revenue database).

Illegal negotiations in Brazil

Searching for the source of the crimes: the LACEN case

After gathering evidence that the crime exists, Info Digital decided to investigate how cybercriminals can obtain such data. We were interested, above all, in the leakage of credentials from the Unified Health System. A leak of credentials through the employees responsible for maintaining databases is a valid possibility, but in reality, most information traffickers hijack logins that belonged to former employees of the system in question.

At least that’s what happened with the test credentials we got with the cyber-criminal Rui Fernando. To reach this conclusion, Info Digital first realized that the establishment code needed to log in was, in fact, the registration number of the National Registry of Health Establishments (CNES). In this case, CNES 3157237 is linked to the Central Laboratory of Public Health of Santa Catarina (LACEN – SC).

Rui Fernando

In contact with the institute, we asked about the operator whose name was used to perform the login: Viviane. We were informed that, in fact, there was an employee with that name on the spot, but who did not work in the laboratory any more. Her credentials, however, were still active. Could it be that those responsible for network infrastructure at such health facilities have never realized something wrong?

On the telephone with our team, João Carlos Lima, LACEN – SC’s network administrator, said that his team never noticed strange activities related to the use of their employees’ credentials. “The logins of our collaborators are blocked as soon as they are disconnected from the institute,” said the Santa Catarina native, amazed by our illegal access to the database.
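
The two weaknesses described in this report, a former employee's login that still works and a single credential shared by many panel customers at once, both leave traces in the database's own access log. The following is an added example, not part of the original report: a Python check over a constructed audit log and HR roster. The log format, operator ids, facility codes and thresholds are all assumptions made for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: operator id -> termination date (None = still employed).
ROSTER = {
    "op-ana": None,
    "op-bruno": datetime(2015, 3, 1),
    "op-carla": None,
}

# Constructed audit log: timestamp|facility code|operator|record queried.
SAMPLE_LOG = """\
2015-06-01T09:00:05|FAC-001|op-ana|subj-1001
2015-06-01T09:20:41|FAC-001|op-ana|subj-1002
2015-06-01T22:14:09|FAC-002|op-bruno|subj-2001
2015-06-02T01:00:00|FAC-003|op-carla|subj-3001
2015-06-02T01:00:20|FAC-003|op-carla|subj-3002
2015-06-02T01:01:10|FAC-003|op-carla|subj-3003
2015-06-02T01:02:30|FAC-003|op-carla|subj-3004
2015-06-02T01:03:00|FAC-003|op-carla|subj-3001
2015-06-02T01:04:45|FAC-003|op-carla|subj-3005
2015-06-02T03:00:00|FAC-009|op-zed|subj-9001
"""


def parse_log(text):
    """Parse pipe-delimited lines into dicts, skipping blank or malformed ones."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 4:
            continue
        ts, facility, operator, subject = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append({"when": when, "facility": facility,
                       "operator": operator, "subject": subject})
    return events


def orphaned_logins(events, roster):
    """Map operator -> reason for credentials that should no longer work."""
    findings = {}
    for ev in events:
        op = ev["operator"]
        if op not in roster:
            findings[op] = "not in roster"
        elif roster[op] is not None and ev["when"] >= roster[op]:
            findings[op] = "used after termination"
    return findings


def burst_lookups(events, window=timedelta(minutes=5), max_subjects=4):
    """Map operator -> peak count of distinct records queried inside any window.

    Only operators whose peak exceeds max_subjects are returned. Because the
    panel hides the customer's IP, the signal is per-credential volume.
    """
    by_op = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["when"]):
        by_op[ev["operator"]].append(ev)
    flagged = {}
    for op, evs in by_op.items():
        in_window = Counter()
        start = 0
        peak = 0
        for ev in evs:
            in_window[ev["subject"]] += 1
            # Drop events that have fallen out of the sliding window.
            while ev["when"] - evs[start]["when"] > window:
                old = evs[start]["subject"]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            peak = max(peak, len(in_window))
        if peak > max_subjects:
            flagged[op] = peak
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("orphaned:", orphaned_logins(evs, ROSTER))
    print("bursts:", burst_lookups(evs))
```

The thresholds have to be tuned against each facility's normal workload before alerts from the second check are acted on.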


Suspected corruption of employees

Obviously, the testimony of João Carlos Lima did not convince us, so we continued to investigate how cybercriminals obtain access to SUS databases. To do this, we changed the approach and, through a new fake profile on Facebook, pretended to be a merchant interested in partnering with a new data provider.

It’s our closing …

Our second character used for investigative purposes goes by the name of Roberto Locks. Unlike William, his only goal is to make money from data traffic. He is currently looking for some commercial partner infiltrated into public agencies and who can offer fresh credentials periodically.

We entered a group that serves as the stage for various negotiations – including credit cards and fake bank pages and on-demand consultations. Then our character published a fairly objective ad as bait to attract potential corrupt officials of the Unified Health System.

If someone here works in SUS having access to CADSUS to provide logins, please contact inbox. I want to start a business. I pay very well.

It was not five minutes before we were contacted by the first one. Rodrigo Alves, as the subject identifies himself on the web, denied working in any SUS post; however, he guaranteed that he had “a top contact” who would offer him credentials periodically on a pen drive. This episode reinforces the idea that employees in the service of the Unified Health System, who of course work with CADSUS credentials, are responsible for the leakage of the databases. It would not be wrong to assume that the same happens in the Federal Revenue and in Denatran.

Rodrigo Alves

Real website and profile present different identity for the user who identified himself as “Rodrigo Alves”.

What can you do with this material?

Info Digital spoke with Omar Jarouche, Statistical Intelligence manager at ClearSale (a company specializing in the development of e-commerce anti-fraud solutions) to find out exactly how cadastral data leaked by these criminals are used.

“In fact, it is very easy to get this information on the internet,” agrees Jarouche, especially highlighting the strong credit card sales market (InfoCCs). “To enable a phone line, issue a credit card or even take out insurance, all you need is someone’s cadastral data.”

“Sometimes the fraudster wants to open a checking account in a bank just to get a proof of address and later acquire a chip to engage in other criminal activities, such as a kidnapping,” he explains. The executive says ClearSale is in the habit of tracking down this type of illegal activity and even has “spies” within groups to stay abreast of the latest techniques used by gamblers. When questioned about how such logins end up leaking out of private companies, Omar says he believes it is mostly intrusive or flawed security techniques.

“People do not have to worry about hiding or erasing their information from the internet, because that’s something that cannot be done. The important thing is that companies need to protect themselves against misuse of this information,” he explains.

“That way, we are choking this market [of data traffic]. If the criminal can no longer buy over the internet, enable a card or get a phone line, this type of criminal activity tends to decrease,” he says.

How fraud detection is done

ClearSale uses an interesting method to detect e-commerce fraud and avoid issuing credit cards with third-party data. Once a purchase is made in a partner store, the company’s automated systems receive transaction information, cross-check this data on a single basis and a system, and compile a score based on the likelihood that it will or will not be a fraudulent action.

If the score is low, the purchase (or request for a credit card) is automatically approved. If it is high, the transaction is redirected to a team of operators that performs a manual check, thoroughly checking the buyer’s data and comparing them with purchase history, consumer profile, etc. If necessary, a telephone call is made so that the client (or fraudster) himself confirms some cadastral information.

Currently, ClearSale is responsible for protecting 80% of Brazilian e-commerce, serving around 2,000 e-commerce sites and conducting more than 300 million anti-fraud checks each year. At least 6% of transactions need to undergo manual sorting.

Responses from ministries, authorities and private companies

Info Digital tried to contact the Ministry of Health and the Ministry of Finance press offices, but the agencies did not consider the matter until the closing of this report. On the other hand, the direction of the National Traffic Department (Denatran) informed that, in the face of the denunciations presented, it will send a letter to the Federal Police requesting that the case be formally determined so that those responsible are punished according to the laws in force.

Unitfour, the credit bureau responsible for the InTouch system, claims to invest heavily in information security and has ensured that cybercriminals do not have access to their database. “We did tests on the websites you pointed out and we verified that this is not our product and there is no query pointing to our servers,” comments Wellington Galvão, the company’s managing director. “What happens is that because of the strength of our brand in the market, these criminals take advantage of that to get more sales on their pirated sites,” he says.

Boa Vista Serviços has stated that, if confirmed, the complaints raise a breach of service agreement between the company and client companies, which requires the adoption of appropriate measures already foreseen in the contract itself. In short, the credit bureau rules out the possibility of system invasion, stressing that “all reinforcement and security measures are taken to prevent undue access by contouring existing security locks.”

The brand also emphasizes that the contract explicitly states that the registration information of its database must be used by client companies “in the pursuit of its activities, as well as to subsidize the granting of credit, the sale of term, the conduct of business or of commercial and business transactions that imply financial risk, being forbidden to carry out consultations for purposes other than those foreseen or prohibited in the current legal order.”

We also contacted Telefônica | Vivo, which reported that it was not aware of the practice of marketing or improper use of its customers’ registration data. “The company has security controls on access to customer data, with defined processes that monitor and combat attempts to use violations, mitigating the risks of information leakage,” the brand explained in an official statement.

Procob states that there is not and never has been any leakage of its information. “As a preventive measure of access to the system, we have implemented since 2008, in all our clients, IP validation software, whose purpose is to ensure that the accesses are exclusively performed by the contractor within their work environment. We emphasize that the validation process of IP validation software is a contractual requirement and executed by a security and anti-fraud area within Procob,” explained Alexandre Pszedimirski, commercial manager of the company.

The Federal Police and the Civil Police of the State of São Paulo were also contacted by our team, but they preferred not to comment on the case.


Beyond the logins: Other products sold on the black market

Unfortunately, the obscure commerce of online fraud is not limited to database traffic. The same groups and criminals that sell logins through Facebook also deal in an incredible array of fraudulent items, including email lists and fake bank pages for phishing.

It is also not difficult to find who sells the “New Life kits”, consisting of a series of false documents. During our investigation, Info Digital also found those who swore to have the ability to remove points in the National Driver’s License (CNH) from those who paid enough.

The famous infocc’s

Not all cybercriminals actually market credit card clones. Many use a database along with phishing techniques (using fake pages fired at the victim’s e-mail) to capture certain credit card information and its owner. This information is marketed by the name of InfoCC.

The only method adopted by criminals to inhibit investigative action is self-help: there are a number of groups whose members do nothing but denounce lotters (as criminals who cheat members of their own “tribe” are known) and those disguised as potential clients.

What does the penal code say about all this?

To find out exactly which crimes are involved and the penalties applicable to each criminal in the scheme, Info Digital consulted the lawyer David Gebara Neto, who explained in detail what the Penal Code provides in similar cases. According to him, a public official who uses the data improperly and offers such information to third parties is violating art. 155 and answers for the crime of simple theft, which can be punished with a fine and imprisonment of one to four years.

Those who receive such data and begin to market them to other individuals (whether offering credentials or consultations) are classed as receivers of stolen goods and, as provided in art. 180, can also be punished with a fine and one to four years in prison. Finally, a citizen who acquires confidential information and uses it for his own benefit – committing ideological falsehood and practicing bank fraud, for example – is considered a fraudster under art. 171 (estelionato) and may be imprisoned for a period of one to five years, in addition to paying a fine.

Davi points out that the law still does not provide punishment for those who simply expose such data on the internet, because “this issue is still being discussed.” In addition, cybercriminals who themselves gain unauthorized access to a database such as CADSUS also answer for theft, as the act of breaking the security system would be the means crime, absorbed by the crime that was its purpose (in this case, theft of the data itself).

The law is clear

Chapter VII, art. 155, Theft

To take, for oneself or for another, a thing belonging to someone else.

Chapter VII, art. 180, Receiving stolen goods

To acquire, receive, transport, carry or conceal, for one's own benefit or that of another, a thing one knows to be the proceeds of crime, or to influence a third party, in good faith, to acquire, receive or conceal it.

Chapter VI, art. 171, Estelionato

To obtain, for oneself or for others, an illicit advantage, to the detriment of others, by inducing or keeping someone in error by means of artifice, trickery, or any other fraudulent means.

Was Brazil experiencing a cyber security crisis?

It is interesting to note that, judging by the facts and testimonies gathered throughout this report, most of the security flaws – both public and private – that jeopardize the integrity of the Brazilian citizen seem to come from social engineering, not from technical aspects of the protection used in these databases. Employee corruption and breach of contract are the most conducive means by which sensitive information leaks into unauthorized hands.

In addition, national legislation is not yet evolved enough to deal with such serious cases of cybercrime: these technologies are still very new to the Brazilian legal scene, and although it is fairly easy to trace a number of such cybercriminals, they remain unpunished because the competent authorities do not take virtual crimes seriously.

There is a whole underworld of electronic delinquency, a community scattered all over the country, which helps and complements itself with a single common goal: to commit fraud and to cause harm to others. Whoever gets hold of credit card information also needs, of course, a database to get as much detail as possible about the victim; likewise, those who run the fake kidnapping scam need a front account (or lara, as they are called) to receive the ransom payment.

Thus, the problem goes far beyond the mere existence of hacker collectives who practice exposed. Although they market consultations and cause disruption to society, they do not pose as great a danger as gangs organized and specialized in the trade of information. The ease of accessing databases is a very serious public safety problem that must be thoroughly investigated by federal and civil police. Until this black market is effectively stifled, no one is safe from having their sensitive data released to any malicious individual who has $ 100 in their pocket.