
PG - The Brazilian DeepWeb. How Brazilian fraud groups work on Telegram and WhatsApp

BSides Las Vegas, 29:45, published 2023-10
About this talk
Proving Ground, 11:00 Wednesday. Many investigative agents talk about cybercrime on the Deep and Dark web, but in Brazil the reality is a little different. The study gives an insight into how the groups act, the main scams, and especially how the use of counterintelligence can help in gathering information about targets.
Speaker: Thiago Bordini
Transcript (en)

Good morning, slash afternoon. I know it's morning. Welcome to BSides Vegas. This is still Proving Ground; if you were here before you'll know that, and if you're new to the room, welcome. So, second up on the track today we have Thiago Bordini, who is going to be... there's this big title on the screen, Brazilian Deep Web. I'm very excited for this; it's something I know nothing about, so it's going to be great. Before you get going, a quick thing: we need to thank the sponsors, because sponsors bring the money. So we'd like to thank our sponsors, especially our Diamond sponsor Adobe, and our Gold sponsors. Choose three? I'll do all of them, because I like

sponsors: Prisma Cloud, Semra, BlueCat, PlexTrac, Toyota, ConductorOne. It's their support, along with our other sponsors, donors and volunteers, that makes this possible. Thiago, my friend, the floor is yours. Over to you.

Thank you so much. It's my first time presenting at BSides and, besides that, my first time presenting in English. My native language is Portuguese, so I may lose many words during the presentation. But I'll talk about how Brazilian guys use OPSEC for obfuscating their IP address, or tracking, in cyber investigations. OK. My name is Thiago Bordini. Today I'm head of cyber threat intelligence at a Brazilian company; the name is Axur. And I'm one of the organizers of Security BSides in São Paulo; I invite

all of you to participate next year. I'm a speaker at many events in Brazil and also a professor for postgraduate courses in Brazil. But I'll talk about cyber crime and not about me. What are the challenges of cyber crime in recent years and, I believe, in the next years? OK. The first problem relates to law enforcement tracking cyber criminals transnationally, because one guy is in Brazil, another guy sends the spam, the Russian guy creates the provider in the USA; the crime is unique. And to aggravate the problem, cyber crime today uses emerging technologies. In Brazil it's most common for guys to use AI to create a deep

fake to bypass selfie recognition, bypass bank account onboarding, and bypass 2FA authentication. And 5G networks are another big problem. Another problem is recognizing that investigating this cyber crime is different, because the traditional investigators, the law enforcement, need to learn again, because one guy does not work the same way; in cyberspace the cyber crime works differently. OK. And after the COVID pandemic, as I said, the criminals work from home, the same as all people. And another problem, specifically in Brazil, is that law enforcement agents do not have people, do not have investment, do not have technology. It's a big problem. I think,

talking to one cyber investigator... the cyber investigator does nothing, does not identify the ISP related to the IP address, for example. Hey, what? For law enforcement, identifying one IP address is very easy, but it's one problem in Brazil. And then another problem: establishing that the public sector and private sector join to cooperate and share information related to this cyber crime, because today it's very necessary. The current scenarios involve data breach attacks, involve attacks focused on financial transactions. Today attackers or threat actors know the business and the application; for me it's very important information, because this technology creates the most sophisticated attacks, because they don't use just technology: the threat actor knows

the business, knows the process, knows who is involved in the financial transaction, and is creating many ideas for creating many types of fraud scams. And in Brazil social engineering techniques are very abused; in Brazil the guys are very good. For example, one Brazilian malware is most commonly 200 megabytes, like a service pack for analysis. But the social engineering involved in all the processes is very complex: it involves a fake number, a fake SMS, a fake WhatsApp message, a fake website creating a whole store for the... the card. Then it's most common that the guys create malware more focused on the ERP,

CRM and other applications like SAP, Salesforce, anything. Not malware created for Windows or Linux or macOS; just malware created by the attacker for the application. It's very important information. But what are the TTPs of the attacks? Many people think that threat actors work only on the deep web, but in Brazil it's very, very different, because the most common threat actors focused on cyber crime and fraud scams talk about the subject on WhatsApp, Telegram, TikTok, and most commonly Instagram, and all social media. For example, my company today collects more or less 3 million WhatsApp messages per day, only from cyber fraud groups. It's very, very

volumetric data. Two samples. The first, sorry, because the fraud scam is written in Portuguese, but the first screenshot: the fraud focused on Coca-Cola. If the people send the message to people, Coca-Cola sends the guy one refrigerator. What the hell? And the second example is very common in Brazil: the guy gets the WhatsApp picture, creates a number, and sends a message to many contacts: 'Hey, mom, I changed my number, it's my new phone number, how are you? I locked my bank account, I need to pay one bill, or I need to pay my friend; is it possible to make a

transaction, a financial transaction, for me? Send 100 reais.' Many people just trust the message and do not check if the real number is correct. Or 'Hey, my daddy, you need to change phone or not?' I tell my students: many people lose their smartphone; it's a phone, hey, call the guy: 'Hey, did you change your phone or not?' But in Brazil it's very common that people say 'Ah yes, the picture is OK, trusted, very good.' And the other problem, oh sorry, it's lots of words: WhatsApp. Talking about the... in many WhatsApp groups it's very common, in WhatsApp crime groups it's very common, you buy or sell

anything: credentials, fake documents, fake apps, scams for bypassing 2FA authentication. In Brazil it's common to use an 'orange' bank account, like a fake bank account; it's the front man for the laundering, and one guy creates a bank account just for money laundering. It's a big problem in Brazil, because for all the people it's a business: one guy buys, for example, one person for $200 to create the same account at the banks, but these accounts are just used for money laundering. And it reinforces the partnership between the private sector and the public sector to share information. And the second slide, for example: you buy the driver's license, a fake driver's

license, fake financial transaction bills, fake credit cards, anything, drugs, guns, anything, people's credit cards, basic information. So, not interesting; all day I see many messages like these. And what protection do the guys use? I think they use OPSEC, Tor, VPN, proxies, cloud computing, or don't use anything. The first experiment. I have three questions to answer. The first question: is the OPSEC different between the WhatsApp guy, the Telegram guy or the Discord guy? Is there an OPSEC difference between the platforms, or is it the same? That's the first question. The second question is the threat actor type: if the threat actor focuses on malware development, what type of OPSEC? The

guy just creating a phishing scam, what does the guy use? It's the second question. And how many threat actors use OPSEC, and what is the most common OPSEC used by all guys? I started my research focused on Brazilian groups, and the strategy involved a web bug link, a web bug with a tracker, OK. I started a conversation with this guy; this guy is selling fake money, OK: if you buy 100 you receive 1,000 in paper money. I talked to this guy: 'Hey, I need to buy your money, but is your money trustworthy or not? Because I bought from another guy and it's not trustworthy. See, I... fake money, I bought.' I sent the guy one link. After the guy just clicked the

link, I collected all the information about the guy, for example IP address, IP geolocation, user agent, operating system, anything. To my surprise, this guy was not using VPN, not using proxy, Tor relay, hosting, anything. Oh good, very good. It's possible to identify the operating system, browser, anything; the geolocation is related only to the IP address, OK, not GPS, just... OK. In Brazil there is a financial transaction system; the name is PIX, like an instant financial transaction. I believe in the USA there's the same technology but with another name. And with PIX it's possible... I send the money to people using the cell phone number, email address, CPF (CPF

is like a social security number), and then you have two random keys. And my first thought: hey, if the guy doesn't use OPSEC, it's possible this guy uses the same phone number for creating a bank account. OK, I tested; to my surprise, the guy created this bank account with this same phone number, and it exposed the bank, the name of the guy, the social number. OK, for Brazilian compliance, the Brazilian LGPD, like the GDPR, the first three numbers and the last two numbers of the social number are obfuscated, but if you have the six middle numbers it's possible to identify the guy in many data breaches. OK, I got this number,

checked data breaches, and all the data related to this guy: address, full name, date of birth, all phone numbers, all employers, anything, social media. That's good. The case: I think of the second threat actor. This threat actor is selling the scam to remove two-factor authentication at the bank in Brazil; for example, in many cases, if you steal the cell phone, the guy removes the second-factor authentication and enables two-factor authentication on another device to use the bank account, and then moves all the transactions. The same social engineering: 'Hey, it's working. I have a big database containing the social number, CPF, and password, almost 50... 15 businesses. I send my database if you can remove the 2FA

authentication; all the financial gain obtained from the scam is split between me and you, OK?' 'Oh, I send you my database, OK.' Another web bug or IP tracker. To my surprise again: the IP address, provider, user agent, and the phone name, model. In the last column: is the IP a VPN, proxy? What do you do? Nothing; it's a clear IP address. OK, OK, I think our guys are losers or newbies. OK, I simplified my research: just create a fake database, involving a credential database, a fake creation, another fake database related to credit card numbers, and then distribute two links in many groups: 'Hey, just a free credential database

for you, for us, and then a free credit card database for us,' OK. And to my surprise again, many guys clicked the link and I collected all the information. Of the IP addresses collected, 92% did not have any OPSEC involved, just a clear IP; then 5% using VPN, and 3% using hosting, the guy using cloud computing instances, Amazon, Google Cloud, anything, to use Telegram or WhatsApp Web, OK. But zero guys using proxies or Tor, all together. Oh good, for investigators it's a better scenario. But I thought: is this just the Brazilian scenario, is it the same or different? OK, I sent the same link to groups involved in Latin America, not including the

Brazilian groups, on WhatsApp, Telegram and Discord, and the result is more or less the same. Between them, the Latin guys, 68% not using any OPSEC, just a clear IP; they use VPN, 31% of guys using VPN for OPSEC. This is important information, because then I think: threat actors in Brazil do not use OPSEC because they don't worry about jail, or it's just common, or they don't use it because they don't know the OPSEC methods. OK. I sent many links. I saw two interesting cases. This guy clicked the link; if you check the geo IP address, the geo IP points to Paris, but this guy did not

permit just collecting the IP address, but collecting the GPS coordinates. It's good again. But if you check the GPS coordinates, they point to customer Fe. What? Is the guy living in customer Fe or Paris? If I check the IP address, the IP address is related to a VPN provider; in this case it's possible the guy used a VPN to access the link. The VPN is in Paris, but the real location of the guy is in customer Fe, OK. OK, and the Oscar goes to this guy: this guy permitted... didn't collect the GPS coordinates, but collected the selfie. For law enforcement, very good: you have the IP address, you have the geolocation, you have the cell phone model, you

have the selfie of the guy. That's it. And the next morning: hello! Is that good? It's not a unique guy; I have more or less five guys who permitted collecting the GPS and collecting the selfie. I have many books of selfies of Brazilian threat actors. But what's the point of the research? In two hours of collection in 20 groups: 257 unique IPs, and seven using VPN, 80 using cloud hosting like VPS, zero using proxy or Tor. And I did not identify a difference in the TTPs between the threat actors: the malware developer, the phishing developer, the fraud guy are using the same method for TTPs, the same OPSEC method. And the same repeats between the platforms: the guy

is using the same OPSEC method on WhatsApp, Telegram and Discord. OK. The last one: the IP addresses collected concentrate most in the highest economic concentration in Brazil: São Paulo, Rio de Janeiro, the Brazilian states... far... the states concerned with the economy in Brazil. OK. But what are the recommendations? Lessons learned for all professionals tracking threat actors, because if the guy fails in OPSEC, the cyber threat intelligence analyst can fail with the same problem working in cyber. Always validate all aspects involved in the OPSEC cycle: if you have DNS leaking, if you are using VPN, if your VPN does not leak the real

IP or leak the real user agent. Because the other guy is not a kid; today the threat actors in Brazil are a criminal organization. The financial... a lot of... the money obtained from the frauds moves drugs, guns, people trafficking and many other problems. I don't have a gun in my house, but the guy has a gun; if the guy gets my real IP address, it creates a real threat to my person. OPSEC is very important for all CTI professionals. The second lesson: one small flaw compromises, in many cases, the entire investigation, because if one fails, one unique opportunity is lost and they... return to the first and

then again and again, an infinite loop. That's why in all cases I need to validate all aspects. For law enforcement it's good, because if law enforcement dedicates a little to applying the same techniques, it's possible to get good results, because the threat actors do not use, or do not properly use, hiding their tracks or traces in cyberspace. In many cases the threat actors have the same fails, the same problems; for example, the guy uses VPN but permitted the selfie and permitted collecting the GPS coordinates. Hey, you do not use OPSEC correctly, OK. In Brazil there are many problems collecting, for example: if you need to identify one guy, the police send

the IP address to the telecom, and the telecom in many cases returns the data related to the IP address in more or less six months. In six months the guy is lost, another case, and another part of the rope. Then I think the same strategy can work for mapping cyber predators, because the cyber predators... I tried another experiment with cyber predators; in many cases they do not use OPSEC, and they permit... they collect the GPS, collect the selfie. It's good, because this is a big problem all over the world. OK. To finish, almost all threat actors are unconcerned about OPSEC in the Brazilian scenario, and the punishment, for example: if the guy goes to jail, this

guy stays in jail for one or three months; it's not a problem, because you use the three months for a PhD: create a new fraud scam, create a new technique, anything, so it's just a research period. OK. If it's your first time in jail, you don't need any time; you just go to the police, sign the document, OK, you're free. OK. It's very profitable. That's it, guys. Thanks for

the opportunity.