#latamhackers Series: Week 1 - Phishing
This post is a part of our #latamhackers series, a 5-week series about some of the top techniques used by hackers in Central and South America.
Why focus on Latin America?
Latin America is becoming highly digitalized. Much like the rest of the world, the development and use of technology in this region has created large-scale vectors for exploitation. This is evident in Brazil’s surging rates of online banking fraud, Mexico’s ranking as the 9th most targeted country globally, and a recent three-fold increase in regional cyberattacks targeting small and medium-sized enterprises.
Due to the region’s growing interconnectivity, threat actors are emerging and orchestrating sophisticated attacks. These advanced persistent threats (APTs) are worthy of research and discussion. Not only are these groups reinventing the criminal landscape in Latin America, but their methods of technical exploitation play a significant role in today’s global digital warfare.
Overview of Our #LatAmHackers Series
During our 5-part series, Phishing for Answers will detail the most utilized hacking techniques in Latin America. Each post will include a summary of the technique, a recent example, and recommended mitigation measures.
Here is the list of techniques:
Spearphishing
Commodity tools
Reliance on user execution
Geographical targeting
Overseas tool expansion
Week #1: Spearphishing
Summary:
Spearphishing, a phishing attack that sends malicious emails to specifically targeted users, is the most favored initial access technique used by Latin American hackers. These threat actors typically send emails that carry a malicious attachment (commonly an Office document with embedded macros) or a link to one. When a victim opens the attachment and enables its macros, or follows the link and runs what it delivers, the attackers gain a foothold on the system and deploy malware. Latin American cybercriminals are learning to tailor these phishing messages to individual victims, such as HR-related themes for corporate employees or politically-charged headlines for activist organizations.
Example:
In March 2022, shortly following the Russian invasion of Ukraine, researchers discovered a massive phishing campaign against entities in Nicaragua and Venezuela. The APT Machete (a.k.a. Ragua), believed to be based in Latin America, infected victim devices via a malicious Microsoft Word document. This document contained a legitimate article published by the Russian Ambassador to Nicaragua entitled “Dark plans for the neo-Nazi regime in Ukraine” (translated from Spanish: “Planes oscuros del regimen neonazi de Ucrania”). Clearly, Machete was attempting to capitalize on the Russo-Ukrainian conflict and entice victims to interact with the document.
Mitigation Measures:
Phishing depends on user actions and decisions, so awareness training remains an effective countermeasure. Employees must know how to exercise constant vigilance, recognize suspicious emails, and report them to internal IT or security teams; integrating simulated phishing tests with that training lets organizations measure whether it is working. Training alone is not sufficient, however, because some users will eventually open a convincing lure. Organizations should therefore also filter inbound mail and attachments before they reach employee inboxes, block or restrict Office macros in documents received from the internet, and regularly review the access control lists (ACLs) and firewall rules that govern external mail flow.
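One concrete form of the attachment filtering recommended above is a mail-gateway check that looks inside Office attachments for VBA macros. The following Python script is an added example written for this post, not code from MITRE or from the original page. It parses a constructed sample message (the subject reuses the lure title from the Machete case purely as sample data; the addresses, filenames and attachment bytes are invented), flags attachments with macro-enabled extensions, opens OOXML packages to look for a vbaProject.bin part, and flags legacy OLE2 binaries for deeper inspection, since the standard library cannot parse their VBA streams. The extension list and the "flag it" policy are assumptions a deployment would tune.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Magic bytes of the OLE2 compound file format used by legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Extensions Office reserves for macro-enabled documents (assumed policy: always flag).
MACRO_EXTENSIONS = {".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm", ".ppam"}


def inspect_attachment(filename, data):
    """Return a short reason if the attachment looks macro-bearing, else None."""
    name = (filename or "").lower()
    ext = os.path.splitext(name)[1]
    if ext in MACRO_EXTENSIONS:
        return f"macro-enabled extension {ext}"
    if data.startswith(OLE2_MAGIC):
        # Legacy binary Office file: VBA lives in OLE streams, which the standard
        # library cannot parse. Flag it for inspection with a tool such as oletools.
        return "legacy OLE2 Office binary; inspect VBA streams with oletools"
    if data[:2] == b"PK":
        # OOXML (.docx/.xlsx/.pptx) is a ZIP package; macros are stored as vbaProject.bin.
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = zf.namelist()
        except zipfile.BadZipFile:
            return None
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            return "OOXML package contains vbaProject.bin"
    return None


def scan_message(raw):
    """Parse a raw RFC 5322 message and return [(filename, reason)] for flagged attachments."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        reason = inspect_attachment(fname, part.get_payload(decode=True) or b"")
        if reason:
            findings.append((fname, reason))
    return findings


def build_ooxml(with_macro):
    """Constructed minimal OOXML package, optionally carrying a placeholder VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # placeholder bytes, not real VBA
    return buf.getvalue()


def build_sample_mail():
    """Constructed lure message with three attachments: macro OOXML, clean OOXML, legacy OLE2."""
    msg = EmailMessage()
    msg["From"] = "prensa@example.invalid"
    msg["To"] = "analista@example.invalid"
    msg["Subject"] = "Planes oscuros del regimen neonazi de Ucrania"  # lure title from the Machete case
    msg.set_content("Adjunto el articulo del embajador.")
    for fname, data in [
        ("articulo.docx", build_ooxml(with_macro=True)),
        ("informe.docx", build_ooxml(with_macro=False)),
        ("antiguo.doc", OLE2_MAGIC + b"\x00" * 24),
    ]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return msg.as_bytes()


SAMPLE_MAIL = build_sample_mail()

if __name__ == "__main__":
    for fname, reason in scan_message(SAMPLE_MAIL):
        print(f"FLAG {fname}: {reason}")
```

Running the script flags articulo.docx (vbaProject.bin present) and antiguo.doc (OLE2 binary) while informe.docx passes. Note that the check inspects content rather than trusting the extension: a .docx name does not prove the package is macro-free, and an OLE2 file needs a real VBA stream parser before it can be cleared.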
Coming Up - What Will Technique #2 Be?
Next week, the #LatAmHackers series continues with a discussion of the next technique – use of commodity malware. Stay tuned for our next post to learn all about how cybercriminals in the region have used open-source tools to infect USB drives, steal passwords, and even control webcams and microphones.
Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-02304-1.©2022 The MITRE Corporation. ALL RIGHTS RESERVED.