Few things make my eyes sparkle like talking about Latin America. Back in 2018, I had the privilege of being able to travel and hitchhike there for more than three months and discover its beautiful lands and people. Ever since, I’ve been dreaming about going back to enjoy breathtaking views and the best empanadas of my life, and my friends are well aware of that―I haven’t talked about anything else since I’ve come back to Europe! 

Now I can’t go back there for obvious reasons, so the only way I can still talk about Latin America is through my job. That’s why today I’ll be analyzing the main cyber threats to Latin American (LatAm) financial services. This is a crucial sector for the present and future development of this region. 

The population’s reliance on financial services for day-to-day activities contributes highly to this sector’s importance. Also, as we’re all well aware, financial services is one of the sectors most targeted by threat actors, because of the high rewards associated with a successful cyber attack. 

The cyber threats to the financial services sector are similar all over the world. However, every region (every country, to be honest) has its own peculiarities that need to be taken into account when drafting a comprehensive analysis. For example, institutional fragilities, such as the lack of cybercrime legislation, joint law-enforcement actions, and international cooperative frameworks, turn this region into an attractive target for cybercriminals. 

Additionally, political factors, such as dire socioeconomic inequality and booming Internet use, all help make this region particularly fertile for money laundering, carding, and financial malware, among other prevalent activities. 

There’s a lot to talk about so, without further ado, ¡vamos a investigar!

What are the main cyber threats to financial services?

Trends in LatAm cybercrime are tied to rapid digitalization and weak cyber-security governance models that paved the way for opportunistic threat actors. 

The main likely threats to financial services organizations are ransomware-based extortion and compromise via initial access brokers (IABs), banking trojans, and fraud and social engineering campaigns. 

Let’s cover those threats in detail!

Ransomware and initial access brokers

In the past year, we’ve extensively covered the ransomware threat in all its forms. For example, we’ve monitored the development of the ransomware-as-a-service model, we’ve provided quarterly updates on its evolution, and we’ve discussed rebrands and affiliate schemes

In 2021 alone, Digital Shadows (now ReliaQuest) reported ransomware attacks affecting more than 100 organizations operating in Latin America. Figure 1 shows the number of attacks across all sectors, and includes all the victims that have been named on data-leak sites.

Latin American countries most targeted by ransomware in 2021 

Ransomware operators gain access to organizations in a variety of ways; one of the most prevalent we’ve observed is via Initial Access Brokers. Ransomware gangs are increasingly using IABs’ advertisements to efficiently find and infect new victims, scaling up their malicious operations. 

In 2021, Digital Shadows (now ReliaQuest) reported more than 60 IAB advertisements of access to LatAm organizations. The average price was $1,464 and Brazil was the most targeted country, closely followed by Argentina and Chile. 

Majority of IABs preferred remote desktop protocol to gain access

Fraud and social engineering campaigns

Social engineering campaigns, such as phishing, business email compromise (BEC), and smishing, are an evergreen choice for cybercriminals to gain an initial foothold in an organization’s network. Whether criminals are looking to gain access to a victim or extract personally identifiable information (PII) or financial data, social engineering is traditionally one of the most reliable methods. And the phishing threat is ever more pressing in regions like Latin America, where cyber-security awareness is not widespread and the population is more vulnerable to such attacks. 

In a recent blog, the Phight against Phishing, one of our analysts painted an in-depth picture of the various shapes this social-engineering threat assumes, and how to best defend against it. Phishing using email or domains that mimic an organization’s assets is often the most popular―and dangerous method. These  campaigns are often simple to conduct, involve few overhead costs, and elicit increasingly high payouts. Why would a threat actor not conduct them?

Banking trojans

A few years ago, banking trojans and other malware were among the major cyber threats worldwide, but they’ve been replaced by other threats recently. However, these tools are still extremely popular in Latin America and present a significant threat to its financial services sector. 

Threat actors frequently deploy banking trojans to steal bank-account and payment-card information. Although heavily used against banking entities, these trojans have also targeted payment-card providers, mobile-service providers, payroll-service providers, webmail, and e-commerce organizations. In other words, everything that may lead to an illicit financial gain for threat actors.

Banking trojans are usually spread via email phishing and spam campaigns that deliver malicious documents, eventually resulting in the trojans’ deployment. Once a victim’s network, system or device has been infected, any transactions conducted while the malware is active could be compromised. 

Harvesting financial information and credentials can open the door to many other cyber attacks, making it one of the most profitable actions a threat actor can perform.  

A view of popular banking trojan TrickBot threat profile on SearchLight™


Who’s targeting LatAm financial services?

Latin America has significant peculiarities as a threat actor target. Cybercrime is a much more pressing threat than foreign advanced persistent threat (APT) groups, compared to other regions in the world. And as I mentioned, the combination of this region’s political/economic instability and organized crime groups has made Latin America a ripe environment for opportunistic, financially motivated cybercriminals. 

Organized crime groups and drug cartels have been quick to exploit some of this region’s endemic weaknesses, setting up profitable schemes and targeting vulnerable groups. 

Along with conducting the cyber activity described in the section above, cybercriminals are closely working with other crime groups to launder money obtained via illicit means by using cryptocurrency mixers

Cyber attacks by APTs are sporadic and unlikely to target private organizations operating in Latin America. However, Microsoft recently reported on a China-based threat actor dubbed NICKEL targeting governments, diplomatic entities, and non-governmental organizations (NGOs) across Central and South America, likely for cyber espionage purposes.

Additionally, some APT groups’ preference for supply-chain attacks means LatAm private organizations can be indirectly affected: Their suppliers’ networks can be compromised via exploitation of issues in hardware, software, or firmware. This could lead attackers to gain access to third-party companies and access sensitive information or pivot to other systems. 

How to handle the LatAm financial services cyber threat?

Building a thorough threat model for your organization is crucial to strengthen your security measures. Although the threats described above cover the main risks of operating in the Latin American financial services sector, every organization needs a tailored outlook of its main threats based on its assets, resources, and capabilities. 

Here are some general mitigation techniques to help limit the impact of malicious activity in this sector:

  • Allocate resources to mitigate cyber threats. Take a risk-based approach to review potential threat actors and their tactics, techniques, and procedures. Distribute your resources accordingly and update your threat model as the landscape evolves.
  • Update and patch. Organizations should make sure their firmware and operating systems are updated with the latest patches. Using vulnerability intelligence solutions can help identify the most pressing security flaws in your environment.
  • Practice defense in depth. Your most crucial assets must be protected by several layers of security controls―when one fails, another can keep you safe. Roll out strong password policies and two-factor authentication, encrypt sensitive data with robust protocols, run social engineering awareness programs, and use detection and prevention security mechanisms.
  • Be wary of scams and phishing emails. Don’t click on any links in suspicious emails. Threat actors often try to convey urgency or trigger curiosity or fear in these messages, to lure victims into opening malicious attachments.
  • Avoid untrusted networks. Corporate users should use virtual private network (VPN) tunneling when connecting to company networks and corporate accounts, especially on public Wi-Fi. Multi-factor authentication can also help combat account compromises.

If you’re interested in knowing more about your organization’s risk exposure across the open, deep, and dark web and technical sources as well as Digital Shadows (now ReliaQuest)’ cyber-threat intelligence solutions, get a customized demo of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) here. You’ll learn about any impersonated domains or phishing schemes targeting your company’s name and brands, as well as exposed PII or other data, to help shrink your attack surface online.