The pandemic played an important role in the adoption of digital payments in Latin America and this success has caught the attention of criminals who are developing mechanisms to carry out fraud by exploiting the most popular new real-time payment methods in the region, such as PIX ( adopted in Brazil), Yape and PLIN (Peru) and MercadoPago (widely adopted in Argentina and other nations). New research from the team Kaspersky discovered groups in Telegram that they sold fake applications to simulate online transfers and thus deceive the cashiers and leave the establishment without paying. The versions of these applications are mainly available in Brazil, Argentina and Peru.
According to the study of Kaspersky “The state of use and security of digital payments in Latin America”, a third of Latin Americans began using digital wallet services during the period of social isolation. The countries that showed the greatest adoption of this technology were Guatemala (50%), Panama (46%), Peru (41%), Costa Rica (37%), Mexico (34%), Colombia (30%) and Argentina (21%). %). Brazil and Chile are at the bottom of the list with 16% each, but they are also the places where the technology was already most popular before the pandemic.
The data shows how popular the payment methods have become, and this fame has not gone unnoticed by cybercriminals. Research carried out by experts from Kaspersky shows how scammers use fake apps to leave stores without paying for products. In this new scheme there are two types of criminals: those who create apps that simulate payments and people who buy these fake programs to go to stores, make their purchases and try to deceive the cashier.
“In the same way that bees are attracted to flowers, criminals are always looking for new ways to make money without working. In this new scheme that we discovered, digital payments that occur in person, that is, in stores and businesses, are exploited. There are two techniques that are used in this fraud: in addition to the fake application that simulates the payment, there is also social engineering, which are techniques to manipulate a situation by exploiting human errors,” explains Leandro Cuozzo, security analyst in the Global Team of Research and Analysis for Latin America at Kaspersky.
The mistake in this case is trust, and even a little naivety on the part of the cashier. The expert explains that the fake application is created with the aim of looking like the legitimate application and simulating the process step by step, but no transactions are carried out and the application is not connected to any payment system. In this context, the fraudster must carefully choose his victims. “The ideal are commercial establishments that operate with offline payment systems or disconnected from management systems. Another important point is a place with many customers, since a long line will be a favorable pressure for criminals who try to deceive the cashier with a transaction that does not exist.
Just as there are two types of criminals in this scheme, monetization occurs in two ways. Anyone who uses the app earns directly from products purchased without payment. Criminals who create fake apps win in two ways: by selling the app through a subscription model and with support to help scammers with social engineering techniques carry out the scam. In some cases, it was also identified that an extra payment was charged to access new features that increase the effectiveness of the scam.
“In one version we analyzed, the store fraudster can send an SMS to the store owner with a false confirmation that the payment has been made. To acquire this premium service, payment for 50 messages was required. In another communication analyzed during the investigation, the criminal said that the attacked payment system had reached Bolivia – and other markets that would soon be covered were Colombia and Chile,” says Cuozzo.
For the security analyst Kasperskythese scams are growing rapidly due to the massification of digital payments and the ease of handling fake applications. To protect yourself, Kaspersky warns of the need to train employees of businesses in the region: “The person who is installing the fake application intends to commit fraud and will probably uninstall our product in order to use the fake program. Therefore, protection against this scheme must occur inside the store,” Cuozzo highlights.
For merchants and store owners, Kaspersky advises:
– Do not complete the purchase process without verifying that the payment was made successfully. Even if the store is full. This is the bug that scammers are exploiting in this scheme.
– Be alert to social engineering techniques. This scam is not the only one that takes advantage of these types of traps.
– Establish policies to control payments in terminals to prevent employees from being deceived.