In late 2012, Latin American hackers were introduced to a new cyber toolkit, PiceBOT. The kit included malware that hackers could use to steal financial information from unsuspecting Internet users and potentially target their bank accounts. PiceBOT cost just $140 and was made widely available to hackers. But more significant than its low cost was the fact that it was developed in Latin America, most likely in Peru, Mexico or Guatemala. Analysts saw PiceBOT as proof that the region’s cyber underbelly had reached a new level of sophistication. “More and more, malware will be homegrown and used against governments, the private sector and citizens,” stated a 2013 Organization of American States report on cyber security in Latin America and the Caribbean.
In the weeks after PiceBOT was introduced, security experts registered attacks on customers in Chile, Peru, Panama, Costa Rica, Mexico, Colombia, Uruguay, Venezuela and Argentina. While the size of the financial damage caused was unclear, the PiceBOT attacks were seen as another sign of a rise in cyberattacks in the region in recent years, analysts said.
Experts note that Latin America is fertile ground for attacks because coordinating illicit cyber scams is far less costly than doing so in Europe or the United States. And the scams pay off due to the often weak defenses employed by governments and corporations in the region. A large survey by ESET Security Report found that more than half of businesses in Latin America and the Caribbean had suffered a cyberattack in 2012, mainly by malware, phishing and denial of service.
Cyberattacks have been aimed at governments and politicians as well, which have seen websites taken down or defaced with increasing frequency. Hacktivists — a neologism combining hackers and activists — have attacked government websites from Argentina to Mexico, defaced websites affiliated with a Nicaraguan reelection campaign and disabled Guatemala’s congressional website, among other attacks. The Organization of American States’ May report found that governments in the region experienced an increase of between 8% and 12% from 2011 to 2012. At least two countries saw a 40% increase in the number of attacks, the report said.
Now, governments and businesses are beginning to treat the threat with greater urgency. “Clearly, governments in Latin America have started to pay attention with increased vigor to hacking and politically motivated cyberattacks,” notes Andrea M. Matwyshyn, a professor of legal studies and business ethics at Wharton and an affiliate of the Center for Technology, Innovation and Competitionat the University of Pennsylvania Law School. The increase in attacks has brought “a shift in public awareness. Every country needs to come to terms with the importance of the issue.”
A Global Problem
Cybercrimes have affected corporations and governments across the globe for years. But today’s most commonly employed attacks are little more than a decade old. The first denial-of-service (DoS) attack, a commonly used tactic that floods computer networks with data thereby rendering websites functionless, is believed to have taken place in 2000.
Since then, much of the cyber security attention has been focused on North America and Europe because countries on those continents were among the first to develop widespread access to the Internet and to push e-commerce. But as Internet access spreads through developing countries, including those in Latin America and the Caribbean, problems with hacking are expected to grow.
“The truth is that cyberattacks have increased throughout Central America and the Caribbean,” says Alonso Ramírez, the cyber security manager for Central America and the Caribbean for Deloitte & Touche, a U.S.-based company that assists clients primarily with audits, financial advisory, taxes and consulting. “From the Deloitte Cyber-Lab [which monitors activity], we have determined that protection services against cyberattacks have increased by 70% over the last year. This increase shows two things: First, the attackers found a new area to run their malicious code; second, cyber threats are more sophisticated than those used five years ago.” South American countries have also reported an increase in attacks. Brazil, Mexico and Argentina are reportedly the most frequently hit countries.
While denial-of-service attacks remain the most commonly employed weapon, hackers are also increasingly using techniques such as pharming — a word that blends the practices of the farming and phishing hacking techniques. In pharming cases, hackers are able to redirect traffic from one website to a fake website to steal sensitive information, such as user names and passwords. The technique is of particular concerns to banks. Mexican banks, for example, estimate they lose as much as $93 million each year to such schemes.
Meanwhile, governments have been slow to keep up with the sophistication of hackers. A 2013 draft report on cybercrimes published by the United Nations Office on Drugs and Crime found that 90% of countries have started to put in place “structures for the investigation of cybercrime and crimes involving electronic evidence.” However, developing countries “are not well resourced and suffer from a capacity shortage.”
In confronting hackers, governments are taking on a global network. “To act, hackers require access to the global connectivity of the Internet, so we therefore conclude that the hackers themselves are global,” Ramírez says.
That globalized coordination is especially apparent when it comes to hackers, who pose a unique challenge because they are often drawn to the practice as a way of protesting laws, government decisions or corporate policies. Hacktivists loosely affiliate themselves around global labels — such as Anonymous, the group known for its iconic Guy Fawkes mask — making them difficult to track. Facebook and Twitter accounts suggest that a single country can have scores of active Anonymous groups, each with a floating rotation of members. Groups such as Anonymous “are of a hydra composition, changing from operation to operation and target to target,” Matwyshyn notes.
According to Ramírez, for some it is “in fashion” to be hacktivist. “They see themselves as ‘cyber Robin Hoods’…. These groups focus on state organizations and private institutions; virtually all of the organizations that, from the perspective of the hacktivist, threaten freedom of expression, social security and the planet in general,” he adds. In Latin America, hacktivists have taken down government websites in Argentina, Brazil, Colombia, Nicaragua, Guatemala, Chile and others, often threatening governments with attacks as well. In almost all cases, the hacker groups mounted the attack in support of a particular cause.
In Chile, for instance, the group Anonymous took credit for defacing the Ministry of Education website in support of ongoing student protests that swept across the South American nation. In Nicaragua, Anonymous targeted the controversial reelection campaign of President Daniel Ortega after he sidestepped a constitutional ban on consecutive presidential terms in 2011.
“Politically motivated hacking received widespread media attention in 2012 and information provided by the [countries] suggest that this form of cyber incident is indeed on the rise in the region,” the Organization of American States report stated. “Two countries reported coordinated cyberattack campaigns in response to legislative initiatives to strengthen copyright enforcement and reform tax codes. In both cases, hacker forums became saturated with plans to launch large-scale cyberattacks on governmental infrastructure unless the bills were vetoed.”
In messages on social media sites, such as YouTube, the groups regularly mention that they are not affiliated with a political party or with a party’s agenda. What unifies them, however, seems to be distrust in governments, corporations and organized religions, and a belief that the Internet should stay free.
The attacks can be costly. For example, two hackers affiliated with Anonymous in Great Britain were sentenced to prison terms earlier this year for attacks against PayPal and MasterCard after those companies had stopped processing payments for the group WikiLeaks. The attacks cost those companies roughly $5.6 million.
A Time for Action
Ramírez says that this year and next are key for governments and businesses that want to better defend themselves against hackers. “Organizations must take charge of their safety … as hackers seek new tricks to manipulate information.”
The Organization of American States concluded that Latin American countries are moving in the right direction. “Much work still needs to be done, however, to keep pace with those seeking to corrupt critical networks and abuse personal information,” the report said.
Governments and corporations should consider new laws to protect customer information and secure bank cards. Universities should also provide tracks specifically for the study of cyber security, Ramirez suggests. “In the coming years we will see globalized laws to stop cybercrimes, and a greater investment in cyber security and prevention and defense against attacks, along with rigorous privacy and high recruitment standards for security staff to prevent the leakage of confidential information,” he notes.
Johanna Mendelson Forman, a scholar-in-residence at American University’s School of International Service in Washington, D.C., said in a recent report that Latin American countries need to consider three immediate fixes: public education campaigns about cybercrime, investment in education to train cyber security workers and a legal framework to provide for criminal prosecutions of crimes when they do occur.
Many countries in the region have put frameworks in place that take into account the threat of cybercrime. But even countries with those frameworks have experienced trouble implementing the new laws and finding the institutional capacity to enforce them. The lack of enforcement and legal capacity to prosecute cybercrime “complicates the work of security forces — police and military that are unable to go after cyber criminals due to a lack of clear rules and definitions of the crimes committed,” Forman wrote in a May report.
However, in formulating new laws and a legal framework for prosecuting cybercrimes, governments must balance the notion of free speech on the Internet. Laws intended to regulate the use of the Internet often raise questions about free speech, especially on social media sites such as Twitter and Facebook.
In 2009, a young Guatemalan protester took to Twitter and urged his countrymen to withdraw their funds from a state-owned bank, which had been alleged of being implicit in a government corruption scheme. The protester, Jean Anleu, was arrested for “inciting panic” under a Guatemalan law. The case, which was thrown out by an appeals court because it lacked merit, illustrated the fine line governments must walk when formulating such laws.
Social media sites are exports of the United States, Matwyshyn says, and as such they were born under the U.S. understanding of free speech. “The strong tradition of free speech in the United States is embodied in these companies,” she notes. When such services start to become widely used in foreign countries, they may challenge norms. “Different countries have different definitions of free speech and freedom of expression,” Matwyshyn adds.
While a patchwork of laws exist, the general lack of a legal framework, leaves hackers and illicit groups with little fear that they will be prosecuted. “One of the main impediments to curbing illicit cyber activity in 2012 was the lack of adequate legislation and robust cyber security policies,” the Organization of American States report noted. “Paired with inexperienced cybercrime investigators and the shortage of prosecutors who specialize in technology-related offenses, many countries are facing difficulties deterring and prosecuting hackers and other cyber criminals.” Countries surveyed for the organization’s study said they lacked professionals who had been trained in cyber security, including detecting threats and preparing networks to thwart attacks.
While the issue is gaining attention within the governments and among the citizenry, Forman said Latin America needs to put forward a coordinated effort to address cyber security.
“Cybercrimes, like other forms of illicit activities, are not going away,” she wrote in her report. “Urgent action is needed if the Americas want to remain a major economic engine of growth in the 21st century.”