In recent weeks, Perception Point researchers have been closely tracking a Brazilian cyber threat group they call “GeoMetrix.” The group runs phishing campaigns aimed mainly at individuals in Brazil and Spain, and it likely also profits from selling its phishing tooling to other bad actors. In this blog, we review the key aspects of GeoMetrix’s tactics and operations.
Over the course of July 2023, Perception Point researchers observed an increase in phishing email campaigns written in Portuguese and Spanish. The emails impersonate legitimate Spanish and Brazilian banks, and their immediate goal is to get the recipient to click a link embedded in the message:
Once the user clicks this unobtrusively placed URL, they are first sent to the threat actor’s control panel site, which runs a geolocation check on the visitor’s IP address. If the visitor’s location matches the actor’s target geography, the visitor’s IP address, physical location, and email address (the email is presumably carried as a parameter in the link the victim clicked) are logged in the attacker’s ‘click panel.’
The visitor is then redirected to a malicious URL, which leads to one of the following payloads:
The diagram below showcases the execution flow of the campaign:
In the course of our in-depth analysis, we identified ten active click panels, each sharing a common structure:
The geofencing mechanism involves three essential checks:
Only a visitor who passes all three checks has their data logged on the click panel and is redirected to the malicious URL. If any check fails, the visitor is sent to a benign search engine such as Bing instead. The practical consequence for defenders is that an analyst, link-preview fetcher or URL scanner that trips any one of the checks sees nothing but a harmless Bing redirect.
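To make the gating behaviour concrete, the following is a re-implementation of the three-check gate described above, written for this post as an added example; it is not the actors’ click panel source, which the post does not reproduce. It assumes the target-country set, the field names, and that the keyword list is substring-matched against the visitor’s reverse-DNS/ISP string; those are assumptions, not findings from the post. The pattern and keyword samples are a small subset of the two blocklists reproduced at the end of the post, and the visitors it evaluates are constructed (RFC 5737 addresses, made-up hostnames).

```python
"""
Re-implementation of the three-check gate: geolocation, user-agent blocklist,
hostname/ISP keyword blocklist. Example code added to this post, not the
actors' code. Assumptions (not stated in the post): the target-country set,
field names, and that the keyword list is matched against the visitor's
reverse-DNS / ISP string.
"""
import re
from dataclasses import dataclass

# Subset of the crawler/user-agent patterns from the appendix (regex fragments).
UA_BLOCK_PATTERNS = [
    "Googlebot", "bingbot", "[wW]get", "Python-urllib", "python-requests",
    "Go-http-client", "HeadlessChrome", "PhantomJS", "^curl", "okhttp",
    "Nmap Scripting Engine", "zgrab", "Slackbot", "WhatsApp", "BingPreview",
]
_UA_BLOCK_RE = re.compile("|".join(f"(?:{p})" for p in UA_BLOCK_PATTERNS))

# Subset of the keyword list from the appendix. Assumed to be substring-matched,
# case-insensitively, against the visitor's rDNS/ISP string: security vendors,
# URL scanners, cloud hosters, Tor exits, and the impersonated banks themselves.
ORG_BLOCK_KEYWORDS = [
    "antivirus", "phish", "security", "netcraft.com", "trendmicro", "sophos",
    "amazon", "google", "microsoft.com", "linode", "vultr", "scaleway", ".tor.",
    "bb.com.br", "bradesco", "itau", "santander",
]

TARGET_COUNTRIES = {"BR", "ES"}            # assumption: the victim geography named in the post
BENIGN_REDIRECT = "https://www.bing.com/"  # the fallback destination the post describes


@dataclass(frozen=True)
class Visitor:
    ip: str
    country: str        # ISO 3166 code from a GeoIP lookup (pre-resolved here, no network)
    user_agent: str
    rdns_or_isp: str    # reverse-DNS name or ISP/organisation string for the IP
    email: str = ""     # tracking value carried in the phishing link, if present


def check_geo(v: Visitor) -> bool:
    return v.country.upper() in TARGET_COUNTRIES


def check_user_agent(v: Visitor) -> bool:
    return _UA_BLOCK_RE.search(v.user_agent) is None


def check_org(v: Visitor) -> bool:
    host = v.rdns_or_isp.lower()
    return not any(k.strip().lower() in host for k in ORG_BLOCK_KEYWORDS)


def gate(v: Visitor, payload_url: str, click_log: list) -> str:
    """Return the URL the visitor is redirected to. Only released visitors are
    logged, so the panel's 'Liberados' counter equals len(click_log)."""
    if check_geo(v) and check_user_agent(v) and check_org(v):
        click_log.append({"ip": v.ip, "country": v.country, "email": v.email})
        return payload_url
    return BENIGN_REDIRECT


CHROME_ANDROID = ("Mozilla/5.0 (Linux; Android 13) AppleWebKit/537.36 (KHTML, like Gecko) "
                  "Chrome/115.0.0.0 Mobile Safari/537.36")


def probe_profiles(payload_url: str = "https://payload.example/x") -> tuple[dict, list]:
    """Constructed visitors (RFC 5737 addresses, made-up hostnames) showing which
    analysis setups receive the payload URL and which are quietly sent to Bing."""
    log: list = []
    visitors = {
        # residential mobile user in Brazil: the intended victim
        "victim_br_mobile": Visitor("203.0.113.10", "BR", CHROME_ANDROID,
                                    "203-0-113-10.dsl.example.net.br", "victim@example.com"),
        # sandbox detonating the URL from a cloud VM, even with a Brazilian egress
        "sandbox_cloud_br": Visitor("198.51.100.7", "BR", CHROME_ANDROID,
                                    "ec2-198-51-100-7.sa-east-1.compute.amazonaws.com"),
        # chat/e-mail link-preview fetcher
        "link_preview": Visitor("192.0.2.33", "ES", "Slackbot-LinkExpanding 1.0",
                                "preview.example.net"),
        # analyst fetching the URL by hand
        "analyst_curl": Visitor("192.0.2.44", "ES", "curl/8.1.2", "vpn.example.net"),
        # real browser and clean hostname, but outside the targeted countries
        "wrong_country": Visitor("192.0.2.55", "US", CHROME_ANDROID,
                                 "192-0-2-55.dsl.example.net"),
    }
    return {name: gate(v, payload_url, log) for name, v in visitors.items()}, log


if __name__ == "__main__":
    results, log = probe_profiles()
    for name, url in results.items():
        print(f"{name:18s} -> {url}")
    print("Liberados:", len(log))
```

Running it shows only the residential Brazilian mobile profile being released; the cloud sandbox, the link preview, the hand-typed curl and the out-of-region browser all land on Bing. The lesson for anyone analysing these links is to fetch them with a realistic browser user agent from a residential egress in the targeted country, and to treat a bank-themed link that merely redirects to Bing as a cloaked target rather than a benign one.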
As noted above, our investigation uncovered ten click panels, each with a ‘success click’ counter labelled “Liberados” (Portuguese for “released”). Summing the counters across all panels gives more than 15,000 visitors who passed the checks and were redirected to a payload. The counter records released clicks rather than confirmed infections, so it is a measure of victims reaching the payload, not of successful compromise.
One campaign in our investigation stood out in particular: it impersonated Banco do Brasil. The email was well crafted, warning the recipient that a large balance of digital coins would expire the next day and urging them to spend the coins immediately.
This seemingly harmless email led victims to a cleverly designed phishing site, closely resembling Banco do Brasil’s login page.
On the left of the page, users are asked for a key and password; submitting them starts a series of phishing steps that harvest the victim’s banking details. More interesting, though, is the right side of the page, which offers something called a “BB Code.”
“BB Code” is a Banco do Brasil feature intended to make money transfers easier and safer: the payer scans a QR code with any banking app and confirms the transaction on their own phone, which transfers the money to the recipient encoded in the code.
The criminals behind this campaign abuse that feature: the QR code on the phishing page is theirs, so a victim who scans it and confirms the payment transfers money directly to the attackers. Because the flow looks simple and secure, it is a convincing way to steal funds, and, unlike the credential-harvesting path on the left, it does not depend on a stolen password at all; the victim authorises the payment in their legitimate app.
Given the array of evidence gathered during our investigation, we are led to speculate that GeoMetrix may be profiting from one of the following business models:
GeoMetrix appears to be more than a single threat actor: there is a strong possibility that it operates as a platform enabling others to conduct phishing and malware distribution. This underlines the growing complexity of the threat landscape and the need for defenses that account for cloaked, geo-targeted delivery. As we deal with these multidimensional threats, we must keep updating our knowledge, improving our defenses, and watching for new tactics.
For more information on how to protect your organization against cyber threats, request a demo today.
Appendix: user-agent patterns (regular-expression fragments) from the click panel blocklist, reproduced from the post:
"Googlebot","Googlebot-Mobile","Googlebot-Image","Googlebot-News","Googlebot-Video","AdsBot-Google([^-]|$)","AdsBot-Google-Mobile","Feedfetcher-Google","Mediapartners-Google","Mediapartners (Googlebot)","APIs-Google","bingbot","Slurp","[wW]get","LinkedInBot","Python-urllib","python-requests","libwww-perl","httpunit","nutch","Go-http-client","phpcrawl","msnbot","jyxobot","FAST-WebCrawler","FAST Enterprise Crawler","BIGLOTRON","Teoma","convera","seekbot","Gigabot","Gigablast","exabot","ia_archiver","GingerCrawler","webmon ","HTTrack","grub.org","UsineNouvelleCrawler","antibot","netresearchserver","speedy","fluffy","findlink","msrbot","panscient","yacybot","AISearchBot","ips-agent","tagoobot","MJ12bot","woriobot","yanga","buzzbot","mlbot","YandexBot","YandexImages","YandexAccessibilityBot","YandexMobileBot","purebot","Linguee Bot","CyberPatrol","voilabot","Baiduspider","citeseerxbot","spbot","twengabot","postrank","TurnitinBot","scribdbot","page2rss","sitebot","linkdex","Adidxbot","ezooms","dotbot","Mail.RU_Bot","discobot","heritrix","findthatfile","europarchive.org","NerdByNature.Bot","sistrix crawler","Ahrefs(Bot|SiteAudit)","fuelbot","CrunchBot","IndeedBot","mappydata","woobot","ZoominfoBot","PrivacyAwareBot","Multiviewbot","SWIMGBot","Grobbot","eright","Apercite","semanticbot","Aboundex","domaincrawler","wbsearchbot","summify","CCBot","edisterbot","seznambot","ec2linkfinder","gslfbot","aiHitBot","intelium_bot","facebookexternalhit","Yeti","RetrevoPageAnalyzer","lb-spider","Sogou","lssbot","careerbot","wotbox","wocbot","ichiro","DuckDuckBot","lssrocketcrawler","drupact","webcompanycrawler","acoonbot","openindexspider","gnam gnam spider","web-archive-net.com.bot","backlinkcrawler","coccoc","integromedb","content crawler spider","toplistbot","it2media-domain-crawler","ip-web-crawler.com","siteexplorer.info","elisabot","proximic","changedetection","arabot","WeSEE:Search","niki-bot","CrystalSemanticsBot","rogerbot","360Spider","psbot","InterfaxScanBot","CC Metadata Scaper","g00g1e.net","GrapeshotCrawler","urlappendbot","brainobot","fr-crawler","binlar","SimpleCrawler","Twitterbot","cXensebot","smtbot","bnf.fr_bot","A6-Indexer","ADmantX","Facebot","OrangeBot","memorybot","AdvBot","MegaIndex","SemanticScholarBot","ltx71","nerdybot","xovibot","BUbiNG","Qwantify","archive.org_bot","Applebot","TweetmemeBot","crawler4j","findxbot","S[eE][mM]rushBot","yoozBot","lipperhey","Y!J","Domain Re-Animator Bot","AddThis","Screaming Frog SEO Spider","MetaURI","Scrapy","Livelap[bB]ot","OpenHoseBot","CapsuleChecker","[email protected]","IstellaBot","DeuSu","betaBot","Cliqzbot","MojeekBot","netEstate NE Crawler","SafeSearch microdata crawler","Gluten Free Crawler","Sonic","Sysomos","Trove","deadlinkchecker","Slack-ImgProxy","Embedly","RankActiveLinkBot","iskanie","SafeDNSBot","SkypeUriPreview","Veoozbot","Slackbot","redditbot","datagnionbot","Google-Adwords-Instant","adbeat_bot","WhatsApp","contxbot","pinterest.com.bot","electricmonk","GarlikCrawler","BingPreview","vebidoobot","FemtosearchBot","Yahoo Link Preview","MetaJobBot","DomainStatsBot","mindUpBot","Daum","Jugendschutzprogramm-Crawler","Xenu Link Sleuth","Pcore-HTTP","moatbot","KosmioBot","pingdom","AppInsights","PhantomJS","Gowikibot","PiplBot","Discordbot","TelegramBot","Jetslide","newsharecounts","James BOT","Bark[rR]owler","TinEye","SocialRankIOBot","trendictionbot","Ocarinabot","epicbot","Primalbot","DuckDuckGo-Favicons-Bot","GnowitNewsbot","Leikibot","LinkArchiver","YaK","PaperLiBot","Digg Deeper","dcrawl","Snacktory","AndersPinkBot","Fyrebot","EveryoneSocialBot","Mediatoolkitbot","Luminator-robots","ExtLinksBot","SurveyBot","NING","okhttp","Nuzzel","omgili","PocketParser","YisouSpider","um-LN","ToutiaoSpider","MuckRack","Jamie's Spider","AHC","NetcraftSurveyAgent","Laserlikebot","^Apache-HttpClient","AppEngine-Google","Jetty","Upflow","Thinklab","Traackr.com","Twurly","Mastodon","http_get","DnyzBot","botify","007ac9 Crawler","BehloolBot","BrandVerity","check_http","BDCbot","ZumBot","EZID","ICC-Crawler","ArchiveBot","^LCC ","filterdb.iss.netcrawler","BLP_bbot","BomboraBot","Buck","Companybook-Crawler","Genieo","magpie-crawler","MeltwaterNews","Moreover","newspaper","ScoutJet","(^| )sentry","StorygizeBot","UptimeRobot","OutclicksBot","seoscanners","Hatena","Google Web Preview","MauiBot","AlphaBot","SBL-BOT","IAS crawler","adscanner","Netvibes","acapbot","Baidu-YunGuanCe","bitlybot","blogmuraBot","Bot.AraTurka.com","bot-pge.chlooe.com","BoxcarBot","BTWebClient","ContextAd Bot","Digincore bot","Disqus","Feedly","Fetch","Fever","Flamingo_SearchEngine","FlipboardProxy","g2reader-bot","G2 Web Services","imrbot","K7MLWCBot","Kemvibot","Landau-Media-Spider","linkapediabot","vkShare","Siteimprove.com","BLEXBot","DareBoost","ZuperlistBot","Miniflux","Feedspot","Diffbot","SEOkicks","tracemyfile","Nimbostratus-Bot","zgrab","PR-CY.RU","AdsTxtCrawler","Datafeedwatch","Zabbix","TangibleeBot","google-xrawler","axios","Amazon CloudFront","Pulsepoint","CloudFlare-AlwaysOnline","Google-Structured-Data-Testing-Tool","WordupInfoSearch","WebDataStats","HttpUrlConnection","Seekport Crawler","ZoomBot","VelenPublicWebCrawler","MoodleBot","jpg-newsbot","outbrain","W3C_Validator","Validator.nu","W3C-checklink","W3C-mobileOK","W3C_I18n-Checker","FeedValidator","W3C_CSS_Validator","W3C_Unicorn","Google-PhysicalWeb","Blackboard","ICBot","BazQux","Twingly","Rivva","Experibot","awesomecrawler","Dataprovider.com","GroupHigh","theoldreader.com","AnyEvent","Uptimebot.org","Nmap Scripting Engine","2ip.ru","Clickagy","Caliperbot","MBCrawler","online-webceo-bot","B2B Bot","AddSearchBot","Google Favicon","HubSpot","Chrome-Lighthouse","HeadlessChrome","CheckMarkNetwork","www.uptime.com","Streamline3Bot","serpstatbot","MixnodeCache","^curl","SimpleScraper","RSSingBot","Jooblebot","fedoraplanet","Friendica","NextCloud","Tiny Tiny RSS","RegionStuttgartBot","Bytespider","Datanyze","Google-Site-Verification"
Appendix: keyword blocklist from the click panels (security vendors, banks, hosting providers and other organisations), reproduced from the post with the duplicated run removed:
".tor.","123planosdesaude","VAULTVPN","activescan","alpha2","amazon","ancombraterney","anti-phishing","antipishing","antispam","antivirus","avast","bancopastor","bancopopular","banesto","bankofamerica","barracuda","bb.com.br","bitdefender","bradesco","cajamadrid","chicago ","cia.gov","clamav","clamwin","cleandir","colocrossing","coloup","consumer","copel","customer","datapacket","delitosinformaticos","detector","dimenoc","dnblead","donategrid","dufrio","easysol","ebay.com","eset","eveocloud","f-secure","fasano","fbi.gov","fraudwatchinternational","free-av","gfihispana","google","greenmountainaccess","grisoft","hands","hauri-la","hispasec","instantcheckmain","itau","iwgroup","kapersky","laarnes","letti","linode","mailcontrol","mailstream","mallshill","marimex","mcafee","mgconecta","microsoft.com","midphase","monitor","movistar","msn.com","nephosdns","netcraft.com","nod32","norton","offerzz1","onlinedc","opendns","owned-networks","panda.com","pandasoftware","paypal","phish","pish","prcdn","protectedgroup","quadranet","rodobens.com.br","rsa.com","rsghosting","sajonaramail","santander","scaleway","scotiabank","security","seguridad","sescsp","sophos","spamfirewall2","spfbl","symantec","thinins","trendmicro","trustwave","unicaja","utfpr.edu.br","verisign","veritas","viabcp","vnunet","vodafone","vultr","wbinfo","webandseo ","zonealarm","vcarefilter","dovaleseguros","dedini","penso","unimedfortaleza","alfa","kiaautovale","mail.ale","barracuda.penso","mx.lubeck","datacoper","tcu.gov.br","gdh.tbi","dbz.ce","lubeck","citroenpremiere","eucatex","carburgo","fieam","uniparcarbocloro","sysbrasil","braspor","relay.eb.mil.br","elojasbecker","ferragensnegrao","grupogmaes","eb","luzsp","midiaon","gegnet","lojasbesni"