The customers of a number of Brazilian banks are currently being targeted with e-mails that are made to look like official communication from the banks in question but are actually crafted to infect the recipients with a downloader Trojan masquerading as a new version of the software for their token device.
What makes this e-mail campaign special is that the criminals have gotten hold of the victims’ Cadastro de Pessoas Físicas (CPF) numbers – the Brazilian equivalent of the U.S. Social Security Number – and they are using them to give an aura of legitimacy to the e-mail.
The criminals’ possession of those numbers – which are, by the way, essential if you want to open a bank account, apply for a job, receive loans, etc. – is obviously a result of a data leak.
According to the Kaspersky Lab expert who detected the fake e-mail, it is a well-known fact that Brazilian criminals sell CDs containing (among other things) citizens’ CPF numbers for a price that reaches $190.