720,000 Brazilian credit cards were leaked in 2021

In 2021, Brazil maintained its leadership position as the country with the highest number of credit and debit card leaks in the world. In all, 720,643 cards were exposed online, which encompasses both the superficial web, the dark web and the deep web (whose pages are not indexed in search engines such as Google).

The data is from a report released this Thursday (3) by Axur, a cybersecurity and risk monitoring company.

According to the survey, Brazilian leaks represent a third of the episodes detected globally, easily surpassing the United States (116%), which occupies the second position in the ranking with 333 thousand exposed cards.

This is the second consecutive year that Brazil tops the list. In 2020, the amount had been even higher: 910,000 leaked cards.

For Fábio Ramos, executive director of Axur, the size of the population is one of the factors that influence the position in the ranking, but the explanation is not limited to that.

“I think there is a lot of carelessness when using the card. In addition, people in Brazil are very banked, everyone has two, three, four credit cards,” he said, during the report’s presentation event.

Another factor that helps to understand such high numbers is the change in consumer habits, who started to make more purchases online during the pandemic.

“A large part of the population is exposing itself, and the credit card is still the most used means of payment”, he says.

The report also highlights the quality of the database found. In almost all cases, the available information was enough for criminals to make purchases: 95.9% of the cards were still within their expiry date and all of them were accompanied by a verification code (CVV).

In addition to payment data, Brazilians had several sensitive information exposed throughout 2021. According to the survey, at least 2.8 billion records such as RG, CNPJ and passport were made available online.

Only of CPFs, 699 million were leaked. The number is greater than the total population of Brazil because it includes data on dead people and doubles those that appeared in different leaks.

Phishing attacks dropped, but fake profiles grew

Axur’s data points to a drop in phishing episodes, a technique that uses social engineering to trick people into providing sensitive information.

In 2021, 25,133 phishing pages were identified, 36.4% lower than the 39,000 in 2020.

However, Ramos highlights that it is still not possible to celebrate this retraction, since 2020 was marked by an extraordinary volume of virtual attacks. “There’s no way there’s a wave bigger than a tsunami,” he says.

The director also says he has noticed a change in the behavior of cybercriminals, who are looking for easier ways to achieve the same goal.

One of the examples is fake profiles, the simplest fraud technique, which does not require hosting a website, buying email lists, etc.

According to the report, 58.8% of incidents that misused monitored brands in 2021 were through fraudulent profiling.

“Criminals began to see that making the same type of attack using the infrastructure of a social network is simpler,” he says.

The survey does not point out which platforms are most subject to the action of criminals, but Ramos says that Instagram is often a frequent target, as it gathers high exposure and the possibility of seeing which people are following real pages.

According to him, fake profiles of restaurants, hotels and inns are widely used to deceive customers. “The criminal creates a profile with the official name of a business, adds another word [como ‘suporte’, ‘oficial’ ou ‘atendimento’] and gets in touch with those who follow the company, announcing a promotion or coupon, for example.”

Fake apps also grew

Another trend highlighted by the report was the growth of fake apps. In 2021, 13,032 fraudulent apps for smartphones were identified, 103% more than in the previous year.

According to Ramos, these applications can function either as malware — which takes over a person’s device — or as mobile phishing platforms, providing forms to steal sensitive information.

This type of scam requires a certain technical knowledge from the cybercriminal. In the director’s view, the increase in episodes indicates a sophistication of attacks.

“Our hypothesis is that criminals are looking to diversify channels. They saw apps as a niche [de atuação] that is not explored”, he says.