AUDIE CORNISH, HOST:
The theft of millions of records from the federal Office of Personnel Management, including Social Security numbers, is thought to be a case of espionage. Fingers have been pointed at China, though the Chinese government called that irresponsible.
MELISSA BLOCK, HOST:
Other big cyber thefts are financially motivated - credit and bank information stolen, as with breaches at Target and Home Depot. Overseas hackers are often blamed for those, too; we hear about Eastern Europe, Russia, Ukraine. Well, here's a country we hear about less often - Brazil. Whether stealing card numbers themselves or just buying them online, Brazilians are world leaders in Internet fraud. NPR's Lourdes Garcia-Navarro reports from Rio.
LOURDES GARCIA-NAVARRO, BYLINE: A few months ago, Maureen Pao, who works at NPR, noticed an odd charge on her credit card.
MAUREEN PAO, BYLINE: It was a company - foreign language - looked like it could be Spanish, maybe Portuguese. I did a little Google search and, in fact, it did turn out to be a company based in Brazil.
GARCIA-NAVARRO: The charge was pretty insignificant - about $11 - but when she looked back over previous bills, she saw it had been recurring.
PAO: It was really quite clever because it was such a small charge that it didn't really raise any red flags.
GARCIA-NAVARRO: She told her card company and they canceled her card. It was a minor hassle. She says she was surprised that the scheme originated in Brazil.
PAO: I think about beaches and I think about soccer and I definitely don't think about cybercrime.
GARCIA-NAVARRO: Cybercrime, though, has been big in Brazil for a while now, especially since Brazilians were early adopters of online banking. Most of the schemes have targeted other Brazilians, but now they hit further afield in places like the U.S. While Pao's charge wasn't big, imagine that over tens of thousands of cards over many months. It adds up to a lot of cash.
JUAN ANDRES GUERRERO: As far as global fraud is concerned, Brazil is almost exclusively at the top.
GARCIA-NAVARRO: That's Juan Andres Guerrero, a senior security researcher for Kaspersky Labs. The list of scams coming out of Brazil would take too long to detail. Thousands of fraudulent charges coming out of Brazil hit three U.S. financial institutions just to name one recent event.
GUERRERO: They're fantastically creative. In our team, Brazil actually takes an inordinate amount of time because of the amount of malware, the amount of schemes; they're constantly creating these phishing campaigns. They're incredibly elaborate.
GARCIA-NAVARRO: Elaborate and successful - one of the newest ones targeted a unique payment system in Brazil called the boleto, says Guerrero.
GUERRERO: Whenever someone needs to make a payment in Brazil they can print a piece of paper that has a barcode.
GARCIA-NAVARRO: The boleto system was invented here to try and circumvent online bank fraud.
GUERRERO: What happened was criminals caught up to that idea and they decided to design malware specifically to rewrite those barcodes. So they'll go so far as to create entirely new avenues, and it's profitable for them.
GARCIA-NAVARRO: How profitable? Just that scheme alone netted criminals as much as $3.75 billion.
(SOUNDBITE OF PHONE RINGING)
JOSE EUSON: (Foreign language spoken).
GARCIA-NAVARRO: We contacted Jose Euson in the state of Acre by Skype. He received what he thought was a legitimate boleto to pay a business creditor some $7,500.
EUSON: (Foreign language spoken).
GARCIA-NAVARRO: When he called to confirm the payment, they said they hadn't gotten it. But I have a receipt he told them. That's when he discovered the money had been stolen. He adds unfortunately the bank said they wouldn't reimburse me and now I've had to get a lawyer, he says. According to one report, at least 75 percent of Brazilian Internet users claim to have been victims of one form of cybercrime or another. The report from the Igarape Institute says the few cyber criminals who have been caught tend to fit a profile - well-educated, upper-middle-class males from 25 to 35 years old. It's an attractive business to be in because it pays well and you rarely get caught, says Brazilian cybersecurity specialist Lincoln Werneck.
LINCOLN WERNECK: (Foreign language spoken).
GARCIA-NAVARRO: He says Brazil only passed its first cybercrime law at the end of 2012 and it was done in a rush only after a soap opera star had private pictures hacked from her account.
WERNECK: (Foreign language spoken).
GARCIA-NAVARRO: The laws are completely ineffective and inefficient, Werneck says. For example, most cybercrimes involve only light penalties, house arrest or the paying of a fine, not a big deterrent considering the sums involved.
WERNECK: (Foreign language spoken).
GARCIA-NAVARRO: He also says federal and state cybercrime divisions are understaffed and underfunded. And he says despite the fact that Brazilians are obsessed with social media and Internet use, they aren't educated in how to protect themselves online, so they frequently fall for scams. Werneck says there's still no law that protects personal information in Brazil. It can be sold or given to the legitimate or illegitimate businesses with no repercussions. He says he hopes a new law will be on the books in the next a few years, but he shrugs with the Congress here, you never know. Lourdes Garcia-Navarro, NPR News, Rio de Janeiro. Transcript provided by NPR, Copyright NPR.