Recently, the Brazilian press has reported the arrest of a gang that carried out a fraud against financial institutions in a scam that is based on the financing of vehicles that do not exist or are not available for sale. Tempest’s Threat Intelligence team was able to track the activity of criminals linked to this type of fraud and identify the scam steps. This modality of fraud was nicknamed “Garage Scheme” by the criminals.

The scheme depends on several components; the main one is access to the bank financing system, which financial institutions grant to car stores, usually to the owner of the business or to other personnel who run the shop, called “garage owners” by the fraudsters.

Nothing prevents these people from sharing credentials with members of their team. However, fraudsters in the store also need to have access to the store’s bank account, in order to access the scam money. This factor can, in many cases, limit the number of those involved to store administrators only. Conceptually, it is also possible for an external attacker to have control of these credentials, but the researchers did not identify evidence of this activity.

People in a position to operate as garage owners are recruited on social networks by profiles or groups that share fraud tactics and techniques. These individuals form partnerships for attack campaigns, depending on the expertise of each person.

“Car stores that have financing platform, should come to earn money” // Image: posts on social networks recruiting people for the scheme
“Anyone who has a car store (car garage) with a financing screen, should come in private, for a job with full pay” // Image: posts on social networks recruiting people for the scheme

But to get access to the money from the garage scheme, it is still necessary to link a fictitious car to a fictitious buyer who has good credit.

It was found that the financing systems of at least three Brazilian institutions identified cars by means of photos of the vehicles and their registration document. It would be enough to submit a photo of any car to get information from its owner and falsify the document.

Photos of cars are obtained through two paths: the first one is to photograph a car of the desired model (with high value, usually) in public places, such as shopping malls. This variant adds one more victim to the scam, raising the risks of detection. Thus, an alternative adopted by the fraudsters is to use vehicles in scrap status, but with photos taken when they were in good condition. Old photos can be obtained from public channels such as social media, online marketplaces or from insurance broker inspection.

With the photo of the vehicle, fraudsters search for data related to its registry and to its owner in government systems or in private companies, such as insurers, and issue a false registration document, whose image is added to the financing system along with the photo of the car.

There are accounts that operators of the scheme would have the contacts of people in DETRAN — a Brazilian government agency related to vehicle registration, among other things — and that these individuals would be responsible for creating “ghost vehicles” that do not exist in the government system, which would open a third way for the insertion of the car into the financing system. However, this modality was not confirmed.

The buyer’s data cannot come from just any person; it must come from an individual who has a good credit score, as this favors the analysis conducted by the financial institution and the payment release. Data from consumers with good scores are negotiated in several channels, especially on social networks.

“Does anyone have data with a score of 900 or 800 to give me. I give access to the website, PC and computer parts” // Image: posts in social media related to the negotiation of data with high credit scores

“Jobs active: 5 pieces of data with a 800+ score — 50 Brazilian reais / 10 pieces of data with a 800+ score — 80 Brazilian reais / 20 pieces of data with a 800+ score — 130 Brazilian reais / 50 pieces of data with a 800+ score — 200 Brazilian reais / Those who indicate customers will earn the same amount of data as the person buys” // Image: posts in social media related to the negotiation of data with high credit scores
“Those who have top score data should come in the private chat, I will buy it” // Image: posts in social media related to the negotiation of data with high credit scores
“Data sales with top score, you should come” (below a rating company system screenshot showing a score of 977) // Image: posts in social media related to the negotiation of data with high credit scores

Personal data can be obtained in a wide variety of channels, which can involve buying, obtaining by exchanging favors or even collecting it in direct attacks. This information is enriched with the credit score, granted by rating companies that are recognized by the Brazilian market. Obtaining the score of each victim can be done by individuals with access to the rating systems or by checking the score status on a consumer version system, in an automated manner or one by one.

With access to the financing system, vehicle data and buyer information, operators create financing proposals and wait for bank credit approvals. With the proposal approved, the bank deposits the financing amount into the “garage owner” account, and the amount is then divided with other members of the gang.

People involved in the scheme say that the scam generates 50 to 300 thousand Brazilian reais daily (10,000 to 60,000 GBP or 12,500 to 75,000 USD) and, according to police investigation disclosed by the press, one of the gangs that operated in the “garage scheme”, arrested in July, got 2 million Brazilian reais. Fraudsters criticised this gang after the news of the arrest, saying that the lavish behavior of criminals on social networks caught the attention of the police and stating that, even with this arrest, the scheme still works.

“Most people go there because they want to show off … Those who earn discreetly remain hidden… Everyone saw the news today. But what did they get? Because of a video opening a whiskey bottle with a shooting, in a house rented in a Luxury condominium … No way … I have 4 operators in this job! Everyone is online. You have to know how to earn and how to spend money … Those who have a garage, should come.” // Image: Fraudster says that the scheme remains active

It is recommended that the financial institutions implement controls that establish cautious analysis of images linked to the financing process and that they also implement a search for sources of information in which the history of stores, cars and buyers can be evaluated. Another important measure is the hiring of intelligence services that can provide an overview of frauds by analysing various threats.
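As an added illustration, not taken from Tempest's research or from any institution's system, the sketch below shows how the history of stores, cars and buyers could be cross-checked before a financing amount is released. The field names, the registry status values, the daily threshold and all sample data are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Proposal:
    store_id: str
    plate: str
    buyer_id: str
    photo_sha256: str  # digest of the submitted vehicle photo
    submitted: date

def review_flags(p, history, registry_status, known_photos, daily_limit=3):
    """Return the reasons a proposal should be held for manual review."""
    flags = []
    # Car history: scrapped vehicles presented with photos from better days.
    if registry_status.get(p.plate) == "scrap":
        flags.append("vehicle_scrap_status")
    # Image analysis: photo already seen in a proposal, listing or inspection.
    if p.photo_sha256 in known_photos:
        flags.append("photo_seen_before")
    # Car history: the same vehicle financed through a different store.
    if any(h.plate == p.plate and h.store_id != p.store_id for h in history):
        flags.append("plate_financed_by_other_store")
    # Buyer history: one identity buying through several stores.
    if any(h.buyer_id == p.buyer_id and h.store_id != p.store_id for h in history):
        flags.append("buyer_seen_at_other_store")
    # Store history: unusual number of proposals from one store in one day.
    same_day = sum(h.store_id == p.store_id and h.submitted == p.submitted
                   for h in history)
    if same_day >= daily_limit:
        flags.append("store_daily_volume")
    return flags

# Constructed sample data (every identifier here is made up for the example).
DAY = date(2020, 1, 15)
HISTORY = [
    Proposal("store-A", "AAA0001", "buyer-1", "d1", DAY),
    Proposal("store-A", "AAA0002", "buyer-2", "d2", DAY),
    Proposal("store-A", "AAA0003", "buyer-3", "d3", DAY),
    Proposal("store-B", "BBB0001", "buyer-4", "d4", DAY),
]
REGISTRY = {"AAA0001": "active", "BBB0001": "active", "CCC0001": "scrap"}
KNOWN_PHOTOS = {h.photo_sha256 for h in HISTORY} | {"d9"}  # d9: old listing photo

SUSPECT = Proposal("store-A", "CCC0001", "buyer-4", "d9", DAY)
CLEAN = Proposal("store-B", "BBB0002", "buyer-5", "d5", DAY)

if __name__ == "__main__":
    print(review_flags(SUSPECT, HISTORY, REGISTRY, KNOWN_PHOTOS))
    print(review_flags(CLEAN, HISTORY, REGISTRY, KNOWN_PHOTOS))
```

An exact digest only catches byte-identical reuse of a photo; a re-encoded or cropped copy needs a perceptual comparison instead.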