Cybercriminals Exploit Brazil’s PIX Instant Payment Platform in New Phishing Attack

The largest campaign we have uncovered, with over 4,000 phishing emails sent (and blocked by Forcepoint Email Security) on 21st October 2020, urges users to register with the service with warnings of additional charges and blocked accounts if they do not act fast.

PIX, a new instant money transfer service, is being launched to the public on 16th November 2020 by the Central Bank of Brazil (BCB). Forcepoint X-Labs have seen several email phishing campaigns using this service as a lure to steal banking details and passwords from would-be victims.

“Registration for the new PIX payment method has been available since October 5th, but we have not yet identified its membership. Perform the verification and avoid charging fees or temporarily blocking your account.

Here’s the contents of the phishing email:

– A new and much easier way to pay and receive money, in seconds, created by the Central Bank.

After all, what is PIX?

Here’s what the phishing email looks like:

Check now, the procedure is quick and simple.”

A smaller second campaign was uncovered on 6th October 2020 with over 1500 emails and was a simple call to register for the service.  This is timely, and misleading, given that the registration for keys (e-mail, mobile number, etc) is due to commence on 3rd November 2020 according to public documents.

“Dear CAIXA Customer.

Here’s the contents of the second phishing email:

Make your registration here in less than 1 minute, it is quick and simple.

It’s time to Register your PIX Key,

And here’s the second phishing email itself:

CAIXA Self-Service – 2020”

This campaign used a call to action URL from Google’s free hosting service to lend some legitimacy to the phishing email and circumvent security scanning

Web Phishing

In recent years, researchers across the industry have seen a huge uptick in the malicious use of free host services such as Google’s Firebase, Microsoft’s Azure and others. This has been covered widely by many security publications, but the services continue to be abused with very little attention from their admins.


The phishing URLs in the above campaigns did not serve any content at the time of writing, however Forcepoint X-Labs are constantly updating and creating new analytics for our Forcepoint Advanced Classification Engine (ACE) to detect credential harvesting phishing pages as they discovered.

Attacker tactics, techniques and procedures (TTP) stay consistent over time with the theme of the lure changing to leverage current events. If kept up to date, your web and email security stack should remain effective against these adjustments in the threat landscape.

As we have outlined in our COVID-19 being used as a lure for malicious and phishing campaigns blog post, we stress the use of caution when unexpected emails are received regarding a well-publicized event or technology.

Forcepoint customers are protected against this threat at the following stages of attack:

Protection Statement

  • Stage 2 (Lure) – Malicious emails associated with these attacks are identified and blocked.
  • Stage 4 (Exploitation) – Malicious websites are identified and blocked.

This post was first first published on Forcepoint website by Ben Gibney. You can view it by clicking here