In Brazil the PIX payment system is becoming more and more popular. Unsurprisingly, cybercriminals are jumping on the bandwagon, trying to abuse the system for their profit. A good example of this is GoPIX, a malware campaign that has been active since December 2022.
The attack cycle begins when a potential victim searches for “WhatsApp web”. The cybercriminals employ malvertising: their links are placed in the ad section of the search results, so the user sees them first. If they click such a link, a redirection follows, with the user ending up on the malware landing page. Then something interesting takes place: the criminals use a fraud prevention solution, IP Quality Score, to determine whether the visitor is a real user or a bot.