“Does anyone know where this family lives?
They bought
400 thousand pesos
in my furniture store and made a payment with a
Mercado Pago trucho
at our freight,” comments a merchant in a Facebook group of residents of San Martín, west of the Conurbano.
Another neighbor, from the Belgrano neighborhood of Mar del Plata, replicated, in another group, the case of a woman who
pretended to transfer
27 thousand pesos
to the owners of a bookstore
for the purchase of school supplies.
There are countless other posts on social networks that allege this new type of scam: simulating the payment or transfer of money through a
fake Mercado Pago application
.
Other posts on Facebook, Marketplace or Telegram promote the sale of this apocryphal application at ridiculous prices.
But, what is it about?
The Mercado Pago app is today common among Argentines.
It emerged as a virtual wallet to integrate many people who could not access or operate in the legal financial system and have a debit or credit card.
It was quickly accepted and today it is difficult to find someone who does not have it downloaded on their cell phone or a business that does not accept it as a means of payment.
And it is known that everything that becomes massive is a source of inspiration for those who make a living by cheating.
Not many years ago it happened with fake coins and bills, then credit card cloning appeared and now the scam of the moment is the fake Mercado Pago.
Thus, there are application developers who, instead of improving them or collaborating with their security, dedicate themselves to perverting them.
True professionals in the art of design and programming who start
chains of scams
.
One of the cases of attempted scam with the fake Mercado Pago app occurred this summer in Mar del Plata when a group of eight young people spent a million pesos on alcohol at the "Jano's Beach" parador, in the Punta area. Mogotes.
But when it came time to collect, the managers of the place, seeing that the transfers, two alleged transfers, of $530,000 and another of $265,000, did not arrive, they called the Police.
All were detained in the framework of a "fraud" case, led by prosecutor David Bruna, of the Functional Instruction Unit 10, specialized in Economic Crimes.
False Mercado Pago: what the scam circuit is like
The
circuit
begins with developers cloning the interface and a limited number of functions from all those offered by the original application: in particular the
money transfer and QR code reading
functions .
An analyst from
Birmingham Cyber Arms
(BCA), a group of experts in offensive computer security (that is, using hacker techniques to thwart hackers), and which is also a source for
Clarín
, contacted a developer to Let this explain the origin of the trout version of the application.
One of the publications in which they offer the "9.9 vip market" with "ghost transfer".
—Are you interested
in buying the fake Mercado Pago
in its latest version?—asks the developer.
—What is the system like?—asks the BCA analyst.
—It is an installable application for
Android
, similar in every way to Mercado Pago, but with
fictitious money
, and with which you can make payments by reading QR codes or transfer.
The fictitious money
is credited for half an hour
and after that it disappears
.
That is, the person who receives the money issued from an account in this fake application
sees the amount
transferred to them impacted, but after half an hour that money no longer exists.
—And is it a hack to Mercado Libre or how does it work?—continues the BCA analyst.
—It is a separate application, but developed from that company's servers.
—And what does the application cost?
And does play money have a fixed amount or can you put whatever amounts you want?
—The latest version is worth
8 thousand pesos
,
friend
.
And you yourself can put whatever twine you want.
However, in Facebook or Telegram groups, or in Marketplace, the application sells for less than a
thousand pesos
.
What, then, is the reason for the discrepancy?
In the field of computing and cybersecurity, this maneuver is defined as
“
malware
as a service”
.
Malware is a malicious program, that is, whose purpose is to carry out harmful actions against a user with the presumption that they
do
not realize it.
"
Vendo Mercado Pago
", "
Mercado Pago $500
", "
Mercado Pago Trucho Phantom Transfer
", "
Mercado Pago app for sale (F4LS4)
", are some of the hundreds of ads in
Marketplace
that appear in a simple search.
Those who sell this scam program in the aforementioned groups are part of a scheme.
Precisely, they “rent” these apocryphal versions of Mercado Pago (and
also
other wallets such as Cuenta DNI, BNA+ or Naranja
In most cases these are non-updated versions, which have design or operation flaws.
Thus,
scammers and those who wish to be scammers are defrauded
.
A scammer offers trout apps from different wallets and banks.
The BCA analyst puts the issue in street terms: “It's like buying drugs: the more hands that have touched it, the less you know what 'cut' it may have.
Or also those who
buy credit cards: you don't know how many are 'burned'
.
There are people who buy a batch of a hundred cards, and when they use them, they have the police kicking down their door.”
We must not forget, he adds, that this type of business proliferates on Marketplace and on Telegram.
“That is, the worst of the worst.”
The keys to avoid falling into the fake Mercado Pago scam
A source from Mercado Libre, the company that owns Mercado Pago, reports that it is working on cybersecurity to take extreme care.
He does not give further details, because he estimates that it would mean encouraging developers and scammers.
But it recommends that users activate security measures, such as
two-step verification or not deliver the merchandise until the money is credited
, and, to the extent possible,
use the posnet that the company developed and process the payment using a code. QR.
Fake Mercado Pago apps are offered on different Internet platforms for values ranging from $400 to $8000.
In turn, Mercado Pago has established itself as a major financial player, formidable competition for the banking system.
How do banks handle security in their applications and portals such as homebanking?
Ernesto, a cybersecurity analyst frequently contacted by different banks operating in the country, and who prefers to reserve his real last name but not his virtual “last name” (@dkavalanche), explains this.
“Banks have teams of people especially dedicated to cybersecurity tasks: they are professionals with high technical and theoretical knowledge, and who are fully aware of the techniques that hackers use.
That is, they think like them to be able to detect vulnerabilities,” he tells
Clarín
.
These techniques are known as “ethical hacking”.
Sometimes they hire highly computer-savvy outsiders to tell them how they would breach their sites.
He adds that banking entities have a computer structure set up to detect schemes such as cloning of sites, fake profiles and interfaces.
“In addition to internal audits, there are external ones that the Central Bank requires as a regulatory basis.
They also carry out very specific and technical tasks, but also Open Source Intelligence.”
Fake Mercado Pago apps are offered on different Internet platforms for values ranging from $400 to $8000.
Open Source Intelligence (or OSINT) refers to the public data that circulates on the Internet and that can represent, for example, the same posts that the sellers of this trout application make.
As every action on social networks leaves a trace, and not all sellers and scammers are experts in computers and the art of stealth, it is possible to trace where the leak originated and the long chain of the scam began.
However, they not only scam merchants and people in good faith, but also those who seek to engage in illicit activities.
Meanwhile, on Facebook, Telegram and other social networks,
groups of scammers and publications of escrache towards such scammers coexist.
Sometimes, it is the same people who want to scam who end up scammed, a true Borromean knot.
MG