
Brazilian boleto bandits bilk billions

Brian Krebs

While the eyes of the world are on the ball, Brazilian cyber criminals are kicking goals with malware. Photo: Julian Finney

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money.

Just as a gang of Cup ticket scalpers was arrested in Rio de Janeiro on Wednesday, new research into a mostly small-time cybercrime practice has come to light.

At issue is the “boleto” (officially “Boleto Bancario”), a popular Brazilian payment method used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s website, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

A Brazilian boleto: a supposedly safer method of money transfer. Photo: KrebsOnSecurity

Brazil has an extremely active and talented cybercrime underground, and organised crime gangs in the country are increasingly setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the boleto recipient's account information. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account with one the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a web-based control panel for a boleto-thieving botnet (see screenshot). In this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly $US250,000 ($266,000) during that time.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking - known as the “Bolware” operation - affects more than 30 different banks in Brazil, and may be responsible for up to $US3.75 billion ($3.4 billion) in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real. Photo: KrebsOnSecurity

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

RSA notes that the miscreants responsible for the Bolware operation appear to have used more than 8000 separate accounts to receive the stolen funds. That’s roughly 7997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order - at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smartphones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.
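The practical consequence of RSA's observation is that the printed barcode can serve as a reference for what the browser displays. The following is an added example, not code from the article, from RSA or from any bank: it implements the public FEBRABAN layout (44-digit barcode, 47-digit "linha digitável"), converts one into the other while validating every check digit, and then cross-checks a displayed line against the barcode. The sample numbers are constructed test values in Banco do Brasil layout for R$ 1,00, not a real charge, and the "substituted line" is built here only to show that a swapped line can be internally valid yet still fail the cross-check.

```python
"""Cross-check a boleto's displayed 'linha digitável' against its barcode.

Added example (not from the article or RSA). Layout assumed: FEBRABAN
44-digit barcode and 47-digit linha digitável. Sample values are constructed.
"""
import re


def _digits(s: str) -> str:
    """Strip dots and spaces so formatted and raw input compare equal."""
    return re.sub(r"\D", "", s)


def mod10(field: str) -> str:
    """Módulo 10 check digit: weights 2,1,2,1,... applied right to left,
    products above 9 reduced to the sum of their digits."""
    total, weight = 0, 2
    for ch in reversed(field):
        p = int(ch) * weight
        total += p - 9 if p > 9 else p
        weight = 1 if weight == 2 else 2
    return str((10 - total % 10) % 10)


def mod11_general(body43: str) -> str:
    """General check digit (barcode position 5) over the other 43 digits:
    weights 2..9 cycling right to left; results 0, 10 and 11 become 1."""
    total, weight = 0, 2
    for ch in reversed(body43):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return "1" if dv in (0, 10, 11) else str(dv)


def barcode_to_linha(barcode: str) -> str:
    """Derive the 47-digit linha digitável from a 44-digit barcode."""
    bc = _digits(barcode)
    if len(bc) != 44:
        raise ValueError("barcode must have 44 digits")
    if mod11_general(bc[:4] + bc[5:]) != bc[4]:
        raise ValueError("barcode general check digit is wrong")
    bank_currency, dv, factor_value, free = bc[:4], bc[4], bc[5:19], bc[19:]
    f1 = bank_currency + free[:5]   # bank + currency + first 5 free-field digits
    f2 = free[5:15]                 # free-field digits 6-15
    f3 = free[15:25]                # free-field digits 16-25
    return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + dv + factor_value


def linha_to_barcode(linha: str) -> str:
    """Rebuild the barcode from a linha digitável, validating every check digit."""
    ld = _digits(linha)
    if len(ld) != 47:
        raise ValueError("linha digitável must have 47 digits")
    f1, f2, f3, dv, f5 = ld[:10], ld[10:21], ld[21:32], ld[32], ld[33:]
    for name, f in (("field 1", f1), ("field 2", f2), ("field 3", f3)):
        if mod10(f[:-1]) != f[-1]:
            raise ValueError(f"{name} check digit is wrong")
    bc = f1[:4] + dv + f5 + f1[4:9] + f2[:10] + f3[:10]
    if mod11_general(bc[:4] + bc[5:]) != dv:
        raise ValueError("general check digit is wrong")
    return bc


def is_valid_linha(linha: str) -> bool:
    """Stand-alone check-digit validation only (what most sites do)."""
    try:
        linha_to_barcode(linha)
        return True
    except ValueError:
        return False


def cross_check(displayed_linha: str, scanned_barcode: str) -> dict:
    """Compare the line the browser displayed with the line the printed barcode
    encodes. A mismatch means the displayed line belongs to a different boleto."""
    expected = barcode_to_linha(scanned_barcode)
    shown = _digits(displayed_linha)
    diffs = [i for i, (a, b) in enumerate(zip(expected, shown)) if a != b]
    return {"match": shown == expected, "bank_on_barcode": expected[:3],
            "bank_on_line": shown[:3], "differing_positions": diffs}


# Constructed sample: Banco do Brasil layout, R$ 1,00, not a real charge.
SAMPLE_BARCODE = "00193373700000001000500940144816060680935031"
SAMPLE_LINHA = "00190.50095 40144.816069 06809.350314 3 37370000000100"

# A second line with the same value and due date but a different free field
# (the part carrying beneficiary data), built by regenerating the check digits.
# It is internally valid, which is exactly why check digits alone do not help.
_BODY = "0019" + "3737" + "0000000100" + "1234567890123456789012345"
OTHER_BARCODE = _BODY[:4] + mod11_general(_BODY) + _BODY[4:]
OTHER_LINHA = barcode_to_linha(OTHER_BARCODE)

if __name__ == "__main__":
    for label, line in (("original line", SAMPLE_LINHA), ("substituted line", OTHER_LINHA)):
        print(f"{label}: stand-alone valid={is_valid_linha(line)} "
              f"matches barcode={cross_check(line, SAMPLE_BARCODE)['match']}")
```

The design point is that check-digit validation catches typos, not substitution: a replacement line with recomputed digits passes `is_valid_linha` but fails `cross_check`, which is why RSA's advice to pay from the barcode with a phone app (rather than from the line shown by a possibly compromised browser) holds as long as the barcode itself is left untouched.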

KrebsOnSecurity

1 comment so far

  • Let me guess, this would be another example of WINDOWS only malware with no mention in the article that it only affects WINDOWS users (like the vast majority of all malware)?

    Commenter
    DC
    Location
    Melbourne
    Date and time
    July 04, 2014, 1:09PM
