Brazilian Payment Fraud Campaign Targets Boletos, Steals Millions

A fraud ring targeting Brazil’s Boleto payment method has pulled off hundreds of thousands of bogus transactions valued at $3.75 billion.

UPDATE–Hackers are targeting Brazil’s Boleto payment system, the second most popular payment method in the country, and have conducted hundreds of thousands of fraudulent transactions, though researchers differ over how much money has been stolen.

Formally known as Boleto Bancario, Boletos are financial documents issued by banks that can be used by consumers to make payments to utilities and other outlets. Boletos are either printed and mailed to customers, or are generated and sent via electronic transfers. Common to all are a bar code, identification field or numerical representation of the bar code, and an identification number.

Researchers at RSA Security yesterday reported the discovery of an extensive and effective malware campaign that’s been operating for two years and has ratcheted up the sophistication of Boleto fraud, which used to be confined to offline forgery of the payment documents.

The Boleto malware attacks leverage man-in-the-browser infections to attack vulnerabilities in Chrome, Firefox and Internet Explorer running on Windows PCs and redirects Boleto payments to the attacker’s money mule account.

“Since the malware is MITB, all malware activities are invisible to both the victim and the web application,” RSA said in its report, adding that there are up to 19 variants of the malware.

RSA said it has detected 495,753 fraudulent Boleto transactions since 2012, valued at $3.75 billion USD. However, Brazilian banking association FEBRABAN in 2012 estimated financial fraud losses at $700 million, dramatically under cutting RSA’s numbers.

“Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil,” RSA said. “While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.”

In a legitimate online Boleto transaction, an online store, for example, will generate and send the Boleto to a customer. The customer can then choose where to use it once it’s displayed in the browser. Once an infected PC is used, the Boleto data is stolen along with all browser data and sent to the attacker’s server. The attacker then modifies the Boleto data to send payments to the hacker’s mule account rather to the bank.

“The malware uses techniques exported from other famous Trojans, such as SpyEye, HTML code injection, MitB and so on,” said Fabio Assolini, senior security researcher with Kaspersky Lab. “But it’s not all: the most recent attacks relies on malicious Firefox and Chrome extensions (found in the official store) and fake websites that offers the possibility to reissue or recalculate an expired boleto.”

RSA said it has detected 192,227 bots, or unique IPs, that have been infected.

RSA said it has detected 192,227 bots, or unique IPs, that have been infected. More than 30 bank brands have been affected in this campaign, which has also scooped up more than 83,000 email credentials and other data stolen by the malware.

RSA said this type of fraud is difficult for the customer to detect because the ID number fields aren’t tied to a payee and customers don’t generally validate that type of information. Banks, RSA said, don’t detect the fraud immediately because transactions are coming from customer computers and customers make frequent Boleto payments.

Fraudulent Boleto ID numbers and attack characteristics have been turned over to the FBI and Brazil’s federal police, RSA said.

“While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers,” RSA said. “RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets.”

This story was updated on July 4 to clarify that researchers disagree on how much money may have been stolen.

Suggested articles