SecurityWeek

Cybercriminals May Have Stolen Billions in Brazilian ‘Boletos’

RSA Research has identified a malware-based fraud ring targeting Brazil’s popular Boleto payment method that may have pilfered billions of dollars from unsuspecting victims. 

Researchers with RSA, the security division of EMC, said they have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account – whether a company or an individual – can issue a Boleto associated with their bank.

Billions Stolen in Boleto Payments

Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion USD.

“The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media,” according to a whitepaper RSA released today on the malware. “The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts.”

“Although not directly related to the Boleto payment systems, the malware also collects user credentials from Microsoft online email services such as live.com, hotmail.com and outlook.com,” according to the paper. “It appears that these stolen credentials are being used to support infection campaigns by spreading spam email.”

In its investigation, RSA found 8,095 fraudulent Boleto ID numbers associated with 495,753 compromised transactions. It is not known how many of these Boletos were actually paid by the victims and whether all those funds were redirected to bank accounts controlled by the attackers.

Altogether, RSA found 192,227 infected computers controlled by the attackers, based on the number of unique IP addresses. The attackers are believed to have affected more than 30 different banks in Brazil. The researchers also found 83,506 email user credentials stolen and collected by the Boleto malware.

Boletos have been used by fraudsters to carry out several different types of attacks in Brazil, the most common being fake Boletos generated offline by scammers and sent to victims. Lately, however, Boleto malware has emerged as a more sophisticated attack. The malware is also known as Eupuds by some antivirus engines.

“The malware infects web browsers to intercept and modify Boletos by two different methods,” according to the report. “In both cases, the Boleto information is modified so that the payment is redirected either to a fraudster’s account or a mule account. Since the malware is MITB, all malware activities will be invisible to both the user and the web application.”
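As an added example (not RSA's code or any bank's) of the check a merchant or bank fraud system can run against exactly what the report describes, the code below assumes the standard Febraban layout of a bank Boleto's 47-digit linha digitável and uses constructed sample values. Recomputed check digits make a redirected Boleto look well-formed, so the decisive test is comparing the bank and beneficiary fields with the issuer's own record.

```python
# Added example (not from RSA's report): checks a Brazilian bank Boleto's 47-digit
# "linha digitavel" (Febraban layout, assumed) and compares the fields a MITB redirect
# would alter against the issuer's own record. Sample values are constructed.
def mod10(digits: str) -> int:
    """Febraban mod-10: weights 2,1,2,... from the right, products reduced to digit sums."""
    total, weight = 0, 2
    for ch in reversed(digits):
        p = int(ch) * weight
        total += p - 9 if p > 9 else p
        weight = 3 - weight
    return (10 - total % 10) % 10

def mod11(digits: str) -> int:
    """Febraban mod-11 general check digit: weights 2..9 cycling from the right."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def barcode_from_fields(bank: int, due_factor: int, value_cents: int, free_field: str) -> str:
    """44-digit barcode: bank(3) currency(1) DV(1) due factor(4) value(10) free field(25)."""
    body = f"{bank:03d}9{due_factor:04d}{value_cents:010d}{free_field}"  # 43 digits
    return body[:4] + str(mod11(body)) + body[4:]

def linha_from_barcode(bc: str) -> str:
    """Printed form: three mod-10 protected fields, the general DV, then due factor+value."""
    f1, f2, f3 = bc[0:4] + bc[19:24], bc[24:34], bc[34:44]
    return f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}{bc[4]}{bc[5:19]}"

def parse_linha(linha: str):
    """Rebuild the barcode from a linha digitavel; None if any check digit fails."""
    d = "".join(ch for ch in linha if ch.isdigit())
    if len(d) != 47:
        return None
    f1, f2, f3, gdv, f5 = d[0:10], d[10:21], d[21:32], d[32], d[33:47]
    if any(mod10(f[:-1]) != int(f[-1]) for f in (f1, f2, f3)):
        return None
    bc = f1[:4] + gdv + f5 + f1[4:9] + f2[:-1] + f3[:-1]
    if mod11(bc[:4] + bc[5:]) != int(gdv):
        return None
    return {"bank": bc[0:3], "value_cents": int(bc[9:19]), "free_field": bc[19:44]}

def redirected_fields(linha: str, issuer_record: dict):
    """Fields where the Boleto shown to the payer differs from what the issuer generated;
    non-empty means the payment was re-routed, None means the digits are corrupt."""
    got = parse_linha(linha)
    if got is None:
        return None
    return [k for k in ("bank", "free_field", "value_cents") if got[k] != issuer_record[k]]
```

A payer cannot run this alone, but an issuer that stores the fields it generated can flag a presented Boleto whose bank or free field no longer matches, which is the change a MITB redirect has to make.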

According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.


However, the Boleto malware the company detected searches for specific versions of client-side security plug-ins, locates their shared libraries and patches them in real time to dodge the protection. In one case, RSA analysts observed the malware accessing the plugin’s memory area and changing a conditional JMP into an unconditional JMP, thereby thwarting the plugin’s capabilities.

“While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds,” blogged Eli Marcus of RSA’s FraudAction Knowledge Delivery team. “As outlined in the detailed analysis from RSA Research, the developers have gone to great lengths to make Bolware effective and also hard to detect – refining features designed to evade detection and clean-up by endpoint anti-malware products.”

RSA has turned over its research along with a number of fraudulent Boleto ID numbers to the FBI and Brazilian law enforcement.

Written By

Marketing professional with a background in journalism and a focus on IT security.
