RSA Research has identified a malware-based fraud ring targeting Brazil’s popular Boleto payment method that may have pilfered billions of dollars from unsuspecting victims.
Researchers with RSA, the security division of EMC, said they have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account – whether a company or an individual – can issue a Boleto associated with their bank.
“The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media,” according to a whitepaper RSA released today on the malware. “The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts.”
“Although not directly related to the Boleto payment systems, the malware also collects user credentials from Microsoft online email services such as live.com, hotmail.com and outlook.com,” according to the paper. “It appears that these stolen credentials are being used to support infection campaigns by spreading spam email.”
In its investigation, RSA found 8,095 fraudulent Boleto ID numbers associated with 495,753 compromised transactions. It is not known how many of these Boletos were actually paid by the victims and whether all those funds were redirected to bank accounts controlled by the attackers.
All together, RSA found 192,227 infected computers controlled by the attackers based on the number of unique IP addresses. The attackers are believed to have affected more than 30 different banks in Brazil. The researchers also found 83,506 email user credentials stolen and collected by the Boleto malware.
“The malware infects web browsers to intercept and modify Boletos by two different methods,” according to the report. “In both cases, the Boleto information is modified so that the payment is redirected either to a fraudster’s account or a mule account. Since the malware is MITB, all malware activities will be invisible to both the user and the web application.”
According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.
However, the Boleto malware the company detected searches for specific versions of client side security plug-ins detects their shared libraries and patches them in real-time to dodge security. In one case, RSA analysts noticed that the malware accessed the plugin’s memory area and modified a conditional JMP to a regular JMP operation, thereby thwarting the plugin’s capabilities.
“While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds,” blogged Eli Marcus of RSA’s FraudAction Knowledge Delivery team. “As outlined in the detailed analysis from RSA Research, the developers have gone to great lengths to make Bolware effective and also hard to detect – refining features designed to evade detection and clean-up by endpoint anti-malware products.”
RSA has turned over its research along with a number of fraudulent Boleto ID numbers to the FBI and Brazilian law enforcement.
