Massive Boleto fraud in Brazil caused 3.75 billion USD in losses

Pierluigi Paganini July 05, 2014

RSA Security has discovered a large-scale malware campaign that hijacked Boleto payments, causing financial losses of 3.75 billion USD.

Security experts at RSA Security have recently discovered a large-scale malware campaign that has been operating for at least two years. The malicious code implements the man-in-the-browser technique to exploit vulnerabilities in popular browsers, including Chrome, Firefox and Internet Explorer, running on Windows machines.

The security firm has detected 495,753 fraudulent Boleto transactions since 2012, for total losses of $3.75 billion USD, whereas the Brazilian banking association FEBRABAN provided a more optimistic estimate in 2012, reporting financial fraud losses of only $700 million.

The malware used in the fraudulent transactions hijacks Boleto payments, redirecting them to a series of accounts managed by the cyber criminals and used as money mule accounts.

Cyber criminals are targeting Brazil’s Boleto payment system; it has been estimated that the bad actors have already conducted hundreds of thousands of fraudulent transactions.

Boleto is the second most popular payment method in Brazil. Boletos are financial documents issued by banks that the population can use to make payments throughout the country.

“Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil,” states RSA in the report issued by the company. “While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.”

Boletos are managed in both paper and electronic form; they can be sent to customers via email or transferred in electronic transactions. Each Boleto carries a bar code, an identification field or numerical representation of the bar code, and an identification number.


“A new and more sophisticated kind of fraud involving Boletos is Boleto malware, also known as Eupuds by some AV engines. This new threat is of the MITB (Man-in-the-browser) variety that attacks online operations and is based on transaction modification on the client side. The malware infects web browsers to intercept and modify Boletos by two different methods. In both cases, the Boleto information is modified so that the payment is redirected either to a fraudster’s account or a mule account. Since the malware is MITB, all malware activities will be invisible to both the user and the web application,” RSA said.

In a legitimate transaction, when a customer buys a product or service online, the vendor generates a Boleto for the payment and sends it online to the customer. Once the customer receives the Boleto, he can choose where to pay it.

If the Boleto is intercepted by malware on the customer’s PC, the malicious code steals its data and sends it to the attacker, who then modifies the Boleto data to send payments to the hacker’s mule account rather than to the bank.
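A vendor-side integrity check for the modification described above, as an added example that is not from RSA's report or the original article: it compares the bar code the vendor issued with the numerical representation a customer reports having paid and names the components that changed. The 44-digit bar code and 47-digit line layout are assumed from the FEBRABAN bank-boleto convention, and the bank codes and all sample values are constructed.

```python
# Added example. Layout assumed from the FEBRABAN bank-boleto convention; values constructed.
def mod10(digits):  # check digit of each of the three typed-line fields
    total = 0
    for i, ch in enumerate(reversed(digits)):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10
    return str((10 - total % 10) % 10)

def mod11(body43):  # overall check digit stored at bar-code position 5
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(body43)))
    dv = 11 - total % 11
    return "1" if dv in (10, 11) else str(dv)

def make_barcode(bank, due_factor, amount, free):
    body = bank + "9" + due_factor + amount + free  # "9" is the currency code
    return body[:4] + mod11(body) + body[4:]

def barcode_to_line(bc):  # 44-digit bar code -> 47-digit numerical representation
    f1, f2, f3 = bc[0:4] + bc[19:24], bc[24:34], bc[34:44]
    return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + bc[4] + bc[5:19]

def line_to_barcode(line):  # validate check digits, then rebuild the bar code
    d = "".join(c for c in line if c.isdigit())
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    for field in (d[0:10], d[10:21], d[21:32]):
        if mod10(field[:-1]) != field[-1]:
            raise ValueError("field check digit mismatch")
    bc = d[0:4] + d[32] + d[33:47] + d[4:9] + d[10:20] + d[21:31]
    if mod11(bc[:4] + bc[5:]) != bc[4]:
        raise ValueError("overall check digit mismatch")
    return bc

FIELDS = {"bank": slice(0, 3), "due_factor": slice(5, 9),
          "amount": slice(9, 19), "free_field": slice(19, 44)}

def diff_boleto(issued_bc, presented_line):
    # Valid check digits prove only well-formedness; integrity needs this comparison.
    got = line_to_barcode(presented_line)
    return [name for name, s in FIELDS.items() if issued_bc[s] != got[s]]

# Constructed samples: same due date and amount, different bank and free field.
ISSUED = make_barcode("901", "6100", "0000015000", "1234567890123456789012345")
TAMPERED = make_barcode("902", "6100", "0000015000", "9876543210987654321098765")

if __name__ == "__main__":
    print(diff_boleto(ISSUED, barcode_to_line(ISSUED)))
    print(diff_boleto(ISSUED, barcode_to_line(TAMPERED)))
```

A redirected payment shows up as a changed bank and free field with the amount intact, and the tampered line still passes every check-digit test.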


According to Fabio Assolini, senior security researcher with Kaspersky Lab, recent attacks rely on malicious browser extensions.

“But it’s not all: the most recent attacks rely on malicious Firefox and Chrome extensions (found in the official store) and fake websites that offer the possibility to reissue or recalculate an expired boleto,” said Assolini.

The key numbers provided by RSA on the Boleto fraud are:
  • Evidence suggests that a fraud ring known as the Bolware operation affects more than 30 different banks in Brazil. 
  • The potential loss related to operations of this fraud ring have been estimated at up to R$ 8,572,513,355.59 ($3.75 billion USD). The monetary loss estimate is based on the discovery of 495,753 potentially fraudulent transactions, and tallying the sum of those transaction values. The actual amount the fraudsters were able to redirect to their accounts and were actually paid by the victims is unknown.
  • RSA Research has been able to identify 8,095 unique fraudulent Boleto ID numbers (tied to a total 495,753 potentially fraudulent transactions) that the fraudsters have been using to steal and transfer money to their (mule) accounts. 
  • RSA Research has discovered 83,506 user credentials that were stolen and collected by the Boleto malware. 
  • The overall amount of infected PC bots (according to unique IP addresses) is 192,227.

This type of fraud is difficult for victims to detect, as RSA explains in the report.

“While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers,” RSA said. “RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets.”

Pierluigi Paganini

(Security Affairs –  Boleto, cybercrime)
