Massive Boleto fraud in Brazil caused up to $3.75 billion USD in losses

RSA Security has discovered a large-scale malware campaign that hijacked Boleto payments, with potential financial losses estimated at $3.75 billion USD.

Security experts at RSA Security have recently discovered a large-scale malware campaign that has been operating for at least two years. The malicious code uses the man-in-the-browser (MITB) technique against popular browsers, including Chrome, Firefox and Internet Explorer, running on Windows machines.

The security firm has identified 495,753 potentially fraudulent Boleto transactions since 2012, with a combined value of $3.75 billion USD; by comparison, the Brazilian banking association FEBRABAN in 2012 provided a far more optimistic estimate of financial fraud losses, reporting only $700 million.

The malware behind the fraud hijacks Boleto payments and redirects them to a series of accounts controlled by the cyber criminals and used as money mule accounts.

Cyber criminals are targeting Brazil’s Boleto payment system; the bad actors are estimated to have already carried out hundreds of thousands of fraudulent transactions.

Boleto is the second most popular payment method in Brazil. Boletos are financial documents issued by banks that anyone can use to make payments anywhere in the country.

“Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil,” states RSA in the report issued by the company. “While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.”

Boletos exist in both paper and electronic form; they can be sent to customers via email or exchanged in electronic transactions. Each Boleto carries a bar code, an identification field (the numerical representation of the bar code), and an identification number.

“A new and more sophisticated kind of fraud involving Boletos is Boleto malware, also known as Eupuds by some AV engines. This new threat is of the MITB (Man-in-the-browser) variety that attacks online operations and is based on transaction modification on the client side. The malware infects web browsers to intercept and modify Boletos by two different methods. In both cases, the Boleto information is modified so that the payment is redirected either to a fraudster’s account or a mule account. Since the malware is MITB, all malware activities will be invisible to both the user and the web application,” RSA said.

In a legitimate transaction, when a customer buys a product or service online, the vendor generates a Boleto for the payment and sends it to the customer online. Once the customer receives the Boleto, he can choose where to pay it.

If the malware is present on the customer’s PC, it intercepts the Boleto, steals its data and sends it to the attacker, who then modifies the Boleto data so that the payment goes to the criminals’ mule account rather than to the legitimate payee.
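The interception described above works because the numerical representation of the bar code is plain text that the malware can rewrite before the customer pays it. The following is an added example, not code from the original article or from RSA, showing what a merchant or payer can check before paying. It assumes the FEBRABAN bank-slip (boleto de cobrança) layout: a 44-digit bar code made of bank code, currency, a mod-11 check digit, due-date factor, amount and a 25-digit bank-specific free field, and the 47-digit digitable line that splits the same data into fields with mod-10 check digits. All sample values (bank codes 001 and 237, the amounts, the free fields) are constructed for the example, and the field names are this example’s own. The point it makes: a one-digit edit is caught by the check digits, but a Bolware-style substitution regenerates the whole line with valid check digits, so the only useful check is comparing the bank code and beneficiary fields against the merchant the payer expects.

```python
from __future__ import annotations
from dataclasses import dataclass

# FEBRABAN bank-slip layout assumed by this example.
# Bar code (44):  bank(3) currency(1) DV11(1) factor(4) amount(10) free(25)
# Digitable line (47): bank+currency+free[0:5]+DV10 | free[5:15]+DV10 |
#                      free[15:25]+DV10 | bar code DV11 | factor+amount


def mod10(digits: str) -> int:
    """Field check digit: weights 2,1,2,1,... from the right; a product of
    10 or more contributes the sum of its digits (product - 9)."""
    total, weight = 0, 2
    for ch in reversed(digits):
        product = int(ch) * weight
        total += product - 9 if product > 9 else product
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """Bar code check digit: weights 2..9 cycling from the right;
    results 0, 10 and 11 are replaced by 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


@dataclass
class Boleto:
    bank: str      # 3-digit bank code
    factor: str    # 4-digit due-date factor
    amount: int    # amount in centavos
    free: str      # 25-digit free field (beneficiary data in most bank layouts)
    currency: str = "9"

    def body(self) -> str:
        """The 43 bar code digits covered by the mod-11 check digit."""
        body = f"{self.bank}{self.currency}{self.factor}{self.amount:010d}{self.free}"
        if len(body) != 43:
            raise ValueError("bad field widths")
        return body

    def barcode(self) -> str:
        body = self.body()
        return body[:4] + str(mod11(body)) + body[4:]

    def digitable_line(self) -> str:
        f1 = f"{self.bank}{self.currency}{self.free[0:5]}"
        f2, f3 = self.free[5:15], self.free[15:25]
        f5 = f"{self.factor}{self.amount:010d}"
        return (f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}"
                f"{mod11(self.body())}{f5}")


def parse_digitable_line(line: str) -> Boleto:
    """Strip dots/spaces, verify all four check digits, return the fields.
    Raises ValueError on a malformed line or any check-digit mismatch."""
    d = "".join(ch for ch in line if ch.isdigit())
    if len(d) != 47:
        raise ValueError(f"expected 47 digits, got {len(d)}")
    f1, f2, f3, dv, f5 = d[0:10], d[10:21], d[21:32], d[32], d[33:47]
    for name, field in (("field 1", f1), ("field 2", f2), ("field 3", f3)):
        if mod10(field[:-1]) != int(field[-1]):
            raise ValueError(f"{name} check digit mismatch")
    boleto = Boleto(bank=f1[0:3], currency=f1[3], factor=f5[0:4],
                    amount=int(f5[4:14]), free=f1[4:9] + f2[:10] + f3[:10])
    if mod11(boleto.body()) != int(dv):
        raise ValueError("bar code check digit mismatch")
    return boleto


def is_valid(line: str) -> bool:
    try:
        parse_digitable_line(line)
        return True
    except ValueError:
        return False


def check_against_expected(line: str, expected_bank: str, expected_amount: int) -> list[str]:
    """Discrepancies a merchant or payer can check before paying. A line that
    validates but names another bank is what a Bolware-style swap produces."""
    b = parse_digitable_line(line)
    problems = []
    if b.bank != expected_bank:
        problems.append(f"bank code {b.bank} != expected {expected_bank}")
    if b.amount != expected_amount:
        problems.append(f"amount {b.amount} != expected {expected_amount}")
    return problems


# Constructed sample values for this example (not a real Boleto).
LEGIT = Boleto(bank="001", factor="9000", amount=123456,
               free="1234567890123456789012345")
LEGIT_LINE = LEGIT.digitable_line()
# A Bolware-style swap keeps amount and due date but regenerates the whole
# line, check digits included, for a mule account at another bank.
FRAUD_LINE = Boleto(bank="237", factor="9000", amount=123456,
                    free="9876543210987654321098765").digitable_line()
# A crude one-digit edit, by contrast, is caught by the field check digit.
TAMPERED_LINE = LEGIT_LINE[:2] + "2" + LEGIT_LINE[3:]

if __name__ == "__main__":
    print("legit:   ", LEGIT_LINE, check_against_expected(LEGIT_LINE, "001", 123456))
    print("fraud:   ", FRAUD_LINE, check_against_expected(FRAUD_LINE, "001", 123456))
    print("tampered:", TAMPERED_LINE, "valid" if is_valid(TAMPERED_LINE) else "rejected")
```

Run as a script it prints the three constructed lines: the legitimate one passes with no discrepancies, the regenerated fraudulent one also passes every check digit but is flagged for the wrong bank code, and the one-digit edit is rejected. The lesson for a bank or merchant is that check digits are a transcription safeguard, not an integrity control, so detection has to compare the decoded beneficiary data with what was actually issued, ideally out of band from the infected browser.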

According to Fabio Assolini, senior security researcher with Kaspersky Lab, recent attacks rely on malicious browser extensions.

“But it’s not all: the most recent attacks rely on malicious Firefox and Chrome extensions (found in the official store) and fake websites that offer the possibility to reissue or recalculate expired boletos,” said Assolini.

The key numbers provided by RSA on the Boleto fraud are:
  • Evidence suggests that a fraud ring known as the Bolware operation affects more than 30 different banks in Brazil.
  • The potential loss related to operations of this fraud ring have been estimated at up to R$ 8,572,513,355.59 ($3.75 billion USD). The monetary loss estimate is based on the discovery of 495,753 potentially fraudulent transactions, and tallying the sum of those transaction values. The actual amount the fraudsters were able to redirect to their accounts and were actually paid by the victims is unknown.
  • RSA Research has been able to identify 8,095 unique fraudulent Boleto ID numbers (tied to a total 495,753 potentially fraudulent transactions) that the fraudsters have been using to steal and transfer money to their (mule) accounts.
  • RSA Research has discovered 83,506 user credentials that were stolen and collected by the Boleto malware.
  • The overall amount of infected PC bots (according to unique IP addresses) is 192,227.

This type of fraud is difficult to detect by victims as explained by RSA in the report.

“While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers,” RSA said. “RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets.”

Pierluigi Paganini

(Security Affairs – Boleto, cybercrime)


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and is a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
