Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."

What platforms are effected?

[SpzToid]

According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.

However, the Boleto malware the company detected searches for specific versions of client side security plug-ins detects their shared libraries and patches them in real-time to dodge security. In one case, RSA analysts noticed that the malware accessed the plugin's memory area and modified a conditional JMP to a regular JMP operation, thereby thwarting the plugin's capabilities.

What platforms does this malware operate on exactly? The TFA doesn't say.

Re:Blame the banks

[lgw]

Fortunately for Brazil, the underworld is saturated with stolen account info. The bottleneck for actual "hacker" money theft worldwide is finding new money mules to take the loss when the transfer is inevitably reversed. The world is flooded with malware, but the cops are pretty good at following the money, and so the bottleneck is there.

Most stolen account info is never acted on for lack of a way to get the cash. Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.