
Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

Posted by samzenpus
from the making-that-money dept.
wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. "The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."
  • I don't get it. (Score:3, Insightful)

    by Kleebner (533168) on Wednesday July 02, 2014 @10:24PM (#47373607) Homepage
    So this boleto thing... It's a check, right? I am not getting what makes it different.
    • Re:I don't get it. (Score:5, Informative)

      by Anonymous Coward on Wednesday July 02, 2014 @10:31PM (#47373629)

      Just read Krebs and skip this drivel. http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

    • Re: I don't get it. (Score:5, Informative)

      by Anonymous Coward on Wednesday July 02, 2014 @10:42PM (#47373651)

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

      • That's rather neat. Why don't we have those?

        • That's rather neat. Why don't we have those?

          'we' being techy immigrants to 'murica.

        • by tepples (727027)
          I was under the impression that some countries called their opposite-of-check a "giro".
        • We do, it's called an invoice.
          You get one with practically every dead-tree bill, just take the slip into most grocery or corner stores and you can pay it.
          • If you come into my store with an invoice from your gas company, I'm not going to know what the hell to do with it. Send your cheque to the gas company.

        • by Anonymous Coward

          I'm kind of guessing that it's much more dangerous for merchants in Brazil to handle cash. Necessity is the mother of invention. With this system I guess many merchants could choose to go cashless. People might still have to carry cash to make the payment, but they would carry it to the post office, lotto house, or bank mentioned in some links that people posted. Those locations presumably have higher levels of security? In other words, merchants have the option of centralizing security at these other

      • It sounds like a Boleto is an invoice, and consequently that retailers in Brazil are very trusting of their customers, since there's no mention of collecting buyer information. What's to stop buyers from destroying or simply never paying off the Boleto? If I went to the store to get a TV and instead of having to actually pay for it I was just given an invoice, with no identifying information about me obtained by the seller, it would be rather tempting to never take the Boleto to a bank to pay it off.
        • by tokizr (1984172)
          They only get the goods *after* you pay, so it is safe for them. If you go to a store and take a product home they will give you other payment options instead such as credit/debit, cash or some other type of *ensured* payment. Or they will collect all personal information (including your CPF (SSN equivalent)) which is all they need to the hell out of you if you don't pay (much like if you paid with a cheque and had no backing funds).
          • Ah, so you go to a store to buy something, get a boleto instead, then take the boleto to a bank and pay it, then return to the store with a "paid" stamped boleto to pick up your goods?

            Wouldn't it be easier to just pay at the store?
            • Re: I don't get it. (Score:5, Informative)

              by dafradu (868234) on Thursday July 03, 2014 @12:17PM (#47377223)
              Not exactly. You can go to a store and they will give you credit to buy something that costs X paying X/12 a month. They give you something like a boleto for each month and you take your good home. If you don't pay your boletos your credit is ruined, you'll only be able to do that once, no other store will give you credit because they always check with credit institutions like SERASA. Oh, and it's a baaaaad idea to miss your payments, they charge ridiculous amounts for any day you miss. Your total due can double easily.

              Boletos come in the mail so you can pay most of your bills here, we call those boletos too. Utilities, cable, internet, credit card, any kind of insurance etc. They all can send you boletos to pay online or at your bank. It's common for old people to take a bunch of them to the bank on payday and ask the teller to pay them all. Me? I do it all online. My phone can scan the barcode with its camera, so it's really easy to pay the bills.

              Boleto is a thing in Brazil because a lot of people get paid in cash. A lot of people don't have bank accounts or credit cards. "Informal workers" are still a big part of the working force in Brazil even these days.
            • by dafradu (868234)
              I don't think I made myself clear in that case.
              Why would you go to a store, get a boleto, go to the bank to pay it, get back to the store with the paid boleto and take your goods?
              That means you have means to pay the good right there, be it cash or debit/credit. So you just pay it right there at the store.
              The store could issue a boleto in the other case I described, where they let you pay a fraction of the total price each month for some % each month.
    • http://thebrazilbusiness.com/a... [thebrazilbusiness.com] ... describes how to make and pay boletos

  • by SpzToid (869795) on Wednesday July 02, 2014 @10:26PM (#47373613)

    According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.

    However, the Boleto malware the company detected searches for specific versions of client side security plug-ins, detects their shared libraries, and patches them in real-time to dodge security. In one case, RSA analysts noticed that the malware accessed the plugin's memory area and modified a conditional JMP to a regular JMP operation, thereby thwarting the plugin's capabilities.

    What platforms does this malware operate on exactly? The TFA doesn't say.

    • by Anonymous Coward

      Windows only.
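The tampering RSA describes in the passage quoted above, a conditional jump in the plugin's loaded library turned into an unconditional one, shows up when a module's code in memory is compared with the same bytes on disk. The following is an added example of that comparison, not code from the report or from this thread; it assumes x86 code, assumes both buffers cover the same section with relocations already accounted for, and uses constructed byte strings and a hypothetical function name.

```python
SHORT_JCC = range(0x70, 0x80)  # one-byte opcodes of Jcc rel8
NEAR_JCC = range(0x80, 0x90)   # second byte of 0F 8x (Jcc rel32)

def find_code_patches(on_disk: bytes, in_memory: bytes, base: int = 0):
    """Diff a code section from the file against the copy mapped in the process.

    Returns (address, disk_hex, memory_hex, verdict) for each run of changed bytes.
    """
    if len(on_disk) != len(in_memory):
        raise ValueError("buffers must cover the same range")
    findings, i, n = [], 0, len(on_disk)
    while i < n:
        if on_disk[i] == in_memory[i]:
            i += 1
            continue
        j = i
        while j < n and on_disk[j] != in_memory[j]:
            j += 1  # extend over the whole run of differing bytes
        old, new = on_disk[i:j], in_memory[i:j]
        verdict = "code bytes modified"
        if len(old) == 1 and old[0] in SHORT_JCC and new[0] == 0xEB:
            verdict = "conditional short jump replaced by JMP"
        elif len(old) == 2 and old[0] == 0x0F and old[1] in NEAR_JCC and new == b"\x90\xe9":
            verdict = "conditional near jump replaced by NOP+JMP"
        findings.append((base + i, old.hex(), new.hex(), verdict))
        i = j
    return findings

# Constructed sample: test eax,eax / je +5 / mov eax,1 / ret / xor eax,eax / ret
DISK = bytes.fromhex("85c07405b801000000c331c0c3")
PATCHED = bytes.fromhex("85c0eb05b801000000c331c0c3")  # 74 (JE) became EB (JMP)

if __name__ == "__main__":
    for addr, old, new, verdict in find_code_patches(DISK, PATCHED, base=0x1000):
        print(f"{addr:#x}: {old} -> {new}  {verdict}")
```

Any difference in a code section is worth reporting; the jump-specific verdicts only help triage which findings look like a disabled check.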

  • Blame the banks (Score:5, Insightful)

    by DeKO (671377) <danielosmari.gmail@com> on Wednesday July 02, 2014 @10:32PM (#47373631)

    From TFA:

    In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. [...] However, the Boleto malware [...] searches for specific versions of client side security plug-ins, detects their shared libraries, and patches them in real-time to dodge security.

    I've closed my account in 3 different banks for pulling this bullshit. So it turned out the "security plugin" is full of security holes; worse than that, they are educating their users that they need to install/update software every time they access their bank online, so most accept plugin installation confirmations right away.

    The fact that it attacks boletos is a minor detail, it's a traceable and reversible money transfer once suspicious activity is identified.

    • Re:Blame the banks (Score:4, Interesting)

      by lgw (121541) on Thursday July 03, 2014 @01:20AM (#47374069) Journal

      Fortunately for Brazil, the underworld is saturated with stolen account info. The bottleneck for actual "hacker" money theft worldwide is finding new money mules to take the loss when the transfer is inevitably reversed. The world is flooded with malware, but the cops are pretty good at following the money, and so the bottleneck is there.

      Most stolen account info is never acted on for lack of a way to get the cash. Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

      • by dargaud (518470)

        Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

        What's 'shifting' if you don't mind my asking?

    • The plugin from the bank itself can be considered a virus. As an example, the ridiculous plugin of the company GAS technology [gastecnologia.com.br] not only affects the overall operation of the computer (slowdowns all the time) but is also easily defeated by any malware. It's a piece of junk made by amateurs who only disrupt the computer without offering any protection.
  • Boleto Bancário, simply referred to as Boleto (English: Ticket) is a payment method in Brazil regulated by FEBRABAN, short for Brazilian Federation of Banks.

    you're welcome

  • by rossdee (243626)

    So what's a Billion Brazilian Boletos worth in BitCoin?

  • 3750000000/495793 = 7564.25 per transaction .. even if it's the Real (Brazil's 'dollar') it's a little less than half that in USD.
    If the crooks are smart they are shaving a'la Superman3 and not stealing it outright but that's a huge per-transaction average.
    • by DeKO (671377)

      Sounds like they replace the barcode to redirect the payment to an account they own, so they are really stealing the whole amount. Funny thing is, after you enter the code (by scanning or typing) you get a confirmation screen (either on the ATM or on the online system) with the name of the receiving entity; it's hard to imagine the bank would allow somebody to create an account with a name that looks like a utility company or something like that.

      I agree, the average amount seems way too high; things at tha

      • by Anonymous Coward

        actually you don't get a confirmation screen when paying "non-registered" boletos (banks offer 2 types of boletos to customers, they work the same way, but on the non-registered one the bank has no information on the boleto until it gets paid)

        the amount is probably wrong, no way the mean transaction would be 7500

    • by tokizr (1984172)
      The value of the Boleto is part of the code and can be altered by the payer (for instance if you have to pay a fine because the payment is late, or if you have a discount for paying early) so if you can yank the transaction you can probably also alter the value.
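What the comments above describe, a substituted code and an amount that is itself part of the code, can be checked on the payer's side by decoding the line before paying. The following is an added example, not from the thread or the RSA report: it assumes the standard 47-digit bank-collection line layout (bank code, currency digit, check digits, due factor, amount, 25-digit free field), and the function names and sample values are constructed for illustration.

```python
def mod10(digits):
    # Weights 2,1,2,1... from the right; the digits of each product are summed.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10
    return (10 - total % 10) % 10

def mod11(digits):
    # Weights 2..9 cycling from the right; a result above 9 is written as 1.
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv > 9 else dv

def encode_line(bank, due_factor, cents, free):
    # Only used to build the constructed samples below.
    body = f"{bank}9{due_factor:04d}{cents:010d}{free}"  # 43 digits, no DV
    f1, f2, f3 = bank + "9" + free[:5], free[5:15], free[15:25]
    return (f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}"
            f"{mod11(body)}{due_factor:04d}{cents:010d}")

def decode_line(line):
    d = "".join(c for c in line if c.isdigit())
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    free = d[4:9] + d[10:20] + d[21:31]
    body = d[0:4] + d[33:47] + free
    ok = (all(mod10(d[a:b]) == int(d[b]) for a, b in ((0, 9), (10, 20), (21, 31)))
          and mod11(body) == int(d[32]))
    return {"bank": d[0:3], "cents": int(d[37:47]), "free": free, "checksums_ok": ok}

def review(line, expected_bank, expected_cents):
    # Reasons to hold the payment until the payer confirms the beneficiary.
    info = decode_line(line)
    reasons = []
    if not info["checksums_ok"]:
        reasons.append("check digit mismatch")
    if info["bank"] != expected_bank:
        reasons.append("bank code differs from the biller's")
    if info["cents"] != expected_cents:
        reasons.append("amount differs from the bill")
    return reasons

# Constructed samples: bank codes, due factor, free fields and amounts are made up.
GENUINE = encode_line("001", 6100, 15000, "1234567890123456789012345")
SWAPPED = encode_line("999", 6100, 15000, "5555500000111112222233333")
TYPO = GENUINE[:4] + "2" + GENUINE[5:]  # one mistyped digit
```

Both the genuine and the swapped line pass their check digits: the checksums catch typing errors, not substitution, so the useful control is comparing the decoded fields with what the biller actually issued.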
  • A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

    So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

    (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

    • if the article

      if the writeup

      There, fixed that for me ...

    • by Nyder (754090)

      A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

      So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

      (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

      I get bills all the time, I don't pay most of them.

      Hmm, that makes me wonder, can I just start sending official looking bills to people and see if they pay them?

      • There are illegal companies that do exactly this. They send formal looking bills for vague services to large companies, usually in smallish amounts.
        Often, the person receiving the bill, rather than research why "XYZ Consulting" is charging a $22.45 fee for consulting services, will just pay them.
        If only one out of ten gets paid, they're still ahead.

      • Usually for catalog listings, listing maintenance, annual service charges, restocking fee, etc. with a magic number that is below what some business managers can pay without escalating a charge to the front office. Paper-based phishing.
