Cybercrooks May Have Stolen Billions Using Brazilian "Boletos" 69
wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."
I don't get it. (Score:3, Insightful)
Re:I don't get it. (Score:5, Informative)
Just read Krebs and skip this drivel. http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/
Re: I don't get it. (Score:5, Informative)
A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.
Re: (Score:2)
That's rather neat. Why don't we have those?
Re: (Score:2)
That's rather neat. Why don't we have those?
'we' being techy immigrants to 'murica.
Giro (Score:2)
Re: (Score:2)
A Giro is a cheque.
http://en.wikipedia.org/wiki/G... [wikipedia.org]
I know because I used to cash them at the post office.
Re: (Score:3)
You get one with practically every dead-tree bill, just take the slip into most grocery or corner stores and you can pay it.
Re: (Score:2)
If you come into my store with an invoice from your gas company, I'm not going to know what the hell to do with it. Send your cheque to the gas company.
Re: (Score:1)
I'm kind of guessing that it's much more dangerous for merchants in Brazil to handle cash. Necessity is the mother of invention. With this system I guess many merchants could choose to go cashless. People might still have to carry cash to make the payment, but they would carry it to the post office, lotto house, or bank mentioned in some links that people posted. Those locations presumably have higher levels of security? In other words, merchants have the option of centralizing security at these other
Re: I don't get it. (Score:5, Informative)
A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.
OK, so its like a deposit slip?
Not exactly. Long time ago, most Brazilians can't afford having a bank account! So Boletos were developed to allow people without a bank account to pay people with a bank account. So, with a Boleto, you can go to the post office and pay cash your bills. You can also ask somebody else to pay your bills, like an office clerk who will go to a bank or post office with the Boleto and pay with a check or cash. Some banks even accept credit/debit cards now. You can pay a boleto even in banks you don't have an account. A bank will collect Boletos for other banks and they manage the transaction doesn't matter if you are their client or if the seller is their client. Once it is paid, the seller is notified very fast and it works nationwide (it is ok to pay from one state to another, as they use the same national system). In Brazil you can pay with boletos at home, using internet banking. Some friends even have bar code readers to make it easier to pay their bills. You just scan the bar code and confirm the payment using your banking software. Nowadays, it is also used on e-commerce sites, because the buyer does not share any payment information with the seller. So a boleto is more like an invoice with full payment information, including date, fees (like 2% for the first day after due date and 1% per day after). It is also a confirmation of payment, as you receive a bank authentication code, printed on the back of the boleto (just after you pay or an electronic code if you pay by internet banking). This also says the date and the amount you paid. The seller uses a customer and order code to track who paid what and it works quite well. I live in Europe now and I miss the bar code. Here I have to type all sellers data like their name, address, bank account and amount to pay! No bar code :-(
Re: (Score:2)
You have to pay for a bank account? I expect my bank to pay ME for the privilege of holding my money and using it to invest and generate profit. Payment is in the form of services and interest.
Re: (Score:2)
More recently, the interest rate being so low, and the bank fees so high, it feels more like I am paying the bank. Consider that my work requires me to direct deposit my check, but all the bank hours are the same as my work, so in order to get cash I have to use the ATM. If I do that more than a certain number of times during the month, I start getting charged an ATM usage fee. (I usually manage to avoid it however, so not a big deal.)
Re: (Score:2)
So, a half hour or so not eating and not getting paid. *That's* what's wrong.
Re: (Score:2)
Or just walk to the bank during your lunch break.
Maybe in a large city...maybe if your work is close to your bank. But that's probably not the case everywhere else. Sometimes lunch breaks are a half-hour, which would not be long enough for someone to walk to some of the banks in town from various workplaces.
American cities and towns are more "spread out"
Re: (Score:2)
On average, more of my ATM visits are to DEPOSIT checks, not take money out. And my credit union just rolled out mobile depositing, so there's that done. Generally, if I need cash less than $50, I just grab it when I check out at Target or the grocery store. No fees, no extra trip. Though your supermarket visits may be less frequent than ours - we seem to go go about once a wee
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Wouldn't it be easier to just pay at the store?
Re: I don't get it. (Score:5, Informative)
Boletos come in the mail so you can pay most of your bills here, we call those boletos too. Utilities, cable, internet, credit card, any kind of insurance etc. They all can send you boletos to pay online or at your bank. Its common for old people to take a bunch of them to the bank on payday and ask the teller to pay them all. Me? I do it all online. My phone can scan the barcode with its camera, so its really easy to pay the bills.
Boleto is a thing in Brazil because a lot of people get paid in cash. A lot of people don't have bank accounts or credit cards. "Informal workers" are still a big part of the working force in Brazil even in this days.
Re: (Score:2)
Re: (Score:1)
Why would you go to a store, get a boleto, go to the bank to pay it, get back to the store with the paid boleto and take your goods?
That means you have means to pay the good right there, be it cash or debit/credit. So you just pay it right there at the store.
The store could issue a boleto in the other case i described, where they let you pay a fraction of the total price each month for some % each month.
Re: I don't get it. (Score:2)
http://thebrazilbusiness.com/a... [thebrazilbusiness.com] ... describes how to make and pay boletos
What platforms are effected? (Score:5, Interesting)
What platforms does this malware operate on exactly? The TFA doesn't say.
Re: (Score:1)
Windows only.
Blame the banks (Score:5, Insightful)
From TFA:
I've closed my account in 3 different banks for pulling this bullshit. So it turned out the "security plugin" is full of security holes; worse than that, they are educating their users that they need to install/update software every time they access their bank online, so most accept plugin installation confirmations right away.
The fact that it attacks boletos is a minor detail, it's a traceable and reversible money transfer once suspicious activity is identified.
Re:Blame the banks (Score:4, Interesting)
Fortunately for Brazil, the underworld is saturated with stolen account info. The bottleneck for actual "hacker" money theft worldwide is finding new money mules to take the loss when the transfer is inevitably reversed. The world is flooded with malware, but the cops are pretty good at following the money, and so the bottleneck is there.
Most stolen account info is never acted on for lack of a way to get the cash. Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.
Re: (Score:2)
Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.
What's 'shifting' if you don't mind my asking ?
Re: (Score:2)
Boleto Bancário (Score:1)
you're welcome
B;s (Score:1)
So whats a Billion Brazillan Boletos worth in BitCoin?
~$7500 per transaction? (Score:2)
If the crooks are smart they are shaving a'la Superman3 and not stealing it outright but that's a huge per-transaction average.
Re: (Score:2)
Sounds like they replace the barcode to redirect the payment to an account they own, so they are really stealing the whole amount. Funny thing is, after you enter the code (by scanning or typing) you get a confirmation screen (either on the ATM or on the online system) with the name of the receiving entity; it's hard to imagine the bank would allow somebody to create an account with a name that looks like an utility company or something like that.
I agree, the average amount seems way too high; things at tha
Re: (Score:1)
actually you don't get a confirmation screen when paying "non-registered" boletos (banks offer 2 types of boletos to costumers, they work the same way, but on the non-registered one the bank has no information on the boleto until it gets payed)
the amount is probably wrong, no way the mean transaction would be 7500
Re: (Score:1)
Ah (Score:2)
A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.
So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.
(Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)
Re: (Score:2)
if the article
if the writeup
There, fixed that for me ...
Re: (Score:2)
A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.
So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.
(Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)
I get bills all the time, I don't pay most of them.
Hmm, that makes me wonder, can I just start sending official looking bills to people and see if they pay them?
Re: (Score:2)
There are illegal companies that do exactly this. They send formal looking bills for vague services to large companies, usually in smallish amounts.
Often, the person receiving the bill, rather than research why "XYZ Consulting" is charging a $22.45 fee for consulting services, will just pay them.
If only one out of ten gets paid, they're still ahead.
We get these on a regular basis. (Score:2)
I thought they were made up by drug lords to scare (Score:2)