Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."

Re:I don't get it.

[Anonymous Coward]

Just read Krebs and skip this drivel. http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

Re: I don't get it.

[Anonymous Coward]

A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

Re: I don't get it.

[lskbr]

A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

OK, so its like a deposit slip?

Not exactly. Long time ago, most Brazilians can't afford having a bank account! So Boletos were developed to allow people without a bank account to pay people with a bank account. So, with a Boleto, you can go to the post office and pay cash your bills. You can also ask somebody else to pay your bills, like an office clerk who will go to a bank or post office with the Boleto and pay with a check or cash. Some banks even accept credit/debit cards now. You can pay a boleto even in banks you don't have an account. A bank will collect Boletos for other banks and they manage the transaction doesn't matter if you are their client or if the seller is their client. Once it is paid, the seller is notified very fast and it works nationwide (it is ok to pay from one state to another, as they use the same national system). In Brazil you can pay with boletos at home, using internet banking. Some friends even have bar code readers to make it easier to pay their bills. You just scan the bar code and confirm the payment using your banking software. Nowadays, it is also used on e-commerce sites, because the buyer does not share any payment information with the seller. So a boleto is more like an invoice with full payment information, including date, fees (like 2% for the first day after due date and 1% per day after). It is also a confirmation of payment, as you receive a bank authentication code, printed on the back of the boleto (just after you pay or an electronic code if you pay by internet banking). This also says the date and the amount you paid. The seller uses a customer and order code to track who paid what and it works quite well. I live in Europe now and I miss the bar code. Here I have to type all sellers data like their name, address, bank account and amount to pay! No bar code :-(

Re: I don't get it.

[dafradu]

Not exactly. You can go to a store and they will give you credit to buy something that costs X paying X/12 a month. They give you something like a boleto for each month and you take your good home. If you don't pay your boletos your credit is ruined, you'll only be able to do that once, no other store will give you credit because they always check with credit institutions like SERASA. Oh, and its a baaaaad idea to miss your payments, they charge ridiculous amounts for any day you miss. Your total due can double easily.

Boletos come in the mail so you can pay most of your bills here, we call those boletos too. Utilities, cable, internet, credit card, any kind of insurance etc. They all can send you boletos to pay online or at your bank. Its common for old people to take a bunch of them to the bank on payday and ask the teller to pay them all. Me? I do it all online. My phone can scan the barcode with its camera, so its really easy to pay the bills.

Boleto is a thing in Brazil because a lot of people get paid in cash. A lot of people don't have bank accounts or credit cards. "Informal workers" are still a big part of the working force in Brazil even in this days.