Estimated $3.75bn stolen by Brazil fraud ring

An estimated $3.75 billion have been netted by a single fraud ring that took advantage of a popular Brazilian payment method – the Boleto – by wielding a frequently upgraded piece of malware that silently intercepted and rerouted payments to the crooks’ bank accounts.

“Boleto Banc??rio, or simply Boleto, is a financial instrument that enables a customer to pay an exact amount to a merchant. Any merchant with a bank account can issue a Boleto associated with their bank; that Boleto is then sent to the consumer to pay anything from their mortgage, energy bills, taxes or doctor’s bills via electronic transfer,” RSA researchers explained.

“Boletos can be generated both offline (printed copies) and mailed to customers, or online (by online stores for example) for electronic payments. Their popularity has risen because of the convenience for consumers who don’t require a personal bank account to make payments using Boletos.”

For a while, fraudsters would create fake Boletos and send them to potential victims via email. They would modify the barcode and the ID number fields so that if the user is tricked into paying, the money lands in a fraudster or mule’s bank account.

According to RSA researcher, Boleto malware (“Bolware”) first appeared in late 2012. In nearly two years, the attackers updated it 19 times in order to stay ahead of malware detection specialists, software, and users, but also to add new targets and new features.

Bolware is capable of executing a Man-in-the-Browser attack, that affects online Boleto operations and is based on transaction modification on the client side. Again, Boleto information is modified to redirect the payment to a fraudster’s account or a mule account.

So far, the researchers identifies 8,095 unique fraudulent Boleto ID numbers, tied to a total 495,753 potentially fraudulent transactions. The $3.75 billion potential loss has been estimated by taking into account the sum of those transaction values, but is difficult to tell what the actual amount it.

Also, the researchers don’t yet know whether the criminals were successful in collecting on all of these compromised transactions.

All in all, 192,227 individual Bolware infections have been discovered by the researchers.

The malware is also capable of stealing personal and financial information, and passwords.

The company is cooperating with the US FBI, the Brazilian Federal Police and various banks in an attempt to help them mitigate the threat.

“RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID are genuine prior to confirming payments,” they advised.

“Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from unknown senders and to use updated anti-virus software to help protect their PCs from infection.”

More details about the threat and the attack vectors it uses can be found here.