Boleto Fraud Ring Siphons $3.75 Billion from Brazilian Banks

A massive fraud ring has been exposed that has been responsible for bilking Brazilian banks out of $3.75 billion in just the past two years

Brazil may have seen its World Cup dreams dashed in a humiliating 7–1 defeat to Germany in the semifinals this week, but it's not the only suffering that the country has gone through of late. A massive fraud ring has been exposed that has been responsible for bilking Brazilian banks out of $3.75 billion in just the past two years.

Boleto malware, or Bolware, first appeared near the end of 2012 or in early 2013 and has remained active ever since, according to RSA, which said that the botnet operation potentially affects more than 30 different banks in Brazil. The monetary loss estimate is based on the discovery of roughly half a million (495,753) potentially fraudulent Boleto transactions.

The Boleto Bancário, known simply as the Boleto, is a money-order-like payment method used in Brazil by individual consumers and companies. Boletos can be used to remit payment for a wide variety of goods and services, and anyone (an individual or a corporation) who owns a bank account can issue a Boleto associated with that bank. They can be used as printed documents or in a virtual online version.

Typically the malware simply infiltrates victim accounts and redirects legitimate payments to fraudster accounts. RSA has identified 8,095 unique fraudulent Boleto ID numbers (tied to a total of 495,753 potentially fraudulent transactions) that the fraudsters have been using to steal money and transfer it to their (mule) accounts. The total number of infected PCs acting as bots, counted by unique IP address, is 192,227.

It doesn’t just siphon off funds, either. “Although not directly related to the Boleto payment systems, the malware also collects user credentials from Microsoft online email services such as live.com, hotmail.com and outlook.com,” RSA explained in a report. “It appears that these stolen credentials are being used to support infection campaigns by spreading spam email.”

In all, RSA researchers discovered 83,506 user credentials that were stolen and collected by the Boleto malware.

Bolware has become a scourge, as the billions lifted demonstrate. It has also been evolving with each version of the malware, with improvements such as new targets, new features and self-protection mechanisms.

RSA said that cybercrime dominates the financial losses, and this form of fraud has become one of the greatest threats to banks in the region; in comparison, conventional crime represents just 5% of losses incurred by Brazilian banks.

RSA’s investigation was of a large ring, but even smaller operations are making use of Bolware. “Many of the hijacked Boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang,” said independent security researcher Brian Krebs, breaking down the phenomenon. “For example, a source forwarded me a link to a web-based control panel for a Boleto-thieving botnet; in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.”
