Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

Posted by samzenpus on from the making-that-money dept.

wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."

69 comments

  1. I don't get it. by Kleebner · · Score: 3, Insightful

    So this boleto thing... It's a check, right? I am not getting what makes it different.

    1. Re:I don't get it. by Anonymous Coward · · Score: 0

      Looks to be more similar to a money order.

    2. Re:I don't get it. by Anonymous Coward · · Score: 5, Informative

      Just read Krebs and skip this drivel. http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

    3. Re:I don't get it. by Anonymous Coward · · Score: 0

      It is a "deposit this ammount to that bank account" letter including a standard bar code: http://en.wikipedia.org/wiki/Boleto

    4. Re: I don't get it. by Anonymous Coward · · Score: 5, Informative

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

    5. Re: I don't get it. by TechyImmigrant · · Score: 1

      That's rather neat. Why don't we have those?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    6. Re: I don't get it. by TechyImmigrant · · Score: 1

      That's rather neat. Why don't we have those?

      'we' being techy immigrants to 'murica.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    7. Re: I don't get it. by Anonymous Coward · · Score: 0

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

      OK, so its like a deposit slip?

    8. Re: I don't get it. by eric31415927 · · Score: 1

      http://thebrazilbusiness.com/a... ... describes how to make and pay boletos

    9. Re: I don't get it. by mindcandy · · Score: 2

      We do, it's called an invoice.
      You get one with practically every dead-tree bill, just take the slip into most grocery or corner stores and you can pay it.

    10. Re: I don't get it. by Anonymous Coward · · Score: 1

      I'm kind of guessing that it's much more dangerous for merchants in Brazil to handle cash. Necessity is the mother of invention. With this system I guess many merchants could choose to go cashless. People might still have to carry cash to make the payment, but they would carry it to the post office, lotto house, or bank mentioned in some links that people posted. Those locations presumably have higher levels of security? In other words, merchants have the option of centralizing security at these other locations.

      Other people are saying we do have it, it's an invoice or bill; but with bills you still have to send money to the merchant. With the boleto you have a 3rd party receiving the funds and making ledger adjustments with the merchant's bank. It seems like it might trim some beurocracy too, but it's hard to say...

    11. Re: I don't get it. by lskbr · · Score: 5, Informative

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

      OK, so its like a deposit slip?

      Not exactly. Long time ago, most Brazilians can't afford having a bank account! So Boletos were developed to allow people without a bank account to pay people with a bank account. So, with a Boleto, you can go to the post office and pay cash your bills. You can also ask somebody else to pay your bills, like an office clerk who will go to a bank or post office with the Boleto and pay with a check or cash. Some banks even accept credit/debit cards now. You can pay a boleto even in banks you don't have an account. A bank will collect Boletos for other banks and they manage the transaction doesn't matter if you are their client or if the seller is their client. Once it is paid, the seller is notified very fast and it works nationwide (it is ok to pay from one state to another, as they use the same national system). In Brazil you can pay with boletos at home, using internet banking. Some friends even have bar code readers to make it easier to pay their bills. You just scan the bar code and confirm the payment using your banking software. Nowadays, it is also used on e-commerce sites, because the buyer does not share any payment information with the seller. So a boleto is more like an invoice with full payment information, including date, fees (like 2% for the first day after due date and 1% per day after). It is also a confirmation of payment, as you receive a bank authentication code, printed on the back of the boleto (just after you pay or an electronic code if you pay by internet banking). This also says the date and the amount you paid. The seller uses a customer and order code to track who paid what and it works quite well. I live in Europe now and I miss the bar code. Here I have to type all sellers data like their name, address, bank account and amount to pay! No bar code :-(

    12. Re: I don't get it. by Anonymous Coward · · Score: 0

      So, you are required to confirm the text data witch is 80% of the times the same just changes some reference of the payment (given that the bank and seller are the same).
      While in Brazil you get a barcode witch you can-t check if it's valid... It's like does QR codes that Brazilian banks use for publicity in their stores,
      you could actually just change the poster and get some costumers infect with malware.

      Cool...

    13. Re: I don't get it. by AmiMoJo · · Score: 1

      You have to pay for a bank account? I expect my bank to pay ME for the privilege of holding my money and using it to invest and generate profit. Payment is in the form of services and interest.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    14. Re: I don't get it. by McFly777 · · Score: 1

      More recently, the interest rate being so low, and the bank fees so high, it feels more like I am paying the bank. Consider that my work requires me to direct deposit my check, but all the bank hours are the same as my work, so in order to get cash I have to use the ATM. If I do that more than a certain number of times during the month, I start getting charged an ATM usage fee. (I usually manage to avoid it however, so not a big deal.)

      --

      McFly777
      - - -
      "What do people mean when they say the computer went down on them?" -Marilyn Pittman
    15. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      It sounds like a Boleto is an invoice, and consequently that retailers in Brazil are very trusting of their customers, since there's no mention of collecting buyer information. What's to stop buyers from destroying or simply never paying off the Boleto? If I went to the store to get a TV and instead of having to actually pay for it I was just given an invoice, with no identifying information about me obtained by the seller, it would be rather tempting to never take the Boleto to a bank to pay it off.

      --
      Chuuch. Preach. Tabernacle.
    16. Re: I don't get it. by Anonymous Coward · · Score: 0

      Or just walk to the bank during your lunch break.

      Wtf is wrong with you lazy americans?

    17. Re: I don't get it. by tokizr · · Score: 1

      They only get the goods *after* you pay, so it is safe for them. If you go to a store and take a product home they will give you other payment options instead such as credit/debit, cash or some other type of *ensured* payment. Or they will collect all personal information (including your CPF (SSN equivalent)) which is all they need to the hell out of you if you don't pay (much like if you payed with a cheque and had no backing funds).

    18. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      Ah, so you go to a store to buy something, get a boleto instead, then take the boleto to a bank and pay it, then return to the store with a "paid" stamped boleto to pick up your goods?

      Wouldn't it be easier to just pay at the store?

      --
      Chuuch. Preach. Tabernacle.
    19. Re:I don't get it. by Anonymous Coward · · Score: 0

      it's a check... "on the internet"
      THAT... makes it patentable

    20. Re: I don't get it. by GTRacer · · Score: 1

      How often do you need cash? I assume you mean more than 5 bucks? I'm interested in how other people handle banking nowadays.

      On average, more of my ATM visits are to DEPOSIT checks, not take money out. And my credit union just rolled out mobile depositing, so there's that done. Generally, if I need cash less than $50, I just grab it when I check out at Target or the grocery store. No fees, no extra trip. Though your supermarket visits may be less frequent than ours - we seem to go go about once a week to keep the 3 kids fed.

      But even then, none of my bills are paid by cash - all but one are autopay or e-pay. And everywhere we go for fun or business takes debit or credit. Cash is for the odd times I need a soda at work (cash only)...

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    21. Re: I don't get it. by GTRacer · · Score: 1

      Simple. Many of us don't get paid lunches and for me at least, the nearest branch or ATM is nearly a mile from where I work. On foot, at good speed, that would take about half an hour just for the walk. And given that we're in summer here, I'd be a wreck when i got back to work.

      So, a half hour or so not eating and not getting paid. *That's* what's wrong.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    22. Re: I don't get it. by CronoCloud · · Score: 1

      Or just walk to the bank during your lunch break.

      Maybe in a large city...maybe if your work is close to your bank. But that's probably not the case everywhere else. Sometimes lunch breaks are a half-hour, which would not be long enough for someone to walk to some of the banks in town from various workplaces.

      American cities and towns are more "spread out"

    23. Re: I don't get it. by dafradu · · Score: 5, Informative

      Not exactly. You can go to a store and they will give you credit to buy something that costs X paying X/12 a month. They give you something like a boleto for each month and you take your good home. If you don't pay your boletos your credit is ruined, you'll only be able to do that once, no other store will give you credit because they always check with credit institutions like SERASA. Oh, and its a baaaaad idea to miss your payments, they charge ridiculous amounts for any day you miss. Your total due can double easily.

      Boletos come in the mail so you can pay most of your bills here, we call those boletos too. Utilities, cable, internet, credit card, any kind of insurance etc. They all can send you boletos to pay online or at your bank. Its common for old people to take a bunch of them to the bank on payday and ask the teller to pay them all. Me? I do it all online. My phone can scan the barcode with its camera, so its really easy to pay the bills.

      Boleto is a thing in Brazil because a lot of people get paid in cash. A lot of people don't have bank accounts or credit cards. "Informal workers" are still a big part of the working force in Brazil even in this days.

    24. Re: I don't get it. by dafradu · · Score: 1

      I don't think i made myself clear in that case.
      Why would you go to a store, get a boleto, go to the bank to pay it, get back to the store with the paid boleto and take your goods?
      That means you have means to pay the good right there, be it cash or debit/credit. So you just pay it right there at the store.
      The store could issue a boleto in the other case i described, where they let you pay a fraction of the total price each month for some % each month.

    25. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      Mod parent up. Most complete explanation I've seen yet.

      --
      Chuuch. Preach. Tabernacle.
    26. Re: I don't get it. by Anonymous Coward · · Score: 0

      American Checks have the same mechanic, just it's called Direct Deposit.

      Australians have a somewhat better version where they have banking numbers that can only be used for deposit.

      None the less, A Boleto is basically a reverse version of a check and has all the same problems. In the US we would call this check fraud, where someone changes the amount or name on who a check is made out to, or straight up NSF. In the case of this Boleto thing, they are changing the account information the same way so that the wrong person is paid AND/OR the Boleto is fake to begin with.

      What they are talking about in the article is a digital level of it, which if you know anything about paying with a check online, you'd also know that if you fat-finger your account number, you might cause someone elses account to be debited. I know this happens because people who pay over the phone tend to mis-identify 1's and 7's

    27. Re: I don't get it. by TechyImmigrant · · Score: 1

      If you come into my store with an invoice from your gas company, I'm not going to know what the hell to do with it. Send your cheque to the gas company.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    28. Re: I don't get it. by Anonymous Coward · · Score: 0

      Even though the boleto itself does not need the buyer's personal information but most sellers issue them just to trusted clients. And with a contract, they are official debt, ruining your credit if not paid.

      Nowadays boletos are used mostly for recurring payments and webcommerce.

      Goods paid in installments and montly services like schools, security monitoring (like ADT), etc.

      Utilities bills use the same logic but are technically not a boleto. You may allow them to be automatically paid by your bank.

      If you have a bank account, it's possible even to program the future payments, for those with less trustworthy memories (like me).

      On the webcommerce side, most stores give you a discount for using boletos, because their cost is fixed (less than a dollar) and they receive the value before shipping, not having to wait 30-45 days for the credit card company paying them.

      The boleto can have a due date, if not paid until then, the purchase is simply cancelled, no regrets or problems. Some people use it to garantee products in clearance sales. You click to buy it, issue a boleto and think/read reviews/asks permission to your wife to spend that money (come on, I know you do that!) before paying or not it.

      For those who have a bank account (majority by now) there a new alternative (DDA, stands for Automatic Digital Debit) that really automates the process but it's not in heavy use yet.

  2. What platforms are effected? by SpzToid · · Score: 4, Interesting

    According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.

    However, the Boleto malware the company detected searches for specific versions of client side security plug-ins detects their shared libraries and patches them in real-time to dodge security. In one case, RSA analysts noticed that the malware accessed the plugin's memory area and modified a conditional JMP to a regular JMP operation, thereby thwarting the plugin's capabilities.

    What platforms does this malware operate on exactly? The TFA doesn't say.

    --
    You can't be ahead of the curve, if you're stuck in a loop.
    1. Re:What platforms are effected? by Anonymous Coward · · Score: 1

      Windows only.

  3. Blame the banks by DeKO · · Score: 4, Insightful

    From TFA:

    In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. [,,,] However, the Boleto malware [,,,] searches for specific versions of client side security plug-ins detects their shared libraries and patches them in real-time to dodge security.

    I've closed my account in 3 different banks for pulling this bullshit. So it turned out the "security plugin" is full of security holes; worse than that, they are educating their users that they need to install/update software every time they access their bank online, so most accept plugin installation confirmations right away.

    The fact that it attacks boletos is a minor detail, it's a traceable and reversible money transfer once suspicious activity is identified.

    1. Re:Blame the banks by lgw · · Score: 3, Interesting

      Fortunately for Brazil, the underworld is saturated with stolen account info. The bottleneck for actual "hacker" money theft worldwide is finding new money mules to take the loss when the transfer is inevitably reversed. The world is flooded with malware, but the cops are pretty good at following the money, and so the bottleneck is there.

      Most stolen account info is never acted on for lack of a way to get the cash. Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Blame the banks by dargaud · · Score: 1

      Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

      What's 'shifting' if you don't mind my asking ?

      --
      Non-Linux Penguins ?
    3. Re:Blame the banks by Anonymous Coward · · Score: 0

      Shifting from advantage on law enforcement's side to advantage on the thieves' side. If the thieves can figure out some clever way to break the money trail and disappear with money taken from an unsuspecting victim's bank account without leaving a trail leading back to them, then all hell is going to break loose.

    4. Re:Blame the banks by TheDarkMaster · · Score: 1

      The plugin from bank itself can be considered a virus. As an example, the ridiculous plugin of the company GAS technology not only affect the overall operation of the computer (slowdowns all the time) as it is easily defeated by any malware. It's a piece of junk made by amateurs who only disrupt the computer without offering any protection.

      --
      Religion: The greatest weapon of mass destruction of all time
  4. Boleto Bancário by Gravis+Zero · · Score: 0

    Boleto Bancário, simply referred to as Boleto (English: Ticket) is a payment method in Brazil regulated by FEBRABAN, short for Brazilian Federation of Banks.

    you're welcome

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Boleto Bancário by Anonymous Coward · · Score: 0

      Boleto Bancário, simply referred to as Boleto (English: Ticket) is a payment method in Brazil regulated by FEBRABAN, short for Brazilian Federation of Banks.

      you're welcome

      FEBRABAN should be Federation of Brazilian Banks. You're very fucking welcome yourself!

  5. B;s by rossdee · · Score: 0

    So whats a Billion Brazillan Boletos worth in BitCoin?

    1. Re:B;s by Anonymous Coward · · Score: 0

      2.

    2. Re:B;s by Anonymous Coward · · Score: 0

      After either is stolen, nothing.

  6. ~$7500 per transaction? by mindcandy · · Score: 1

    3750000000/495793 = 7564.25 per transaction .. even if it's the Real (Brazil's 'dollar') it's a little less than half that in USD.
    If the crooks are smart they are shaving a'la Superman3 and not stealing it outright but that's a huge per-transaction average.

    1. Re:~$7500 per transaction? by DeKO · · Score: 1

      Sounds like they replace the barcode to redirect the payment to an account they own, so they are really stealing the whole amount. Funny thing is, after you enter the code (by scanning or typing) you get a confirmation screen (either on the ATM or on the online system) with the name of the receiving entity; it's hard to imagine the bank would allow somebody to create an account with a name that looks like an utility company or something like that.

      I agree, the average amount seems way too high; things at that range are usually paid with credit cards, cheques, or direct transfers between bank accounts. I'm really curious to find out what kinds of transactions average at 100 times the typical boleto value. Was every victim buying a 65" 3D 4k LED TV over the internet?

    2. Re:~$7500 per transaction? by Anonymous Coward · · Score: 1

      actually you don't get a confirmation screen when paying "non-registered" boletos (banks offer 2 types of boletos to costumers, they work the same way, but on the non-registered one the bank has no information on the boleto until it gets payed)

      the amount is probably wrong, no way the mean transaction would be 7500

    3. Re:~$7500 per transaction? by Anonymous Coward · · Score: 0

      Since they are counting the value of the boletos and not only the ones that were actually paid, I'm guessing there were a few really high test boletos that never got paid (like four 500million boletos or ten thousand 200k boletos) and they missed it on the article. I can't think of anything that would cost this much that people would buy on the internet, except for the 3d 4k LED tv the other user talked about.

    4. Re:~$7500 per transaction? by tokizr · · Score: 1

      The value of the Boleto is part of the code and can be altered by the payer(for instance if you have to pay a fine because the payment is late, or if you have a discount for paying early) so if you can yank the transaction you can probably also alter the value.

  7. Welll ... by Anonymous Coward · · Score: 0

    If they just fucked over multinationals, then good or them.

    If they fucked over the little guy, then I hope their children get really slow cancer and they have to deal with them crying in the middle of the night .. Daddy! Make the pain stop!"

    I AM evil and I want to make the assholes of the World suffer immensely - thats my purpose on this Earth - to make assholes suffer.

    1. Re:Welll ... by Anonymous Coward · · Score: 0

      thats my purpose on this Earth - to make assholes suffer

      and

      then I hope their children get really slow cancer

      So, you do this by hoping? Really hard, I presume. And you don't seem to be able to distinguish between a potential asshole and those around them. Not looked in a mirror (metaphorically speaking) lately, have you? I'd suggest you start with yourself, but given your stated purpose it would seem you take some kind of comfort or joy in the suffering of others, I am struck by just how shallow and empty your life must already be.

      May I suggest that helping those who have suffered at the hands of assholes will both be more personally rewarding and offer better outcomes with respect to diminishment of suffering?

    2. Re:Welll ... by Anonymous Coward · · Score: 0

      thats my purpose on this Earth - to make assholes suffer.

      So basically you're saying you're a huge dick?

      Got it.

  8. Giro by tepples · · Score: 1

    I was under the impression that some countries called their opposite-of-check a "giro".

    1. Re:Giro by Anonymous Coward · · Score: 0

      or a "Slovakian"

    2. Re:Giro by TechyImmigrant · · Score: 1

      A Giro is a cheque.
      http://en.wikipedia.org/wiki/G...

      I know because I used to cash them at the post office.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  9. Crooks? by Anonymous Coward · · Score: 0

    Call them a bank and suddenly they're job creators.

    Let's face it, there's no relationship anymore between the numbers that come before the dollar sign and whatever it is you think someone "produced".

    Stock market record high! Look around you, it's the same planet as yesterday. Stock market lost soooo many points! Look out the window, still the same place.

    We've given so much power to symbols, rather than to reality.

    1. Re:Crooks? by Anonymous Coward · · Score: 0

      Please describe your step-by-step "thought" process that made you arrive at that conclusion.

  10. Crooks? by Anonymous Coward · · Score: 0

    Call them a bank and suddenly they're job creators.

    Let's face it, there's no relationship anymore between the numbers that come before the dollar sign and whatever it is you think someone "produced".

    Stock market record high! Look around you, it's the same planet as yesterday. Stock market lost soooo many points! Look out the window, still the same place.

    We've given so much power to symbols, rather than to reality.

    until you have no window to look out of you soppy muppet

  11. $3.75 Billion? by Anonymous Coward · · Score: 0

    This is the level of money that would fund a Doctor No type operation, and no one is worried?

    1. Re:$3.75 Billion? by Anonymous Coward · · Score: 0

      This is the level of money that would fund a Doctor No type operation, and no one is worried?

      i might be more worried if i knew who the fuck Doctor No is.

    2. Re:$3.75 Billion? by Anonymous Coward · · Score: 0

      No means yes. Yes means anal.

  12. OMG what a worthless currency by Anonymous Coward · · Score: 0

    Face it, if this were Bitcoin, you'd all be crying about how the currency is worthless.

  13. Get with the times by Anonymous Coward · · Score: 0

    The solution is called ChipTAN: You get a small calculator-like device which uses the chip in your bank card to cryptographically sign a transaction. The user sees the recipient account number and the value of the transaction on that device, so it's secure even if the computer is riddled with malware. If the transaction information displayed on the ChipTAN device is correct, the generated TAN can not be used for a manipulated transaction.

    Of course people (including bankers) are lazy and cheap, so they'll go through a dozen solutions which don't work just to avoid paying for a ChipTAN generator (and bank cards with embedded chips). The honor system doesn't work online, folks.

  14. Ah by cascadingstylesheet · · Score: 1

    A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

    So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

    (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

    1. Re:Ah by cascadingstylesheet · · Score: 1

      if the article

      if the writeup

      There, fixed that for me ...

    2. Re:Ah by Nyder · · Score: 1

      A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

      So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

      (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

      I get bills all the time, I don't pay most of them.

      Hmm, that makes me wonder, can I just start sending official looking bills to people and see if they pay them?

      --
      Be seeing you...
    3. Re:Ah by kaatochacha · · Score: 1

      There are illegal companies that do exactly this. They send formal looking bills for vague services to large companies, usually in smallish amounts.
      Often, the person receiving the bill, rather than research why "XYZ Consulting" is charging a $22.45 fee for consulting services, will just pay them.
      If only one out of ten gets paid, they're still ahead.

  15. I thought they were made up by drug lords to scare by jpellino · · Score: 1

    their lawyers - http://www.youtube.com/watch?v...

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  16. We get these on a regular basis. by jpellino · · Score: 1

    Usually for catalog listings, listing maintenance, annual service charges, restocking fee, etc. with a magic number that is below what some business managers can pay without escalating a charge to the front office. Paper-based phishing.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."