Slashdot Mirror


Cybercrooks May Have Stolen Billions Using Brazilian "Boletos"

wiredmikey writes Researchers with RSA have discovered a Boleto malware (Bolware) ring that compromised as many as 495,753 Boleto transactions during a two-year period. Though it is not clear whether the thieves successfully collected on all of the compromised transactions, the value of those transactions is estimated to be worth as much as $3.75 billion. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant. Anyone who owns a bank account — whether a company or an individual — can issue a Boleto associated with their bank. "The first signs of its existence appeared near the end of 2012 or early 2013, when it began to be reported in the local news media," according to the report (PDF). "The RSA Research Group analyzed version 17 of the malware, gathering data between March 2014 and June 2014. The main goal of Boleto malware is to infiltrate legitimate Boleto payments from individual consumers or companies and redirect those payments from victims to fraudster accounts."


  1. I don't get it. by Kleebner · · Score: 3, Insightful

    So this boleto thing... It's a check, right? I am not getting what makes it different.

    1. Re:I don't get it. by Anonymous Coward · · Score: 5, Informative

      Just read Krebs and skip this drivel. http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

    2. Re: I don't get it. by Anonymous Coward · · Score: 5, Informative

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

    3. Re: I don't get it. by TechyImmigrant · · Score: 1

      That's rather neat. Why don't we have those?

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    4. Re: I don't get it. by TechyImmigrant · · Score: 1

      That's rather neat. Why don't we have those?

      'we' being techy immigrants to 'murica.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
    5. Re: I don't get it. by eric31415927 · · Score: 1

      http://thebrazilbusiness.com/a... ... describes how to make and pay boletos

    6. Re: I don't get it. by mindcandy · · Score: 2

      We do, it's called an invoice.
      You get one with practically every dead-tree bill, just take the slip into most grocery or corner stores and you can pay it.

    7. Re: I don't get it. by Anonymous Coward · · Score: 1

      I'm kind of guessing that it's much more dangerous for merchants in Brazil to handle cash. Necessity is the mother of invention. With this system I guess many merchants could choose to go cashless. People might still have to carry cash to make the payment, but they would carry it to the post office, lotto house, or bank mentioned in some links that people posted. Those locations presumably have higher levels of security? In other words, merchants have the option of centralizing security at these other locations.

      Other people are saying we do have it, it's an invoice or bill; but with bills you still have to send money to the merchant. With the boleto you have a 3rd party receiving the funds and making ledger adjustments with the merchant's bank. It seems like it might trim some bureaucracy too, but it's hard to say...

    8. Re: I don't get it. by lskbr · · Score: 5, Informative

      A Boleto is the opposite of a check. A seller can issue a Boleto when they sell, and the buyer can pay the face value in any bank. No need for a credit card or bank account.

      OK, so its like a deposit slip?

      Not exactly. A long time ago, most Brazilians couldn't afford having a bank account! So Boletos were developed to allow people without a bank account to pay people with a bank account. So, with a Boleto, you can go to the post office and pay your bills in cash. You can also ask somebody else to pay your bills, like an office clerk who will go to a bank or post office with the Boleto and pay with a check or cash. Some banks even accept credit/debit cards now. You can pay a boleto even in banks where you don't have an account. A bank will collect Boletos for other banks and they manage the transaction no matter whether you are their client or the seller is their client. Once it is paid, the seller is notified very fast and it works nationwide (it is ok to pay from one state to another, as they use the same national system).

      In Brazil you can pay with boletos at home, using internet banking. Some friends even have bar code readers to make it easier to pay their bills. You just scan the bar code and confirm the payment using your banking software. Nowadays, it is also used on e-commerce sites, because the buyer does not share any payment information with the seller.

      So a boleto is more like an invoice with full payment information, including date, fees (like 2% for the first day after due date and 1% per day after). It is also a confirmation of payment, as you receive a bank authentication code, printed on the back of the boleto (just after you pay or an electronic code if you pay by internet banking). This also says the date and the amount you paid. The seller uses a customer and order code to track who paid what and it works quite well.

      I live in Europe now and I miss the bar code. Here I have to type all the seller's data like their name, address, bank account and amount to pay! No bar code :-(

    9. Re: I don't get it. by AmiMoJo · · Score: 1

      You have to pay for a bank account? I expect my bank to pay ME for the privilege of holding my money and using it to invest and generate profit. Payment is in the form of services and interest.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: I don't get it. by McFly777 · · Score: 1

      More recently, the interest rate being so low, and the bank fees so high, it feels more like I am paying the bank. Consider that my work requires me to direct deposit my check, but all the bank hours are the same as my work, so in order to get cash I have to use the ATM. If I do that more than a certain number of times during the month, I start getting charged an ATM usage fee. (I usually manage to avoid it however, so not a big deal.)

      --

      McFly777
      - - -
      "What do people mean when they say the computer went down on them?" -Marilyn Pittman
    11. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      It sounds like a Boleto is an invoice, and consequently that retailers in Brazil are very trusting of their customers, since there's no mention of collecting buyer information. What's to stop buyers from destroying or simply never paying off the Boleto? If I went to the store to get a TV and instead of having to actually pay for it I was just given an invoice, with no identifying information about me obtained by the seller, it would be rather tempting to never take the Boleto to a bank to pay it off.

      --
      Chuuch. Preach. Tabernacle.
    12. Re: I don't get it. by tokizr · · Score: 1

      They only get the goods *after* you pay, so it is safe for them. If you go to a store and take a product home they will give you other payment options instead such as credit/debit, cash or some other type of *ensured* payment. Or they will collect all personal information (including your CPF (SSN equivalent)) which is all they need to the hell out of you if you don't pay (much like if you paid with a cheque and had no backing funds).

    13. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      Ah, so you go to a store to buy something, get a boleto instead, then take the boleto to a bank and pay it, then return to the store with a "paid" stamped boleto to pick up your goods?

      Wouldn't it be easier to just pay at the store?

      --
      Chuuch. Preach. Tabernacle.
    14. Re: I don't get it. by GTRacer · · Score: 1

      How often do you need cash? I assume you mean more than 5 bucks? I'm interested in how other people handle banking nowadays.

      On average, more of my ATM visits are to DEPOSIT checks, not take money out. And my credit union just rolled out mobile depositing, so there's that done. Generally, if I need cash less than $50, I just grab it when I check out at Target or the grocery store. No fees, no extra trip. Though your supermarket visits may be less frequent than ours - we seem to go about once a week to keep the 3 kids fed.

      But even then, none of my bills are paid by cash - all but one are autopay or e-pay. And everywhere we go for fun or business takes debit or credit. Cash is for the odd times I need a soda at work (cash only)...

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    15. Re: I don't get it. by GTRacer · · Score: 1

      Simple. Many of us don't get paid lunches and for me at least, the nearest branch or ATM is nearly a mile from where I work. On foot, at good speed, that would take about half an hour just for the walk. And given that we're in summer here, I'd be a wreck when I got back to work.

      So, a half hour or so not eating and not getting paid. *That's* what's wrong.

      --
      Defending IP by destroying access to it? That makes sense, RIAA/MPAA. Go to the corner until you can play nice!
    16. Re: I don't get it. by CronoCloud · · Score: 1

      Or just walk to the bank during your lunch break.

      Maybe in a large city...maybe if your work is close to your bank. But that's probably not the case everywhere else. Sometimes lunch breaks are a half-hour, which would not be long enough for someone to walk to some of the banks in town from various workplaces.

      American cities and towns are more "spread out"

    17. Re: I don't get it. by dafradu · · Score: 5, Informative

      Not exactly. You can go to a store and they will give you credit to buy something that costs X paying X/12 a month. They give you something like a boleto for each month and you take your good home. If you don't pay your boletos your credit is ruined, you'll only be able to do that once, no other store will give you credit because they always check with credit institutions like SERASA. Oh, and it's a baaaaad idea to miss your payments, they charge ridiculous amounts for any day you miss. Your total due can double easily.

      Boletos come in the mail so you can pay most of your bills here, we call those boletos too. Utilities, cable, internet, credit card, any kind of insurance etc. They all can send you boletos to pay online or at your bank. It's common for old people to take a bunch of them to the bank on payday and ask the teller to pay them all. Me? I do it all online. My phone can scan the barcode with its camera, so it's really easy to pay the bills.

      Boleto is a thing in Brazil because a lot of people get paid in cash. A lot of people don't have bank accounts or credit cards. "Informal workers" are still a big part of the working force in Brazil even these days.

    18. Re: I don't get it. by dafradu · · Score: 1

      I don't think I made myself clear in that case.
      Why would you go to a store, get a boleto, go to the bank to pay it, get back to the store with the paid boleto and take your goods?
      That means you have means to pay the good right there, be it cash or debit/credit. So you just pay it right there at the store.
      The store could issue a boleto in the other case I described, where they let you pay a fraction of the total price each month for some % each month.

    19. Re: I don't get it. by NoImNotNineVolt · · Score: 1

      Mod parent up. Most complete explanation I've seen yet.

      --
      Chuuch. Preach. Tabernacle.
    20. Re: I don't get it. by TechyImmigrant · · Score: 1

      If you come into my store with an invoice from your gas company, I'm not going to know what the hell to do with it. Send your cheque to the gas company.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  2. What platforms are affected? by SpzToid · · Score: 4, Interesting

    According to RSA, the malware is being delivered via email. In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. When the customer does so, a protection service is created and starts running on the PC. In addition, some shared libraries are also installed on the system and are loaded by the browser in order to help provide protection for customers during online banking operations, RSA noted.

    However, the Boleto malware the company detected searches for specific versions of client side security plug-ins, detects their shared libraries, and patches them in real-time to dodge security. In one case, RSA analysts noticed that the malware accessed the plugin's memory area and modified a conditional JMP to a regular JMP operation, thereby thwarting the plugin's capabilities.

    What platforms does this malware operate on exactly? The TFA doesn't say.

    --
    You can't be ahead of the curve, if you're stuck in a loop.
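
A defender's view of the tampering quoted above, as an added example that is not part of the thread or of the RSA report: compare a known-good snapshot of a library's code bytes with the bytes currently mapped in the process and flag differences that turn a conditional jump into an unconditional one. The byte strings are constructed, and the two snapshots are assumed to cover the same address range with relocations already applied.

```python
# Added example; byte strings are constructed, not taken from any real plug-in.
SHORT_JCC = range(0x70, 0x80)   # x86 short conditional jumps (rel8)
SHORT_JMP = 0xEB                # x86 short unconditional jump (rel8)

def diff_runs(reference: bytes, live: bytes):
    """Yield (offset, ref_bytes, live_bytes) for each run of differing bytes."""
    if len(reference) != len(live):
        raise ValueError("snapshots must cover the same range")
    start = None
    for i in range(len(reference) + 1):
        differs = i < len(reference) and reference[i] != live[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, reference[start:i], live[start:i]
            start = None

def classify(ref: bytes, live: bytes) -> str:
    """Heuristic on raw bytes; confirm any hit by disassembling around the offset."""
    if len(ref) == 1 and ref[0] in SHORT_JCC and live[0] == SHORT_JMP:
        return "short Jcc rewritten to JMP"
    # Near form: 0F 8x rel32 becomes NOP + E9 rel32 with the same displacement.
    if (len(ref) == 2 and ref[0] == 0x0F and 0x80 <= ref[1] <= 0x8F
            and live == b"\x90\xE9"):
        return "near Jcc rewritten to NOP+JMP"
    return "unexplained modification"

def audit_code(reference: bytes, live: bytes, base: int = 0):
    """Return [(address, finding)] for every modified run in the code range."""
    return [(base + off, classify(r, l)) for off, r, l in diff_runs(reference, live)]

# Constructed sample: test eax,eax / jz +5 / call / nop / xor eax,eax / ret
REFERENCE = bytes.fromhex("85c07405e8000000009033c0c3")
LIVE = bytes.fromhex("85c0eb05e8000000009033c0c3")   # jz replaced by jmp

if __name__ == "__main__":
    for address, finding in audit_code(REFERENCE, LIVE, base=0x1000):
        print(hex(address), finding)
```
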
    1. Re:What platforms are affected? by Anonymous Coward · · Score: 1

      Windows only.

  3. Blame the banks by DeKO · · Score: 4, Insightful

    From TFA:

    In Brazil, when banking customers access their online banking site for the first time, they are often asked to install a security plugin. [...] However, the Boleto malware [...] searches for specific versions of client side security plug-ins, detects their shared libraries, and patches them in real-time to dodge security.

    I've closed my account in 3 different banks for pulling this bullshit. So it turned out the "security plugin" is full of security holes; worse than that, they are educating their users that they need to install/update software every time they access their bank online, so most accept plugin installation confirmations right away.

    The fact that it attacks boletos is a minor detail, it's a traceable and reversible money transfer once suspicious activity is identified.

    1. Re:Blame the banks by lgw · · Score: 3, Interesting

      Fortunately for Brazil, the underworld is saturated with stolen account info. The bottleneck for actual "hacker" money theft worldwide is finding new money mules to take the loss when the transfer is inevitably reversed. The world is flooded with malware, but the cops are pretty good at following the money, and so the bottleneck is there.

      Most stolen account info is never acted on for lack of a way to get the cash. Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    2. Re:Blame the banks by dargaud · · Score: 1

      Of course, that's one clever criminal idea away from shifting, and it will be very ugly if that ever happens.

      What's 'shifting' if you don't mind my asking ?

      --
      Non-Linux Penguins ?
    3. Re:Blame the banks by TheDarkMaster · · Score: 1

      The plugin from the bank itself can be considered a virus. As an example, the ridiculous plugin from the company GAS technology not only affects the overall operation of the computer (slowdowns all the time) but is also easily defeated by any malware. It's a piece of junk made by amateurs that only disrupts the computer without offering any protection.

      --
      Religion: The greatest weapon of mass destruction of all time
  4. ~$7500 per transaction? by mindcandy · · Score: 1

    3750000000/495793 = 7564.25 per transaction .. even if it's the Real (Brazil's 'dollar') it's a little less than half that in USD.
    If the crooks are smart they are shaving a'la Superman3 and not stealing it outright but that's a huge per-transaction average.

    1. Re:~$7500 per transaction? by DeKO · · Score: 1

      Sounds like they replace the barcode to redirect the payment to an account they own, so they are really stealing the whole amount. Funny thing is, after you enter the code (by scanning or typing) you get a confirmation screen (either on the ATM or on the online system) with the name of the receiving entity; it's hard to imagine the bank would allow somebody to create an account with a name that looks like a utility company or something like that.

      I agree, the average amount seems way too high; things at that range are usually paid with credit cards, cheques, or direct transfers between bank accounts. I'm really curious to find out what kinds of transactions average at 100 times the typical boleto value. Was every victim buying a 65" 3D 4k LED TV over the internet?

    2. Re:~$7500 per transaction? by Anonymous Coward · · Score: 1

      actually you don't get a confirmation screen when paying "non-registered" boletos (banks offer 2 types of boletos to customers, they work the same way, but on the non-registered one the bank has no information on the boleto until it gets paid)

      the amount is probably wrong, no way the mean transaction would be 7500

    3. Re:~$7500 per transaction? by tokizr · · Score: 1

      The value of the Boleto is part of the code and can be altered by the payer (for instance if you have to pay a fine because the payment is late, or if you have a discount for paying early) so if you can yank the transaction you can probably also alter the value.
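
The comments above describe the payment code carrying the amount and being swapped to redirect a payment. As an added example (not part of the thread or of the RSA report), this parser checks a boleto's typed line and compares it with the invoice record held by the payer's accounting system; it shows that a swapped line with recomputed check digits still validates, so only the comparison catches it. The 47-digit FEBRABAN layout, the meaning given to the bank-defined free field, and every number used are assumptions constructed for illustration.

```python
# Added example. Assumed layout: 47-digit FEBRABAN line for bank boletos.
# Every number below is constructed for illustration.

def mod10(digits):
    """Per-field check digit: weights 2,1,2,... from the right, digit-summed."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p // 10 + p % 10
    return (10 - total % 10) % 10

def mod11(digits):
    """General check digit: weights 2..9 cycling from the right."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv > 9 else dv

def build_line(bank, free, factor, cents):
    """Encode a line; used here only to construct sample data."""
    value = f"{cents:010d}"
    general = mod11(bank + "9" + factor + value + free)
    f1, f2, f3 = bank + "9" + free[:5], free[5:15], free[15:]
    return (f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3))
            + str(general) + factor + value)

def parse_line(line):
    d = "".join(c for c in line if c.isdigit())
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    f1, f2, f3 = d[0:9], d[10:20], d[21:31]
    free, factor, value = f1[4:] + f2 + f3, d[33:37], d[37:47]
    ok = (mod10(f1) == int(d[9]) and mod10(f2) == int(d[20])
          and mod10(f3) == int(d[31])
          and mod11(f1[:4] + factor + value + free) == int(d[32]))
    return {"bank": d[0:3], "free": free, "cents": int(value), "checks_ok": ok}

def audit(line, expected):
    """Compare the line about to be paid with the invoice record held elsewhere."""
    try:
        got = parse_line(line)
    except ValueError as exc:
        return [str(exc)]
    findings = [] if got["checks_ok"] else ["check digit mismatch"]
    findings += [f"{k} differs from invoice record"
                 for k in ("bank", "free", "cents") if got[k] != expected[k]]
    return findings

INVOICE = {"bank": "001", "free": "1234500000678900000011111", "cents": 15075}
GENUINE = build_line("001", INVOICE["free"], "6100", 15075)
# Same amount, different bank and free field, check digits recomputed.
SWAPPED = build_line("237", "9999900000555500000022222", "6100", 15075)
# One mistyped digit in field 2.
TYPO = GENUINE[:12] + "7" + GENUINE[13:]

if __name__ == "__main__":
    for name, line in (("genuine", GENUINE), ("swapped", SWAPPED), ("typo", TYPO)):
        print(name, audit(line, INVOICE) or "matches invoice record")
```
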

  5. Giro by tepples · · Score: 1

    I was under the impression that some countries called their opposite-of-check a "giro".

    1. Re:Giro by TechyImmigrant · · Score: 1

      A Giro is a cheque.
      http://en.wikipedia.org/wiki/G...

      I know because I used to cash them at the post office.

      --
      I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  6. A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

    So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

    (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

    1. Re:Ah by cascadingstylesheet · · Score: 1

      if the article

      if the writeup

      There, fixed that for me ...

    2. Re:Ah by Nyder · · Score: 1

      A Boleto is essentially a document that allows a customer to pay an exact amount to a merchant.

      So, like, a bill. How unlike us stupid norteamericanos, who of course just pay completely random and imprecise amounts to merchants.

      (Cue all the people telling me how stupid and parochial I am ... but it would have been nice if the article actually explained this thing.)

      I get bills all the time, I don't pay most of them.

      Hmm, that makes me wonder, can I just start sending official looking bills to people and see if they pay them?

      --
      Be seeing you...
    3. Re:Ah by kaatochacha · · Score: 1

      There are illegal companies that do exactly this. They send formal looking bills for vague services to large companies, usually in smallish amounts.
      Often, the person receiving the bill, rather than research why "XYZ Consulting" is charging a $22.45 fee for consulting services, will just pay them.
      If only one out of ten gets paid, they're still ahead.

  7. I thought they were made up by drug lords to scare by jpellino · · Score: 1
    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
  8. We get these on a regular basis. by jpellino · · Score: 1

    Usually for catalog listings, listing maintenance, annual service charges, restocking fee, etc. with a magic number that is below what some business managers can pay without escalating a charge to the front office. Paper-based phishing.

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."