A Huge Malware-Based Fraud Ring Discovered in Brazil
It’s probably the biggest security news of the year. Researchers at RSA, the security division of EMC, uncovered a massive malware-based fraud that reaped an estimated $3.7 billion through man-in-the-browser attacks. For two years the malware has infiltrated Boleto, Brazil’s second most popular payment method. The RSA researchers believe the malware has likely compromised as many as 495,753 Boleto transactions over that two-year period.
It is not clear how much has actually been stolen: whether the fraudsters successfully collected on all the compromised transactions, and whether all the payments were successfully redirected to fraudster-controlled accounts. The value of the compromised transactions is estimated to reach as much as $3.75 billion, which would make this the largest electronic theft in history.

What is a Boleto?

The Boleto, or Boleto Bancário, is the second most popular payment method in Brazil. It is a financial document issued by banks that consumers can use to pay merchants, utilities and other establishments. It functions much like an American money order: a payment voucher equivalent to cash that users can obtain from banks, ATMs and elsewhere.
RSA’s FraudAction team released details on Wednesday of a massive malware-based fraud ring that has been operating in Brazil for two years: the Boleto malware.
The Boleto malware is a sophisticated fraud operation and financial threat aimed at individuals and companies in Brazil. Its goal is simple: to intercept legitimate Boleto payments made by individuals or companies and redirect those payments to the fraudsters’ accounts.
The malware uses man-in-the-browser (MITB) techniques against Chrome, Firefox and Internet Explorer, and its method is modification of the transaction on the client side. By infecting the web browser, the Boleto malware can alter the screens and numbers a user sees while on the legitimate site, so that the user believes the money is going to the merchant. It borrows techniques from other well-known Trojans such as SpyEye, including HTML code injection and MITB, but not every attack works this way: the most recent ones rely on malicious Firefox and Chrome extensions (found in the official stores) and even on websites that offer to reissue an expired Boleto.
The malware silently injects itself into the user’s browser after the attackers have tricked the user into clicking a malicious link on a legitimate-looking site or in an ordinary-looking email. Once injected into the victim’s browser, it looks for specific, bank-issued versions of client-side security plug-ins, locates their shared libraries, and patches them in real time, neutralizing their functions. And because the Boleto malware operates as MITB, the whole activity is invisible to both the user and the web application.
This type of fraud is difficult for customers to detect because the malware displays the original inputs on the validation screen, making it look exactly like the legitimate site. Because of the malware’s stealth capabilities, users have a hard time detecting the fraud on their own. Banks and businesses struggle as well: for banks it is especially difficult because the transactions are completed from regular, well-known IP addresses and user accounts.
Several factors may have helped the “Boleto crews” get away with this kind of fraud. First, the three major browsers, Chrome, Firefox and Internet Explorer, are all vulnerable to MITB attacks. Second, Brazilians are not necessarily the kind of users who run the very latest anti-virus and other security software, which makes them more vulnerable to such attacks. Last, Boletos are not used outside Brazil, which may make companies and users less aware of the danger.
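Because the malware shows the user the original numbers while submitting altered ones, any check that relies on what the browser displays cannot catch it; the control this implies is to reconcile, field by field, the Boleto a merchant actually issued with the one that reaches the bank or the payer's statement. The following Python is an added example, not code from RSA or from the report: it parses the 47-digit "linha digitável" of a bank Boleto using the standard FEBRABAN layout (bank code, currency, due-date factor, amount, free field and check digits), verifies the check digits, and reports which fields differ between an issued and a presented line. All sample lines are constructed; the bank codes and free-field digits are placeholders, not real Boletos. Note the caveat the example makes explicit: a substituted line whose check digits were recomputed still validates, so only comparison against the issued document detects the swap.

```python
"""Parse and reconcile bank-Boleto digitable lines (constructed example)."""
import re
from datetime import date, timedelta

# Standard FEBRABAN layout: 44-digit bar code, 47-digit digitable line.
# Bar code: bank(3) currency(1) general DV(1) due factor(4) amount(10) free field(25).
# The due-date factor counts days from 1997-10-07 (factor 1000 = 2000-07-03).
_DUE_BASE = date(1997, 10, 7)


def mod10_dv(digits: str) -> int:
    """Check digit of fields 1-3: weights 2,1,2,1,... from the right, digit-summing products."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod if prod < 10 else prod - 9
    return (10 - total % 10) % 10


def mod11_dv(digits: str) -> int:
    """General check digit of the bar code: weights 2..9 cycling from the right; 0/10/11 map to 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_digitable_line(barcode43: str) -> str:
    """Insert the general DV into a 43-digit bar-code skeleton and lay it out as the 47-digit line."""
    if len(barcode43) != 43 or not barcode43.isdigit():
        raise ValueError("expected 43 digits (bar code without its general check digit)")
    bc = barcode43[:4] + str(mod11_dv(barcode43)) + barcode43[4:]
    f1, f2, f3 = bc[0:4] + bc[19:24], bc[24:34], bc[34:44]
    return "".join(f + str(mod10_dv(f)) for f in (f1, f2, f3)) + bc[4] + bc[5:19]


def parse_digitable_line(line: str) -> dict:
    """Split a 47-digit line into its payment fields and verify every check digit."""
    d = re.sub(r"\D", "", line)          # tolerate the usual dots and spaces
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    f1, f2, f3, f4, f5 = d[0:10], d[10:21], d[21:32], d[32], d[33:47]
    fields_ok = all(int(f[-1]) == mod10_dv(f[:-1]) for f in (f1, f2, f3))
    free_field = f1[4:9] + f2[:-1] + f3[:-1]
    general_ok = int(f4) == mod11_dv(f1[0:4] + f5 + free_field)
    factor = int(f5[:4])
    return {
        "bank_code": f1[0:3],
        "currency": f1[3],
        "due_date": (_DUE_BASE + timedelta(days=factor)).isoformat() if factor else None,
        "amount_cents": int(f5[4:]),
        "free_field": free_field,        # bank-defined field carrying beneficiary/account data
        "check_digits_ok": fields_ok and general_ok,
    }


def reconcile(issued_line: str, presented_line: str) -> dict:
    """Report the fields that differ between the Boleto a merchant issued and the one about to be paid."""
    a, b = parse_digitable_line(issued_line), parse_digitable_line(presented_line)
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}


# Constructed sample (not a real Boleto): bank 001, currency 9, due factor 1000, R$123.45.
ISSUED_LINE = build_digitable_line("0019" + "1000" + "0000012345" + "1234567890123456789012345")
# Constructed substituted copy: other bank code and free field, check digits recomputed to look valid.
TAMPERED_LINE = build_digitable_line("2379" + "1000" + "0000012345" + "9876543210987654321098765")

if __name__ == "__main__":
    for name, line in (("issued", ISSUED_LINE), ("presented", TAMPERED_LINE)):
        print(name, line, parse_digitable_line(line))
    print("differences:", reconcile(ISSUED_LINE, TAMPERED_LINE))
```

Run stand-alone, the script shows both lines passing every check-digit test while `reconcile` flags the changed `bank_code` and `free_field`; the same comparison can be run by a merchant against its issued records or by a bank against what it receives, independently of anything the infected browser rendered.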
Image Courtesy of BBC News