A Huge Malware-Based Fraud Ring Discovered in Brazil

It’s probably the biggest security news of the year. Researchers at RSA, the security division of EMC, uncovered a massive malware-based fraud that reaped an estimated $3.7 billion through man-in-the-browser attacks. For two years the malware has infiltrated Boleto, Brazil’s second most popular payment method. The RSA researchers believe the malware has likely compromised as many as 495,753 Boleto transactions during that two-year period.

It is not clear how much was actually stolen: whether the fraudsters successfully collected on all the compromised transactions, and whether every payment was successfully redirected to fraudster-controlled accounts. The value of the compromised transactions is estimated to reach as much as $3.75 billion, which would make it the largest electronic theft in history.

What is a Boleto? A Boleto, or Boleto Bancário, is the second most popular payment method in Brazil. It is a financial document issued by banks that consumers use to pay merchants, utilities and other establishments. It functions much like an American money order: a payment voucher equivalent to cash that users can obtain from banks, ATMs and elsewhere.

RSA’s FraudAction team released details on Wednesday of a massive malware-based fraud ring that has been operating in Brazil for two years: the Boleto malware.

Boleto malware is a sophisticated fraud operation and financial threat designed to target individuals and companies in Brazil. Its goal is simple: to infiltrate legitimate Boleto payments made by individuals or companies and redirect those payments to fraudsters’ accounts.

The malware leverages man-in-the-browser (MITB) techniques against Chrome, Firefox and Internet Explorer, and it is based on modifying the transaction on the client side. By infecting the web browser, Boleto malware can alter the screens and numbers the user sees while on the legitimate site, leading them to believe they are sending money to the merchant. It borrows techniques from other well-known Trojans such as SpyEye, including HTML code injection and MITB, but not only those: the most recent attacks rely on malicious Firefox and Chrome extensions (found in the official stores) and even on websites that offer to reissue an expired Boleto.

The malware silently injects itself into the user’s browser after the attackers trick the user into clicking a malicious link on a legitimate-looking site or in an ordinary-looking email. Once injected into the victim’s browser, it looks for specific bank-issued client-side security plug-ins, locates their shared libraries, and patches them in real time, neutralizing their functions. And because the Boleto malware operates as a MITB, all of this activity is invisible to both the user and the web application.

This type of fraud is difficult for customers to detect because the malware shows the original inputs on the validation screen, so everything looks like the legitimate site. Because of the malware’s stealth capabilities, users have a hard time spotting the fraud on their own. It is not only users: banks and businesses struggle too, because the transactions are completed from regular, well-known IP addresses and user accounts.
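Since the numbers are rewritten inside the browser, the one check a payer or a merchant’s back office can still trust is one done outside it. The example below is added here and is not RSA’s or the page’s code: it parses a boleto’s 47-digit typeable line, verifies its FEBRABAN check digits, and compares the bank code, amount and beneficiary data with what the payee communicated out of band. The sample boleto, the bank code 999 and the free-field prefix are constructed values, and because the free field’s internal layout is bank-specific, the prefix comparison is an assumption about where the beneficiary data sits.

```python
# Out-of-band check of a Brazilian boleto's 47-digit typeable line (linha digitavel). FEBRABAN layout:
# field 1 = bank(3) currency(1) free[0:5] + mod-10 DV; field 2 = free[5:15] + DV; field 3 = free[15:25] + DV;
# field 4 = mod-11 DV of the 44-digit barcode; field 5 = due-date factor(4) + amount in cents(10).
def mod10(digits):
    """Field check digit: weights 2,1,2,1,... from the right; products over 9 are digit-summed."""
    prods = [int(ch) * (2 - i % 2) for i, ch in enumerate(reversed(digits))]
    total = sum(p - 9 if p > 9 else p for p in prods)
    return (10 - total % 10) % 10

def mod11(digits):
    """Barcode check digit: weights 2..9 cycling from the right; results 0, 10 and 11 become 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def build_typeable_line(bank, currency, factor, amount_cents, free):
    """Build a valid line. A fraudster who rewrites a boleto recomputes these digits as well."""
    amount = f"{amount_cents:010d}"
    general = str(mod11(bank + currency + factor + amount + free))
    fields = [bank + currency + free[:5], free[5:15], free[15:25]]
    return "".join(f + str(mod10(f)) for f in fields) + general + factor + amount

def parse_typeable_line(line):
    """Split the line into its fields and verify the three field DVs and the barcode DV."""
    d = "".join(ch for ch in line if ch.isdigit())
    if len(d) != 47:
        raise ValueError("typeable line must contain 47 digits")
    f1, f2, f3, f4, f5 = d[:10], d[10:21], d[21:32], d[32], d[33:]
    bank, currency, free = f1[:3], f1[3], f1[4:9] + f2[:10] + f3[:10]
    factor, amount = f5[:4], f5[4:]
    ok = all(mod10(f[:-1]) == int(f[-1]) for f in (f1, f2, f3))
    ok = ok and mod11(bank + currency + factor + amount + free) == int(f4)
    return {"bank": bank, "currency": currency, "factor": factor,
            "amount_cents": int(amount), "free": free, "check_digits_ok": ok}

def findings(line, expected):
    """Compare the boleto with what the payee told the payer out of band (invoice, phone, app)."""
    b, out = parse_typeable_line(line), []
    if not b["check_digits_ok"]:
        out.append("check digits invalid: corrupted or mistyped line")
    for key in ("bank", "amount_cents"):
        if b[key] != expected[key]:
            out.append(f"{key} {b[key]} differs from expected {expected[key]}")
    if not b["free"].startswith(expected.get("free_prefix", "")):  # free field layout is bank-specific
        out.append("beneficiary data in the free field differs from expected")
    return out

# Constructed sample boleto: bank 001, currency 9, factor 1000, R$ 123.45, free field 12345 then zeros.
LEGIT = build_typeable_line("001", "9", "1000", 12345, "12345" + "0" * 20)
EXPECTED = {"bank": "001", "amount_cents": 12345, "free_prefix": "12345"}
```

The point of the check is the order of the two results: a boleto rewritten by the malware still passes every check digit, and only the out-of-band comparison against the payee’s real bank and beneficiary data exposes the redirect.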

Several factors may have helped the “Boleto crews” get away with this kind of fraud. First, the three major browsers, Chrome, Firefox and Internet Explorer, are all vulnerable to MITB attacks. Second, Brazilians are not necessarily the kind of users who run the very latest anti-virus and other software, which makes them more vulnerable to such attacks. Last, Boletos aren’t used outside Brazil, which may make companies and users less aware of the danger.

Image Courtesy of BBC News
