Nearly $4 Billion Lost in Brazilian Boleto Attack

Yesterday afternoon, researchers from RSA’s FraudAction Knowledge Delivery team shed light on one of the most profitable malware schemes ever attempted in the history of the open Internet.



In just under two years, the ‘Boleto’ virus has far exceeded any other malware-driven currency caper that came before it, pulling in a total of close to $3.75 billion USD ($8.57 billion Brazilian Real).

This is just an estimate, however, based on one piece of malware that scraped financial details, wrote resident researcher Eli Marcus.

It is very likely that the hackers known as the Bolware crew used other techniques to amass their ill-gotten billions, and this discovery represents only one of the many tools the ring had ready to deploy.

The virus was first spotted back in late 2012, and used a relatively standard man-in-the-browser attack to pick up general information about clients, their login details, and the transactions they made by recording the data as it was entered into a computer either from home or at one of the country’s many net cafes.

By infecting the browser, Boleto could modify the screens and numbers that a user saw as they were on the site, making them believe they were sending money to a merchant while the funds were actually funneled to an account belonging to members of the Bolware criminal syndicate.

“The Boleto malware is a newer and more sophisticated kind of fraud in Brazil that leverages man-in-the-browser technology to attack online operations, and is based on transaction modification on the client side.”

Reportedly, 18 percent of all payments in Brazil were sent through Boleto Bancario in 2012, thanks in part to the lackadaisical requirements that allowed users to make transactions through the service even if they didn’t have their own bank account.

Initially identified as ‘Eupuds’ when it first went live, the malware has been tracked and targeted by AV experts for years, though no one had gathered enough information on the perpetrators behind it to publish any details until recently.

“While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to US$3.75 billion ($8.57 billion Brazilian Real),” Marcus said.

Upwards of 195,000 separate computers were zombified in order to provide the resources necessary to process so much data at once, and from those nearly one-fifth of a million machines, a little over 83,000 credentials were picked up and falsified in order to move money from a legitimate customer’s account to those belonging to the gang.

The network behind the attacks was also tenacious in its ability to stay one step ahead of the law and keep the operation running unimpeded. There were 19 updates and hotfixes applied to the Boleto malware while it was still active, many made just a few short hours after AV advisory boards had posted fresh updates on a new method to bring the program down.

Both US and Brazilian officials have been notified of the issue, and have launched a joint investigation into all of the banks and independent financial institutions that were affected by the malware.