Cyber-criminals have abused the Boleto Bancário online payment system to steal
potentially billions of dollars, according to security firm RSA.
Cyber-criminals have infected nearly 200,000 computers in Brazil and used that
access to issue payment vouchers with an estimated value of $3.75 billion,
according to an analysis of the attack published by security firm RSA on July 1.
Dubbed the "Bolware" gang, the criminals abuse the Brazilian payment system
known as Boleto Bancário, which allows a customer to promise to pay an online
merchant, print out a payment slip carrying a barcode, and remit the money at a
bank. While previous attempts to defraud the payment system used fake boletos,
the latest attack, which started in late 2012, infects Web browsers on
compromised computers and modifies legitimate boletos so that payment is routed
to the criminals' accounts.
"The Boleto Malware (is) a newer and more sophisticated kind of fraud in Brazil
that leverages MITB (man-in-the-browser) technology to attack online
operations, and is based on transaction modification on the client side," RSA
stated in its analysis. "Like any substantial cyber-criminal operation, the
Bolware gang has continued to innovate, revising their purpose-built malware
through 19 different versions."
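The following is an added example, not code from the article, from RSA or from the Bolware malware itself. It models the client-side modification the article describes: the typed line ("linha digitável") printed on a boleto encodes the destination bank and beneficiary data next to the amount, so a browser-side rewrite that swaps the destination and recomputes the check digits yields a slip that still passes format validation. The field layout and the modulo-10 and modulo-11 check-digit rules follow the FEBRABAN bank-collection standard; the 25-digit free field is bank-specific and is treated as opaque. The bank codes, free-field values, amount and the `mitb_rewrite` and `detect_tampering` functions are constructed for illustration and are assumptions, not details taken from the RSA analysis.

```python
# Added example, not part of the article and not RSA's or the Bolware gang's code.
# Models the attack the article describes: a boleto's typed line encodes the
# destination bank and beneficiary data; a browser-side rewrite can replace that
# data while keeping the amount, and recomputed check digits make the altered slip
# look valid. Layout follows the FEBRABAN bank-collection standard; the 25-digit
# free field is bank-specific and treated as opaque. All bank codes and field
# values below are constructed sample data (hypothetical, no real accounts).

def mod10(digits: str) -> int:
    """FEBRABAN modulo-10 digit: weights 2,1,2,1... from the right; two-digit products are digit-summed."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod - 9 if prod > 9 else prod
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10

def mod11(digits: str) -> int:
    """FEBRABAN modulo-11 general digit: weights 2..9 cycling from the right; 0, 10 and 11 map to 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def build_barcode(bank: str, due_factor: str, value_cents: int, free_field: str) -> str:
    """44-digit barcode: bank(3) currency(1) DV(1) due-date factor(4) value(10) free field(25)."""
    body = f"{bank}9{due_factor}{value_cents:010d}{free_field}"  # 43 digits, DV slot left out
    if len(body) != 43 or not body.isdigit():
        raise ValueError("bad barcode fields")
    return body[:4] + str(mod11(body)) + body[4:]

def barcode_to_typed_line(barcode: str) -> str:
    """47-digit typed line that is printed on the slip and keyed into banking apps."""
    bank_cur, dv, factor_value, free = barcode[0:4], barcode[4], barcode[5:19], barcode[19:44]
    f1 = bank_cur + free[0:5]   # bank + currency + first 5 free-field digits, then mod-10 DV
    f2 = free[5:15]             # next 10 free-field digits, then mod-10 DV
    f3 = free[15:25]            # last 10 free-field digits, then mod-10 DV
    return f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}{dv}{factor_value}"

def typed_line_is_consistent(line: str) -> bool:
    """Re-derive all four check digits; True only means the line is internally consistent."""
    if len(line) != 47 or not line.isdigit():
        return False
    f1, f2, f3 = line[0:10], line[10:21], line[21:32]
    for field in (f1, f2, f3):
        if mod10(field[:-1]) != int(field[-1]):
            return False
    free = f1[4:9] + f2[:-1] + f3[:-1]
    body = f1[:4] + line[33:47] + free     # bank+currency, factor+value, free field
    return mod11(body) == int(line[32])

def typed_line_beneficiary(line: str) -> dict:
    """The fields that decide who gets paid."""
    return {"bank": line[0:3], "free_field": line[4:9] + line[10:20] + line[21:31]}

def mitb_rewrite(line: str, attacker_bank: str, attacker_free_field: str) -> str:
    """Simplified model of the browser-side modification (an assumption, not Bolware's code):
    keep due date and amount, swap the destination, recompute every check digit."""
    due_factor, value_cents = line[33:37], int(line[37:47])
    return barcode_to_typed_line(build_barcode(attacker_bank, due_factor, value_cents, attacker_free_field))

def detect_tampering(line: str, expected_bank: str, expected_free_field: str) -> str:
    """Server-side check a merchant or bank can run: a well-formed line is not enough,
    the destination must match what was actually issued."""
    if not typed_line_is_consistent(line):
        return "malformed"
    who = typed_line_beneficiary(line)
    if who["bank"] != expected_bank or who["free_field"] != expected_free_field:
        return "destination mismatch"
    return "ok"

# Constructed sample values.
MERCHANT_BANK = "001"
MERCHANT_FREE = "1234567890123456789012345"
ATTACKER_BANK = "999"
ATTACKER_FREE = "9876543210987654321098765"

SAMPLE_LINE = barcode_to_typed_line(build_barcode(MERCHANT_BANK, "9000", 15000, MERCHANT_FREE))
TAMPERED_LINE = mitb_rewrite(SAMPLE_LINE, ATTACKER_BANK, ATTACKER_FREE)

if __name__ == "__main__":
    print("issued:   ", SAMPLE_LINE, typed_line_is_consistent(SAMPLE_LINE))
    print("rewritten:", TAMPERED_LINE, typed_line_is_consistent(TAMPERED_LINE))
    print("amount and due date unchanged:", TAMPERED_LINE[33:47] == SAMPLE_LINE[33:47])
    print("verdict on rewritten slip:", detect_tampering(TAMPERED_LINE, MERCHANT_BANK, MERCHANT_FREE))
```

The point of the example is the last two lines of output: the rewritten slip keeps the amount the customer expects and validates cleanly, so check-digit validation in the browser or in a banking app tells the victim nothing. What catches it is comparing the bank and free-field values on the slip with the ones the merchant actually issued, which has to happen somewhere the infected browser cannot rewrite.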
While the details of the fraud differ from payment fraud in other nations, the
techniques, such as man-in-the-browser attacks, are similar to those criminals
use to steal money from financial institutions in the U.S. and Europe.
Criminals adopted man-in-the-browser attacks to defeat the additional
countermeasures, such as IP address and device identification, that financial
institutions had deployed.
"It is a class of problem where the arms race has migrated," said Dan Kaminsky,
co-founder and chief scientist of White Ops, an anti-fraud technology firm.
"Once upon a time, it was good enough to steal a customer's username and
password and log into the bank from wherever and do whatever you wanted, but
they soon figured out that a California customer should not be logging in from
Latvia."
While banks in Brazil and other nations continue to fight payment fraud, such
attacks expose weaknesses and undermine trust in the financial ecosystem in
most countries. Because customer-owned computers are generally presumed to act
on behalf of the user, banks typically argue that any fraud originating from a
compromised customer system is the responsibility of the victim. Such fraud
rose more than 200 percent in the first nine months of 2013, according to
Symantec.
Small U.S. businesses, for example, have lost hundreds of thousands of dollars
to such attacks and have sued their banks for allowing funds to be transferred
abroad, even though it was the business's own machine that was compromised.
Courts have split on whether the business is responsible for the lost money or
whether banks should catch anomalous transactions and apply extra security
measures.
In a similar scam, an attacker changed the banking information to which
publisher Conde Nast sent funds, resulting in $8 million being transferred in
six weeks, but the money was frozen before the attackers could move it to their
own bank accounts.
While the Brazilian crime network is not large compared with other botnets, the
potential profits for its operators are huge, according to RSA.
"Boleto malware is a
major fraud operation and a serious cyber-crime threat to banks, merchants and
banking customers in Brazil," the company stated. "While the Bolware
fraud ring may not be as far-reaching as some larger international cybercrime
operations, it does appear to be an extremely lucrative venture for its
masterminds."