Boleto Bots Bilk Brazil Out of $3 Billion

Jul 03, 2014 at 2:35 PM ET

In April 2013, an anonymous tipster sent a concerned message to the founder of a well-known Brazilian cybercrime blog, Linha Defensiva (the “Defensive Line”). In his email, the tipster explained he had recently tried to upload a Boleto—the Brazilian version of a money order—to his a bank account, but the money was never deposited.

The Defensive Line looked into the tipster’s concerns, and reported back with a scary finding: The tipster’s computer had been infected with a piece of malware designed to recognize the Boleto’s routing number, and redirect that payment into a mysterious third-party account. When the Defensive Line blogged about the piece of malware, the story generated hundreds of comments from victims who said they had similar experiences.

As it turns out, it’s not just hundreds that have been affected, it’s hundreds of thousands. In a new report published this week, the international cyber security firm RSA claims that a ring of cybercriminals dubbed the “Bolware operation” have, over the past two years, infected more than 192,000 PCs with Boleto malware, causing an estimated total monetary loss value of up to $3.75 billion. If that’s accurate, it’s essentially the worst bank robbery in the history of modern banking—and the culprits are still out there.

“Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online,” noted Brian Krebs, a well-known cyber-security blogger.

The scale of the operation is staggering. Researchers found 495,753 potentially fraudulent transactions, 83,506 stolen email user credentials, and 192,227 infected PC bots (individual computers). “The Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, but it does appear to be extremely lucrative for its masterminds,” notes the report’s authors.

Behind credit cards, Boletos are the second most popular form of payment in Brazil and act similarly to a money order—a cash voucher that customers can obtain at ATMs, banks, post offices, or via online banking. The way the Bolware scheme works is fairly straightforward. Once the victim’s PC is infected with the virus (which can happen by clicking a suspicious link in an email, or by downloading an infected program), the malware hides dormant. But when the victim begins to enter Boleto payment information (either into an online store or bank account) the malware perks up, intercepting all the data entered into the browser—including the Boleto routing number.

“If a Boleto is detected by the malware, the data will be sent to the fraudster’s server, which modifies the Boleto data with a fraudster or mule bank account,” RSA explains.

RSA also points out that Boleto fraud is actually very hard to detect from the customer’s point of view because the ID number field doesn’t really have any recognizable number sequence. Also, most customers in Brazil simply check the amount and date—not the payee information.

For now, RSA recommends users in Brazil regularly run anti-malware software to check if they’ve been infected. “RSA has turned over its research…to both U.S. (FBI) and Brazilian law enforcement (Federal Police),” the authors note, adding that “RSA is working together with these entities in the investigation while also helping to develop and/or advise on the implementation of various mitigation countermeasures.”