Brazilian baddies bank Boleto billions

Tremendous takings through a trillion tiny transactions


Brazilian bad guys appear to have made an astonishing US$3.75 billion by scraping a tonne of tiny transactions from a popular payment system used by locals, RSA researcher Eli Marcus says.

The carders operating a single fraud ring may have netted enough over the last two years to foot 80 percent of Brazil's $4.7 billion World Cup stadium bill.

Marcus pointed out that the true profit from the 495,753 stolen transactions was unknown, and that the billions were the potential earnings of a malware-based campaign that scraped financial details.

"While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to US$3.75 billion ($8.57 billion Brazilian Real)," Marcus said.

"The Boleto malware [is] a newer and more sophisticated kind of fraud in Brazil that leverages man-in-the-browser technology to attack online operations, and is based on transaction modification on the client side."

The gang controlled at least 192,227 bot-infected computers used in the Bolware (RSA's name for the Boleto malware) campaign, and had some 83,506 stolen email user credentials stored on the botnet's command-and-control server.

The Boleto (Boleto Bancário) was in 2012 used for 18 percent of all payments made in Brazil. Customers could pay merchant-generated invoices for anything from energy bills to mortgages through bills mailed by post or generated through online shops.

It was popular with customers notably because it did not require them to hold bank accounts, and with fraudsters because it did not apply dispute resolution or charge-backs to dodgy transactions.

The malware was identified by anti-virus engines as 'Eupuds' in 2012 and infected popular web browsers running on Windows. It intercepted and modified Boleto transactions, redirecting payments into the fraudsters' accounts, and the modification remained invisible both to victims and to the web applications involved.

One malware gang operating a botnet had netted US$250,000 in the four months to June this year from 383 Boleto transactions, a leaked bot webpanel obtained by Brian Krebs showed.

The malware's authors were continuously updating their wares to keep abreast of defensive manoeuvres by Brazilian banks, and had pushed out 19 fixes to date.

Earlier Boleto fraud schemes worked by sending victims dodgy Boleto phishing requests by post and email, and by replacing deposit-slip data with the details of the fraudsters' mule bank accounts.

The researchers have handed over the victim and attacker information to US and Brazilian authorities, who have alerted the affected banks.

More information, including technical malware data, is available in RSA's report, RSA Discovers Massive Boleto Fraud Ring in Brazil [PDF]. ®
