July 2, 2014

With the eyes of the world trained on Brazil for the 2014 FIFA World Cup, it seems a fitting time to spotlight a growing form of computer fraud that’s giving Brazilian banks and consumers a run for their money. Today’s post looks at new research into a mostly small-time cybercrime practice that in the aggregate appears to have netted thieves the equivalent of billions of dollars over the past two years.

A boleto.

At issue is the “boleto” (officially “Boleto Bancario”), a popular payment method in Brazil that is used by consumers and for most business-to-business payments. Brazilians can use boletos to complete online purchases via their bank’s Web site, but unlike credit card payments — which can be disputed and reversed — payments made via boletos are not subject to chargebacks and can only be reverted by bank transfer.

Brazil has an extremely active and talented cybercrime underground, and increasingly Brazilian organized crime gangs are setting their sights on boleto users who bank online. This is typically done through malware that lies in wait until the user of the hacked PC visits their bank’s site and fills out the account information for the recipient of a boleto transaction. In this scenario, the unwitting victim submits the transfer for payment and the malware modifies the request by substituting a recipient account that the attackers control.

Many of the hijacked boleto transactions are low-dollar amounts, but in the aggregate these purloined payments can generate an impressive income stream for even a small malware gang. On Tuesday, for example, a source forwarded me a link to a Web-based control panel for a boleto-thieving botnet (see screenshot below); in this operation, we can see that the thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

The records kept by a boleto-stealing botnet. Next to the date and time is the account of the intended recipient of the transfer; the “linha alterada” column shows the accounts used by the thieves to accept diverted payments. “Valor” refers to the amount, expressed in Brazilian Real.

But a recent discovery by researchers at RSA, the security division of EMC, exposes far more lucrative and ambitious boleto banditry. RSA says the fraud ring it is tracking — known as the “Bolware” operation — affects more than 30 different banks in Brazil, and may be responsible for up to $3.75 billion USD in losses. RSA arrived at this estimate based on the discovery of a similar botnet control panel that tracked nearly a half-million fraudulent transactions.

Most Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser. The plug-ins are designed to help block malware attacks. But according to RSA, the Bolware gang’s malware successfully disables those security plug-ins, leaving customers with a false sense of security when banking online.

The malware also harvests usernames and passwords from victim PCs, credentials that are thought to be leveraged in spreading the malware via spam to the victim’s contacts. RSA said this fraud gang appears to have infected more than 192,000 PCs, and stolen at least 83,000 sets of user credentials.

Administration screen of the Bolware gang shows the original Boleto numbers “Bola Original” and their destination bank “Bola”. Image: RSA

RSA notes that the miscreants responsible for the Bolware operation appear to have used just over 8,000 separate accounts to receive the stolen funds. That’s roughly 7,997 more accounts than were used by the boleto bandits responsible for the diverted transactions in the boleto botnet control panel I discovered.

Researchers at RSA suggest that Brazilians who wish to transact in boletos online should consider using a mobile device to manage their boleto transactions, noting that boleto-thieving malware currently is not capable of altering the data stored in the barcode of each hijacked boleto order — at least for the time being.

“As the malware does not alter the barcode (for now), the safest approach is to use mobile banking applications available on smart phones (for now, immune to this malware) to read the barcode and to make payments,” the company said in its report (PDF) on this crime wave.
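As an added illustration of the check behind RSA’s advice (this is example code written for this page, not code from the article, from RSA or from any bank), the block below rebuilds the 44-digit barcode from the 47-digit typed boleto line, verifies the check digits, and compares it field by field with a barcode obtained from a trusted channel, such as a scan of the printed document. Assumptions: the field layout and the mod-10/mod-11 check-digit rules follow the common FEBRABAN bank-boleto layout as understood here and should be confirmed against the bank’s own specification; the bank codes, due-date factor, amount and free field in the sample are constructed values.

```python
"""Boleto typed-line checker: rebuild the 44-digit barcode from the 47-digit
'linha digitavel', validate its check digits, and diff it against a barcode
read from a trusted channel (e.g. scanned from the printed boleto).

Added example, not code from KrebsOnSecurity or RSA. Field layout and the
mod-10 / mod-11 rules follow the common FEBRABAN bank-boleto layout as this
example understands it (assumption: confirm against your bank's spec).
"""
import re


def mod10(digits: str) -> int:
    """Check digit for each of the three fields of the typed line: weights
    2,1,2,1,... from the right; products above 9 reduced by summing their digits."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod <= 9 else prod - 9   # same as summing the two digits
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """General check digit of the barcode: weights 2..9 cycling from the right;
    DV = 11 - (sum mod 11), with results 0, 10 and 11 mapped to 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, due_factor: str, value_cents: int,
                  free_field: str, currency: str = "9") -> str:
    """Assemble a 44-digit barcode: bank(3) currency(1) DV(1) due(4) value(10) free(25)."""
    if len(bank) != 3 or len(due_factor) != 4 or len(free_field) != 25:
        raise ValueError("bank=3, due_factor=4 and free_field=25 digits required")
    body = bank + currency + due_factor + f"{value_cents:010d}" + free_field  # 43 digits
    return body[:4] + str(mod11(body)) + body[4:]


def barcode_to_linha(barcode: str) -> str:
    """Render the 47-digit typed line from a 44-digit barcode."""
    f1 = barcode[0:4] + barcode[19:24]     # bank + currency + free field 1-5
    f2 = barcode[24:34]                    # free field 6-15
    f3 = barcode[34:44]                    # free field 16-25
    f4 = barcode[4]                        # general check digit
    f5 = barcode[5:19]                     # due-date factor + value
    return f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}{f4}{f5}"


def linha_to_barcode(linha: str) -> str:
    """Parse a typed line (dots/spaces allowed), verify all four check digits
    and return the 44-digit barcode. Raises ValueError on any failure."""
    d = re.sub(r"[ .]", "", linha)
    if not re.fullmatch(r"\d{47}", d):
        raise ValueError("linha digitavel must contain 47 digits")
    f1, f2, f3 = d[0:9], d[10:20], d[21:31]
    for name, field, dv in (("field 1", f1, d[9]), ("field 2", f2, d[20]),
                            ("field 3", f3, d[31])):
        if mod10(field) != int(dv):
            raise ValueError(f"bad mod-10 check digit in {name}")
    general_dv, due_value = d[32], d[33:47]
    barcode = f1[:4] + general_dv + due_value + f1[4:] + f2 + f3
    if mod11(barcode[:4] + barcode[5:]) != int(general_dv):
        raise ValueError("bad mod-11 general check digit")
    return barcode


def diff_against_trusted(typed_linha: str, trusted_barcode: str) -> dict:
    """Compare the line the browser is about to submit with a barcode read from a
    trusted channel. Returns {field: (typed, trusted)} for every mismatch; an
    empty dict means the payment goes where the printed boleto says it goes."""
    typed = linha_to_barcode(typed_linha)
    parts = {"bank": (0, 3), "currency": (3, 4), "due_factor": (5, 9),
             "value": (9, 19), "free_field": (19, 44)}
    return {k: (typed[a:b], trusted_barcode[a:b]) for k, (a, b) in parts.items()
            if typed[a:b] != trusted_barcode[a:b]}


# Constructed sample: a legitimate boleto, and a "linha alterada" whose bank code
# and free field (the account-identifying data) were swapped with the check
# digits recomputed, which is what a diverted transaction looks like.
LEGIT_BARCODE = build_barcode("001", "6100", 12345, "1" * 25)
LEGIT_LINHA = barcode_to_linha(LEGIT_BARCODE)
ALTERED_LINHA = barcode_to_linha(build_barcode("237", "6100", 12345, "2" * 25))

if __name__ == "__main__":
    print("typed line  :", LEGIT_LINHA)
    print("legit diff  :", diff_against_trusted(LEGIT_LINHA, LEGIT_BARCODE))
    print("altered diff:", diff_against_trusted(ALTERED_LINHA, LEGIT_BARCODE))
```

The point of the comparison is that the altered line passes every check-digit test, because whoever rewrites the bank and account fields also recomputes the digits; what exposes the diversion is a second copy of the barcode that never passed through the compromised browser, which is exactly why RSA recommends reading it with a separate device.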


72 thoughts on “Brazilian ‘Boleto’ Bandits Bilk Billions”

  1. Morgan

    Brian, do you know why Brazilians would choose to use Boletos if they aren’t subject to chargebacks? It seems like a silly thing to do, especially when credit cards are acceptable forms of payment practically anywhere.

    1. sirrix

      Having done a lot of business in Brazil, I can hypothesize that many people in Brazil still have trouble getting access to credit. Bank transactions are an exceptionally popular way to pay for things. It’s also common to buy things on installment payments – that can be done via credit card but in many cases businesses don’t want to deal with handling your credit card and will prompt payment via bank transfer.

    2. Marco Floriano

      Usually when you pay via Boleto, you get a big discount (10 to 15%). Also, it’s cheaper (and easier) for the selling company to charge with boleto.

      1. Hugo

        In what way is it easier? You need to print or save the boleto, go to your online banking (or to the bank itself), scan the code or write all the 2983u1831 numbers and pay it. Sorry, but this isn’t easier than paying using a credit card.

        1. Anderson Lima

          It’s easier because there are much more taxes in the credit card payment for the company than the boleto payment, which is almost like a bank transaction. In other words, it is easier for the company (not for the customer) and given the ease, the institutions are able to offer a few discounts.

      2. loudcloud

        Believe it or not, it’s the same way in the US. Next time you’re about to buy a TV (or another big ticket item), ask the manager for a CASH discount. Most stores will give you one. If the one you’re at doesn’t, find one that does.

        1. Raphael A. Oliveira

          It’s easier in the sense of implementing it, all you gotta do is to download or implement your favorite Boleto generating method and input the receiving bank account data and you’re golden.

          That’s way easier than jumping thru the redtape of getting credit card machines or processing tokens.

          And boletos are still massively popular because they’re flexible, so an electricity or cable company only needs to print those and mail it to you and you can pay in whichever way you choose, either by credit card, debit card, checks, or simply cash.

          Popular boleto-accepting places (places where you can pay your boletos, either they were printed by yourself or mailed to you) includes supermarkets, lottery houses, gas stations… essentially everywhere, the minority of boleto transactions are completed thru the internet though.

          So for us, it’s more convenient for bills and non-immediate stuff (for stuff you want done on the day, you use your credit card, because boletos can take up to 4 days to be processed, that’s why it’s used mainly in the utility bills).

          Not only that, but it’s also a way for an underage boy to have access to internet goods and services. I used to have an online game server a while ago, and most transactions were completed thru boletos, because that was the only way a 15 year old boy could buy internet goods using physical paper money.

          Hopefully I cleared some things up.

    3. Marcelo

      In Brazil many people don’t have access to credit cards.
      Credit cards also charge a percentage commission from the seller based on the final sale price. Because of this, many stores will give you a discount (up to 15%) if you pay in cash or “boleto”.

      Boletos are traceable as they transfer the money to a bank account. The problem is that the bank accepted fake documents to create those accounts. Now they have to capture the thieves when they try to cash the money. (If they didn’t already do so)

      Boletos are generated by banks. To generate a boleto for your legitimate business is an incredible bureaucratic process.

    4. James

      Here’s the thing for those unfamiliar with the situation in Brazil:

      1 – You can’t pay most things by Credit Card. Most people don’t have a Credit Card

      2 – Using a Boleto is mandatory for several payments (Government payments mostly but several service providers – water, electricity, phone, etc). Credit card balances are paid, guess how, with a Boleto

      3 – The mailing of cheques is very rarely used

      4 – Boletos are payee initiated methods of payment, with its number you can pay the bill (usually) in several places or online.

      1. Altieres Rohr

        The boletos for bills such as electricity, phone and water are different (most of the time). They are called the same, but work differently and have a different bar code format. They are not targets for this fraud.

    5. sebastian

      flowing, my company, is in Brazil.

      They are valid only nationally but several good things about Boletos:

      1. When paid, money enters in your account very fast 24h or 48h as opposed to ~30 days of the credit card companies (think capital costs)

      2. Cheap. They cost you about u$s1 that you pay only if the Boleto got paid (if it expires and you have to send another, that would be free of charge until the new one gets paid)

      3. No commissions, as opposed to credit cards usually taking 3% to 5% of your money (plus giving it you only 30 days after your client pays).

      That should give you plenty of reasons why Boleto is so popular. It’s good, it works, makes your money go to you fast and simple and is actually secure for you to send them.

      Those schemes are annoying to receive of course, but you soon learn to smell them from miles away. They sound like email phishing schemes only with paper (snail mail)

      1. Henrique Bastos

        There is an important 4th point I learned creating e-commerce solutions in Brazil: Most people still don’t trust credit card. I’ve seen over and over again customers demanding boleto.

    6. Hannah

      I’m from Brazil. The reason Brazilians use boletos is because their purchase can be divided into several payments (sometimes up to 12) versus credit cards only divide payments in up to 4 times. They have a false sense of spending less money when they look at 10 payments of $10/month versus $100 at one time.

    7. Diego Bitencourt Contezini

      Hello ppl, I’m Brazilian and maybe I can help you understand this Brazilian payment scene.

      Here if you want to bill thru CreditCard, every CreditCard Company in Brazil will charge you a tax that is between 4% and 7,5%.
      And they only will transfer you the value of your sales in D+30 (30 days after it’s sold.)

      Billing with Boleto, we have a fixed tax, varying by bank, between US 2,00 and US 4,00.
      And you receive your money varying from D+1 and D+3 (1 to 3 days).

      So, here, it’s really the cheaper and faster way to bill someone.

      BR.

      Diego

  2. Uri

    Morgan,

    Many people in Brazil don’t have any bank account.

    Their only options to pay bills and purchase goods are using cash or Boletos (Boleto Bancario) as those are the only payment methods which one can use without having a banking account in Brazil.

    More info on the Brazilian online payment methods can be found at the following links:

    http://techinbrazil.com/online-payment-for-e-commerce-in-brazil

    http://thebrazilbusiness.com/article/boleto-bancario-for-beginners

    http://info.abril.com.br/noticias/seguranca/de-cada-r-100-roubados-de-bancos-95-sao-por-computador-05052013-2.shl

    1. Igor Cellani

      Uri, in this case, if they don’t have a bank account, the person needs to pay this boleto at the bank in cash, not at the internet banking.

      I usually pay my boletos at internet banking, but I use a safe computer to do this

      1. Rabid Howler Monkey

        Igor Cellani wrote:
        “I usually pay my boletos at internet banking, but I use a safe computer to do this”

        A link to Brian’s best practices for online banking appears on all levels of this web site, but it is, IMO, worth including here in the discussion thread for those businesses and individuals that might benefit:

        http://krebsonsecurity.com/online-banking-best-practices-for-businesses/

  3. TheOreganoRouter.onion.it

    Wouldn’t it just be easier for people in Brazil to use an online Paypal account to transfer money instead of using an only one-way money transfer system like boleto?

    1. Bot Fap

      what part of many don’t have bank accounts are you not grasping?

      1. TheOreganoRouter.onion.it

        I am sure that a certain percentage of the Brazilian population have a bank account

    2. Igor Cellani

      TheOreganoRouter.onion.it, PayPal is not accepted here yet by the companies. We need to use boletos or credit card.

      1. TheOreganoRouter.onion.it

        I just checked PayPal and yes, in fact it’s available in Brazil.

        1. Wow.Really?

          Listen to yourself. Available does not equal Accepted by the payee. Try paying a credit card bill in the US with PayPal – they won’t accept it.

    3. Joca

      And how many people do you think have Internet access all the time?

      1. TheOreganoRouter.onion.it

        Sure, a lot of spam comes from Brazil either directly or by way of abused proxy servers.

        1. server N1

          TheOreganoRouter.onion.it, I think that you are the biggest spammer in here. Every single time I see your face. How can you know everything about everything?

          1. TheOreganoRouter.onion.it

            I never said in any of my posts that I was an expert in anything. Bragging is narcissistic, which I’m not!

            I am here reading these great articles just to learn more about internet security just like everyone else that posts here.

  4. Andre

    Boletos are cheaper for the issuing company as they don’t have to pay the credit card fees, and you can pay them with almost any means and almost anywhere. Credit cards are not as common as in the US as credit is a lot more expensive in Brazil. You won’t believe the interest rates here.

    Companies are in general migrating to DDA boletos, where you receive it directly through your online banking and the customer does not need to type or scan a barcode.

  5. petepall

    Brian, I have discovered your weakness: alliteration!

  6. leallan

    Brian, the RSA link seems to have gone missing.

  7. Carlos Santos

    Brian, you too… why do so many people think that Brazilians speak Spanish? We speak Portuguese. And “line” in Portuguese is “linha” (as you can see in the first screenshot), not “linea”.

  8. JCitizen

    I’m glad Brian realistically said “yet” in referencing smart phone technology being temporarily immune to these attacks. I’d wager they are already in the wild, but have not surfaced, because the victims are, at this time, clueless to the compromise of their transactions.

  9. MariaCristina

    Morgan, I’m Brazilian and I live in Brazil.
    Our team from LinhaDefensiva.org (a security site that does malware analysis and report) found this malware scheme here in Brazil +- 1 year ago.
    The “bank boleto” is the preferred way to pay bills and online shopping here because most of the people don’t have credit card, not even bank credit. So, if you live in USA and want to sell something that I want to buy, and if I don’t have a credit card, all you need to do is to ask your own bank to generate a “boleto”. This is your guarantee. Also, there’s a lot of websites that offer such services.

  10. Altieres Rohr

    Febraban (the bank’s association in Brazil) reports ~US$ 700 million in electronic frauds a year for the past few years. Of those, US$ 400 to 500 million are credit card-related frauds, with internet banking-related fraud accounting for only US$ 140 million or so.

    It would take many years to reach these figures that the RSA has. It would mean billions in frauds are going unreported every year. Or that the RSA number is completely off the mark.

    The fraud itself is very old (as the research itself points out) and like Andre said, DDA is already a solution.

    Generating a boleto is not difficult at all. Both banks and third-party companies provide web services that generate the code on-demand, as well as services which rework the numbers to change the due date. Further, as long as you modify the numbers related to the bank account and bank identification, the money will go to that account.

    As for why boletos are popular even in the internet age, the reason is that they are completely safe for the seller and they have a flat cost of US$ 2 or less, while credit card payment processors can charge as much as 5% per sale, plus risk of fraud (see number above).

    1. Souza

      “Febraban (the bank’s association in Brazil) reports ~US$ 700 million in electronic frauds a year for the past few years.”

      How come Febraban
      has kept this fact as a secret from the Brazilian population for so so many years?

      Is Febraban an organization
      which only protects its member banks
      and not banking consumers at all?

      And who oversees/monitors Febraban, then?

      1. Altieres Rohr

        This is not a secret. Far from it. They have been publishing this information every year for a few years now. A few years back they even held an online press conference, which if I remember right was open to the public, in which they gave many details such as how much money the banks were investing in security and the percentage of fraudulent transactions that got through their systems, as well as the total amount of money lost and the breakdown.

        You can read this piece of mine from late 2012 here:
        http://g1.globo.com/tecnologia/blog/seguranca-digital/post/bancos-querem-seguranca-invisivel-no-acesso-a-conta-pela-internet.html

  11. Brazilian

    Brian the RSA blog link for the PDF is broken. Do you have the working version?

  12. JimV

    I started noticing a significant uptick in spam with malware attachments from Brasilian-server addresses a couple of years ago — now I have a better notion of what those spammers were up to….

    As always, great reporting Brian!

  13. Jon Marcus

    Many of the hijacked boleto transactions are low-dollar amounts…thieves had hijacked some 383 boleto transactions between February 2014 and the end of June, but had stolen the equivalent of nearly USD $250,000 during that time.

    That’s over $500/transaction. Not low-dollar amounts even in my US middle-class estimation, let alone when converted to the buying power of the real. These aren’t small amounts that would “fly under the radar” of most people. Seems unlikely that they’d be missed. Do the banks refuse to do reverse transfers when called on this?

    1. BrianKrebs Post author

      That’s why averages are often poor indicators of a number that truly is typical of the data set. In this case, there were some very high-value transfers, including one for over 100k, which skew the average. If we were to discard these few high outliers, the average would be much lower than 500.

      1. Carrie

        Maybe use the “mean” instead of “average” to convey that?

  14. Richard Steven Hack

    A billion here, a billion there – and pretty soon you’re talking about real money. 🙂

    But apparently Senator Everett Dirksen never actually said that. 🙂

    But he should have. ‘Cuz it’s gonna be true in computer crime pretty soon. 🙂

  15. Berend de Boer

    Thanks to all who do business in Brasil and have commented here.

    What do you guys think about Bitcoin, would that be a suitable and more secure replacement?

    1. Noclo

      Once the attacker has hijacked your computer, nothing is safe.

    2. Guilherme

      kkkk It’s easier for malware to steal the whole wallet instead of just a transaction!! kkkk

    3. SeymourB

      It’s a replacement in that you also don’t get to dispute transfers and an infected computer can result in you losing money.

      It sounds like boleto malware typically results in small fraudulent transactions that can’t easily be reversed, while Bitcoin malware typically seizes all funds available to it as soon as it gains access.

      Would you rather lose your entire savings, or just a portion of it? You’d just be trading the good for the bad (or the ugly).

    4. MalwareTech

      Yes, because everyone would rather have their entire bank account stolen instead of a portion of it, with absolutely no chance of reversing the transaction or being reimbursed.

  16. KrebsonSecurityFan

    In the late 1980s, Brazilian banks put a lot of work in developing banking services via dial-up modem (pre-Internet). At the time, inflation was very high. By the time a check cleared, the amount lost 10% of its value.

    The Boleto Bancario system seems to be related to this effort as it allows the payer to pay the exact amount without the payer having to even have a bank account or credit card. As times changed, the Boleto system interacted with online banking and this fraud appeared taking advantage of the confidence the public has in the Boleto system.

    Banks have to get more involved. The falsified Boleto numbers that the thieves create are still legitimate Boleto numbers in the system as the payments end up in the receiver’s bank account eventually.

  17. Shawn B

    Not sure if someone mentioned this yet, but in the US we are lucky enough to have “zero liability” on Credit Card transactions. But in many places around the world this isn’t the case. If your credit card gets stolen in many countries, the credit card company will just tell you to call the police because that’s who you call when something gets stolen. Oh and by the way, you owe us the $7000 the crook charged on your card.

  18. Do Not Track

    Hope everyone is following THIS:
    https://www.schneier.com/blog/archives/2014/07/nsa_targets_pri.html

    Fair warning, slight rant follows…
    How is this not a declaration of World War by the nsa? Setting out to detect and target those who wish their privacy respected? Never mind coy wtf’s, this is a WHAT THE FUCK??? moment.

    So Brian, you’re the expert: Can you answer the question? To remind you, the question is What The Fuck???

    I think it’s time people stopped saying “The NSA doesn’t need and can’t use” this kind of info. They seem to disagree, and I don’t think we should be so confident they don’t have specific plans to use this data, considering the resources being spent and the risks (political, economic, national security) being taken.

    Just because the uses might be unthinkable doesn’t mean they’re not doable. Yet that would seem to be the general consensus: If I wouldn’t do it, then they wouldn’t either, because law and kittens.

    We owe it to the likes of Aaron Schwarz, Daniel Ellsberg, Edward Snowden to not roll over and take this lying down. Don’t forget, we kinda owe it to ourselves and each other too.

    1. DNT

      forgot Chelsea Manning, sorry Chelsea, only Aaron got it worse than you

  19. Blanche Dubois

    I really like Brazil.
    For credit card and debit card number entrepreneurial theft anywhere in the world by the golden boys in East Europe and Western Russia, they are a strong competitor to the US thieves in buying stolen credit cards, for re-sale.
    Competition amongst thieves boosts prices!
    Adam Smith rules.
    Brazil, along with the US, Thailand, and a few other reprobate countries, is firmly committed to maintaining the US 60 year old magnetic strip technology for credit and debit cards.
    Thank ye!
    Just how do you say “Target dufus lucrative breach” in Portuguese?
    In fairness, this Krebs expose clearly illustrates that the second best country of which to be a resident for consumer credit card protections, is the US (vs. the “freedom fries” EU).
    But those US protections were enacted in the 1970s, and very unlikely to be updated to 2014 tech or thieves, thanks to an archaic 1787 Constitution.
    To those Yanks reading this, may you thoroughly enjoy your financial/consumer protection delusions.

  20. Tom

    Cheeky crooks … it just highlights how paranoid I am about online banking, even though I use it all the time!

  21. QHoster

    We have got paid with stolen Boleto as well. Thought this was a sure payment system – turned out it is not.

  22. Costely

    Sounds like Boleto was designed for offline transactions with little thought to online security. Banks should step up security, although they probably have little incentive as the customer can’t charge back.

  23. brian

    Hey Brian,

    I’m confused with one thing; the white paper reports 3.75B in losses due to 495k fraudulent transactions.
    That would mean an average transaction would be around 7.5k. Unless the vast amount of the money came from a few thousand transactions, it doesn’t seem to fit.

    or the admin panel is simply falsified by the fraudsters.

  24. Maureen

    Wow. I almost skipped this article, but it and the comments have made this one of my favorite articles. My thanks to Brian and all of the knowledgeable commenters!

  25. Chris

    The “Transaction Verification” features in CryptoPhoto block this kind of malware from working.
