
Woburn, MA – September 26, 2014 – Kaspersky Lab researcher Fabio Assolini presented his investigation into the Boletos malware threat, a widespread financial fraud campaign targeting Brazilian users, at the Virus Bulletin conference.

Some users have long since decided that financial malware makes it too dangerous to use any online payment service. But does this ultra-cautious approach keep them truly safe? According to Fabio Assolini, it does not, especially in his native Brazil, where Boletos are a popular means of settling accounts both online and offline.

  • Brazilian criminals alter the payment credentials in Boletos, the special payment documents generated on the victim's PC
  • To do this, they use a range of techniques: SpyEye-style browser injection, delivery of encrypted malware payloads, and malicious browser extensions distributed through the official app store
  • The damage already caused by Boleto fraud schemes could run to millions of dollars

Boletos are one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a feature unique to the Brazilian market. A Boleto is a special paper document carrying a bar code and a unique 44-digit ID code. To pay with a Boleto, the user prints the document and then either takes it to a bank or ATM or logs into an online bank account, scans the bar code or types in the ID code, and completes the transaction in cash or by digital payment. The bar code and 44-digit ID are unique to each Boleto, which in turn is tied to a specific purchase, to limit the chances of anything going wrong.

The fraud scheme. Most online services issue Boletos automatically; the document and all of its payment credentials are generated in the browser on the user's device. This is where the criminals step in. Using various malicious techniques, they silently alter the payment credentials, in particular the bar code and the ID code, so that the payment is redirected to a different bank account. Most people would struggle to notice the change until it is too late, and that is how the whole scam works: victims unknowingly transfer money to a fraudster's account while believing they are paying for a legitimate deal.
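The scheme above works because nothing in the payment flow checks that the code the victim types or scans still names the merchant's bank and the agreed amount. The following Python is an added example written for this page, not Kaspersky's code or any tool from the campaign: it splits a 44-digit boleto bar-code number into its fields and compares the payee bank and amount against what the merchant quoted out of band. The field layout and the mod-11 general check digit are the standard FEBRABAN bar-code layout (bank code, currency, check digit, due-date factor, amount in cents, free field); the bar codes themselves are constructed in the script and are not real boletos. Note that a correct check digit says nothing about fraud, since the fraudster's replacement code is also well formed; the useful signal is a payee bank or amount that does not match the invoice.

```python
"""Added example (not Kaspersky's code): parse a 44-digit boleto barcode and
check the fields a browser-side injection would alter against the deal the
payer believes they are settling.

Field layout and the mod-11 general check digit follow the standard FEBRABAN
barcode layout: positions 1-3 bank code, 4 currency (9 = BRL), 5 general check
digit, 6-9 due-date factor, 10-19 amount in cents, 20-44 free field.  The
sample barcodes below are constructed here, not taken from real boletos.
"""


def mod11_check_digit(digits43: str) -> int:
    """General check digit over the other 43 digits (position 5 removed).

    Weights 2..9 cycle from the rightmost digit leftwards; the result
    11 - (sum mod 11) is replaced by 1 when it would be 0, 10 or 11.
    """
    total = 0
    weight = 2
    for ch in reversed(digits43):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - (total % 11)
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, due_factor: str, amount_cents: int, free_field: str) -> str:
    """Assemble a well-formed barcode with a correct general check digit."""
    if len(bank) != 3 or len(due_factor) != 4 or len(free_field) != 25:
        raise ValueError("bad field length")
    body = bank + "9" + due_factor + f"{amount_cents:010d}" + free_field  # 43 digits
    return body[:4] + str(mod11_check_digit(body)) + body[4:]


def parse_barcode(code: str) -> dict:
    """Split the 44 digits into fields and validate the general check digit."""
    if len(code) != 44 or not code.isdigit():
        raise ValueError("boleto barcode must be exactly 44 digits")
    return {
        "bank": code[0:3],
        "currency": code[3],
        "check_digit_ok": mod11_check_digit(code[:4] + code[5:]) == int(code[4]),
        "due_factor": code[5:9],
        "amount_cents": int(code[9:19]),
        "free_field": code[19:44],
    }


def verify_against_deal(code: str, expected_bank: str, expected_amount_cents: int) -> list:
    """Return the discrepancies between the barcode and the deal; [] means it matches.

    The expected bank and amount must come from somewhere the malware cannot
    touch (the merchant's published bank details, a printed invoice), because
    on an infected machine everything shown in the browser may be altered.
    """
    fields = parse_barcode(code)
    findings = []
    if not fields["check_digit_ok"]:
        findings.append("general check digit does not validate (corrupted or mistyped code)")
    if fields["currency"] != "9":
        findings.append(f"currency code {fields['currency']} is not 9 (BRL)")
    if fields["bank"] != expected_bank:
        findings.append(f"payee bank {fields['bank']} differs from merchant's bank {expected_bank}")
    if fields["amount_cents"] != expected_amount_cents:
        findings.append(f"amount {fields['amount_cents']} cents differs from invoice {expected_amount_cents} cents")
    return findings


# Constructed samples.  MERCHANT_* is what the shop's invoice says; LEGIT is the
# barcode the shop would issue; INJECTED is the same deal redirected to another
# bank, as the Trojan described above would do; CORRUPTED is LEGIT with a wrong
# check digit, to show the format check on its own.
MERCHANT_BANK = "001"
MERCHANT_AMOUNT_CENTS = 12990  # R$ 129,90
LEGIT = build_barcode(MERCHANT_BANK, "0000", MERCHANT_AMOUNT_CENTS, "1" * 25)
INJECTED = build_barcode("237", "0000", MERCHANT_AMOUNT_CENTS, "5" * 25)
CORRUPTED = LEGIT[:4] + str(int(LEGIT[4]) % 9 + 1) + LEGIT[5:]

if __name__ == "__main__":
    for name, code in (("legit", LEGIT), ("injected", INJECTED), ("corrupted", CORRUPTED)):
        print(name, code, verify_against_deal(code, MERCHANT_BANK, MERCHANT_AMOUNT_CENTS))
```

Running the script prints an empty list for the legitimate code, a single bank-mismatch finding for the injected one (its check digit is valid, which is exactly why checksum validation alone cannot catch the fraud), and a check-digit finding for the corrupted one. The same comparison is what a payer does by hand when the bank's confirmation screen shows the payee: the bank code in positions 1-3 and the amount in positions 10-19 must match the merchant, not just look plausible.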

The malicious techniques. Brazilian criminals use a whole range of different malicious techniques to snare victims in this fraud. The earliest incident, spotted in April 2013, used Trojans to inject malicious code in the browser in the same way as the infamous SpyEye banking Trojan.

Cybercriminals were even able to attack Boleto-issuing services that use SSL encryption. One piece of malware analyzed by Kaspersky Lab experts bundled Fiddler, a web debugging proxy, and some Boleto malware uses it to intercept SSL traffic or to mount man-in-the-middle attacks, altering Boletos even when they are generated on HTTPS pages.

In another case, Brazilian fraudsters borrowed the technique of delivering encrypted malware payloads, first used by the ZeuS/Gameover operators. Encrypted payloads give criminals an effective way past firewalls, web filters, network intrusion detection systems and whatever other defenses may be in place: a tiny Trojan downloads the encrypted files and decrypts them locally to complete the infection.

In addition, criminals were spotted using malicious browser extensions for Chrome, which were successfully distributed through the official Chrome Web Store, as well as extensions for Firefox.

The impact. According to publicly available information, attacks on Boleto users – private individuals and companies alike – have caused real financial losses worth millions of dollars a year. Kaspersky Lab experts saw no evidence that could precisely confirm these estimates, but to gauge the problem they sinkholed a C&C server and found numerous victims. For example, the logs of just one malicious server registered more than 612,000 requests in three days, each one asking for a fraudulent ID field to be injected into a Boleto generated on the infected machine.

To protect against Boleto fraud, Kaspersky Lab experts advise companies issuing such documents to generate Boletos as PDFs on the server side instead of as HTML in the browser. Because the document is then rendered outside the page's DOM, criminals lose the in-browser injection point they use to alter HTML-generated Boletos on an infected computer.

Individuals using Boletos for personal transactions are advised to use a reliable security solution with dedicated technologies that protect online financial transactions.

To find out more about Boleto fraud schemes read the full article on Securelist.

The Boletos Fraud: An Online Threat to Offline Users
