Feed aggregator

New Signed Version of CryptoWall Ransomware On the Loose

Threatpost for B2B - Tue, 09/30/2014 - 09:37
Researchers have discovered a variant of the CryptoWall ransomware that has a valid digital signature and is being distributed through malicious ads on several top-ranked Alexa Web sites. CryptoWall is one of the more successful ransomware strains in recent memory, with researchers estimating last month that the malware had grossed more than $1 million for […]

Breaches in corporate network protection: access control

Secure List feed for B2B - Tue, 09/30/2014 - 08:43

In almost any company the IT security department faces two priority tasks: ensuring that critical systems operate continuously and reducing the risk of attacks on the corporate network. One of the most effective approaches to both these problems is to restrict the privileges of system users.

In terms of IT security, critical systems have two basic properties - integrity and availability - that affect their operational continuity. To protect a corporate network from attacks it is necessary to reduce the attack surface by reducing the number of devices and network services available from outside the corporate network and by protecting the systems and services that require such access (web services, gateways, routers, workstations, etc.). The main vector of attack on a corporate network is the user computers connected to the Internet on that network.

Theoretically, to protect critical systems from unauthorized changes and reduce the possibility of attacks on the corporate network, you should:

  • specify those objects (equipment, systems, business applications, valuable documents, etc.) on the corporate network  that require protection;
  • describe the company's business processes and use those to help determine the levels of access to the protected objects;
  • ensure that each subject (a user or a corporate application) has a unique account;
  • limit subjects' access to objects, i.e. to restrict the rights of the subjects within the business processes;
  • ensure that all operations between the subjects and the objects are logged and the logs are stored in a safe place.

In practice, it works more like this:

  • All corporate documents are stored centrally in shared folders on one of the servers of the company (for example, on the Document Controller server)
  • access to critical systems is denied to everybody but administrators - any administrator - can log into the system remotely to quickly repair any failure
  • Sometimes administrators use a "shared" account
  • All employees have limited privileges as a 'standard user' but on request anyone can get local administrator rights.

Technically, it is much easier to protect critical systems than workstations: changes in business processes are rare, regulations vary little and can be drawn up to account for even the smallest details. By contrast the users' work environment is chaotic, their processes change rapidly and the protection requirements change along with them. In addition, many users are suspicious of any restrictions, even when there is no impact on workflow. Therefore, the traditional protection of users is based on the principle 'it is better to miss malicious software than to block something really important'.

Last year, Avecto conducted a study called "2013 Microsoft Vulnerabilities Study: Mitigating Risk by Removing User Privileges" and concluded that "by removing local administrator rights it is possible to reduce the risk of exploitation of 92% of critical vulnerabilities in Microsoft software". The conclusion seems logical but it should be noted that Avecto did not test vulnerabilities; it only analyzed data from the Microsoft Vulnerability Bulletin 2013. Nevertheless, it is clear that malicious software running without administrator rights cannot install a driver, create/modify files in protected directories (% systemdrive%,% windir%,% programfiles%, etc.), change system configurations (including writing to the HKLM registry hive) and most importantly - cannot use privileged API functions.

In reality, though, the lack of administrator rights is not a serious obstacle for either malicious software or a hacker penetrating into the corporate network. Firstly, any system has dozens of vulnerabilities that open up the necessary rights up to kernel level privileges. Secondly, there are threats which only require standard user privileges to be implemented. The diagram below shows possible attack vectors that do not require any administrator rights. Let's have a closer look at them.

Local attacks

With only standard user privileges, the attacker gets full access to the memory of all processes running under the user account. This is enough to integrate malicious code into processes in order to remotely control the system (backdoor), to intercept keystrokes (keylogger), to modify the content in the browser, etc.

Since most antivirus programs can control attempts to implement unknown code in the processes, attackers often use more secretive methods. Thus, an alternative method applied to implement a backdoor or a keylogger in the browser process is to use plugins and extensions. Standard user privileges are enough to download a plugin, and that code can do almost everything a fully-featured Trojan is capable of. That includes remotely controlling the web browser, logging data entries in browser traffic, interacting with web services and modifying page content (phishing).

Fraudsters are also interested in standard office applications (such as email and IM-clients) which can be used to attack other network users (including phishing and social engineering). Scammers can access programs like Outlook, The Bat, Lync, Skype, etc. via API and local services of such applications as well as by injecting code into the relevant processes.

Of course it's not just applications that are of value to fraudsters; the data stored on the PC is also a potential goldmine. In addition to corporate documents, attackers often look for different application files containing passwords, encrypted data, digital keys (SSH, PGP), etc. If the user's computer has the source code, attackers could try to implement their code into it.

Domain attacks

Since the accounts of most corporate users are domain accounts, the domain authentication mechanisms (Windows Authentication) provide the user with access to various network services on a corporate network. This access is often provided automatically without any additional verification of the username and password. As a result, if the infected user has access to the corporate database, attackers can easily take advantage of it.

Domain authorization also allows attackers to access all network folders and disks available to the user, share internal resources via the intranet and sometimes evenaccess other workstations on the same network segment.

In addition to network folders and databases, the corporate network often includes various network services such as remote access, FTP, SSH, TFS, GIT, SVN, etc. Even if dedicated non-domain accounts are used to access these services, attackers can easily utilize them while the user is working on his computer (i.e. during an active session).


It is almost impossible to provide high level of protection for workstations by denying users administrative rights. Installing antivirus software on a workstation will increase its security but won't solve all problems. To achieve high security levels, Application Control technology should consist of three key elements:

  1. Default Deny, which only allows the installation and running of software that has been approved by the administrator. In this case, the administrator does not have to put each individual application (hash) on the list of trusted software. There is a wide variety of generic tools available to enable dynamic whitelisting of all software signed by an approved certificate, created by an approved developer, obtained from a trusted source or contained in the Whitelisting database of a security software provider.
  2. Application Control that can restrict the work of trusted applications according to their functions. For example, for normal operation the browser should be able to create network connections but it does not need to read/write other processes in the memory, connect to online databases or store files on the network.
  3. Update management that ensures all software on workstations is updated promptly, reducing the risk of infection via update mechanisms.

In addition, specific products which feature Application Control can provide a range of useful functions based on this technology: inventory, control over software installed on the network, event logs (which will be useful in the case of incident investigation), etc.

On the one hand, the combination of technologies can provide users with everything they need for work and even for entertainment and is flexible enough to deal with changing requirements. On the other hand, the chances of an attacker gaining access to the protected system are extremely limited. No doubt, this is the best balance between flexibility and security in protecting a corporate network.

Apple Patches Shellshock Vulnerability in Bash for OS X

Threatpost for B2B - Mon, 09/29/2014 - 17:34
Apple released its patch for the Bash vulnerability, repairing versions of OS X vulnerable to Shellshock exploits.

WPScan Vulnerability Database a New WordPress Security Resource

Threatpost for B2B - Mon, 09/29/2014 - 15:31
Researcher Ryan Dewhurst released the WPScan Vulnerability Database, a database housing security vulnerabilities in WordPress core code, plug-ins and themes. It's available for pen-testers, WordPress administrators and developers.

RadEditor Web Editor Vulnerable To XSS Attacks

Threatpost for B2B - Mon, 09/29/2014 - 11:15
All versions of an HTML editor used in several Microsoft properties, including ASP.NET, suffer from a high-risk cross-site scripting (XSS) vulnerability.

CloudFlare Rolls Out Free SSL

Threatpost for B2B - Mon, 09/29/2014 - 10:29
In a move that will essentially double the number of SSL-protected sites on the Web in the space of 24 hours, CloudFlare on Monday said that it was enabling SSL for all of its more than two million customers for free. The new service is called Universal SSL, and the company is making it available […]

FBI to Open Up Malware Investigator Portal to External Researchers

Threatpost for B2B - Mon, 09/29/2014 - 09:22
SEATTLE–The FBI has developed an internal malware-analysis tool, somewhat akin to the systems used by antimalware companies, and plans to open the system up to external security researchers, academics and others. The system is known as Malware Investigator and is designed to allow FBI agents and other authorized law enforcement users to upload suspicious files. […]

Apple: OS X Safe By Default Against Bash Vulnerability

Threatpost for B2B - Fri, 09/26/2014 - 13:14
Apple said it is working on a patch for OS X to counter the Bash vulnerability, but in the meantime is telling users the OS is safe by default.

Government Requests for Yahoo Data Down Slightly

Threatpost for B2B - Fri, 09/26/2014 - 09:34
Yahoo published its third Transparency Report, which reveals that it fielded fewer requests for user data than the previous reporting period, and that it also received between 0-999 National Security Letters.

Shellshock and its early adopters

Secure List feed for B2B - Fri, 09/26/2014 - 05:27

Shortly after disclosure of the Bash bug called "Shellshock" we saw the first attempts by criminals to take advantage of this widespread vulnerability also known as CVE-2014-6271.

The most recent attempts we see to gain control of webservers just create a new instance of bash and redirect it to a remote server listening on a specific TCP port. This is also known as a reverse-connect-shell. Here's an example of how this attack appears in a webserver logfile:

The attacker listens on IP address 195.xx.xx.101 on TCP port 3333, while the attack's origin is the IP address 94.xx.xx.131. To gain control of a server with this method, no external binaries are involved.

In another ongoing attack the criminals are using a specially crafted HTTP-request to exploit the Bash vulnerability in order to install a Linux-backdoor on the victim's server. We're detecting the malware and its variants as Backdoor.Linux.Gafgyt.

The binary contains two hardcoded IP addresses. The first one is only used to notify the criminals about a new succesful infection. The second IP address is used as a command-and-control server (C&C) to communicate directly with the malware running on the infected webserver.

The following picture shows an example on how this communication can look like:

In line 1 the malware sends a "Hello" message and tells the attacker which architecture the binary was compiled for – here it's x86.

Independently of commands sent by the attackers, the backdoor sends a "PING" request every 30 seconds, which is answered with a "PONG" from the server (for better readability we've removed REMOVED is much better (S.O.) --> some of PING/PONG-pairs from the example above).

Commands always start with "!* ". The first command we see in this example is the "SCANNER ON" command in line 10. This tells the binary to scan random IP ranges for hosts accepting telnet connections on TCP port 23. When such a host is found, it tries to login using a hardcoded list of common default user/password combinations.

There is also a rudimentary honeypot fingerprinting routine implemented, which makes use of "busybox" as described by the Internet Storm Center here.

The next task the criminals start on the victim's box is initiated in line 14. Here the binary is told to perform flooding of IP 69.xx.xx.67 using UDP for 50 seconds. In line 17 the attackers stop the flooding in order to restart it in line 18, now targeting 178.x.x.241. The "None Killed." reply in line 21 appears because the flooding instruction from line 14 was already finished when the attacker tried to stop it using "!* KILLATTK" in line 17.

Here's the complete list of commands the backdoor accepts:

!* PING – Replies with "PONG!"
!* SH - Execute arbitrary shell command
!* GETLOCALIP – Replies with "My IP: $ipaddr"
!* SCANNER ON | OFF - Scan random networks, perform a very small dictionary attack (see above), test if target is a honeypot

!* HOLD - Hold flooding
!* JUNK – Perform junk flood
!* UDP – Perform udp flood
!* TCP – Perform tcp flood
!* KILLATTK - Kill all flood
!* LOLNOGTFO – Terminate backdoor.

Related binaries:





Attacks against Boletos

Secure List feed for B2B - Fri, 09/26/2014 - 02:00

José is a very suspicious person. He never uses internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He's well aware of all the risks that exist online, so José prefers to keep his life offline.  However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian crooks created a unique way of stealing money from these cautious, offline-only types: changing "boletos", popular banking documents issued by banks and all kind of businesses in Brazil. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil – even government institutions use them – and they are a unique feature of the Brazilian market.

In a series of online attacks targeting flaws on network devices – especially DSL modems – and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts. It's a new worry for banks and financial institutions in the country.

This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boleto bancário: the Brazilian payment system

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores will accept this kind of payment. All you need to do is print and pay it. According to the Brazilian Central Bank 21% of all payments in the country in 2011 were made using boletos.

Preferred payment methods in Brazil in 2011

According to e-bit 18% of all e-commerce transactions in Brazil in 2012 used boletos as the preferred payment method:

Preferred online payment method in Brazil in 2012

A boleto comes with an expiry date. Before that date it can be paid in at ATMs, branches and internet banking of any Bank, the Post Office, Lottery Agents and some supermarkets until its due date.  After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. This fee varies from BRL 1,00 to BRL 12,00, depending on the bank. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc, is able to get lower fees or even fee exemption, which made the boleto a very important sales tool inside big companies, e-commerce and the government. If a company want to do business in Brazil, it essential to use boletos – Apple, Dell, Skype, Microsoft, DX.com, Alibaba.com, and even FIFA in the 2014 World Cup used it in local operations.

Buying Skype credits with boleto bancário as a payment method

This is the basic structure of a printed boleto bancário:

Boleto bancário for beginners according TheBrazilBusiness.com

  • Issuer Bank: the financial institution responsible for issuing and collection based on an agreement between itself and the merchant. The bank, once authorized to collect payment for the merchant, will credit the amount owed by the client in the merchant's bank account.
  • Identification Field: a numerical representation of the barcode, it contains all the information necessary to identify the merchant's bank account and clear the payment. This field is used in home and self-service banking.
  • Barcode: a code consisting of a group of printed and variously patterned bars (always 103mm in length and 13mm in height) and spaces and sometimes numerals that is designed to be scanned and read by a digital laser scanner and that contains information to identify the object it labels.

To pay a boleto at the bank or online all that is necessary is to scan the barcode – if it's unreadable (due to a bad print) users can type in the 44-number identification code instead. Some banks have a barcode scanner in their mobile apps, so mbanking users don't need to type the ID field; they can pay the boleto using their device's camera.

Paying a boleto using a barcode scanner

What could possibly go wrong? Well, how about changing the barcode or the ID field? It's simple and means payments can be redirected to another account. That's exactly what Brazilian fraudsters started to do – and the easiest and effective way was using malware.

The Brazilian boleto malware

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. It's displayed in the browser, generally in HTML mode, using free libraries available for developers to implement in their ERP software or in their online store system.

BoletoPHP is a free resource for developers to generate boletos using PHP

The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April 2013 by LinhaDefensiva.com and are still being distributed in Brazil today. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

The first generations chose to change the ID field number and the barcode:

A boleto modified by a Brazilian Trojan: the new ID number and barcode redirect the payment to the fraudster's account

Some versions of the malware use a JavaScript injection to change the content of the boleto:

"CodBarras" means barcode in Portuguese

Some later versions of this Trojan appeared and started to change only the numbers in the ID field:

"Linha Digitável" means typeable line in Portuguese; it's the ID field number

These new versions also used a span HTML element in order to add a white space to the barcode, making it unreadable. That forces the customer or bank staff to type the doctored 44-digit ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value and due date for the transaction:

HTML page changed by the Trojan, adding a white space to invalidate the barcode, source LinhaDefensiva.org

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. The "Nosso Número" data ("Our ID Number") is a unique identifier, different for each boleto. Changing the ID number is enough to redirect the payment to another bank account.

Understanding the ID field on boletos

Since most boletos are now generated in a browser, the Trojan targeting Internet Explorer users installs a BHO ready to communicate with a C&C and monitor traffic, looking for words such as "boleto" and "pagamento" (payment), choosing the right moment to inject the code and replacing the ID number stored in HTML with a new one, downloaded from the C&C.

It's like SpyEye: code injection in the browser's section

Initially most of these BHO had a very low detection rate, incorrectly flagged as Trojan banker by normal antimalware products (e.g the MD5s 23d418f0c23dc877df3f08f26f255bb5 and f089bf60aac48e24cd019edb4360d30d). One example of a request made by these BHOs and a response with a new ID number to be injected:

Response: 03399.62086 86000.000009 00008.601049 7 00000000000000

Compromised websites may also host scripts that generate the new ID number for these boletos:

Or something design to inject not only a new ID number but a new barcode as well:

We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated. It's the same infrastructure used in the development of Trojan bankers, as a fraudulent boleto is a new way to steal money from the users.

A bad guy's control panel to control infected machines

Some of the panels offer a lot of details to the crooks, such as the date/hour the boleto was generated/changed, the old ID field and the replacement injected by the malware, the value and the origin – where the boleto was generated, if it was local or on a website.

Another boleto malware panel

Right now it's really easy to find places where wannabe cybercriminals can buy this toolkit and start their own attacks on boletos. A starter pack costs about R$ 500.00 (around US$ 250)

"Only for connoisseurs", the boleto kit malware + panel for sale on Facebook

The Zeus link – encrypted payloads

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable and encrypted malware payloads XORed with a 32-bit key and compressed by ZLIB, using the extensions .BCK, .JMP, .MOD and others.

Encrypted .JMP file downloaded by the boleto malware

It's no coincidence that the same technique was used by the ZeuS GameOver gang. We have evidence of Brazilian criminals cooperating with western European gangs involved with ZeuS and its variants; it's not unusual to find them on underground forums looking for samples, buying new crimeware and ATM/PoS malware. The first results of this cooperation can be seen in the development of new attacks such the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.

Decrypted .JMP file: a normal PE executable

Intercepting SSL conections

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Some boleto malware uses it to intercept SSL traffic or to do a MitM, aiming to change boletos generated even in HTTPS pages.

We found this behavior in samples such as Trojan.Win32.Badur.imwt:

Boleto Trojan programmed to use Fiddler: MitM in SSL pages

The malware installs SSL certs from FiddlerCore on the infected machine and captures the traffic of HTTPS pages.

Certificate of Fiddler installed by the malware

Attacks against network devices

Investigating the attack vector used by the fraudsters and looking at how the victims got infected we found that all possible techniques are used. Social engineering attacks via well designed e-mail campaigns are the most widespread, but the most aggressive path includes the massive use of RCE on vulnerable DSL modems – in 2011/12 more than 4 million of these devices were attacked in Brazil and had their DNS settings changed by cybercriminals – the same approach is still being used to distribute this malware today.

When an affected user tries to visit popular websites or Brazilian web portals the malicious DNS configured in the DSL modem offers to install a new Flash Player. In reality, accepting this installation will infect the machine with boleto malware.

Is Google.com hosting a Flash Player installer? Nope, it's the malicious DNS in the DSL modem

Another recent move from Brazilian criminals was to spread web-based attacks against home-routers in an attempt to change the DNS of the device. These attacks were called "drive-by-pharming". It can be spread via malicious domains or by compromising popular websites:

News website "Estadão" compromised: the malicious script asks the password of your home router

The malicious script tries to guess the password of your home router. If it succeeds a new DNS server will be configured in the device and the criminals will control all your traffic. If it fails the compromised site will display a box asking for your credentials.

Is the password of your router gvt12345? Just guessing…

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? It redirects users' connections, serving phishing pages or even fake banking pages that modify every boleto the user generates.

If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used:

What's the fastest way to attack home routers in Brazil? Using advertising

If the criminals can't compromise your network device, they'll target the ISP. We have already seen a series of DNS poisoning attacks against Net Virtua, one of the biggest Brazilian ISPs. Every time the aim is the same, targeting boletos.

But there was worse to come when cybercriminals decided to move to a more online approach…

Fake websites, fake extensions, fraudulent boletos

Some fraudsters decided that spreading their Trojans wasn't enough. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Malicious Chrome extensions, in the official Store

One attack started with a message promising 100 minutes free Skype credit:

Skype-To-Go free for Chrome users! It's easy, just install an extension…

Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic? That's exactly what the fraudsters did, with the valuable help of the official Google Chrome Web Store, where the malicious extension was hosted:


And this wasn't the only one, we found more:

Trojan-Banker.JS.BanExt.a, found on June 2014 in the Store, almost 2,000 users installed it

And one more, disguised as financial app that generates (fake) boletos:

Trojan-Banker.JS.Banker.bx, more than 3,800 installations…

The extension was prepared to just like a BHO on an infected machine: monitor and wait for the moment a boleto is generated, and then communicate with a C&C…


…and receive a new ID field number, injecting it in the boleto while invalidating the barcode:

To disguise any intent to discover the real purpose of the extension there was some obfuscation of the main .JS file inside the .CRX file:

HEXed JavaScript file

After removing the obfuscation we can see the websites it's targeting:

The list includes big Brazilian backs and well-known online stores such as Americanas.com and PagSeguro (a service similar to Paypal). Customers of small banks did not escape from the attack – malicious extensions are set up to target a long list of local banks:

The huge number of malicious extensions prompted Google's decision at the end of May 2014 to limit the installation of Chrome extensions. Now they can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

Forcing the developer mode on Google Chrome

One example is Trojan-Banker.Win32.ClearWind.a. Its main target is to install a malicious extension that changes boletos, activating the developer mode on Google Chrome and forcing the installation of any extension, even those not hosted in the official store:

"Developer mode" activated on Chrome. The malware did it

These Trojans were able to infect a lot of people, installing the malicious extension to change boletos:

Trojan-Banker.Win32.ClearWind.a, more than 8,000 installations

Malicious Firefox add-on

But if you use Firefox, you're still at risk; there is a version of a malicious add-on for these users as well:

For bad guys' convenience, the malicious Firefox add-on is hosted on Google Storage:

Trojan-Banker.JS.Banker.cd ready to install a malicious addon to change your boletos

Sponsored links, fake websites

Other interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one. Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee. All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well.

The fraudsters decided to set up malicious websites that claim to offer re-issues or recalculations of expired boletos – but of course the new boleto is totally fake and redirects the payment to the criminals' account. These attacks are carried out with the help of search engines, buying up sponsored link campaigns and putting their fraudulent sites to the top of the results.

In a search for "calcular boleto vencido" (recalculate expired boleto) or "segunda via boleto" (counterpart copy) on Google, the first result is a fraudulent service:

Google isn't the only one – it's the same on Yahoo:

And Ask.com:

Not forgetting Bing:

The fake websites that supposedly offer these services have a very professional design to help trick their victims.

All you need to do is choose the bank that issued the boleto, type in the data and "reissue" it.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data…

"Your new boleto was generated and registered. Pay it today"

It's not just malware: the boleto gangs are using all the possible ways of tricking users and stealing their money. A very widespread attack such this one resulted in many victims.

Online and offline victims

These attacks were especially notorious for their "crossover" to the offline world, stealing from people who do not use internet banking or buy things online. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. Once printed and paid they sent the money directly to the cybercriminals' accounts.

This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected. Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these trojans (e.g. 1, 2, 3, 4). A lot of money was stolen and even now this fraud is costing banks, stores and customers dear.

Some cases draw our attention such this one of a businesswoman from Campo Grande – her company lost BRL 183,000 (around US$80,000):

That sum was stolen in just 3 days…

The Police Department in the state of Minas Gerais issued an alert to residents, warning that fraudsters had already stolen around BRL 25,000 (US$ 10,000) from businesses:

The police registered 12 cases in the state

To measure the problem we did the sinkhole of a C&C and found several victims – in only one malicious server the logs registered more than 612,000 requests in 3 days. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines:

Requests to a sinkholed C&C

Looking at these values led us to ask: how much money was stolen? How many victims? It's not easy to get this number if you do not thoroughly understand the Brazilian cybercrime environment.

8 billion?

In July 2014 several media outlets covered some RSA research about a "Cybercrime Scheme Uncovered in Brazil" – those attacks against boletos. Right from the start it offers a shocking figure: possibly as much as US$3.75 billion stolen, BRL 8.6 billion. In other words, it would have been the largest cybercrime heist known to date. To compare how big this number is, Banco do Brasil, the biggest bank in the country, makes US$ 6.6 billion in annual profits. So the bad guys stole half of the money from a big bank? Not so fast…

RSA found 495,793 boletos and 192,227 victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. Added together, those payments topped the US$3.75 billion mark. This figure, however, includes everything – payments not made and payments that were made but not authorized by the bank (as the fraud was detected).  It also includes any test payments made by other researchers trying to understand the malware behavior or even tests made by the bad guy, or even duplicated entries as some customers tried to generate the same boleto several times.

A C&C displaying testing and duplicated entries

Counting every entry in a C&C resulted in this absurd number of R$ 8 billion, which averages at R$ 16,000 for each boleto. This value is unreal and incorrect — most boletos are worth far less. They also estimated a number of victims at 192,227. They did this by counting unique IP address, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses. Other errors in the RSA report were highlighted by the LinhaDefensiva community in this article.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The Brazilian Federation of Banks (FEBRABAN) publishes the combined losses faced by all banks due to electronic fraud each year. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million.

One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them.

How to protect you and your company

This is a common question from users and businesses in Brazil working with boletos. Is it possible using this payment method securely?

FEBRABAN, the Brazilian Federation of Banks, suggests using DDA (Debito Direto Autorizado, Authorized Direct Debit). This replaces a printed boleto with an electronic bill, automatically withdrawing funds from another person's bank account after both parties pre-authorize the deal.

However some Brazilian companies are concerned by the higher costs associated with DDA. In this case we advise issuing boletos in a PDF format generated on the server-side, instead of using HTML format. At present no Trojan can modify a PDF boleto.

Boleto generated in PDF format: more secure than HTML

Kaspersky Lab customers are protected against these attacks – the Safe Money technology presented in our products can block it entirely by offering the option of opening pages in a safe mode where no malicious code could inject data. This ensures that boletos can be generated securely:

Kaspersky Fraud Prevention platform also stops Trojans designed to capture HTTPS traffic using Fiddler. KFP compares this fake certificate of Fiddler with the real certificate used by the Bank or payment service and then blocks access.

Kaspersky Fraud Prevention in action, blocking an unreliable SSL connection


Today these attacks are a big headache for everyone involved in buying and selling in Brazil – banks, businesses and customers alike. When a customer is hit with a fake boleto he says it's not his fault because he paid. The stores blame the bank for failing to process the payment properly. The bank insists it is only responsible for processing the boleto, not for the content of the paperwork. The buck goes round and round …

To complete the scenario Brazilian criminals specialize in identity theft. They often open banking accounts in the name of innocent people who know nothing of the situation, using stolen personal data. With money mules and accounts opened in the name of dead people; it's easy to see why it's so difficult to track stolen money.

Boletos are a very local and distinctive payment method; most other countries don't have anything similar and don't even know what a boleto is. Unfortunately security companies pay little attention to Brazil and miss a lot of issues that only local intelligence can detect and offer expertise. Local criminals are strictly limiting their attacks to Brazilian IPs and only install their Trojans on machines operating in Brazilian Portuguese.

Brazilian cybercriminals are following the same path as their counterparts in Russia and China, with a very specialized cybercrime scene where attacks on locals require special effort to understand properly. They are also sharing knowledge with cybercriminals from Eastern Europe, exporting new techniques such this one described here, clearly inspired by SpyEye, to do code injection.

Honeypot Snares Two Bots Exploiting Bash Vulnerability

Threatpost for B2B - Thu, 09/25/2014 - 15:30
Two malware samples trying to exploit the Bash vulnerability, both DDoS bots, were snared in a honeypot belonging to AlienVault Labs.

Patching Bash Vulnerability a Challenge for ICS, SCADA

Threatpost for B2B - Thu, 09/25/2014 - 13:34
Experts are concerned that many Linux-based industrial control systems and embedded systems could be too steep a patching challenge and remain in the crosshairs of the Bash vulnerability.

Mozilla Patches RSA Signature Forgery in Firefox, Thunderbird, NSS

Threatpost for B2B - Thu, 09/25/2014 - 11:41
Users of Mozilla products should update Firefox, NSS, SeaMonkey and Thunderbird in order to obtain fixes for a bug that could let an attacker forge RSA certificates and perform man-in-the-middle attacks.
Syndicate content