Brazilians using the country’s Boleto Bancário money payment system could have been swindled out of as much as a staggering $3.75 billion (£2.2 billion) by a piece of malware called 'Bolware, according to a new analysis by security firm RSA Security.
Boleto is a popular money order payment system that can be used online or offline to pay for more or less anything from goods to taxes. A person receives a Boleto invoice and uses the details on it to transfer money from themselves to the payee.
It’s the sort of payment system that would have seemed flexible and advanced in the not too distant past but is now wide open for man-in-the middle fraud in an online age. This is precisely what appears to have been happening on a scale so vast that it is hard to take in.
RSA believes that the crime ring wielding the Bolware (or ‘Boleto’ or ‘Eupuds’) man-in-the-browser (MiTB) malware have attacked 30 Brazilian banks since 2012, botting 192,227 PCs and stealing 83,506 user credentials.
The firm now connects the attack to 8,095 unique fraudulent Boleto accounts responsible for an unbelievable 495,753 potentially fraudulent transactions.
In Brazilian reals this is 8,572,513,355.59, said RSA, or $3.75 billion at rates calculated before the currency weakened a bit. This is an estimate because they firm can’t be sure how many of the fraudulent payments were actually made - the actual losses could be lower although it seems certain that the sums stolen are large.
RSA has posted a more detailed explanation of how the fraudsters beat the Boleto system but the larger question is what banks and the Brazilian authorities have been doing to protect their citizens.
“RSA has turned over its research along with a significant number of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to both US (FBI) and Brazilian law enforcement (Federal Police) and have been in direct contact with a number of Brazilian banks,” the firm said.
“It [the fraud] appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers.”
The firm concludes that Brazilian banks should better defend themselves using blacklisting to monitor the addresses used by malicious IPs. One might add that there should be some kind of fraud detection in play; a fraud of this scale would be a national scandal had it happened in the US or UK.