Boleto malware may lose Brazil $3.75bn

Hacker Hackers may have pocketed $3.75 Billion

Related Stories

Researchers from an American security company have unearthed a substantial malware-based fraud ring.

The operation has infiltrated one of Brazil's most popular payment methods, Boleto, for two years.

An estimated 495,753 Boleto transactions have been compromised, which means the hackers could have stolen up to $3.75bn (£2.18bn).

Researchers say it is not known whether the fraudsters were successful in collecting on all of the transactions.

Boleto Bancario allows an individual to pay an exact amount to a merchant and can be used for almost every kind of transaction, from the weekly shop to phone bills.

Boletos can be used and generated both online for electric transfers and offline with printed paper.

Start Quote

Be cautious about opening unsolicited email attachments or clicking on unknown links”

End Quote Graham Cluley Computer security analyst

The attack has been described by US-based security company RSA, a division of data storage corporation EMC, as "a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil".

It is not clear how much has been stolen or whether all the funds were successfully redirected to fraudster-controlled bank accounts.

However, this will have been the largest electronic theft in history if even half of the valued worth turns out to be in the hands of criminals, according to the New York Times.

The number of infected PCs totals 192,227 - an additional 83,506 email user credentials have also been stolen.

Known colloquially as a man-in-the-browser threat, the malware silently injects itself into users' web browsers after hackers have initially tricked individuals into clicking malicious links in seemingly ordinary looking emails. This is similar in principle to phishing scams.

Once the malware is in the browser, fraudsters can begin to intercept and alter Boleto details. This activity is invisible to the user.

"Because of its stealth capabilities, end-users also have little chance of detecting Boleto fraud on their own," said RSA researchers.

Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer are all vulnerable to the attack.

'A serious impact'

"Brazil has long been a hotbed of cybercrime, and although we don't know exactly what financial impact may have been caused by this sophisticated attack it's possible that different factors might have helped the hackers get away with it," said computer security analyst Graham Cluley.

"Sadly Brazilian computers aren't always necessarily running the very latest anti-virus software, and because Boletos aren't used outside of Brazil it might have made security companies less vigilant about the threat."

Boletos are the second most popular payment method in Brazil, responsible for an estimated 18% of all purchases during 2012.

"Such attacks will have a serious impact on the confidence we place in increasingly common digital payment methods," warned Dr Andrew Rogoyski, chair of techUK cyber-security group.

Mr Cluley advises users to "be cautious about opening unsolicited email attachments or clicking on unknown links, and keep your computer updated with security patches and the latest anti-virus".

More on This Story

Related Stories

The BBC is not responsible for the content of external Internet sites

More Technology stories

RSS

Features & Analysis

  • Medea Benjamin Code Pink

    Why authorities refuse to ban disruptive protesters


  • Pellet of plutoniumRed alert

    The scary element that helped save the crew of Apollo 13


  • HandshakeKiss and make up

    A marriage counsellor on healing the referendum hurt


  • Burnt section of the Umayyad Mosque in the old city of AleppoBefore and after

    Satellite images reveal Syria's heritage trashed by war


BBC Future

(USAF)

Secrets of the aircraft boneyards

The vast storage sites for surplus planes Read more...

Programmes

  • A screenshot from Goat SimulatorClick Watch

    The goat simulator which started as a joke but became a surprising hit, plus other tech news

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.