July 10, 2014 By George Tubin 4 min read

Boleto Malware Targeting Brazilian Banks

Cyber criminals have been targeting the Boleto payment method in Brazil throughout the past year, leading to an estimated $3.75 billion in losses (Update: this previously reported number might have been overstated by RSA), according to a recent report issued by RSA, the security division of EMC. The report details the actions of one specific fraud ring — the “Boleto bandits” — and discusses the Boleto malware they use to commit fraud. The report is very helpful in exposing this dangerous threat, which is well known to the Brazilian banking industry, to the general public. As with every bit of news, there is always more to the story.

Trusteer researchers have discovered two additional malware families targeting the Boleto payment system that operate quite differently from the Eupuds malware variant discussed in the RSA report. These new Boleto malware families are not yet known to the industry as financial, or Boleto-related, malware. Trusteer research shows that approximately one in every 900 machines in Brazil is infected with some form of Boleto malware at any given point. We are now sharing more details on these new malware families to help the industry combat the rising threat of Boleto payment malware.

We at Trusteer, an IBM company, have been effectively fighting Boleto — officially “Boleto Bancário” — malware for over a year, successfully protecting our Brazilian bank clients from Boleto-related malware attacks. We would like to take this opportunity to contribute some of our insights to help clarify the current state of this malware.

Boleto Malware Really Is a Multiheaded Monster

The recent RSA report focuses on one specific type of Boleto malware that uses Web injection techniques to modify Boleto payee fields. Since Boleto malware’s initial discovery early last year, we have seen multiple crime rings develop different types of malware attacks against Boleto payments, with at least three distinct major malware approaches currently in operation. Each of these malware approaches has multiple variants that all aim to modify the Boleto payment data on the client machine.

Web Injects

The recent Boleto payment system malware announcements have primarily been focused on one specific family of Boleto malware commonly referred to as Eupuds; an earlier blog from April 2013 discusses Eupuds.

Eupuds and similar Boleto variants alter the Boleto in the Web page (a Web inject) to change the payee fields, diverting funds to fraudster, or mule, accounts. Web injection is a standard modus operandi for advanced financial malware and is also commonly used by such malware variants as Zeus, SpyEye, Citadel and most others.

DOM Manipulation

One new Boleto malware family discovered by Trusteer uses the Component Object Model (COM) interface to perform Document Object Model (DOM) manipulations on Internet Explorer browsers. This approach essentially enables the malware to access and change the internal data of targeted Web pages. The malware uses these methods to manipulate payee fields while concealing the manipulation from the end user. As an example, Trusteer identified and named one such variant “Domingo” [md5 d972d719aab8f4750ee0b15187dc1ad0]. This sample is currently identified as “generic” by the major AV companies and not as a “Boleto Bancário malware.”

Browser Extension Scanner

Another new Boleto Bancário malware family discovered by Trusteer adds browser extensions to Firefox and Chrome. This malware variant, which we named “Coleto,” is quite new and not yet widely utilized. This malware operates by first downloading and installing a Firefox or Chrome extension. The extension then scans the Web pages for numbers that match the pattern of a Boleto number. Once such a number is found, it substitutes it with another predefined number, thus diverting funds to a fraudster, or mule, account.
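A site that issues Boletos can compare the number the browser actually rendered with the number it issued, which exposes the kind of in-page substitution described above. The sketch below is an added example, not code from Trusteer or the RSA report; the 47-digit number layout with a leading 3-digit bank code, the function names and the sample numbers are assumptions constructed for illustration.

```javascript
// Added example: integrity check for Boleto numbers found in rendered page text.
// Assumption: a Boleto number is 47 digits, optionally grouped with dots or
// single spaces, and its first three digits identify the bank.
const BOLETO_RE = /\d(?:[ .]?\d){46}/g;

const digitsOnly = (s) => s.replace(/\D/g, "");

// Return every Boleto-shaped number in the text, normalized to bare digits.
function findBoletoNumbers(text) {
  return (text.match(BOLETO_RE) || []).map(digitsOnly);
}

// Compare what the page shows with what the issuer generated.
//   "ok"       - only the issued number appears
//   "tampered" - at least one Boleto-shaped number differs from the issued one
//   "missing"  - no Boleto-shaped number is visible at all
function checkRenderedBoleto(issued, renderedText) {
  const expected = digitsOnly(issued);
  const found = findBoletoNumbers(renderedText);
  const foreign = found.filter((n) => n !== expected);
  if (found.length === 0) return { status: "missing", foreign, bankChanged: false };
  if (foreign.length === 0) return { status: "ok", foreign, bankChanged: false };
  // A different bank code means the payment would leave the issuer's bank.
  const bankChanged = foreign.some((n) => n.slice(0, 3) !== expected.slice(0, 3));
  return { status: "tampered", foreign, bankChanged };
}

// Constructed sample data (check digits are not valid, this is not a real Boleto).
const ISSUED = "23790.12345 60000.123456 78000.123456 1 61230000010000";
const SWAPPED = "34191.09008 61207.727305 71444.640008 5 61230000010000";
const page = (num) => `Pagavel ate o vencimento\n${num}\nValor: R$ 100,00`;

console.log(checkRenderedBoleto(ISSUED, page(ISSUED)).status);
console.log(checkRenderedBoleto(ISSUED, page(SWAPPED)));
```

A mismatch is a signal to hold the payment and examine the client, not an identification of a particular malware family.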

Recommendations: Effective Way to Fight Malware-Based Fraud

One of the recommendations provided in the RSA report is to use mobile banking applications since they are immune to this malware — for now. We agree that this approach will work “for now,” but for how long? And at what cost?

We expect that the cyber criminals will develop techniques to commit fraud via mobile devices, especially if the PC attack vector becomes less lucrative. Forcing customers to perform transactions via the mobile channel is not considered exemplary customer service; customers should be allowed to transact in the channel most convenient for them. Most of the recommendations provided put far too much onus on the bank customer to recognize when a fraud attempt is taking place.

Beyond the impractical end-user recommendations, the proposed solutions are mostly “post-mortem,” i.e., based on information obtained after the company accesses known command and control (C&C) servers. This approach is far from real-time, occurring after significant fraudulent transactions have been conducted.

The most effective way to fight malware-based fraud is at the point of attack: the customer’s device. If malware is not identified and prevented from operating on the customer’s device, all subsequent fraud prevention methods (such as authentication and anomaly detection) can be easily tricked and bypassed by the malware. By focusing on detecting and preventing the root cause of most financial fraud — malware — Trusteer solutions can, in turn, prevent fraudulent transactions from being created before they enter the payments system.

The report goes on to mention that Boleto payment system malware can successfully circumvent client-side security plug-ins that hook into the user’s browser. As the leading provider of client-side malware protection to the world’s leading financial institutions, we can definitively state that this has not happened for Trusteer products. In fact, Trusteer has been effectively fighting Boleto malware for well over a year now, successfully protecting our Brazilian bank clients from Boleto-related malware attacks.

We recommend focusing on the root cause of fraud and winning the battle at that point. In this case, it is the three variants of Boleto Bancário malware that each utilize a different attack vector — with possibly more variants to come. Trusteer now protects over 1.6 million banking customers in Brazil from Boleto malware and all other forms of dangerous financial malware. Trusteer defenses are effective, adaptable and continually updated to successfully combat the ever-changing malware threat facing financial institutions across the globe.
