Boleto Malware Targeting Brazilian Banks

Cyber criminals have been targeting the Boleto payment method in Brazil throughout the past year, leading to an estimated $3.75 billion in losses (Update: this previously reported number may have been overstated by RSA), according to a recent report issued by RSA, the security division of EMC. The report details the actions of one specific fraud ring, the “Boleto bandits”, and discusses the Boleto malware they use to commit fraud. The report is very helpful in exposing this dangerous threat, which is well known to the Brazilian banking industry, to the general public. Like every bit of news, there is always more to the story.

Trusteer researchers have discovered two additional malware families targeting the Boleto payment system that operate quite differently from the Eupuds variant discussed in the RSA report. These new Boleto malware families are not yet known to the industry as financial, or Boleto-related, malware. Trusteer research shows that approximately one in every 900 machines in Brazil is infected with some form of Boleto malware at any given time. We are now sharing more details on these new malware families to help the industry combat the rising threat of Boleto payment malware.

We at Trusteer, an IBM company, have been effectively fighting Boleto — officially “Boleto Bancário” — malware for over a year, successfully protecting our Brazilian bank clients from Boleto-related malware attacks. We would like to take this opportunity to contribute some of our insights to help clarify the current state of this malware.

Boleto Malware Really Is a Multiheaded Monster

The recent RSA report focuses on one specific type of Boleto malware that uses Web injection techniques to modify Boleto payee fields. Since Boleto malware’s initial discovery early last year, we have seen multiple crime rings develop different types of malware attacks against Boleto payments, with at least three distinct major malware approaches currently in operation. Each of these approaches has multiple variants, and all of them aim to modify the Boleto payment data on the client machine.

Web Injects

The recent Boleto payment system malware announcements have primarily focused on one specific family of Boleto malware, commonly referred to as Eupuds, which an earlier blog post from April 2013 discusses.

Eupuds, and similar Boleto variants, use a Web inject to rewrite the payee fields of the Boleto displayed in the Web page, diverting funds to fraudster, or mule, accounts. Web injection is the standard modus operandi of advanced financial malware and is also used by Zeus, SpyEye, Citadel and most other families.

DOM Manipulation

One new Boleto malware family discovered by Trusteer uses the Component Object Model (COM) interface to perform Document Object Model (DOM) manipulations in Internet Explorer. This approach gives the malware read and write access to the internal data of targeted Web pages without injecting code into the browser process. The malware uses these methods to manipulate payee fields while hiding the change from the end user. As an example, Trusteer identified and named one such variant “Domingo” [md5 d972d719aab8f4750ee0b15187dc1ad0]. This sample is currently detected only as “generic” by the major AV vendors, not as Boleto Bancário malware.

Browser Extension Scanner

Another new Boleto Bancário malware family discovered by Trusteer adds browser extensions to Firefox and Chrome. This variant, which we named “Coleto,” is quite new and not yet widely used. It operates by first downloading and installing a Firefox or Chrome extension. The extension then scans Web pages for digit strings that match the pattern of a Boleto number. Once such a number is found, the extension replaces it with a predefined number, diverting the payment to a fraudster, or mule, account.
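To make the scanning and substitution described in the Web inject, DOM manipulation and browser extension sections concrete, here is an added example (written for this edit, not code from the original post or from Trusteer): a JavaScript parser for the 47-digit Boleto Bancário linha digitável, the digit pattern such an extension looks for. It builds a boleto from its components, recomputes the standard FEBRABAN modulo-10 and modulo-11 check digits, scans free text for the pattern, and compares two boletos field by field. It also shows why check-digit validation is not a fraud control: a substitute boleto built for another beneficiary is just as self-consistent as the original. All bank codes, free fields, amounts and the sample page text are constructed.

```javascript
// Added example, not code from the original post: parse and validate a Boleto
// Bancário "linha digitável" (the 47-digit payment line the malware scans for),
// then compare two boletos field by field. Layout and check-digit rules are the
// standard FEBRABAN ones; every sample value below is constructed.

// Modulo-10 check digit: weights 2,1,2,1,... from the right, products >= 10
// reduced to the sum of their digits.
function mod10(digits) {
  let sum = 0;
  let weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    let p = Number(digits[i]) * weight;
    if (p >= 10) p -= 9; // 18 -> 1 + 8 = 9
    sum += p;
    weight = weight === 2 ? 1 : 2;
  }
  return String((10 - (sum % 10)) % 10);
}

// Modulo-11 general check digit over the 43 bar-code digits (the DV itself
// removed): weights 2..9 cycling from the right; results 0, 10 and 11 map to 1.
function mod11(digits43) {
  let sum = 0;
  let weight = 2;
  for (let i = digits43.length - 1; i >= 0; i--) {
    sum += Number(digits43[i]) * weight;
    weight = weight === 9 ? 2 : weight + 1;
  }
  const dv = 11 - (sum % 11);
  return dv === 0 || dv === 10 || dv === 11 ? '1' : String(dv);
}

// Assemble a valid linha digitável. The payee is identified by bank code plus
// the bank-specific 25-digit free field; due date and amount sit in field 5.
function buildLinhaDigitavel({ bank, currency, dueFactor, amountCents, freeField }) {
  if (!/^\d{3}$/.test(bank) || !/^\d$/.test(currency) || !/^\d{25}$/.test(freeField)) {
    throw new Error('bank must be 3 digits, currency 1 digit, free field 25 digits');
  }
  const factor = String(dueFactor).padStart(4, '0');
  const amount = String(amountCents).padStart(10, '0');
  const generalDv = mod11(bank + currency + factor + amount + freeField); // 43 digits
  const f1 = bank + currency + freeField.slice(0, 5);
  const f2 = freeField.slice(5, 15);
  const f3 = freeField.slice(15, 25);
  return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + generalDv + factor + amount;
}

// Split a linha digitável (formatted or raw) into its fields and recompute all
// four check digits. `valid` only says the digits are self-consistent; a
// substituted boleto built for a mule account passes this test just as well.
function parseLinhaDigitavel(line) {
  const d = line.replace(/\D/g, '');
  if (d.length !== 47) return null;
  const f1 = d.slice(0, 9), f2 = d.slice(10, 20), f3 = d.slice(21, 31);
  const factor = d.slice(33, 37), amount = d.slice(37, 47);
  const bank = d.slice(0, 3), currency = d[3];
  const freeField = d.slice(4, 9) + f2 + f3;
  const valid =
    mod10(f1) === d[9] && mod10(f2) === d[20] && mod10(f3) === d[31] &&
    mod11(bank + currency + factor + amount + freeField) === d[32];
  return { digits: d, bank, currency, dueFactor: Number(factor), amountCents: Number(amount), freeField, valid };
}

// Human-readable form as printed on a boleto: 5.5 5.6 5.6 1 14.
function formatLinhaDigitavel(d) {
  return `${d.slice(0, 5)}.${d.slice(5, 10)} ${d.slice(10, 15)}.${d.slice(15, 21)} ` +
    `${d.slice(21, 26)}.${d.slice(26, 32)} ${d[32]} ${d.slice(33)}`;
}

// The digit pattern a page scanner (benign or malicious) looks for: the
// formatted line or its 47 raw digits, not embedded in a longer digit run.
const BOLETO_PATTERN = /(?<!\d)\d{5}\.?\d{5} ?\d{5}\.?\d{6} ?\d{5}\.?\d{6} ?\d ?\d{14}(?!\d)/g;

function findBoletos(text) {
  const found = [];
  for (const m of text.matchAll(BOLETO_PATTERN)) {
    const parsed = parseLinhaDigitavel(m[0]);
    if (parsed) found.push(parsed);
  }
  return found;
}

// Which fields differ between the boleto the customer meant to pay and the one
// actually paid. A payee swap shows up in bank and/or freeField.
function diffBoletos(expected, actual) {
  return ['bank', 'currency', 'dueFactor', 'amountCents', 'freeField']
    .filter((k) => expected[k] !== actual[k]);
}

// Constructed sample: a legitimate boleto and a substitute for a different
// beneficiary with the same due date and amount.
const legit = buildLinhaDigitavel({ bank: '001', currency: '9', dueFactor: 3737, amountCents: 100, freeField: '0500940144816060680935031' });
const mule = buildLinhaDigitavel({ bank: '237', currency: '9', dueFactor: 3737, amountCents: 100, freeField: '2345678901234567890123456' });
const pageText = `Pague com a linha digitável ${formatLinhaDigitavel(legit)} até o vencimento.`;

for (const b of findBoletos(pageText)) {
  console.log(`found boleto bank=${b.bank} amount=${b.amountCents} valid=${b.valid}`);
}
console.log('substitute self-consistent:', parseLinhaDigitavel(mule).valid);
console.log('fields changed by the swap:', diffBoletos(parseLinhaDigitavel(legit), parseLinhaDigitavel(mule)));
```

Run it with node. The beneficiary a boleto pays is carried in the bank code and the 25-digit free field, so when comparing the boleto a victim printed with the one that was actually paid, those two fields are where a substitution shows up; the amount and due date can be left untouched by the attacker and will still validate.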

Recommendations: Effective Way to Fight Malware-Based Fraud

One of the recommendations provided in the RSA report is to use mobile banking applications since they are immune to this malware — for now. We agree that this approach will work “for now,” but for how long? And at what cost?

We expect cyber criminals to develop techniques to commit fraud via mobile devices, especially if the PC attack vector becomes less lucrative. Forcing customers to perform transactions via the mobile channel is not exemplary customer service; customers should be allowed to transact in whichever channel is most convenient for them. Most of the recommendations provided put far too much onus on the bank customer to recognize when a fraud attempt is taking place.

Beyond the impractical end user recommendations, the proposed solutions are mostly “post-mortem,” i.e., based on information obtained after a vendor gains access to known command and control (C&C) servers. This approach is far from real-time: by the time the C&C data is available, significant fraudulent transactions have already been conducted.

The most effective way to fight malware-based fraud is at the point of attack: the customer’s device. If malware is not identified and prevented from operating on the customer’s device, all subsequent fraud prevention methods (such as authentication and anomaly detection) can be easily tricked and bypassed by the malware. By focusing on detecting and preventing the root cause of most financial fraud — malware — Trusteer solutions can, in turn, prevent fraudulent transactions from being created before they enter the payments system.

The report goes on to mention that Boleto payment system malware can successfully circumvent client-side security plug-ins that hook into the user’s browser. As the leading provider of client-side malware protection to the world’s leading financial institutions, we can definitively state that this has not happened for Trusteer products. In fact, Trusteer has been effectively fighting Boleto malware for well over a year now, successfully protecting our Brazilian bank clients from Boleto-related malware attacks.

We recommend focusing on the root cause of fraud and winning the battle at that point. In this case, it is the three variants of Boleto Bancário malware that each utilize a different attack vector — with possibly more variants to come. Trusteer now protects over 1.6 million banking customers in Brazil from Boleto malware and all other forms of dangerous financial malware. Trusteer defenses are effective, adaptable and continually updated to successfully combat the ever-changing malware threat facing financial institutions across the globe.
