Cyber Criminals Making Billions in Brazil

Scott Calonico

Congrats to Germany for winning the 2014 World Cup in Brazil! The country has done a great job of playing host over these past few weeks.

Meanwhile, however, followers of technical news have had another reason to focus on Brazil, with an interesting story going around relating to online payments in the country, and a scam that’s thought to have made hackers billions of dollars over the last couple of years.

Introducing the Boleto

Unless you’ve lived in Brazil or done business there, you’ve probably not heard of the Boleto.

The Boleto is a means of transferring money for online purchases or business-to-business transactions. Boletos are used widely in Brazil as an alternative to credit and debit cards. However, unlike credit cards, they don’t offer any real protection to those using them, as there is no charge-back mechanism. Effectively, once you have spent money using an electronic Boleto, the only way to get it back is if the recipient agrees to transfer it back to you.

To those elsewhere in the world, the use of Boletos may seem rather primitive, but their continued presence in Brazil is thought to be because credit in the country is difficult to obtain. The trouble is, the nature of Boletos makes them a perfect target for cyber criminals.

Boleto Malware

Typical Boleto malware finds its way onto a PC courtesy of an infected email or a compromised website. Once it’s there, it waits until the user visits their Brazilian bank’s website, and quietly changes the details of a newly issued Boleto so that the money is routed to an alternative bank account—and straight into the hands of the criminals.

Often the amounts involved in each transaction are small, but due to the sheer volume of transactions, these paltry amounts quickly add up. Krebs on Security cites an example where just one small criminal gang managed to siphon off around a quarter of a million dollars in just five months.

Brazilian authorities believe this to be the mere tip of the iceberg. It’s estimated that Boleto malware is present on up to 192,000 PCs, affecting over 30 different Brazilian banks.

Brazilian banks attempt to protect against this threat by insisting that users install browser plugins to stop the malware. However, it seems that the hackers have got wise to this, with sophisticated new versions of the malware now able to disable the security plugins.

So what’s the answer?

The easiest answer to Boleto malware would appear to be some kind of multi-phase authentication for transactions, but no such solution is in place as yet.

Researchers in Brazil are suggesting that, for now, people use mobile devices instead of PCs to conduct Boleto transactions, as the malware isn’t yet sophisticated enough to alter the related barcodes. This is sound advice, as the figures make it clear that Boleto fraud is more than just a rare occurrence. It is, as Krebs on Security describes it, a genuine “crime wave.”