
He never uses internet banking services or buys anything using a credit card. Boletos are actually one of the most popular ways to pay bills and buy goods in Brazil, even government institutions use them, and they are a unique feature of the Brazilian market. This article explains how these attacks have happened in Brazil, and gives advice on protecting customers even when they have chosen to live offline.

Boletos are a very popular and easy way to pay bills or buy goods in Brazil today; even online stores accept this kind of payment. All you need to do is print and pay it. A boleto comes with an expiry date. Until its due date it can be paid at ATMs, branches and the internet banking of any bank, at the Post Office, at lottery agents and at some supermarkets.

After the date it can only be paid at a branch of the issuing bank. The client also pays a fee levied by the bank; the fee increases with every passing day. Banks charge a handling fee for every boleto paid in by a customer. If the collection is registered then the bank will also charge a fee for every issued boleto, regardless of whether it was paid or not. Therefore, unregistered collections are more suitable for online transactions.

The bank also takes into account the size of the client, so a client with a higher volume of banking transactions, who has been working with the bank for a while, etc., is able to get lower fees or even a fee exemption. This has made the boleto a very important sales tool for big companies, e-commerce and the government. What could possibly go wrong? Well, how about changing the barcode or the ID field?

A boleto can be generated and printed by the store that is selling its products to you, or even by users themselves during an online purchasing process. The extensive documentation and legitimate open source software used to generate boletos helps malware creators to develop Trojans which are programmed to change boletos locally, as soon as they are generated by the computer or browser. These Trojans were spotted in the wild in April by LinhaDefensiva. In fact most of the Brazilian criminals who use Trojan bankers to steal money are migrating their attacks to target boletos, using the same infrastructure.

Some later versions of this Trojan appeared and started to change only the numbers in the ID field. These new versions also used a span HTML element to add white space to the barcode, making it unreadable. That forces the customer or bank staff to type in the doctored digits of the ID field to pay the boleto. So as not to raise suspicions, the Trojan does not change the value or due date of the transaction.

The ID field includes a lot of information, detailing the bank account that will receive the payment and other data used according to the rules established by each bank. Changing the ID number is enough to redirect the payment to another bank account. Initially most of these BHOs had a very low detection rate, being incorrectly flagged as a generic Trojan banker by normal antimalware products. We also found very professional control panels used by the fraudsters to collect data from infected machines and register every boleto as soon as it is generated.
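Because the ID field encodes the receiving bank and carries its own check digits, a payer or point-of-sale system can decode it and compare the routing data with what the boleto is supposed to say. The following is an added example, not code from the article or from Kaspersky: it parses and validates the 47-digit ID field according to the public FEBRABAN layout (three mod-10 checked fields, the barcode's mod-11 check digit, then the due-date factor and value), and flags a boleto whose bank code or value differs from what the payer expects. All sample values are constructed and do not correspond to any real boleto.

```python
"""Parse and verify the 47-digit boleto ID field (the "linha digitavel").

Layout (FEBRABAN specification):
  barcode (44 digits): bank(3) currency(1) DV(1) due-date factor(4) value in cents(10) free field(25)
  ID field (47 digits): field1(9+DV) field2(10+DV) field3(10+DV) barcode DV(1) factor+value(14)
"""


def mod10_dv(digits: str) -> str:
    """Check digit for fields 1-3: weights 2,1,2,... from the right, products > 9 reduced by 9."""
    total, weight = 0, 2
    for ch in reversed(digits):
        product = int(ch) * weight
        if product > 9:
            product -= 9
        total += product
        weight = 1 if weight == 2 else 2
    return str((10 - total % 10) % 10)


def mod11_barcode_dv(body43: str) -> str:
    """General check digit of the barcode: weights 2..9 cycling from the right; 0, 10 and 11 map to 1."""
    total, weight = 0, 2
    for ch in reversed(body43):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return "1" if dv in (0, 10, 11) else str(dv)


def build_barcode(bank: int, currency: int, factor: int, value_cents: int, free_field: str) -> str:
    """Assemble a 44-digit barcode from its components (used here to construct test data)."""
    if len(free_field) != 25 or not free_field.isdigit():
        raise ValueError("free field must be 25 digits")
    body = f"{bank:03d}{currency:d}{factor:04d}{value_cents:010d}{free_field}"  # 43 digits
    return body[:4] + mod11_barcode_dv(body) + body[4:]


def barcode_to_id_field(bc: str) -> str:
    """Derive the 47-digit ID field from a 44-digit barcode."""
    f1 = bc[0:4] + bc[19:24]
    f2 = bc[24:34]
    f3 = bc[34:44]
    return f1 + mod10_dv(f1) + f2 + mod10_dv(f2) + f3 + mod10_dv(f3) + bc[4] + bc[5:19]


def parse_id_field(line: str) -> dict:
    """Validate all four check digits and decode the routing/value data, or raise ValueError."""
    digits = "".join(ch for ch in line if ch.isdigit())  # tolerate dots and spaces
    if len(digits) != 47:
        raise ValueError(f"expected 47 digits, got {len(digits)}")
    f1, f2, f3, f4, f5 = digits[0:10], digits[10:21], digits[21:32], digits[32], digits[33:47]
    for name, field in (("field1", f1), ("field2", f2), ("field3", f3)):
        if mod10_dv(field[:-1]) != field[-1]:
            raise ValueError(f"{name} check digit mismatch")
    barcode = f1[:4] + f4 + f5 + f1[4:9] + f2[:10] + f3[:10]
    if mod11_barcode_dv(barcode[:4] + barcode[5:]) != f4:
        raise ValueError("barcode check digit mismatch")
    return {
        "bank_code": barcode[0:3],
        "currency": barcode[3],
        "due_factor": int(barcode[5:9]),
        "value_cents": int(barcode[9:19]),
        "free_field": barcode[19:44],
        "barcode": barcode,
    }


def is_valid_id_field(line: str) -> bool:
    try:
        parse_id_field(line)
        return True
    except ValueError:
        return False


def find_discrepancies(line: str, expected_bank: str, expected_value_cents: int) -> list:
    """Compare a boleto's ID field with the beneficiary bank and amount the payer expects."""
    info = parse_id_field(line)
    problems = []
    if info["bank_code"] != expected_bank:
        problems.append(f"bank code {info['bank_code']} != expected {expected_bank}")
    if info["value_cents"] != expected_value_cents:
        problems.append(f"value {info['value_cents']} != expected {expected_value_cents}")
    return problems


# Constructed sample, not a real boleto: bank code 123, currency 9, factor 6100, R$150.00.
SAMPLE_BARCODE = build_barcode(123, 9, 6100, 15000, "1234567890123456789012345")
SAMPLE_ID_FIELD = barcode_to_id_field(SAMPLE_BARCODE)
# A redirected copy: same value and due date, but another bank and account data (also constructed).
REDIRECTED_ID_FIELD = barcode_to_id_field(build_barcode(999, 9, 6100, 15000, "9999999999999999999999999"))

if __name__ == "__main__":
    print(SAMPLE_ID_FIELD, parse_id_field(SAMPLE_ID_FIELD))
    print(find_discrepancies(REDIRECTED_ID_FIELD, "123", 15000))
```

Note that the check digits only protect against typos: a Trojan that rewrites the ID field recomputes them, so the redirected sample above validates cleanly. The useful check is therefore the comparison in `find_discrepancies`, which needs an out-of-band source for the expected bank code (for example the beneficiary bank printed on the boleto or agreed with the store beforehand).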

The boleto malware campaigns combined several new tricks to infect and steal from more users. One of the most recent is the use of non-executable, encrypted malware payloads, XORed with a bit key and compressed with ZLIB, using extensions such as .MOD and others. The first results of this cooperation can be seen in the development of new attacks such as the one targeting payments of boletos in Brazil.

Using encrypted payloads offers the criminals an effective way to bypass any firewalls, webfilters, network intrusion detection systems or other defenses that may be in place, as a tiny Trojan downloads these encrypted files and decrypts them to complete the infection.
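A network filter that only inspects file extensions or executable headers will miss such payloads, but an analyst or a scanner can still recognise them. The following triage helper is an added example, not code from the article or from Kaspersky; it assumes a single-byte XOR key (the article does not state the key length) and a zlib stream with the default 0x78 header byte, recovers the key from that known byte, confirms the guess by inflating the data, and reports whether an executable was hiding behind a harmless-looking extension. The sample payload and extension list are constructed for the demonstration.

```python
"""Triage helper: spot XOR-obfuscated, zlib-compressed payloads behind harmless extensions.

Assumptions (not from the article): a single-byte XOR key and a zlib stream whose first
byte is the default CMF value 0x78. The key is derived from that known byte and verified
by inflating the data and checking for a PE ("MZ") header.
"""
import zlib

ZLIB_CMF = 0x78  # first byte of a zlib stream with a 32 KiB window (zlib default)
HARMLESS_EXTENSIONS = {".mod", ".jpg", ".gif", ".txt"}  # constructed list of lure extensions


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def is_zlib_header(b0: int, b1: int) -> bool:
    """zlib spec: compression method must be deflate (8) and CMF*256 + FLG a multiple of 31."""
    return (b0 & 0x0F) == 8 and (b0 * 256 + b1) % 31 == 0


def triage_blob(data: bytes, filename: str = "") -> dict:
    """Return a verdict dict; 'suspicious' is True only if a zlib stream really inflates."""
    verdict = {"filename": filename, "suspicious": False, "xor_key": None,
               "decoded_is_pe": False, "decoded_size": 0, "reason": ""}
    if len(data) < 8:
        verdict["reason"] = "too short"
        return verdict
    key = data[0] ^ ZLIB_CMF  # known-plaintext: the first byte must decode to 0x78
    if not is_zlib_header(ZLIB_CMF, data[1] ^ key):
        verdict["reason"] = "no zlib header under single-byte XOR"
        return verdict
    try:
        decoded = zlib.decompress(xor_bytes(data, key))
    except zlib.error as exc:
        verdict["reason"] = f"header matched but inflate failed: {exc}"
        return verdict
    verdict.update(suspicious=True, xor_key=key, decoded_size=len(decoded),
                   decoded_is_pe=decoded[:2] == b"MZ",
                   reason="zlib stream recovered with XOR key 0x%02x" % key)
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if ext in HARMLESS_EXTENSIONS and verdict["decoded_is_pe"]:
        verdict["reason"] += f"; executable hidden behind {ext}"
    return verdict


# Constructed sample: a fake PE-like blob, compressed and XORed the way the article describes.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"This program cannot be run in DOS mode.\r\n" + bytes(range(256)) * 4
SAMPLE_KEY = 0x5A
SAMPLE_PAYLOAD = xor_bytes(zlib.compress(FAKE_PE), SAMPLE_KEY)
BENIGN_TEXT = b"Hello, this is an ordinary text file with nothing to hide.\n"

if __name__ == "__main__":
    print(triage_blob(SAMPLE_PAYLOAD, "update.mod"))
    print(triage_blob(BENIGN_TEXT, "readme.txt"))
```

The header test alone produces false positives (one byte in 31 passes by chance), which is why the verdict is only raised after `zlib.decompress` succeeds; a multi-byte key would need a longer known plaintext or a brute-force over key lengths, and a key of 0 simply means the file is plain zlib.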

Another interesting approach seen in boleto malware is the role of Fiddler, a web debugging proxy tool normally used by malware researchers. Investigating the attack vector used by the fraudsters and looking at how the victims got infected, we found that all possible techniques are used. In reality, accepting this installation will infect the machine with boleto malware.

Another recent move from Brazilian criminals was to spread web-based attacks against home routers in an attempt to change the DNS settings of the device. It can be spread via malicious domains or by compromising popular websites. The malicious script tries to guess the password of your home router. If it succeeds, a new DNS server is configured in the device and the criminals control all your traffic. If it fails, the compromised site displays a box asking for your credentials.

Recently we identified more than 30 malicious DNS servers being used in these attacks in Brazil. What does the new DNS server do? If criminals combine web-based attacks with advertisements they can reach millions of people. This tactic is already being used, through advertising. Every time the aim is the same: targeting boletos. They wanted faster returns and changed their tactics. They looked online, investing in sponsored links, fake websites that claimed to recalculate expired boletos (this is possible with this payment system) and malicious browser extensions for Google Chrome or Firefox.

Skype-To-Go free for Chrome users! Why distribute a Trojan when you can trick users into installing a malicious browser extension that controls and monitors all the traffic?

To hinder any attempt to discover the real purpose of the extension, the main .JS file inside the .CRX file was obfuscated. The list includes big Brazilian banks and well-known online stores such as Americanas. Customers of small banks did not escape the attack either: the malicious extensions are set up to target a long list of local banks. Now extensions can only be hosted on the Chrome Web Store, but it is no problem for cybercriminals to put their malicious creations there.

One example is Trojan-Banker. Its main purpose is to install a malicious extension that changes boletos, activating developer mode in Google Chrome and forcing the installation of any extension, even those not hosted in the official store. The malware did it. These Trojans were able to infect a lot of people, installing the malicious extension to change boletos. Another interesting characteristic of boletos is that you can generate a counterpart copy, in case you lose the original one.

Some banks also offer a service to customers who missed the payment deadline and need to recalculate the value of an expired boleto and reissue it, after paying a small fee.

All companies working with boletos offer these services to their customers, generally online, and cybercriminals can attack here as well. These attacks are carried out with the help of search engines: the criminals buy sponsored link campaigns that put their fraudulent sites at the top of the results. The fake websites that supposedly offer these services have a very professional design to help trick their victims.

Of course the boleto generated has the exact same value and due date you asked for, but the ID field number has new data. A very widespread attack such as this one resulted in many victims. It can even steal from people who have never connected to the Internet in their lives. Several infected computers in thousands of stores all over the country started to generate fraudulent boletos for their customers. This sparked a real avalanche of Trojans using the same technique, and several businesses were badly affected.

Many companies, the association of shopkeepers and the Brazilian government all issued alerts to their customers about the fraudulent boletos issued by these Trojans. A lot of money was stolen and even now this fraud is costing banks, stores and customers dear. Each one sought a fraudulent ID field to be injected into boletos generated on the infected machines.

Looking at these values led us to ask: how much money was stolen? How many victims? In other words, it would have been the largest cybercrime heist known to date. So the bad guys stole half of the money from a big bank? Not so fast. RSA found , boletos and , victims in their investigation. Once inside the control panel, they found the values of all payments that the virus had redirected. This figure, however, includes everything: payments not made, and payments that were made but not authorized by the bank because the fraud was detected.

It also includes any test payments made by other researchers trying to understand the malware's behavior, tests made by the bad guys themselves, and even duplicated entries, as some customers tried to generate the same boleto several times. This value is unreal and incorrect; most boletos are worth far less. They also estimated the number of victims by counting unique IP addresses, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses.

So how much was really stolen with fraudulent boletos? In reality only the banks can suggest a final total. The year with the most losses so far was . One thing is certain: Brazilian cybercriminals are moving fast, adopting new techniques to continue attacking and stealing money from boletos. They would not waste their time if the scam was not profitable for them. This is a common question from users and businesses in Brazil working with boletos. Is it possible to use this payment method securely?

However, some Brazilian companies are concerned by the higher costs associated with DDA. At present no Trojan can modify a PDF boleto. Kaspersky Lab customers are protected against these attacks: the Safe Money technology included in our products can block them entirely by offering the option of opening pages in a safe mode where no malicious code can inject data.

This ensures that boletos can be generated securely.





Attacks against Boletos

