What Can We Learn From the Billion Dollar Brazilian Boleto Scam?

A Brazilian cybercriminal scam targeting a popular payment method known as Boletos is costing that country billions. How can you protect yourself?

If you’re a regular reader with a remarkable capacity to recall unique words (or just a resident of Brazil), then you might recognize the term “Boleto.” We first became aware of a scam involving Boletos –a popular payment method in Brazil – back in February at Kaspersky Lab’s annual Security Analysts Summit. Now the term is back in the news following RSA’s publication of a research paper suggesting that Boleto-related fraud cost South America’s most populous country $3.75 billion in 2012.

Boletos are special invoice documents issued by banks and businesses that are used not only to pay bills but also more broadly to pay for goods and services. With a little hacking and a lot of social engineering, Brazilian cybercriminals have been making serviceable counterfeit Boletos, which they can print and use to transfer money out of out of bank accounts that belong to the people whose Boletos the criminals are mimicking.

That $3.75 billion dollar is hotly contested. According to our friends at Threatpost.com, the Brazilian banking association FEBRABAN estimates that Boleto-related fraud accounts for just $700 million. In private conversations, I have been told the number may sit near $1.1 billion. Whichever is correct, Boletos are costing Brazil a lot of money, as Kaspersky Lab security experts Fabio Assolini and Santiago Pontiroli noted at SAS earlier this year.

“Brazil may be proud of not only its football team, but its developed economy and modern banking ecosystem as well. Unfortunately, the country has a developed cyber-underground as well.”

Another of Kaspersky’s global research and analysis team members, Dimitry Bestuzhev, explained to the Kaspersky Daily that as Brazil has developed into the economic powerhouse of South America, so has that country’s cybercriminal underground.

“Brazil may be proud of not only its football team, but its developed economy and modern banking ecosystem as well,” Bestuzhev said in an interview that coincided with the playing of the World Cup in the country. “Unfortunately, the country has a developed cyber-underground as well.”

Bestuzhev went on to explain that there are large numbers of criminals that deploys so called ‘bankers’ in Brazil. ‘Bankers’ is just his term for banking trojans or malware designed with malicious code that steals financial data from victims in or near Brazil.

“The Brazil-specific twist is a popular, alternative payment system, called a ‘Boleto,'” he explained. “Boletos are very popular, because anyone paying with Boleto typically receives an additional discount.”

Bestuzhev noted that these scams aren’t new – citing Assolini and Pontirolli’s SAS briefing – and also contested RSA’s figures, saying their loss estimation is “way overblown.”

The trick is not a complicated one, Bestuzhev explained. While a user is printing their Boleto, a Trojan on the victim’s computer modifies that Boleto’s barcode. The printed Boleto is then useless. The criminal then uses the legit Boleto-barcode in order to transfer money into his or her own account.

“Ordinary users must utilize a strong antimalware protection system to prevent their machines from being infected,” Bestuzhev said. “However, more efficient technologies, like Kaspersky Safe Money, can prevent theft even when a machine is infected.”

In other words, stay smart; follow the security advice you read here and elsewhere. All you really need to do to protect yourself from these Boleto scams is run a solid antivirus product.

Assolini will be presenting new information about Boleto scams at the upcoming Virus Bulletin Conference in Seattle in September. A corresponding blog-post will be published on Securelist (which just got a slick redesign!).

Tweet translation: Our Safe Money technology protects against trojans and malicious BHO extensions that alter Boletos.