A month ago, the term “Boleto” might not have been familiar to anyone outside Brazil, but that hasn’t stopped it from working its way into the vernacular of many other languages after Boleto payments worth billions of dollars were hijacked.
A popular method of payment in Brazil, the Boleto is a bank slip used to purchase goods in both consumer and business-to-business transactions. The consumer is issued one or more slips, each of which is paid through their bank. With the ease of online banking, most people use the Internet to make these payments, or even pay for online purchases with Boletos directly.
Using sophisticated malware, criminals were able to hijack online Boleto payments and steal an estimated 3.75 billion USD from unsuspecting victims.
Who was affected?
A security company called RSA conducted a lengthy investigation of this attack and found that:
- More than 30 different banks in Brazil were affected
- 8,095 fraudulent Boleto ID numbers were identified
- There were an estimated 495,753 fraudulent transactions associated with this attack
- 83,506 user credentials were stolen
How did this happen?
Victims were infected with malicious software known as Bolware (Boleto malware) or Eupuds, depending on the anti-virus vendor. This malware targets computers running Microsoft Windows and activates when the victim opens their browser and a Boleto transaction is detected. It is a man-in-the-browser attack: the victim believes they are paying their vendor, when in reality the malware intercepts the transaction in the browser and redirects the payment to the attacker’s bank account. Because the victim sees nothing unusual and still receives a payment confirmation, nothing is suspected until the vendor complains that the payment never arrived. More technical details can be found in the RSA report.
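To make concrete why a redirected Boleto is so hard to spot, here is an added example (my own code, not from the original article or the RSA report). It follows the public FEBRABAN layout of the 44-digit bar code and the 47-digit typeable line (linha digitável): a mod-10 check digit on each of the three typeable fields and a mod-11 general check digit on the bar code. The sample bank codes, due-date factor, amount and campo livre are constructed for the example, and the assumption that the payee is identified by the bank code plus the bank-specific campo livre is mine. The point it demonstrates: a slip whose payee has been swapped and whose check digits were recomputed validates perfectly, so check digits are an integrity control against typos, not against tampering; only a comparison with what the merchant actually issued catches the swap.

```python
"""Boleto (FEBRABAN bank slip) check digits vs. payee comparison.

Added example, not code from the article or the RSA report. The bar-code
layout is the public FEBRABAN one; the sample values are constructed.
"""


def mod10(digits: str) -> int:
    """FEBRABAN modulus-10 check digit for the three fields of the typeable line.

    Weights 2,1,2,1,... applied from right to left; a two-digit product
    contributes the sum of its digits (prod - 9).
    """
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod < 10 else prod - 9
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """FEBRABAN modulus-11 general check digit (position 5 of the bar code).

    Weights 2..9 cycling from right to left over the other 43 digits.
    """
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - (total % 11)
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, due_factor: str, value_cents: int, campo_livre: str) -> str:
    """bank(3) + currency '9'(1) + DV(1) + due factor(4) + value(10) + campo livre(25)."""
    body = bank + "9" + due_factor + f"{value_cents:010d}" + campo_livre
    if len(body) != 43:
        raise ValueError("bar code body must be 43 digits before the general DV")
    return body[:4] + str(mod11(body)) + body[4:]


def barcode_to_linha(bc: str) -> str:
    """Typeable line: three mod-10 fields, the general DV, then factor + value."""
    f1 = bc[0:4] + bc[19:24]   # bank + currency + first 5 of campo livre
    f2 = bc[24:34]             # next 10 of campo livre
    f3 = bc[34:44]             # last 10 of campo livre
    return f1 + str(mod10(f1)) + f2 + str(mod10(f2)) + f3 + str(mod10(f3)) + bc[4] + bc[5:19]


def linha_to_barcode(ld: str) -> str:
    """Inverse of barcode_to_linha: drop the three mod-10 DVs and reorder."""
    return ld[0:4] + ld[32] + ld[33:47] + ld[4:9] + ld[10:20] + ld[21:31]


def checksums_valid(ld: str) -> bool:
    """True when all three mod-10 DVs and the mod-11 general DV are consistent."""
    if len(ld) != 47 or not ld.isdigit():
        return False
    fields = (ld[0:9], ld[10:20], ld[21:31])
    dvs = (ld[9], ld[20], ld[31])
    if any(str(mod10(f)) != d for f, d in zip(fields, dvs)):
        return False
    bc = linha_to_barcode(ld)
    return str(mod11(bc[:4] + bc[5:])) == bc[4]


def payee_fields(ld: str) -> tuple:
    """(bank code, campo livre): where the beneficiary is identified (assumption:
    the campo livre layout is bank-specific, but it carries the payee data)."""
    bc = linha_to_barcode(ld)
    return bc[0:3], bc[19:44]


def tampered(issued_ld: str, presented_ld: str) -> bool:
    """The check a merchant or bank can actually rely on: compare against the issued slip."""
    return payee_fields(issued_ld) != payee_fields(presented_ld)


def swap_payee(bc: str, new_bank: str, new_campo_livre: str) -> str:
    """What a man-in-the-browser does (assumed mechanics): keep due date and amount so
    the victim sees the expected values, replace the payee, recompute every DV."""
    return build_barcode(new_bank, bc[5:9], int(bc[9:19]), new_campo_livre)


# Constructed sample: a R$1,500.00 slip from a merchant at bank 001, and the same slip
# after the payee has been swapped to bank 237 with an attacker-controlled campo livre.
ISSUED_BC = build_barcode("001", "6000", 150000, "1234567890123456789012345")
ISSUED_LD = barcode_to_linha(ISSUED_BC)
FRAUD_BC = swap_payee(ISSUED_BC, "237", "9876543210987654321098765")
FRAUD_LD = barcode_to_linha(FRAUD_BC)

if __name__ == "__main__":
    print("issued   :", ISSUED_LD, "valid =", checksums_valid(ISSUED_LD))
    print("presented:", FRAUD_LD, "valid =", checksums_valid(FRAUD_LD))
    print("payee changed:", tampered(ISSUED_LD, FRAUD_LD))
```

Both lines print as valid, and the amount and due date are identical, which is exactly what the victim sees in the browser; only the payee comparison reports the swap. The practical consequence for a merchant is to reconcile incoming payments against the bank code and beneficiary of the slips it issued, and for a payer to compare the bank and beneficiary printed on the original slip with what the bank shows at payment time.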
How were consumers notified?
Since this attack affected more than 30 banks, there was no single notification. Each institution is responsible for notifying its own customers, which many have done through emails, letters and announcements on their websites. Since the news media has also covered this story over the past few days, many victims learned of it that way as well.
How were consumers impacted?
Unlike a credit card transaction, which can be charged back when fraud is suspected, a Boleto is a push payment: once the bank has paid the account on the slip, the money can only come back as a refund from the recipient. Since the criminals are not issuing refunds, and no one has been caught yet, consumers who have fallen prey to this fraud have little recourse. The stolen money cannot be recovered, and consumers still owe the merchants for the hijacked Boleto transactions.
How was the company impacted?
Since it was the customers who were attacked, not the banking institutions, there is little the banks are obliged to do in this case beyond assisting the customers who were victimized.
A majority of Brazilian banks require online banking customers to install a security plug-in that hooks into the user’s browser and is designed to block malware attacks. This malware, however, circumvents those plug-ins. To better serve their customers, most banks will likely research how these security features can be extended to protect against this type of attack as well.
How can they fix it?
Since this attack was launched against the user, fixing the problem largely falls into their hands. Not many people (Brazilians included) run the latest versions of their anti-virus software. This needs to change: AV software needs to be current in both its version and its virus definitions. Anti-virus alone is not enough against a man-in-the-browser, though, so before paying a Boleto online the payer should compare the bank and beneficiary printed on the original slip with what the bank shows at payment time, since the amount and due date are exactly what this malware leaves untouched. People also need to learn to spot malicious activity, whether in their email, on their desktop or when surfing the web. Only once users become better educated will we start to see a reduction in cyber crime.