RSA Uncovers Boleto Fraud Ring in Brazil

With the 2014 World Cup in full swing, all eyes have been on Brazil since the middle of June. As the world watches their favorite national teams battle on the pitch, IT security professionals at a number of Brazil’s banks are being challenged in a separate battle of their own with cybercriminals.

Through a coordinated investigation spanning three continents, RSA Research has uncovered details of a substantial malware-based fraud ring that is operating with significant effectiveness to infiltrate one of Brazil’s most popular payment methods – the Boleto.

Based on evidence gleaned from this fraud investigation, RSA Research discovered a Boleto malware or “Bolware” fraud ring that may have compromised 495,753 Boletos transactions over a two-year period. While the investigation did not yield evidence as to whether the fraudsters were successful in collecting on all of these compromised transactions, RSA researchers did find evidence of their value – estimated to be up to $3.75 Billion USD (R$ 8.57 Billion).

Boleto Bancário, or simply Boleto, is a financial instrument that enables a customer (“sacado”) to pay an exact amount to a merchant (“cedente”). Any merchant with a bank account can issue a Boleto associated with their bank; that Boleto is then sent to the consumer to pay anything from their mortgage, energy bills, taxes or doctor’s bills via electronic transfer. Boletos can be generated both offline (printed copies) and mailed to customers, or online (by online stores for example) for electronic payments. Their popularity has risen because of the convenience for consumers who don’t require a personal bank account to make payments using Boletos.

The Boleto system is regulated by Banco Central do Brasil (Brazilian Central Bank) and has become the second most popular payment method (behind credit cards) in Brazil. E-bit, an e-commerce market research firm in Latin America estimates that 18% of all purchases in Brazil during 2012 were transacted via Boletos.


Figure 1: example of a Boleto that was generated online

Boleto Fraud

Until recently, the most common attack used forged Boletos that are generated offline by fraudsters and sent to victims using social engineering (via e-mail spam or even by regular physical mail). The altered Boletos appear very similar to the legitimate Boletos, but the barcode and the ID number fields are modified so that payment is redirected to a fraudster’s (mule) bank account. On the other hand, fields such as due date, merchant’s identification and money value often remain unchanged, making the fraud very hard to notice.

Enter the Boleto Malware – a newer and more sophisticated kind of fraud in Brazil that leverages MITB (Man-in-the-browser) technology to attack onlineoperations, and is based on transaction modification on the client side.

The Boleto malware first seen in the wild in late 2012 (also known by AV engines as “Eupuds”), infects web browsers on Windows-based PCs (Google Chrome, Mozilla FireFox and Microsoft Internet Explorer), and then intercepts and modifies the Boleto information so that payments are redirected to a fraudster’s account. Since the malware is MITB, all malware activities are invisible to both the victim and the web application. Banks in Brazil have made significant investments to battle this malware using a variety of different security and anti-malware measures since its discovery. Like any substantial cybercriminal operation, the Bolware gang has continued to innovate, revising their purpose-built malware through 19 different versions.



Figure 2: Boleto malware – how it works

The Bolware gang’s methods appear to be quite effective. To date, RSA Research has discovered the total value of all Boletos that were modified by this malware and stored inside the Bolware C&C server is estimated to be up to US$3.75 billion. It is important to note that this is an estimated number based on the discovery of 8,095 fraudulent Boleto ID numbers tied to 495,753 compromised transactions. While the fraudsters behind this operation may have had the potential to cash out these modified Boletos, it is not known exactly how many of these Boletos were actually paid by the victims and whether all the funds were successfully redirected to fraudster-controlled bank accounts.

RSA Research has also discovered:

  • 192,227 – number of Bolware bots (infected and compromised computers) detected by RSA Research, according to unique IP addresses
  • 83,506 – number of email user credentials stolen and collected by the Boleto malware
  • 8,095 – number of fraudulent Boleto IDs
  • 34 – number of specific bank brands affected by the Bolware operation

Boleto malware is a major fraud operation and a serious cybercrime threat to banks, merchants and banking customers in Brazil. While the Bolware fraud ring may not be as far-reaching as some larger international cybercrime operations, it does appear to be an extremely lucrative venture for its masterminds.  As outlined in the detailed analysis from RSA Research, the developers have gone to great lengths to make Bolware effective and also hard to detect – refining features designed to evade detection and clean-up by endpoint anti-malware products.


Figure 3: Boleto malware geographic distribution

Mitigation and What’s Next?

RSA has turned over its research along with a significant number of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to both U.S. (FBI) and Brazilian law enforcement (Federal Police) and have been in direct contact with a number of Brazilian banks. RSA is working together with these entities in the investigation while also helping to develop and/or advise on the implementation of various mitigation countermeasures within the many banks in Brazil that process Boletos including leveraging RSA’s FraudAction Service to help with shutting down infection points in the wild and blacklisting fraudulent Boleto IDs.

RSA FraudAction can identify all Boleto malware-generated ID numbers and pass these altered Boleto numbers along to its customers as a blacklist feed. The altered fraudulent Boleto numbers contain information that the banks can use to block fraudulent transfers and track accounts that received the payment and prevent further payments to potentially fraudulent accounts.

While the Boleto malware and the manner in which it modifies Boleto transactions is difficult to detect, it appears to affect only Boletos that are generated or paid online via infected Windows-based PCs using three popular web browsers. RSA Research has not seen evidence of compromise with transactions via Boleto mobile applications or DDA (authorized direct debit) digital wallets. And while user adoption of Boletos transactions through these methods is still small, members of Brazil’s banking industry association FEBRABAN (Federation of Brazilian Banks) tell RSA that for the moment, these represent safe Boletos payment alternatives. Another silver lining is the fact that government-issued Boletos (for payment of taxes and other municipal fees) also don’t appear to be affected by the Bolware operation.

RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID are genuine prior to confirming payments. Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from unknown senders and to use updated anti-virus software to help protect their PCs from infection.

RSA is continuing to actively monitor this situation while working closely with Brazilian financial institutions and law enforcement to assist in mitigating the Bolware threat.

For more detailed information on the Bolware Operation, check out the full report by RSA Research:“RSA Discovers Massive Boleto Fraud Ring in Brazil.”

RSA Research Team members Rotem Kerner, James Winston, Jonathan Zkez contributed to this report.


Content and liability disclaimer

This Research Paper is for general information purposes only, and should not be used as a substitute for consultation with professional advisors. EMC has exercised reasonable care in the collecting, processing, and reporting of this information but has not independently verified, validated, or audited the data to verify the accuracy or completeness of the information.  EMC shall not be responsible for any errors or omissions contained on this Research Paper, and reserves the right to make changes anytime without notice. Mention of non-EMC products or services is provided for informational purposes only and constitutes neither an endorsement nor a recommendation by EMC. All EMC and third-party information provided in this Research Paper is provided on an “as is” basis.


In no event shall EMC be liable for any damages whatsoever, and in particular EMC shall not be liable for direct, special, indirect, consequential, or incidental damages, or damages for lost profits, loss of revenue or loss of use, cost of replacement goods, loss or damage to data arising out of the use or inability to use any EMC website, any EMC product or service. This includes damages arising from use of or in reliance on the documents or information present on this Research Paper, even if EMC has been advised of the possibility of such damages.

No Comments