• Visit Our Network:
  • AFP
  • CTP Certification
  • FP&A Certification
  • AFP Annual Conference
  • CTC
  • CIEBA
The Resource for the Global Finance Profession

AFP Fraudwatch: Brazilian Fraud Ring Steals $3.75 Billion

  • By Andrew Deichler
  • Published: 2014-07-07

AFP compiles the most alarming—and informative—payments fraud news relevant to corporates in AFP Fraudwatch. This column is part of AFP’s Payments Fraud Resource Center and is intended to keep you aware of the latest threats to your organization.

Fraudsters Exploit Brazilian Payment Method to Net $3.75 Billion

While the World Cup is the biggest news coming out of Brazil these days, another, much more alarming story also is grabbing headlines. For the past two years, fraudsters exploiting Brazil’s popular boleto payment method are believed to have stolen nearly US$4 billion. That’s right: billion.

The boleto system, the second most popular payment method in Brazil, accounted for about 18 percent of all Brazilian spending in 2012. The system uses merchant-generated invoices (called boletos) for retail and business-to-business payments. Boletos are used to complete online purchases via bank websites, but unlike credit card transactions, boleto payments are not subject to chargebacks and can only be reverted by bank transfer.

RSA, the security division of EMC, has learned that a fraud ring known as the “Bolware” operation may have compromised nearly 500,000 boleto transactions through man-in-the-browser attacks, hitting 34 banks over a two-year period. RSA estimated that fraudsters may be responsible for US$3.75 billion in losses from more than 192,000 accounts.

The malware (known as “Eupuds”) lies undetected on a computer until the user visits their bank website and fills out account information for the recipient of a boleto transaction. The unknowing victim submits the transfer for payment and the malware modifies the request by substituting a recipient account controlled by the fraudsters, explained Brian Krebs of Krebs on Security. The criminals are believed to have used more than 8,000 separate accounts to receive stolen funds.

Though many of these hijacked boleto transactions have been for low-dollar amounts, this has been a lucrative endeavor for fraudsters. Krebs noted that one boleto botnet hijacked 383 transactions between February and June, stealing about US$250,000.

Most Brazilian banks require online banking customers to install security plug-ins that block malware attacks. However, the Bolware operation’s malware can disable those plug-ins. It also harvests usernames and passwords from victims’ computers. To date, more than 83,000 user credentials have been stolen.
The malware currently only targets transactions processed on PCs running Microsoft Windows. RSA recommends that Brazilians who still wish to use boletos for online payments use mobile devices to do so.

Still, transacting via mobile may not safe for long, either. “We’re concerned that the attackers will be able to develop the malware for other platforms,” said Jason Rader, director of cyber threat intelligence with RSA. “These attackers have online and offline techniques, and they’ve understood vulnerabilities in these operating systems.”

Anti-Spam Violations Already Sky-High in Canada

The Canadian Radio-television and Telecommunications Commission (CRTC) has received more than 1,000 complaints since Canada’s new anti-spam legislation took effect July 1, the Canadian Press reported. The new law aims to protect Canadian consumers from spam and online threats, such as identity theft, phish and spyware.

Manon Bombardier, chief compliance and enforcement officer for the CRTC, said Friday that hundreds of reports are being submitted daily at fightspam.gc.ca and investigators are already looking into potential violators. “We have received a number of complaints, and the numbers will keep going up for sure, but really for us the positive message is Canadians are seeing the importance of the legislation and they are reporting (spam) to the CRTC as the mechanism allows them to do,” she said.

Under the new law, companies must written or oral consent from consumers before they send emails or other digital messages. Companies are also required to clearly identify themselves in each message and provide an option to unsubscribe from mailings. Companies that violate the law face financial penalties of up to $10 million per violation, while individual violators face fines up to $1 million.

Late last month, Microsoft sent out a notice that it would cease informing IT professionals and others of security updates via email, due to Canada’s anti-spam law. However, it reversed that decision on June 30.

Copyright © 2015 Association for Financial Professionals, Inc.
All rights reserved.

Copyright © 2015 Association for Financial Professionals, Inc. - All rights reserved.
AFP, 4520 East-West Highway, Suite 750, Bethesda, MD 20814, Phone 1.301.907.2862
Follow Us AFP on LinkedInAFP on TwitterAFP on YouTubeAFP FacebookAFP Newsfeed