RSA researchers released details Wednesday of a botnet crime ring that has reaped an estimated US$3.75 billion through man-in-the-browser attacks that seamlessly intercept payment of Boletos -- Brazil's version of a money order.
The Boleto, or Boleto Bancário, is the second most common form of payment in Brazil, after credit cards.
According to evidence published by RSA in a new report, the malware fraud ring RSA calls 'the Bolware operation' currently affects at least 34 different bank brands in Brazil.
The researchers believe that Boleto Malware (or "Bolware") likely compromised 495,753 Boleto transactions over a two-year period.
First spotted in the wild in late 2012, Boleto Malware uses MITB (Man-in-the-browser) attacks, based on transaction modification on the client side.
The Boleto malware (also known by AV engines as "Eupuds") infects web browsers on Windows-based PCs, and then intercepts and modifies the Boleto information exchanged between customer, bank and merchant -- so payments are redirected to an account that belongs to the Bolware crime ring.
RSA notes that it appears to affect only Boletos generated or paid online on an infected Windows PC -- it targets computers running Windows 7 (73%), Vista, 8 and XP (17%). "The malware relies on UPX to pack a compiled AutoIt script. The AutoIt script task is to inject binary code into a system process that will search for browser processes in order to inject malicious code inside of them."
On the Windows PC, Bolware targets three web browsers: Internet Explorer (48.7%), Chrome (34%) and Firefox (17.3%).
RSA Research also reports:
- The overall number of infected PCs (bots, counted by unique IP address) is 192,227.
- RSA Research has been able to identify 8,095 unique fraudulent Boleto ID numbers (tied to a total of 495,753 potentially fraudulent transactions) that the fraudsters have been using to steal and transfer money to their (mule) accounts.
- RSA Research has discovered 83,506 email user credentials that were stolen and collected by the Boleto malware.
- The total value -- potential loss -- of all Boletos that were modified by Bolware and are currently stored in the C&C server is estimated to be up to R$8,572,513,355.59 (US$3,753,946,994.04 or €2,760,517,477.32).
RSA's paper explains, "The actual amount the fraudsters were able to redirect to their accounts and were actually paid by the victims is unknown."
Because the malware operates inside the browser (MITB), its activity is invisible to both the victim and the web application.
The malware hides itself well. RSA's report explains, "The main protection is actually found in the malware itself. The malware is an obfuscated and compiled AutoIt script, packed with UPX, making it a challenge to analyze and reverse engineer. To make itself persistent, the malware copies itself into the Application Data folder, and adds a registry key to run at startup."
Once it has injected itself into the victim's browser, it looks for specific, bank-issued versions of client-side security plug-ins. Then the malware detects their shared libraries, and patches them in real-time, efficiently and effectively neutralizing their functions.
The security plug-in looks like it's functioning normally.
For example, in one specific case RSA Research analysts noticed that upon detection of one of these security solutions, the malware accessed the plug-in memory area, and modified a conditional JMP to a regular JMP operation, thus neutralizing the plug-in capabilities and presenting the user with a false sense of security.
RSA's paper on the massive fraud ring explains, "Because of its stealth capabilities, end users also have little chance of detecting Boleto fraud on their own."
At the other endpoints, transactions arrive from regular, well-known computers, IP addresses and accounts -- so there is no reason for suspicion.
Boletos function the same way as an American money order, a payment voucher equivalent to cash that customers can obtain from ATMs, lotto houses, post offices, in person at a bank, and via electronic payment systems (online banking). Boletos are printed and mailed to customers, or utilized online by online merchants for electronic payments.
RSA notes, "Until recently, the most common attack used forged Boletos that are generated offline by fraudsters and sent to victims using social engineering (via e-mail spam or even by regular physical mail)."
Bolware finds its way onto computers the way most malware does: through email.
One fateful unknowing click later, the browser is quietly infected.
After the malware injects itself into the browser, it starts to intercept all the communication through the code hooks, searching for the triggers. Once a trigger is found, the malware can perform some actions depending on the trigger.
It can search for bank codes and the ID number field in the HTML page to replace them if a Boleto was found, or it can search for [email] credentials in order to collect them.
The malware is harvesting its victims' email credentials to continue the spread of infection.
Although not directly related to the Boleto payment systems, the malware also collects user credentials from Microsoft online email services such as live.com, hotmail.com and outlook.com.
It appears that these stolen credentials are being used to support infection campaigns by spreading spam email.
Specifically, the researchers say Boleto malware creates three threads to perform the following operations:
1. Copies itself to the file system to maintain persistence, as a hidden file with random folder and filename under: C:\Documents and Settings\<username>\Application Data
2. Creates a new entry in Windows Registry to run automatically at the next system restart: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
3. Initializes Windows shared libraries, and creates hooks in communication APIs
With Boletos comprising 18% of payment processing in Brazil, the impact of RSA's discovery can't be overstated.
One piece of good news is that no evidence has been found of Boleto Malware on Boleto mobile apps or digital wallets.
Members of Brazil's banking industry association FEBRABAN (Federation of Brazilian Banks) tell RSA that, for the moment, these represent safe Boleto payment alternatives.
Another silver lining is the fact that government-issued Boletos (for payment of taxes and other municipal fees) also don’t appear to be affected by the Bolware operation.
Prior to today's publication of its Boleto Malware report, RSA provided its research and a stockpile of fraudulent Boleto ID numbers and IOCs (indicators of compromise) to the FBI and Brazil's Federal Police. RSA also reached out to some of the affected Brazilian banks.
RSA is working with these entities on the investigation, while also helping to develop and advise on mitigation countermeasures within the many Brazilian banks that process Boletos, including leveraging RSA's FraudAction Service to help shut down infection points in the wild and blacklist fraudulent Boleto IDs.
Eli Marcus of RSA's FraudAction Knowledge Delivery team wrote in RSA's announcement blog post, "RSA urges consumers to be vigilant when handling Boleto payments and to verify that all the details, specifically the Boleto ID, are genuine prior to confirming payments."
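The fields Bolware swaps in the page (bank code and Boleto ID number) and the advice above to verify the Boleto ID are what this added example checks. It is not code from RSA's report: a validator for the 47-digit Boleto "linha digitável" in the FEBRABAN bank-collection layout that verifies the three per-field mod-10 check digits and the general mod-11 check digit, rebuilds the barcode, and extracts the bank code and amount for comparison with the merchant's invoice. The sample Boleto is constructed, and the `payee_is_expected` check is the defender-side point: correct check digits alone do not prove a Boleto is genuine.

```python
import re

# Constructed sample, not a real Boleto: a well-formed 47-digit "linha digitavel"
# for bank code 001, R$123.45, due-date factor 9000 and a made-up 25-digit free field.
SAMPLE_LINHA = "00191.23454 67890.123457 67890.123457 9 90000000012345"

def mod10(digits):
    """Per-field check digit: weights 2,1,2,1,... from the right, summing product digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        p = int(ch) * (2 if i % 2 == 0 else 1)
        total += p // 10 + p % 10
    return (10 - total % 10) % 10

def mod11(digits):
    """General check digit over the 43 non-DV barcode digits: weights 2..9 cycling from
    the right; a result of 0, 10 or 11 is replaced by 1."""
    total = sum(int(ch) * (2 + i % 8) for i, ch in enumerate(reversed(digits)))
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def parse_linha_digitavel(linha):
    """Validate all four check digits, rebuild the 44-digit barcode and return the
    fields a payer should compare with the merchant's invoice."""
    d = re.sub(r"\D", "", linha)
    if len(d) != 47:
        raise ValueError("linha digitavel must have 47 digits")
    f1, f2, f3, f4, f5 = d[0:10], d[10:21], d[21:32], d[32], d[33:47]
    for field in (f1, f2, f3):
        if mod10(field[:-1]) != int(field[-1]):
            raise ValueError("field check digit mismatch")
    # Barcode layout: bank(3) currency(1) DV(1) due factor(4) value(10) free field(25)
    barcode = f1[:4] + f4 + f5 + f1[4:9] + f2[:10] + f3[:10]
    if mod11(barcode[:4] + barcode[5:]) != int(barcode[4]):
        raise ValueError("general check digit mismatch")
    return {"bank_code": barcode[0:3], "due_factor": barcode[5:9],
            "amount_centavos": int(barcode[9:19]), "barcode": barcode}

def payee_is_expected(linha, expected_bank_code):
    """Defender check: the bank code embedded in the Boleto must match the bank the
    merchant says it uses. Valid check digits alone prove nothing, because a
    substitute Boleto generated by the fraudsters will carry correct check digits."""
    return parse_linha_digitavel(linha)["bank_code"] == expected_bank_code

if __name__ == "__main__":
    info = parse_linha_digitavel(SAMPLE_LINHA)
    print(info, "payee ok:", payee_is_expected(SAMPLE_LINHA, "001"))
```

A bank code overwritten in the page without recomputing the check digits is caught by `parse_linha_digitavel`; a fully regenerated fraudulent Boleto is only caught by comparing `bank_code` (and the amount) against what the merchant actually uses.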
Because the Bolware gang has been spreading their malware mainly through phishing and spam, consumers in Brazil are also urged to take care when clicking on links or opening attachments in emails or social media messages from unknown senders and to use updated anti-virus software to help protect their PCs from infection.
It's amazing how often we hear this caution.
It's even more amazing to consider that if a few hundred thousand people hadn't clicked on random yet inviting-looking links from unknown senders, sent by a crime ring running a bait-and-switch browser attack, Brazil's banking system wouldn't be in the hole to the tune of an estimated US$3.75 billion.