Professor outlines the Boleto fraud and that you don't need a fast car to rob a bank anymore

05/07/2014

The research team at Edinburgh Napier University has been investigating the methods behind the Boleto scam and has outlined them in this blog entry; a summary is given below. At Edinburgh Napier University we have active research work on man-in-the-browser attacks, the technique on which this fraud was based.

Introduction

The number of physical robberies of banks has slipped to almost zero, but the amount of money banks lose through electronic methods has rocketed. With physical security it is easy to put up CCTV cameras, bullet-proof glass and alarm bells, but in an electronic world there are an almost infinite number of ways to commit fraud. There are also many more targets in an electronic world: criminals can focus their efforts on the customer, the bank or the merchant. With very little effort, criminal gangs can install malware in any part of the e-commerce infrastructure and either steal user credentials or modify transactions. It might be said that this is a victimless crime, but that would be wrong: large-scale fraud can have serious implications for the global financial market and for user trust. The large-scale fraud at Boleto should serve as a wake-up call for the finance industry and for governments around the world. In fact, it could be the largest electronic theft in history.

What happened at Boleto?

Boleto is one of Brazil's most popular payment methods, and just last week it was discovered to have been infected, for over two years, by malware. There are no firm figures on the extent of the compromise, but up to 495,753 Boleto transactions were affected, with a possible loss of $3.75bn (£2.18bn).

Boleto is the second most popular payment method in Brazil, after credit cards, and accounts for around 18% of all purchases. It can be used to pay a merchant an exact amount, and is typically used to pay phone and shopping bills. The operation infected PCs using standard spear-phishing methods, managed to infect nearly 200,000 PCs, and stole over 83,000 sets of user email credentials. It used a man-in-the-browser attack, in which the malware sits inside the browser (Google's Chrome, Mozilla's Firefox and Microsoft's Internet Explorer were all affected) and intercepts Boleto transactions. The reason the impact was so great is that Boleto is only used in Brazil, so malware-detection software had not targeted Boleto-specific malware, as it is a limited market.

Was Boleto secure?

While it was generally seen as secure, Boleto has been identified as being open to a 'check-bounce' scenario, where a payment looks as if it has gone through and the goods are delivered, but the transaction eventually bounces. In a typical transaction the bank notifies CyberSource Latin American Processing that a boleto has been paid, and the notification indicates whether the payment status is paid or not paid. In the case of a check, the status is set to non-payment. Fraud is therefore possible when the goods are delivered before the payment has cleared. When the payment status is set to 'paid', the transaction is reported in the Payment Events Report. Unfortunately there are no chargebacks on Boleto transactions; a boleto is paid by cash, by check or through an online bank transfer. There is some protection for consumers in using Boleto, though, as they are allowed seven days to 'regret' the payment and ask for a refund.

So who was the man-in-the-browser?

In this case the man-in-the-browser was Eupuds, which infects web browsers on Windows-based PCs, including Internet Explorer, Firefox and Chrome, and also steals account information for live.com, hotmail.com and facebook.com. It persists by creating a program on disk at (where c:\users\fred is the home directory):

c:\users\fred\Application Data\[RANDOM CHARACTERS].exe

and then adds an entry for it under the Windows registry Run key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS].exe" = "c:\users\fred\Application Data\[RANDOM CHARACTERS].exe"

In this way the Trojan program is always started when the computer is booted.
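As an added, defender-side illustration of the persistence mechanism just described (example code written for this page, not code from the research team or from the malware), the following Python script reviews a text export of a user's Run key, written in the `"name" = "command"` form the page uses, and flags entries that follow the pattern above: an executable launched from the user's Application Data folder (or its later AppData\Roaming equivalent) with a random-looking name. The sample entries, the vowel-ratio heuristic and the severity rule are constructed assumptions; a legitimate updater placed in the same folder is included to show that the name heuristic alone does not decide the verdict.

```python
"""Review Windows Run-key entries for the persistence pattern described
in the text: a random-named executable started from the user's
Application Data folder.  Added example, not code from the page or the
malware; the sample entries and the heuristics are constructed."""
import ntpath
import re

# Constructed sample export of HKEY_CURRENT_USER\...\CurrentVersion\Run,
# one '"name" = "command"' pair per line, as the page writes them.
SAMPLE_RUN_ENTRIES = r'''
"OneDrive" = "c:\users\fred\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"
"Xk3pQ9vz.exe" = "c:\users\fred\Application Data\Xk3pQ9vz.exe"
"Spotify" = "c:\program files\spotify\spotify.exe --autostart"
"Updater" = "c:\users\fred\Application Data\updater.exe"
'''

ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<cmd>[^"]*)"$')
# "Application Data" on XP-era profiles, "AppData\Roaming" on Vista and later
USER_DATA_RE = re.compile(
    r"\\users\\[^\\]+\\(application data|appdata\\roaming)\\", re.IGNORECASE)
VOWELS = set("aeiou")


def parse_run_entries(text):
    """Return (value_name, command_line) pairs from the export text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("name"), m.group("cmd")))
    return entries


def executable_from(cmd):
    """Cut the command line at the first '.exe', dropping any arguments."""
    m = re.match(r"\s*(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def looks_random(stem):
    """Constructed heuristic for '[RANDOM CHARACTERS]' names: letters mixed
    with digits, or fewer than a quarter of the letters being vowels."""
    letters = [c for c in stem if c.isalpha()]
    if not letters:
        return False
    if any(c.isdigit() for c in stem):
        return True
    vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
    return vowel_ratio < 0.25


def review_run_entries(text):
    """Flag entries; 'high' when both indicators are present, else 'low'."""
    findings = []
    for name, cmd in parse_run_entries(text):
        exe = executable_from(cmd)
        exe_stem = ntpath.splitext(ntpath.basename(exe))[0]
        name_stem = ntpath.splitext(name)[0]
        reasons = []
        if USER_DATA_RE.search(exe):
            reasons.append("runs from the user's Application Data folder")
        if looks_random(name_stem) or looks_random(exe_stem):
            reasons.append("random-looking name")
        if reasons:
            findings.append({
                "name": name,
                "exe": exe,
                "severity": "high" if len(reasons) == 2 else "low",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in review_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"[{f['severity']}] {f['name']} -> {f['exe']}: "
              + "; ".join(f["reasons"]))
```

Run as a script it prints one line per flagged entry; the random-named executable under Application Data scores `high`, the plainly named updater in the same folder scores `low` for review, and the two programs in ordinary locations are not reported. The heuristic is deliberately simple; any real triage would add the file's signature status and creation time, which the page does not discuss.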

Conclusions

Spear phishing is the most common way of getting malware onto a machine these days: users are sent emails containing links, and when a user clicks on one, a program is run on their computer which installs the malware. In this case it was a Trojan which intercepted the communications between the browser and the website, and was set up to detect Boleto payments. The malware was also able to intercept email login details. So what is the solution? Users need to watch what they click, and also patch their systems.

What is most worrying about this type of fraud is that it could compromise the whole of the finance industry, and could even bring down major finance companies, and even nation states, with a single large-scale event. The target is slowly moving to end users: as long as there is one person willing to click on a link in an email, there will be the potential for fraud.

If you are interested, this presentation shows a real-life Trojan infection, which uses the same methods as those used in this fraud.

Associated people

William Buchanan
Director of CDCS
w.buchanan@napier.ac.uk
+44 131 455 2759