Cyber-Attacks Seen Defrauding Brazilian Payment System of Billions
By Robert Lemos
| Posted 2014-07-06
Cyber-criminals have abused the Boleto Bancário online
payment system to steal potentially billions of dollars, according to security
firm RSA.
Cyber-criminals have infected nearly 200,000 computers in
Brazil and used their access to issue payment vouchers with an estimated value
of $3.75 billion, according to an analysis of the attack published by security
firm RSA on July 1.
Dubbed the "Bolware" gang, the criminals abused
the Brazilian payment system known as Boleto Bancário, which allows customers
to promise to pay an online merchant, print out a payment slip with a barcode
and remit money at a bank. While previous attempts to defraud the payment
system used fake boleto, the latest attack, which started in late 2012, infects
Web browsers on compromised computers and modifies legitimate boleto to route
payment to the criminal accounts.
"The Boleto Malware (is) a newer and more
sophisticated kind of fraud in Brazil that leverages MITB (man-in-the-browser)
technology to attack online operations, and is based on transaction
modification on the client side," RSA stated in its analysis. "Like
any substantial cyber-criminal operation, the Bolware gang has continued to
innovate, revising their purpose-built malware through 19 different
versions."
While the details of the fraud differ from payment fraud
in other nations, the techniques—such as using man-in-the-browser attacks—are
similar to how criminals are attempting to steal money from financial
institutions in the U.S. and Europe. Criminals adopted man-in-the-browser
attacks to defeat additional countermeasures—such as IP address and device
identification—deployed by financial institutions.
"It is a class of problem where the arms race has
migrated," said Dan Kaminsky, co-founder and chief scientist of White Ops,
an anti-fraud technology firm. "Once upon a time, it was good enough to
steal a customer's username and password and log into the bank from wherever
and do whatever you wanted, but they soon figured out that a California
customer should not be logging in from Latvia."
While banks in Brazil and other nations continue to fight
against payment fraud, such attacks expose weaknesses and undermine trust in
the financial ecosystem in most countries.
Because customer-owned computers are generally thought to
work on behalf of the user, banks typically argue that any fraud that
originates from compromised customer systems is the responsibility of the
victims. Such fraud rose more than 200 percent in the first nine months of
2013, according to Symantec.
Small U.S. businesses, for example, have lost hundreds of
thousands of dollars to such attacks and sued their banks for allowing funds to
be transferred to foreign nations, even though it was the business's machine
that was compromised. Courts have generally split on whether the business is
responsible for the lost money or if banks should catch anomalous transactions
and perform extra security measures.
A similar scam, where the attacker changed the banking
information to which publisher Conde Nast sent funds, resulted in $8 million
being transferred in six weeks, but the money was frozen before attackers could
transfer it to their own bank accounts.
While the Brazilian crime network is not large compared
to other botnets, the potential profits for its operators are huge, according to
RSA.
"Boleto malware is a major fraud operation and a
serious cyber-crime threat to banks, merchants and banking customers in
Brazil," the company stated. "While the Bolware fraud ring may not be
as far-reaching as some larger international cyber-crime operations, it does
appear to be an extremely lucrative venture for its masterminds."