The number of actual physical robberies on banks has slipped to almost zero, but the amount of money that they are losing through electronic methods has rocketed. With physical security it’s so easy to put up CCTV cameras, bullet proof glass, and have alarm bells, but in an electronic world there are an infinite ways to commit fraud. In fact there are so many targets in a electronic world, and criminals can focus their efforts on the customer, the bank, or the merchant. With virtually no effect at all criminal gangs can install malware within any part of the e-Commerce infrastructure, and either steal user credentials or modified transactions. While we may say that it is a victimless crime, we would be wrong, as large-scale fraud can have serious implications on the global financial market, and also on user trust.
In fact from the early days on the Internet, individuals have been find ways round the processes in the place (Figure 1). This includes John Draper (or Captain Crunch) who used a whistle tuned to 2.6kHz to place long distance calls that was given free in the cereal pack, to Vladmin Leven, from Russian, who siphoned off millions from Citibank. As we will find, these days, any script kiddie can create their own targeted attack on users, and it does not need extensive programming skills, or even a deep knowledge of how the e-Commerce infrastructure works. A key target, though, is the end user, as they tend to be the weakest link in the chain.
The latest targeted malware, most probably setup by Brazilian organized crime gangs has hijacked boleto transactions in Brazil for a vast amount of low-dollar transactions. It works by tricking users to install a piece of malware on their system which waits until the user visits their bank’s Web site. On detecting this, the malware fills-out all the required information for account require for the recipient of a boleto transaction. The malware then submits the transfer for payment, and modifies it by substituting a recipient account for the attackers one.
What happened with Boleto?
In July 2014, RSA announced a large-scale fraud of Boleto Bancário (or Boleto as it is simply known), and which should serve as a wake-up call for the finance industry, and governments around the World. In fact, it could be the largest electronic theft in history ($3.75bn). Overall with the fraud there were nearly 200,000 infected IP addresses that had the infection on their machine. A boleto is similar to an invoice issued by a bank so that a customer (“sacado”) can pay an exact amount of a merchant (“cedente”). These can be generated in an off-line manner (with a printed copy) or on-line (such as in on-line transactions).
Boleto is one of Brazil’s most popular payment methods, and just last week it was discovered to have been infected, for over two years, by malware. There are no firm figures on the extent of the compromise, but up to 495,753 Boleto transactions were affect, with a possible hit of $3.75bn (£2.18bn).
Boleto is the second most popular payment method in Brazil, after credit cards, and has around 18% of all purchases. It can be used to pay a merchant an exact amount, or, typically to pay for phone and shopping bills. There are many reasons that Boleto is popular in Brazil, including the fact that many Brazilian citizens do not have a credit card, and even when they do have one, they are often not trusted. Along with this the transaction typically has a fixed cost of 2 or 4 US dollars, as apposed to credit rates which is a percentage of the transaction (in Brazil, it can typically be between 4 and 7.5%).
The operation infected PCs using standard spear phishing methods, and managed to infect near 200,000 PCs, and stole over 83,000 user email credentials. It used a man-in-the-browser attack, where the malware sits in the browser, which included Google’s Chrome, Mozilla’s Firefox and Microsoft’s Internet Explorer, and intercepts Boleto transactions. The reason that the impact was so great, is that Boleto is only used in Brazil, thus malware detection software has not targeted Boleto, as it is a limited market.
The Web-based control panel  for the operation shows that fraudsters had stolen $250,000 from hijacked 383 boleto transactions from February 2014 until the end of June 2014 (Figure 2). Of the statistics received, all the infected machines where running Microsoft Windows, with the majority running Microsoft Windows 7 (78.3%), with Microsoft Windows XP being the second most popular (17.2%). Of the browsers detected the most popular was Internet Explorer (48.7%), followed by Chrome (34%) and Firefox (17.3%), and the most popular email domain used to steal user credentials was hotmail.com (94%).
Figure 2: Control panel showing fraud
Was Boleto secure?
While it was seen to be generally secure, it has been identified as being open to a ‘check-bounce’ scenario, where a payment looks as it has went through, and the goods are received, but the transaction eventually bounces (which is similar to a check bouncing). A typical transaction involves the bank notifying the CyberSource Latin American Processing that a boleto has been paid, but can either indicate that the payment status is either paid or not. In the case of a check, the status will be set to non-payment. There can thus be fraud when the goods are received before the payment is cleared. When the payment status is set of ‘paid’ the transaction is reported to the Payment Events Report. Unfortunately there are no charge-backs on Boleto transactions, and the transaction is paid by cash, check, or through an online bank transfer. There is some protection, though, in using Boleto, as consumers are allowed to seven days to ‘regret’ the payment, and ask for a refund. With Visa, there is payment protection for the consumer, which does not happen with Boleto.
So who was the man-in-the-browser?
Figure 3 shows an outline of the taxonomy of malware. It shows that it has a:
- Distribution method. In the case of the Boleto fraud this was through spear phishing emails.
- System compromise. After distribution, the malware then compromises the system and places itself in a persistent way. In this case it placed a program on the disk, and then added an entry into the Windows registry so that the program loaded ever time the computer was booted.
- Trigger event. After the compromise, the malware is then triggered by an event. In this case by the user accessing their Live/Hotmail email account or by when the made a transaction using Boleto.
In the case of the Boleto fraud the man-in-the-browser was Eupuds (which is classified as an Information Stealing Trojan (MITB)) and which infects web browsers on Windows-based PCs, including Internet Explorer, Firefox and Chrome, and also steals account information for live.com, hotmail.com and facebook.com.
Eupuds manages to stay alive by created a program on the disk at (where c:\users\fred is the home directory):
c:\users\fred\Application Data\[RANDOM CHARACTERS].exe
and then makes sure that it is always started when the computer is booted by modifying the Windows registry key of:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM CHARACTERS].exe" = "c:\users\fred\Application Data\[RANDOM CHARACTERS].exe"
In this way the Trojan program is always started when the computer is booted. In many cases the malware will hide itself so that it can get round a virus scan. In this case, the malware creates random characters to the name of the file, and then creates a different name for the process. Along with this the malware is compiled AutoIt script, and uses UPX packing, which makes it difficult to analyse/reverse engineer.
The malware works by detecting traffic between the browser and the server, and searches for specific strings:
- pagador.com.br – this is the Brazilian online payment service.
- segundavia – this is used when requesting a Boleto reissue.
- 2via – this is used when requesting a Boleto reissue.
- ?4798 – this is part of a Brazilian bank URL.
- carrinho -this is a shopping cart of an online store
- live.com – this detects a login for the Microsoft Live email package.
This is a modification of the standard Eupuds malware, which also detected strings containing .gif, .png, .flv, and facebook.com. Once it is installed it then looks for client-side security plug-ins used by banks. The shared executables that the plug-ins use are then neutralised by downloading patched-versions, so that the user has no protection for the man-in-the-middle.
There have been many threat message which highlight the distribution of the spam emails, such as from Cisco Systems on 2012:
Cisco Security Intelligence Operations has detected significant activity related to spam e-mail messages that claim to contain an import assistant program for the recipient. The e-mail message attempts to convince the recipient to open a .zip attachment to preview the data to be imported. However, the .zip attachment contains a malicious .cmd file that, when executed, attempts to infect the system with malicious code. E-mail messages that are related to this threat (RuleID4218, RuleID4218KVR, and RuleID4349KVR) may contain an of the following files: Fatura_Cartao.txt.zip Fatura cartao.cmd Fatura-Boleto.zip Fatura-Cartao.cmd Fatura.zip Fatura.cmd Fatura.exe Boleto.zip
Boleto.cmd The Boleto.cmd file in the Boleto.zip attachment has a file size of 368,640 bytes. The MD5 checksum is the following string: 0x21E9F84477A48C63115FE0E9A22E4DA8. The following text is a sample of the e-mail message that is associated with this threat outbreak: Subject: Boleto@jcessoria.com.br Message Body: Zip archive attachment (Fatura_Cartao.txt.zip) or Subject: Boleto de cobranca Message Body: Demostrativo em anexo. or Subject: firstname.lastname@example.org
Demostrativo em anexo.
As this threat warning is nearly two years old, why did it take so long to actually discover the objectives of the malware? Other warnings, such as in 2013 also highlighted the threat. Along with this the first signs of the ZIP file containing the malware appeared in 2010:
2010/10/8_12:43 fileden.com/files/2010/9/27/2980248/Boleto.zip 2010/11/3_00:52 novemstn.webcindario.com/boleto.zip 2010/11/3_05:09 ormsoigso.webcindario.com/boleto.zip
The last two are Spanish hosting companies.
Detecting the Malware
Once the malware is installed on the machine, it communicates with the command and control (C&C) server using a basic encryption method, which encodes the messages with an exclusive-OR (XOR) operation using a key of
0xA4BBCCD4, followed by a modified Base64 encoding, with characters such as ‘+’ and ‘/’ replaced
by ‘-’ and ‘_’, respectively (Figure 4). The IP addresses detected for the C&C include 220.127.116.11, 18.104.22.168 and 22.214.171.124, which point to the hostforweb.com domain, and which is a general Web hosting infrastructure.
Spear phishing is the most common method of getting malware these days, where users are sent emails with links on them, and when the user clicks on them, they will run a program on their computer, and install the malware. In this case it was a Trojan which intercepted the communications between the browser and the Web site, and was setup to detect Boleto payments. The malware also was able to intercept email login details. So what’s the solution? Users need to watch what the click, and also patch their systems.
What is most worrying about this type of fraud, is that it could compromise the whole of the finance industry, and could even bring down major finance companies, and even nation states, with a single large-scale event. The target is slowly moving to end-users, as, as long as there’s one person will to click on a link in an email, there will be the potential for fraud.
if you are interested, this presentation shows a real-life Trojan infection, and which uses the same methods used in this fraud. For details of exploit kits (go to 57m6s), and on a real-life Trojan is at (13m30s):
 RSA DISCOVERS MASSIVE BOLETO FRAUD RING IN BRAZIL, https://blogs.rsa.com/wp-content/uploads/2015/07/Bolware-Fraud-Ring-RSA-Research-July-2-FINALr2.pdf, July 2014.
 Brazilian ‘Boleto’ Bandits Bilk Billions, http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/