Brazilian scammers score $3.75 billion in malware bank fraud

Brazilian criminal gangs have netted $3.75 billion in a micro-transaction fraud that compromises transactions made using the popular Boleto payment method.

  18 3 comments

Brazilian scammers score $3.75 billion in malware bank fraud

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

RSA Research has discovered a Boleto malware or 'Bolware' fraud ring that may have compromised 495,753 Boleto transactions over a two-year period. The malware uses Man-in-the Browser attack vectors to intercept and modify Boleto information so that payments are redirected to a fraudster's account.

The Boleto system - in which consumers use merchant-generated invoices for B2B and retail purchases - is regulated by Banco Central do Brasil and has become the second most popular payment method (behind credit cards) in Brazil, accounting for an estimated 18% of all spending in the country during 2012.

Boletos can be generated both offline (printed copies) and mailed to customers, or online (by online stores for example) for electronic payments. Their popularity has risen because of the convenience for consumers who don't require a personal bank account to make payments using Boletos. Importantly, for the scammers, payments made via this method are not subject to chargebacks and can only be reverted by bank transfer.

To date, RSA Research has discovered the total value of all Boletos that were harvested by the Bolware C&C server amount to a total of US$3.75 billion. While the scammers behind this operation may have had the potential to cash out these modified Boletos, it is not known exactly whether all the funds were successfully redirected to fraudster-controlled bank accounts.

Up to 34 banks are believed to have lost money to the operation. RSA has turned over its research to both US and Brazilian law enforcement and has been in direct contact with the banks in question.

Sponsored [Webinar] 2025 Fraud Trends: Synthetic Identity, AI and Incoming Mandates

Comments: (3)

A Finextra member 

Surely this is $3.75m not $3.75billion? If it were billion, then each payment would be worth $7,500 - not exactly "micro".

Gerard Hergenroeder

Gerard Hergenroeder Retired IBMer and Banking Executive at Payments Shark

I agree it must be $ millions, not $ bilions. But, the fact still remains the systems was compromised which hurts its future growth.

A Finextra member 

I have just seen a copy of the RSA report on this fraud, and it does seem that the losses could amount to US$3.75bn. Unbelievable.

[Webinar] Unifying Card Programmes: The cost-reduction imperativeFinextra Promoted[Webinar] Unifying Card Programmes: The cost-reduction imperative