Two malware pieces targeting the Brazilian “boleto” payment instrument, one performing Document Object Model (DOM) manipulations, the other scanning web pages in search of boleto numbers, have been uncovered by security researchers.

At the beginning of the month, security experts at RSA published a report about cybercriminal activity in Brazil that focused on the boleto payment system.

They revealed that the malware family infecting most computers relied on web injects to modify the fields of the recipient of the money in order to divert the transfer into the fraudsters’ accounts.

Boletos are used in Brazil for all sorts of purchases, including online ones. One difference from other forms of payment is that such a transaction can be reversed only by bank transfer.

Security researchers at Trusteer, an IBM-owned security division, have found evidence of two new malware families that are also used for committing boleto fraud.

One of the samples has been named Domingo by Trusteer, and it works by performing DOM manipulations in Internet Explorer. By leveraging this technique, the criminals can change the information on the web page and thus modify the field for the receiver of the boleto. The entire manipulation process is hidden from the user.

Another sample, called Coleto by Trusteer, is from a different malware family and is designed for users of Mozilla Firefox and Google Chrome web browsers.

George Tubin, senior security strategist at Trusteer, says that this sample is not widespread and uses a malicious extension that scans web pages for patterns matching boleto numbers.

When it finds a match, it switches the number with one that is linked to the crook’s account, thus succeeding in diverting the money.
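The two samples above work in the same direction: find the boleto number the page renders and replace it before the user reads it. The defender's counterpart is to check, after rendering, that the number on screen is still the one the merchant's server issued. The following is an added example, not code from the article or from Trusteer or RSA: it scans page text for strings shaped like a 47-digit boleto digitable line (with or without the usual dot and space separators), normalises them to bare digits, and compares them with the server-issued value. The boleto values and page snippets are constructed for illustration and are not real boletos; the 47-digit length and grouping are assumed only for the pattern match.

```javascript
// Added example (not from the article): defender-side integrity check for a
// rendered boleto number. A mismatch between the number on screen and the
// number the server issued is the symptom of the DOM/extension swap the
// article describes. All values below are constructed.

// A boleto "linha digitável" is assumed here to be 47 digits, commonly shown
// in groups separated by dots and spaces. Only the digit count is matched;
// separators are ignored. Lookarounds stop the match from starting or
// ending inside a longer digit run.
const BOLETO_PATTERN = /(?<!\d)\d(?:[\s.]*\d){46}(?!\d)/g;

// Server-issued value (constructed). Groups: 5,5,5,6,5,6,1,14 = 47 digits.
const EXPECTED_DIGITS = ['23793', '38128', '60000', '000003', '00000',
                         '000000', '1', '00000000000000'].join('');

// Strip everything that is not a digit.
function normalizeBoleto(s) {
  return s.replace(/\D/g, '');
}

// Return every boleto-shaped number in the given page text, normalised.
function findBoletoNumbers(text) {
  const matches = text.match(BOLETO_PATTERN) || [];
  return matches.map(normalizeBoleto);
}

// Compare what the page shows with what the server issued.
//   'ok'      - the expected number is on the page and nothing else is
//   'swapped' - boleto-shaped numbers are present, but not the expected one
//   'missing' - no boleto-shaped number was found at all
function checkRenderedBoleto(expectedDigits, renderedText) {
  const found = findBoletoNumbers(renderedText);
  if (found.length === 0) return { status: 'missing', found };
  if (found.includes(expectedDigits) && found.length === 1) {
    return { status: 'ok', found };
  }
  return { status: 'swapped', found };
}

// Constructed page snippets: one untouched, one where the second field
// (part of the beneficiary data) has been replaced.
const LEGIT_PAGE =
  'Linha digitável: 23793.38128 60000.000003 00000.000000 1 00000000000000 ' +
  'Vencimento: 30/07/2014';
const SWAPPED_PAGE =
  'Linha digitável: 23793.99999 60000.000003 00000.000000 1 00000000000000 ' +
  'Vencimento: 30/07/2014';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(checkRenderedBoleto(EXPECTED_DIGITS, LEGIT_PAGE).status);   // ok
  console.log(checkRenderedBoleto(EXPECTED_DIGITS, SWAPPED_PAGE).status); // swapped
}
```

In a browser the same `checkRenderedBoleto` call would be run against `document.body.innerText` once the boleto is rendered, and again from a `MutationObserver` callback so that a swap performed after page load is also caught; the expected digits must come from the server response itself, never from the page the malware can rewrite.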

Although there are solutions for mitigating the risk of falling victim to this type of fraud, such as the use of mobile applications, they have not been adopted at a larger scale.

Moreover, the malicious campaign described by RSA is believed to have been active for about two years, with the malware developers constantly modifying it in order to bypass security measures and evade detection.

The sample analyzed by RSA is detected by some antivirus products as Eupudus. It leverages the man-in-the-browser technique and works with the three major web browsers on the market (Internet Explorer, Google Chrome and Mozilla Firefox).

According to Trusteer’s research, one in 900 computers in Brazil is infected with some form of boleto malware at any given time, and the company has been fighting this threat for over a year.