10:10 AM
George Tubin

The World Cup Wasn’t Brazil’s Only Loss: Boleto Malware Emerges

In light of the recent fraud campaign against Brazil's banking industry, what must payments industry players do to fight malware-based payments fraud?

While most of Brazil may still be recovering from their heartbreaking loss, cyber criminals were already busy at work before, after, and during the World Cup series. These cyber criminals were attacking enterprise infrastructures through data theft, jamming websites, and most notably, conducting a massive fraud campaign against Brazil’s banking industry through Boleto Bancario, a popular method of money order payment. As revealed in RSA’s recent report, a Boleto malware campaign resulted in a potential loss of US$3.75 billion as cyber criminals targeted the Boleto payment method throughout the past year, posing a major threat to the financial services system.


Why Brazil?
For starters, Brazil spent $14 billion in federal funds to prepare for the World Cup. (Yes, that’s billion with a B!) With the country’s unique Boleto payment system being used for 100 percent of business-to-business payments, the World Cup preparation made the country an ideal target for cyber criminals. For Russia, the host of the next World Cup in 2018, the time is now to prepare for an onslaught of probable cyber attacks against widely used payment methods such as Qiwi, WebMoney, and Yandex.Money -- Russian services equivalent to PayPal.

New additions to the Boleto malware family
In July, Trusteer researchers uncovered two additional malware families targeting the Boleto payment system. These variants operate quite differently from the Eupuds malware variant highlighted in the RSA report. As a result, we now know that there are three distinct major attack methods being used to conduct Boleto payment fraud that payment and banking security decision makers need to be aware of:

  • Web injection
  • DOM manipulation
  • Browser extension scanners

Unfortunately, the new Boleto malware families that Trusteer identified are not yet known to the industry as financial -- or Boleto-related -- malware. Our research indicates that approximately one in every 900 machines in Brazil is infected with some form of Boleto malware at any given point.

What the Boleto attacks can teach other payment systems
Cyber criminals have become so sophisticated and thorough in their attacks that it’s not unreasonable to expect that new approaches will soon start targeting other electronic payment forms. It’s imperative that we identify effective methods of protection that will be sustainable for the long run. Here are a few recommendations for companies involved in the payment system to keep in mind to fight malware-based fraud:

  • Stop thinking of security protection as a “post mortem” discussion. The best approach is to detect threats in real-time instead of after significant fraudulent transactions have occurred. Security needs to be a top-of-mind discussion for payment companies.
  • The most effective way to fight malware-based fraud is at the point of attack: the customer’s device. By focusing on detecting and preventing the root cause of most financial fraud -- malware -- security solutions can, in turn, prevent fraudulent transactions from being created before they enter the payments system.
  • Focus on the root cause of fraud and winning the battle. Identify where security holes are likely to be found and take extra measures to make sure these holes are patched. Have you taken a holistic look at your security approach? If not, it’s time to analyze every pocket of security within your payment system.

With or without a worldwide sporting event stage, payment transactions will continue in all shapes on a regular basis. Financial data is personal and important, so it’s critical to reinstate customer confidence in their payment method options. The reality is that new forms of Boleto malware will continue to emerge; take the time to update your payment security now before valuable customer data, monetary funds, and trust are in danger.

George Tubin is the Senior Security Strategist for Trusteer, an IBM company, where he heads the thought leadership program to advance online and mobile banking security and adoption, and advise enterprises on best practices for protecting corporate assets from targeted ...
