According to an investigation by RSA, as much as US $3.75 billion could have been stolen, based on the discovery of 495,753 fraudulent transactions over two years. The actual amount is not known because the investigation was not able to prove the exact amount stolen.
If it is revealed that half of this value ended up in criminal accounts, it will be the biggest electronic theft in Brazil’s history, reports the New York Times.
Criminals used malicious software to infiltrate payments made through the online payment system called the Boleto, and then transferred the payments to member accounts.
Boleto is Brazil’s second most popular payment method after credit cards and is regulated by the Brazilian Central Bank. It is popular because it does not require customers to have a personal bank account to make payments. Any merchant can issue a Boleto, allowing a customer to pay the exact amount for any type of electronic transaction, from utility bills to taxes, reports RSA.
According to RSA researchers, the Boleto Malware is a sophisticated and newer kind of fraud that is known as a man-in-the-browser threat. It infiltrates customers’ web browsers on Windows-based PC’s using malware to change the information so that payments are transferred to a fraudulent account.
The malware activity is invisible to customers, making it almost impossible for customers to detect this kind of fraud on their own.
A total of 192,227 PC’s have been infected, says RSA.
According to computer security analyst Graham Cluley, Brazil has always been a breeding ground for cyber crime, reports BBC News.
“Sadly Brazilian computers aren’t always necessarily running the very latest anti-virus software, and because Boletos aren’t used outside of Brazil it might have made security companies less vigilant about the threat,” said Cluley.
RSA has said that Brazilian banks have made significant progress battling malware, but that the “Bolware gang” continues to innovate.