

Banking malware in Brazil may be responsible for billions in losses - PaulSec
http://krebsonsecurity.com/2014/07/brazilian-boleto-bandits-bilk-billions/

======
aylons
So many comments asking why people don't use credit cards. The easy answer,
already given, is that many Brazilian people don't have bank accounts or credit
cards.

This is only a half truth and probably not relevant to the case here, as the
malware in question will only affect people accessing their bank accounts
through the internet.

The "boleto" system is actually a very nice way to handle payments. The boleto
mostly substitutes for mailing checks: the company I owe sends me the bill with
a numeric code (and a corresponding bar code for convenience), and I can use
this code to pay the bill at a bank, supermarket, lottery house or, of
course, directly from my bank account through the internet or an ATM.

A boleto is different from an account deposit because each boleto is unique:
the code identifies who that specific boleto was sent to, so payment
processing is done automatically. No out-of-band bank codes or check handling
involved.

Boletos are used in several contexts where a credit card is not appropriate,
such as paying the credit card bill. However, it may substitute for credit cards
sometimes: an online commerce outlet will happily generate a boleto for you to
pay instead of paying with a credit card. You can then pay for your purchase
without revealing personal information, having a credit card or sending checks
by mail.

Actually, paper checks are very, very rare in Brazil nowadays, even in
business contexts. Most retail business won't accept them anymore.

Also, when you pay a boleto, you get a timestamped authentication code
proving you paid it. The company can't allege the check was incorrect, for
example. The code may also carry the amount to be paid and/or the expiration
date, preventing payment of the wrong value or after the due date.

This is actually a very functional system that credit cards cannot completely
substitute, even if everyone had a bank account or credit card.

EDIT: clarity and a bit of extra info
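
The code structure aylons describes above (a digit string that identifies the payee and may carry the amount and due date, protected by check digits) can be made concrete. What follows is an added example, not code from this thread, from any bank or from the article: it assumes the FEBRABAN layout of the 44-digit bar code and the 47-digit typed line derived from it, the modulo-10 and modulo-11 check-digit rules, and the 1997-10-07 base date of the due-date factor; none of that is stated on this page, so treat all of it as assumptions of the example. The sample values (bank 001, currency 9, R$123.45 due 2014-07-15, a made-up 25-digit free field) are constructed.

```python
"""Build, validate and decode a Brazilian boleto "linha digitavel" (typed line).

Assumed layout (FEBRABAN; an assumption of this example, not stated in the thread):

  bar code (44 digits): bank(3) currency(1) generalDV(1) dueFactor(4) amount(10) free(25)
  typed line (47 digits):
    field 1: bank + currency + free[0:5]   + one mod-10 check digit
    field 2: free[5:15]                    + one mod-10 check digit
    field 3: free[15:25]                   + one mod-10 check digit
    field 4: the general check digit (mod 11 over the other 43 bar-code digits)
    field 5: dueFactor + amount (amount in cents, no check digit of its own)
"""
from datetime import date, timedelta

FACTOR_BASE = date(1997, 10, 7)  # due-date factor 0 (assumed base date)


def mod10(digits: str) -> int:
    """Field check digit: weights 2,1,2,1,... from the right; two-digit products are digit-summed."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod < 10 else prod - 9
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """General check digit: weights 2..9 cycling from the right; results 0, 10 and 11 map to 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_typed_line(bank: str, currency: str, due: date, amount_cents: int, free_field: str) -> str:
    """Compose the 47-digit typed line, computing all four check digits."""
    if len(bank) != 3 or len(currency) != 1 or len(free_field) != 25:
        raise ValueError("bank must be 3 digits, currency 1 digit, free field 25 digits")
    factor = f"{(due - FACTOR_BASE).days:04d}"
    amount = f"{amount_cents:010d}"
    general_dv = mod11(bank + currency + factor + amount + free_field)
    f1 = bank + currency + free_field[:5]
    f2 = free_field[5:15]
    f3 = free_field[15:]
    return f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}{general_dv}{factor}{amount}"


def parse_typed_line(line: str) -> dict:
    """Verify every check digit and decode payee, due date and amount; raise ValueError on mismatch."""
    digits = "".join(ch for ch in line if ch.isdigit())  # tolerate "00190.12345 ..." formatting
    if len(digits) != 47:
        raise ValueError("typed line must contain 47 digits")
    f1, dv1 = digits[0:9], int(digits[9])
    f2, dv2 = digits[10:20], int(digits[20])
    f3, dv3 = digits[21:31], int(digits[31])
    general_dv = int(digits[32])
    factor, amount = digits[33:37], digits[37:47]
    if (mod10(f1), mod10(f2), mod10(f3)) != (dv1, dv2, dv3):
        raise ValueError("field check digit mismatch")
    bank, currency, free_field = f1[:3], f1[3], f1[4:] + f2 + f3
    if mod11(bank + currency + factor + amount + free_field) != general_dv:
        raise ValueError("general check digit mismatch")
    return {
        "bank": bank,
        "currency": currency,
        "due": FACTOR_BASE + timedelta(days=int(factor)),
        "amount_cents": int(amount),
        "free_field": free_field,
        "barcode": bank + currency + str(general_dv) + factor + amount + free_field,
    }


def is_valid(line: str) -> bool:
    """True when all four check digits agree with the digits they cover."""
    try:
        parse_typed_line(line)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: bank 001, currency 9, R$123.45 due 2014-07-15, made-up free field.
    genuine = build_typed_line("001", "9", date(2014, 7, 15), 12345, "1234567890123456789012345")
    print(genuine, parse_typed_line(genuine))
    # One mistyped digit is caught by the check digits...
    print(is_valid("1" + genuine[1:]))  # False
    # ...but a line rebuilt for another payee, with its check digits recomputed, is not.
    rewritten = build_typed_line("999", "9", date(2014, 7, 15), 12345, "9876543210987654321098765")
    print(is_valid(rewritten), parse_typed_line(rewritten)["bank"])  # True 999
```

The check digits are an integrity check against typos and bar-code misreads, not an authentication of the payee: a line rebuilt for a different bank and account with fresh check digits validates exactly like the genuine one, which is why "is this line well-formed?" cannot by itself answer "does this line pay the company I owe?". The decoded bank code and free field have to be compared against something the attacker could not rewrite, such as the bank's own lookup of the beneficiary before confirming the payment.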

~~~
rahimnathwani
The closest equivalent to boletos in the UK are payment agents:

[https://www.paypoint.com/en-gb](https://www.paypoint.com/en-gb)

[http://www.payzone.co.uk/](http://www.payzone.co.uk/)

I don't believe the numbering is unique to a specific bill, but to a specific
account, e.g. I'd use the same identifier each time I paid my gas bill.

~~~
aylons
Having a numbering for a specific account is also possible with Brazilian
boleto system, but it is common only for credit cards, which can be paid at
any time and at a wide range of values.

Gas and phone codes are always bill-specific. However, if you pay a boleto
like this twice, the provider will be informed and generally will give you the
chargeback in the next bill. I have already used this as a trick to pay a bill
when I was travelling and wouldn't get the most recent bill.

------
mercadoviagens
This has been happening in Brazil for years. They use several methods: boletos
for nonexistent taxes, internet domain renewals, "social contributions" and
others.

They make them look very legit: one we received even mentioned real
legislation that said that a certain type of contribution (with a very similar
name to what was on the boleto) was obligatory. We had to take it to our
accountant, and he instantly found the fraud.

They also have access to Brazilian whois data somehow. The official whois is
protected by captcha, but they're able to obtain the whois database via some
other method and then snail-mail boletos to millions of domain owners using
their real personal data. It looks very convincing.

The sheer amount of such fake boletos that arrive in the mail every month
indicates that this may be a successful scam after all.

~~~
soneca
That happens _a lot_ after you incorporate a company here. The day after you
fill in the forms to create a company you start to receive these bills pretending
to be something you have to pay. From associations, unions and similar.

The point is that in this particular case it is a "legal scam". There is
nothing illegal about paying for your company to be part of an association or
union. So they send you a "boleto" that looks like something official, and if
you don't consult your accountant, you will think you should pay. Even your
company's address is open to the public when you incorporate. You pay because
at least one of these _boletos_ you actually must pay: it is a municipal fee (an
inspection fee, even though the municipality will never actually inspect your
office, unless there is some complaint). Also there is some mandatory payment
to unions, but only when you hire an employee.

Of course these "associations and unions" don't actually do anything for you.
They just exist to get money from entrepreneurs based on all the
misinformation and bureaucracy that exists to open a company in Brazil.

~~~
mercadoviagens
I recall that the association / union boleto we received was meant exactly for
joining a union of some sort.

And you are absolutely correct: the minute you go formal in Brazil, you become
a target for all kinds of scams. I believe all data should be public in a
democracy, but they should be public in a way that the person who queries it
should identify somehow. That way they would know who downloaded the entire
database and would have control of suspicious activity.

------
forinti
Tangentially, in the documentary The Fog of War, Robert McNamara describes how
accounting at Ford was so messed up that they had to weigh the invoices to
estimate expenses. So this got me wondering if crooks don't just mail false
invoices to large firms in case some pay without checking.

~~~
raverbashing
> So this got me wondering if crooks don't just mail false invoices to large
> firms in case some pay without checking.

They do

Example: a company I knew (in Canada) displayed some fake invoices for
"IP/Trademark registering" in Europe. Of course the payment was optional, but
if you don't pay attention it gets paid.

~~~
Ecio78
In my previous companies in Italy we received multiple times requests to renew
the registration on some kind of internet company registry in Germany.
Fortunately the accounting dept asked us in IT "what's this / should we pay
it?" and we directly sent those letters to the trash.

------
dccarmo
Shameless plug: I recently created a boleto management iOS app called Zebra
([http://zebrapp.co/](http://zebrapp.co/)). If you're Brazilian and are looking
for a better way to handle and pay your boletos, I think it can help you.

~~~
lifeisstillgood
How can it help defend against this type of scam?

It seems what is needed is out-of-band confirmation?

------
forinti
It seems that the criminals are actually from the USA:
[http://www1.folha.uol.com.br/mercado/2014/07/1479569-gangue-do-boleto-infectou-192-mil-computadores-detectam-fbi-e-pf.shtml](http://www1.folha.uol.com.br/mercado/2014/07/1479569-gangue-do-boleto-infectou-192-mil-computadores-detectam-fbi-e-pf.shtml)
(Portuguese only, I'm afraid).

------
sschueller
After getting a trademark in the US I got bombarded with fake invoices from
companies claiming I have to pay or I will lose the right to defend or even
keep my trademark.

------
gemignani
They say it doesn't happen on mobile, but I'm not sure what happens if you
root your phone and/or allow apk installs from "untrusted" sources in the Dev
Opts.

This kind of scam is old, but there are many, like local DNS redirects,
keylogging / input logging, maybe even a pirated web browser.

------
hyperliner
The first comment in the article (from someone who has clearly never left his
hometown or is a five year old in disguise):

"Brian, do you know why Brazilians would choose to use Boletos if they aren’t
subject to chargebacks? It seems like a silly thing to do, especially when
credit cards are acceptable forms of payment practically anywhere."

 _sigh_

~~~
raverbashing
This is the payment version of "Let them eat cake"
([http://en.wikipedia.org/wiki/Let_them_eat_cake](http://en.wikipedia.org/wiki/Let_them_eat_cake)
for those who don't know)

And of course in Europe Credit Cards are not widespread as well and there are
other popular payment options.

------
ufo
Does anyone know what those bank plugins are supposed to do anyway? I never
managed to get a good answer for that.

~~~
jjviana
I know some of them can be pretty aggressive, going as far as installing a
"root kit" on the machine. At some point one of these plugins conflicted with
a Windows 7 update, and caused the affected machines to crash at boot:
[http://gizmodo.uol.com.br/bug-windows-7-solucao-e-causa/](http://gizmodo.uol.com.br/bug-windows-7-solucao-e-causa/)

------
vizzah
I only went to read this article because every title letter begins with B.

------
PLenz
Awesomely alliterated amigo

------
erre
I admit I initially upvoted because of the alliteration. Then I read the
article, which was quite interesting (even more so because I'm Brazilian).
Then I wanted to upvote it because of its content, but I no longer could.
Which made me sad :/

