A popular way to make payments of any kind in Brazil is the boleto. Boletos have a number (called the typable line) and a barcode. They can be paid in banks, lottery shops and some post offices. Online stores allow people to generate a boleto to pay for the goods they ordered. Most bills, like health insurance, school and rent, may also be paid with boletos. Essential services, like power and telephone, have special boletos as well.
They are like an invoice which you can also make a payment with, with the transaction cost included in the price. The barcode and the typable line have the same function (only one or the other is used), and both encode information such as the document number, destination bank, account, due date and the amount to be paid. Additional information is printed in readable text for the case where the bill is paid after the due date, so that the bank teller can calculate the correct amount.
Following reports from readers, Linha Defensiva has found a new Brazilian trojan capable of modifying boletos viewed with the user’s web browser. The malware changes the typable line in such a way that the payment will be redirected to another bank account, while the due date and the money value remain unchanged, probably to make the fraud harder to notice.
The malware is unable to manipulate the boleto’s barcode. To make up for this limitation, the code inserts a “spam” HTML element (probably a mistype of “span”) that adds white space inside the barcode, breaking it. In the end, the user is forced to use the typable line, which has already been modified.
The malware also cannot change the bank’s logo, which is normally included in boletos. This is a noteworthy limitation, as the bank code is printed next to the bank’s logo. In this example, “033” is the bank code for Santander, while the logo is from the state bank Caixa Econômica Federal (bank code 104). Someone who knows a bit about boletos will immediately notice the issue, unless the bank codes happen to match.
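The typable line and the bank code mismatch described above can be checked mechanically. The following Python example, added here and not part of the original article or the malware analysis, parses a FEBRABAN-layout typable line (47 digits: three mod-10 checked fields, a general mod-11 check digit, a due-date factor counted from 1997-10-07 and the amount in cents), rebuilds the 44-digit barcode, and flags a line whose bank code does not match the bank whose logo is printed on the document. The sample boletos it builds are constructed for the example; `build_barcode`, `audit` and the other function names are the example's own.

```python
"""Parse and audit a Brazilian boleto typable line (linha digitavel).

Layout (FEBRABAN standard, 47 digits):
  field 1: bank(3) currency(1) free[0:5]  + mod-10 check digit
  field 2: free[5:15]                     + mod-10 check digit
  field 3: free[15:25]                    + mod-10 check digit
  field 4: general mod-11 check digit of the 44-digit barcode
  field 5: due-date factor(4) + amount in cents(10)
"""
import re
from datetime import date, timedelta

BASE_DATE = date(1997, 10, 7)  # day 0 of the due-date factor


def mod10(digits: str) -> int:
    """Mod-10 check digit: weights 2,1,2,1,... from the right, digit-sum of each product."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod if prod < 10 else prod - 9  # digit sum of a two-digit product
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10


def mod11(digits: str) -> int:
    """General mod-11 check digit: weights 2..9 cycling from the right; 0, 10 and 11 become 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv


def build_barcode(bank: str, due_factor: int, amount_cents: int, free_field: str, currency: str = "9") -> str:
    """Assemble a 44-digit barcode from its parts (constructed sample data for this example)."""
    if len(bank) != 3 or len(free_field) != 25 or not free_field.isdigit():
        raise ValueError("bank code must be 3 digits and free field 25 digits")
    body = f"{bank}{currency}{due_factor:04d}{amount_cents:010d}{free_field}"  # 43 digits
    return body[:4] + str(mod11(body)) + body[4:]  # general check digit sits at position 4


def barcode_to_typable(barcode: str) -> str:
    """Derive the 47-digit typable line (without dots/spaces) from a 44-digit barcode."""
    bank_cur, dv, factor, amount, free = barcode[:4], barcode[4], barcode[5:9], barcode[9:19], barcode[19:]
    f1, f2, f3 = bank_cur + free[:5], free[5:15], free[15:25]
    return f"{f1}{mod10(f1)}{f2}{mod10(f2)}{f3}{mod10(f3)}{dv}{factor}{amount}"


def typable_to_barcode(typable: str) -> str:
    """Strip formatting, verify all four check digits and rebuild the 44-digit barcode."""
    d = re.sub(r"\D", "", typable)
    if len(d) != 47:
        raise ValueError(f"expected 47 digits, got {len(d)}")
    f1, f2, f3 = d[0:9], d[10:20], d[21:31]
    for name, field, dv in (("field 1", f1, d[9]), ("field 2", f2, d[20]), ("field 3", f3, d[31])):
        if mod10(field) != int(dv):
            raise ValueError(f"{name} check digit mismatch")
    general_dv, factor, amount = d[32], d[33:37], d[37:47]
    free = f1[4:] + f2 + f3
    barcode = f1[:4] + general_dv + factor + amount + free
    if mod11(barcode[:4] + barcode[5:]) != int(general_dv):
        raise ValueError("general check digit mismatch")
    return barcode


def audit(typable: str, expected_bank: str) -> dict:
    """Decode the line and flag a bank code that differs from the bank whose logo is printed."""
    bc = typable_to_barcode(typable)
    bank = bc[:3]
    return {
        "bank_code": bank,
        "due_date": BASE_DATE + timedelta(days=int(bc[5:9])),
        "amount_cents": int(bc[9:19]),
        "bank_mismatch": bank != expected_bank,
    }


if __name__ == "__main__":
    # Constructed sample: a Caixa (104) boleto and a valid line re-issued under Santander (033),
    # keeping due-date factor and amount unchanged, as the article describes.
    genuine = barcode_to_typable(build_barcode("104", 5000, 12345, "0" * 24 + "1"))
    swapped = barcode_to_typable(build_barcode("033", 5000, 12345, "9" * 25))
    print(audit(genuine, "104"))  # bank_mismatch False
    print(audit(swapped, "104"))  # bank_mismatch True, same due date and amount
```

A line whose digits were edited in place fails the check digits and is rejected outright; the malware avoids that by fetching a fully valid line from its server, which is why the bank code comparison against the printed logo is the check that still catches it.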
At this time, the malware authors are unable to modify special boletos issued by telephone and power companies.
The changes likely work with any browser (we tested Internet Explorer, Firefox and Chrome) and on any web page that contains the word “boleto” somewhere, so it doesn’t matter where the boleto is being generated.
The information the code needs to replace the numbers is obtained in real time from a web server, which introduces a small delay in the rendering of the boleto but guarantees that a working account will be used (and might overcome the bank mismatch issue, as long as the malware authors have enough bank accounts).
This malware is very interesting, as even people who do not use their online banking services or do not generate a boleto from the same machine as the one they use to pay it are at risk. Further, if public computers are infected, people might be victims of fraud when they try to print a boleto to be paid “offline” in an internet café, for example.
Facebook and Microsoft accounts are also targets of the malware. It’s around 500 KB in size and distributed through standard Brazilian methods: email messages with social engineering tricks.
More boleto samples
These were all generated as tests and do not represent actual boletos issued by companies. It’s important to note that only the paying bank and the paid bank have access to the funds. As such, a modified boleto may mislead a consumer into thinking that the problem lies with the bank represented by the logo or with the company that issued the boleto. That’s incorrect. The original issuer has no control over what happens and is also a victim (since it won’t receive the payment). Further, the malware does not change the readable fields of the boleto.