The New York Times reports: Cybercrime Scheme Uncovered in Brazil. The very first sentence brings a shocking number: possibly US$3.75 billion stolen. But even if “only half” of that was actually taken by the criminals, says the NYT, “the scope of the swindle would eclipse any other previous electronic theft.” In other words, it would have been the largest cybercrime heist known to date.
Except it wasn’t.
In fact, nothing about it was. It was not new, it was not unknown, and it was not unaccounted for. But RSA, the company that spread this information far and wide, claims it was all done by a new piece of malware it had discovered:
Did they perhaps find this “new” piece of malware by searching Google and stumbling upon our report from April 2013? It is much easier to check whether a piece of malware does something when you already know it is out there, isn’t it?
But they still uncovered those billions, so let’s move on to that. Here’s what happened: RSA researchers found their way into the malware command-and-control (C&C) servers. This is not rare for researchers, in Brazil or elsewhere. Most, however, keep quiet about it, as they want to maintain their access inside the criminal networks. Publishing it can interfere with their access and compromise their operations.
Once inside the control panel, RSA found the values of all the payments the malware had tried to redirect. They simply summed them and arrived at the US$3.75 billion mark. This figure, however, includes everything: payments that were never made, and payments that were made but not authorized by the bank because the fraud was detected. It also includes any test payments made by other researchers trying to understand the malware’s behavior, since the fraud is widely known.
Saying that “half” of it went through would still be way too much. Let’s give it some perspective.
- Febraban, the Brazilian bank association, publishes the amount lost to electronic fraud every year by all banks combined. The year with the most losses so far was 2011. That year, they lost R$ 1.5 billion, or US$ 680 million. However, of those, R$ 1.2 billion (US$ 545 million) are credit and debit card frauds. The remaining R$ 300 million (US$ 136 million) are frauds in other payment methods, including bank transfers and boletos. Which means boleto frauds alone are likely less than US$ 100 million a year, probably around US$ 20 million. It would take no less than 30 years to arrive at RSA’s figure. In 2012, the frauds went down to US$ 636 million, despite an increase in the number of transactions.
- No, the problem is not accounted for elsewhere. Electronic fraud is 95% of all fraud in Brazilian banks, as reported in the New York Times. Even if some boleto frauds are not in this number, they are not relevant and would not change the conclusion.
- The most common use of boletos in the country is the payment of bills, such as electricity and phone services. These boletos cannot be changed by the malware.
- Banco do Brasil is the largest bank in Brazil. Its annual profit is US$ 6.6 billion. RSA’s figure would put the criminals’ take on the same scale as the profit of the largest banks.
- RSA found 495,793 boleto payments, which averages out to US$ 7,563 per boleto. This value is unrealistic: most boletos are for much lower amounts, and higher-value boletos certainly go through more checks inside the banks. Unlike credit or debit cards, where the payment is verified instantly, a boleto payment takes a whole day to clear. Many people cannot pay boletos of this value through internet banking for security reasons, and the malware cannot change the boleto’s bar code, which would draw suspicion from the bank teller.
RSA also estimated the number of victims at 192,227. They did this by counting unique IP addresses, which is very unreliable. As in other parts of the world, most connections in Brazil use dynamic IP addresses, so a single infected machine shows up under several addresses over time.
Some criminals have the code report the hard drive’s serial number and the computer’s hostname so that they can get a more accurate count of infected computers. Either the code RSA found did not do that, or RSA was unable to count through this method, which means their number remains unreliable.
Take the Conficker virus, which six years after its discovery is still reporting over a million infected IPs.
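To make the counting problem concrete, the following is an added example (not from the original post, and not RSA’s or any real C&C panel’s code). It assumes a hypothetical check-in log format in which each beacon carries the source IP plus the two identifiers mentioned above, a hard drive serial and a hostname; the seven log lines are constructed, using documentation IP ranges, to show one victim rotating through dynamic addresses and two victims sharing one NAT address.

```python
import re
from collections import defaultdict

# Constructed sample of C&C check-in lines (not real data). The format is
# hypothetical: timestamp, source IP, then HD=<drive serial> HOST=<hostname>.
SAMPLE_BEACONS = """\
2014-07-01T08:12:03 198.51.100.7  HD=SER-0001 HOST=PC-ANA
2014-07-02T08:10:41 198.51.100.23 HD=SER-0001 HOST=PC-ANA
2014-07-03T08:15:19 198.51.100.44 HD=SER-0001 HOST=PC-ANA
2014-07-01T09:00:00 203.0.113.5   HD=SER-0002 HOST=CAIXA-01
2014-07-01T09:00:07 203.0.113.5   HD=SER-0003 HOST=CAIXA-02
2014-07-01T10:30:55 192.0.2.9     HD=SER-0004 HOST=NOTEBOOK
2014-07-02T10:31:02 192.0.2.9     HD=SER-0004 HOST=NOTEBOOK
""".splitlines()

BEACON_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"HD=(?P<hd>\S+)\s+HOST=(?P<host>\S+)$"
)


def parse_beacon(line):
    """Return (timestamp, ip, hd_serial, hostname) for one check-in line,
    or None if the line does not match the assumed format."""
    m = BEACON_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("hd"), m.group("host")


def count_by_ip(lines):
    """The method the post attributes to RSA: one victim per distinct source IP."""
    return len({b[1] for b in map(parse_beacon, lines) if b})


def count_by_fingerprint(lines):
    """Deduplicate on the host fingerprint (drive serial + hostname) instead."""
    return len({(b[2], b[3]) for b in map(parse_beacon, lines) if b})


def ip_churn(lines):
    """Two views of the same log: which IPs each host was seen from (dynamic
    addressing inflates this), and which hosts sat behind each IP (NAT hides
    these). Returns (ips_per_host, hosts_per_ip) as dicts of sets."""
    ips_per_host = defaultdict(set)
    hosts_per_ip = defaultdict(set)
    for b in map(parse_beacon, lines):
        if b is None:
            continue  # skip malformed lines rather than miscounting them
        _, ip, hd, host = b
        ips_per_host[(hd, host)].add(ip)
        hosts_per_ip[ip].add((hd, host))
    return dict(ips_per_host), dict(hosts_per_ip)


if __name__ == "__main__":
    print("victims by unique IP:        ", count_by_ip(SAMPLE_BEACONS))
    print("victims by host fingerprint: ", count_by_fingerprint(SAMPLE_BEACONS))
    ips_per_host, hosts_per_ip = ip_churn(SAMPLE_BEACONS)
    for host, ips in ips_per_host.items():
        if len(ips) > 1:
            print("one host, many IPs:", host, sorted(ips))
    for ip, hosts in hosts_per_ip.items():
        if len(hosts) > 1:
            print("one IP, many hosts:", ip, sorted(hosts))
```

On the constructed sample the IP count (5) is higher than the fingerprint count (4), but the two errors pull in opposite directions: dynamic addressing turns one victim into three “IPs”, while NAT collapses two victims into one. A unique-IP figure is therefore not just imprecise, its direction of error is unknown, which is why an identifier that survives a reconnection (drive serial, hostname, or similar) is what such counts need.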
The media blame
The original RSA research paper is very careful about how it words its findings. It makes clear how it arrived at its figures. But journalists usually don’t read these papers. They read press releases, written by the companies, and fill in the blanks by interviewing someone from the company.
But the original blame lies with RSA’s PR team. They are the ones who did not explain correctly what these numbers mean (and don’t mean). Still, they were not the ones who said the fraud was new and uncovered by RSA: that claim is the title of the research paper itself. And it’s wrong.
Then there’s the New York Times’ share of the blame: when citing Febraban’s numbers, it forgot to do a currency conversion and cited the yearly loss as simply “$1.4 billion.”1 Had it converted the figure, perhaps it would have realized the gap was too large and asked a few more questions.
Of course, the NYT is far from the only one guilty. The fake billions made headlines at Krebs on Security, Threatpost and many other websites. I work in Brazilian media, and it was no exception either. We should have known better.
The problem with the media, as it is now in the internet age, is that once people start talking about something, you have to publish. You have to get into the conversation. You need to cite the same data. And you can’t just say “hey, this isn’t even news.” There is some unwritten code that prohibits people from being the party-wrecker2.
Further, if you can attribute a meaningless number to someone, in this case RSA, it’s fine. You are not committing a mistake, as far as journalism standards are concerned, even if the number is completely groundless.
The companies know this. But only the media gets the blame, even though it is the companies that throw numbers out as bait and then make excuses about the issue being complex, never daring to simply say that their number is almost meaningless. Shame on the media, yes. But shame on RSA, too.
And just to make it clear, this is not an ego issue. Linha Defensiva was the first to publish about this attack, but the information came from a reader who asked to remain anonymous. Plus, we do not sell blacklisting services to banks. We just like information, no matter where it comes from, as long as it’s accurate.