Trusteer, an IBM company, revealed details on the bolware variants, which employ new tactics to manipulate web pages used for Boletos transactions.
Trusteer, an IBM company, revealed details on the bolware variants, which employ new tactics to manipulate web pages used for Boletos transactions.

Researchers recently shed light on the potential multi-billion dollar impact of malware targeting Boletos transactions in Brazil – and now, another security firm has revealed two new “bolware” variants in use by fraudsters.

According to Trusteer, an IBM company, the new variants entail a Boleto malware family capable of Document Object Model (DOM) manipulation in Internet Explorer browsers, and another family that adds malicious browser extensions in Firefox and Chrome.

Both of the attack methods help criminals intercept boletos transactions by altering financial information inputted into targeted web pages.

On Thursday, Trusteer detailed its malware discoveries on IBM's security intelligence blog.

Boleto, a popular payment method in Brazil, allows consumers to make electronic payments to merchants, whether for bills, taxes, or a variety of other purposes. Bolware targeting such transactions have been seen in the wild since late 2012, but last week RSA revealed the extent of the malware attacks. RSA found that, over a two-year period, one fraud ring may have compromised 495,753 Boletos transactions, worth up to $3.75 billion.

Bolware targets Windows PCs running Chrome, Firefox and Internet Explorer web browsers.

While RSA focused on one criminal operation using bolware with web injection capabilities, Trusteer's new findings (on the DOM manipulation variant and the malware family acting as a malicious Firefox and Chrome extension) highlight bolware attackers' growing arsenal of tricks.

Of note, the DOM manipulation variant allows the malware to change the internal data of targeted web pages, Trusteer revealed in a Thursday blog post.  "The malware uses these methods to manipulate payee fields while obfuscating this manipulation to the end-user," the firm explained.

The other malware family works by downloading and installing the malicious Firefox and Chrome extension, then scanning web pages for specific Boleto numbers, in order to alter them and divert funds from intended recipients to mule accounts, the blog continued.

On Thursday, George Tubin, senior security strategist at Trusteer, told SCMagazine.com that the original web injection malware was “becoming more known,” which likely provoked boleto malware authors to “keep innovating.”

“Time works against the criminals, because the security folks start to collect samples,” Tubin said. “The criminals keep innovating and changing [their malware] using fundamentally different techniques to avoid detection by the anti-virus engines and other means.”

Trusteer, which analyzed over a million of its banking customer endpoints, found that approximately one in every 900 Windows machines in Brazil was infected with some form of “bolware.”

In the IBM blog post, Tubin strongly urged users to get in front of the threat by employing client-side malware protection.

“The most effective way to fight malware-based fraud is at the point of attack – the customer's device,” Tubin wrote. “If malware is not identified and prevented from operating on the customer's device, all subsequent fraud prevention methods (such as authentication and anomaly detection) can be easily tricked and bypassed by the malware," he said.