Banking malware in Brazil may be responsible for billions in losses

90 points by PaulSec, almost 11 years ago

12 comments

aylons, almost 11 years ago
So many comments asking why people don't use credit cards. The easy answer, already told, is that many Brazilian people don't have bank accounts or credit cards.

This is only a half-truth and probably not relevant to the case here, as the malware in question will only affect people accessing their bank accounts through the internet.

The "boleto" system is actually a very nice way to handle payments. The boleto mostly substitutes mailing checks: the company I owe sends me the bill with a numeric code (and a corresponding bar code for convenience), and I can use this code to pay the bill at a bank, supermarket, lottery houses or, of course, directly from my bank account through the internet or ATM.

A boleto is different from an account deposit because each boleto is unique: the code identifies who that specific boleto was sent to, so payment processing is done automatically. No out-of-band bank codes or check handling involved.

Boletos are used in several contexts where a credit card is not appropriate, such as paying the credit card bill. However, it may substitute credit cards sometimes: an online commerce outlet will happily generate a boleto for you to pay instead of paying with credit card. You can then pay for your purchase without revealing personal information, having a credit card or sending checks by mail.

Actually, paper checks are very, very rare in Brazil nowadays, even in business contexts. Most retail businesses won't accept them anymore.

Also, when you pay a boleto, you get a timestamped authentication code proving you paid it. The company can't allege the check was incorrect, for example. The code may also carry the amount to be paid and/or expiration date, preventing payment of the wrong value or after the due date.

This is actually a very functional system that credit cards cannot completely substitute, even if everyone had a bank account or credit card.

EDIT: clarity and a bit of extra info
mercadoviagens, almost 11 years ago
This has been happening in Brazil for years. They use several methods: boletos for inexistent taxes, internet domain renewals, "social contributions" and others.

They make them look very legit: one we received even mentioned real legislation that said that a certain type of contribution (very similar name to what was on the boleto) was obligatory. We had to take it to our accountant, and he instantly found the fraud.

They also have access to Brazilian whois data somehow. The official whois is protected by captcha, but they're able to obtain the whois database via some other method and then snail-mail boletos to millions of domain owners using their real personal data. It looks very convincing.

The sheer amount of such fake boletos that arrive in the mail every month indicates that this may be a successful scam after all.
forinti, almost 11 years ago
Tangentially, in the documentary The Fog of War, Robert McNamara describes how accounting at Ford was so messed up that they had to weigh the invoices to estimate expenses. So this got me wondering if crooks don't just mail false invoices to large firms in case some pay without checking.
dccarmo, almost 11 years ago
Shameless plug: I recently created a boleto management iOS app called Zebra (http://zebrapp.co/). If you're Brazilian and are looking for a better way to handle and pay your boletos, I think it can help you.
forinti, almost 11 years ago
It seems that the criminals are actually from the USA: http://www1.folha.uol.com.br/mercado/2014/07/1479569-gangue-do-boleto-infectou-192-mil-computadores-detectam-fbi-e-pf.shtml (Portuguese only, I'm afraid).
sschueller, almost 11 years ago
After getting a trademark in the US I got bombarded with fake invoices from companies claiming I have to pay or I will lose the right to defend or even keep my trademark.
gemignani, almost 11 years ago
They say it doesn't happen to mobile, but I'm not sure what happens if you root your phone and/or allow apk install from "untrusted" sources in the Dev Opts.

This kind of scam is old, but there are many, like local DNS redirect, keylogging / input-logging, maybe even a piracy web-browser.
hyperliner, almost 11 years ago
The first comment in the article (from someone who has clearly never left his hometown or is a five-year-old in disguise):

"Brian, do you know why Brazilians would choose to use Boletos if they aren’t subject to chargebacks? It seems like a silly thing to do, especially when credit cards are acceptable forms of payment practically anywhere."

*sigh*
ufo, almost 11 years ago
Does anyone know what those bank plugins are supposed to do anyway? I never managed to get a good answer for that.
vizzah, almost 11 years ago
I only went to read this article because every title letter begins with B.
PLenz, almost 11 years ago
Awesomely alliterated amigo
erre, almost 11 years ago
I admit I initially upvoted because of the alliteration. Then I read the article, which was quite interesting (even more so because I'm Brazilian). Then I wanted to upvote it because of its content, but I no longer could. Which made me sad :/