Boleto Malware Hits Brazil Payment System
New IBM Trusteer research finds new variants of malware used to exploit Brazil's Boleto payment system.
The Boleto Bancário is a Brazilian payment system intended to make it easier for consumers to pay bills. Apparently it is also making it easy for criminals to steal money.
Last week RSA reported that it had uncovered a Boleto malware ring that was siphoning off funds from the payment system. Today, a new report from IBM Trusteer reveals the Boleto problem is even broader, with multiple malware variants involved.
"Based on a statistically significant sample of over one million consumer and business machines, we estimate that approximately 150,000 machines in Brazil are infected with some form of Boleto malware," George Tubin, senior security strategist at Trusteer, an IBM company, told eSecurityPlanet.
Tubin noted that at this point IBM Trusteer only sees Windows PCs and servers infected with Boleto malware. Trusteer's research details two Boleto malware families that are different from the Eupuds malware detailed by RSA. With Eupuds, the Boleto is modified via a Web injection that changes the payee field, sending the money to the attacker.
One of the Boleto malware variants found by Trusteer performs Document Object Model (DOM) manipulations on Internet Explorer via the browser's Component Object Model (COM) interface. The end result is the same as with Eupuds: the Boleto data in the page is rewritten so that the payment is redirected.
The second new Boleto malware variant detailed by Trusteer, known as Coleto, installs a Web browser extension for Mozilla Firefox or Google Chrome and scans Web pages for Boleto numbers.
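The scanning step that a Coleto-style extension performs, and that a defensive content script or DLP rule can perform just as well, is recognising a Boleto "linha digitável" in page text. The block below is an added example written for this article; it is not code from the Trusteer report, from RSA, or from any of the malware families described. It assumes only the public Febraban layout of the linha digitável (47 digits: three fields with mod-10 check digits, a mod-11 general check digit, and a 14-digit due-date factor plus amount). The page text and the Boleto numbers in it are constructed for the example. It also builds a second, fully valid Boleto with a different bank and free field to show the caveat a practitioner should keep in mind: an attacker's substitute passes every check digit, so client-side validation alone does not detect the swap; only a comparison against the Boleto the issuer actually generated does.

```javascript
// Added example, not from the article or the Trusteer report. Assumes the public
// Febraban linha digitavel layout; all sample data below is constructed.

// Matches a 47-digit linha digitavel with or without the usual dots and spaces.
const LINHA_DIGITAVEL = /\d{5}\.?\d{5}\s?\d{5}\.?\d{6}\s?\d{5}\.?\d{6}\s?\d\s?\d{14}/g;

// Mod-10 field check digit: weights 2,1,2,1... from the right, digit-sum of products.
function mod10(digits) {
  let sum = 0, weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    let p = Number(digits[i]) * weight;
    if (p > 9) p -= 9;          // same as summing the two digits of the product
    sum += p;
    weight = weight === 2 ? 1 : 2;
  }
  return (10 - (sum % 10)) % 10;
}

// Mod-11 general check digit over the 43 other barcode digits: weights 2..9 cycling
// from the right; results 0, 10 and 11 are mapped to 1.
function mod11(digits) {
  let sum = 0, weight = 2;
  for (let i = digits.length - 1; i >= 0; i--) {
    sum += Number(digits[i]) * weight;
    weight = weight === 9 ? 2 : weight + 1;
  }
  const dv = 11 - (sum % 11);
  return (dv === 0 || dv === 10 || dv === 11) ? 1 : dv;
}

// Parses and validates one linha digitavel; returns null if any check digit fails.
function parseLinhaDigitavel(raw) {
  const d = raw.replace(/\D/g, '');
  if (d.length !== 47) return null;
  const f1 = d.slice(0, 10), f2 = d.slice(10, 21), f3 = d.slice(21, 32);
  const generalDv = d[32], f5 = d.slice(33);
  if (mod10(f1.slice(0, 9)) !== Number(f1[9])) return null;
  if (mod10(f2.slice(0, 10)) !== Number(f2[10])) return null;
  if (mod10(f3.slice(0, 10)) !== Number(f3[10])) return null;
  // The 25-digit free field (bank-specific, identifies the beneficiary/agreement)
  // is spread across the first three fields; the barcode reorders everything.
  const freeField = f1.slice(4, 9) + f2.slice(0, 10) + f3.slice(0, 10);
  const barcodeNoDv = f1.slice(0, 4) + f5 + freeField;
  if (mod11(barcodeNoDv) !== Number(generalDv)) return null;
  return {
    bank: d.slice(0, 3),
    currency: d[3],
    dueFactor: f5.slice(0, 4),
    cents: Number(f5.slice(4)),
    freeField,
    barcode: f1.slice(0, 4) + generalDv + f5 + freeField,
  };
}

// Scans free text (e.g. a page's textContent) and returns only valid Boletos.
function findBoletos(text) {
  const found = [];
  for (const m of text.matchAll(LINHA_DIGITAVEL)) {
    const parsed = parseLinhaDigitavel(m[0]);
    if (parsed) found.push({ raw: m[0], ...parsed });
  }
  return found;
}

// Builds a valid linha digitavel from its parts (what a fraudster does to mint a
// substitute that passes every check digit). cents is an integer amount in centavos.
function buildLinhaDigitavel({ bank, currency, dueFactor, cents, freeField }) {
  const f5 = dueFactor + String(cents).padStart(10, '0');
  const f1 = bank + currency + freeField.slice(0, 5);
  const f2 = freeField.slice(5, 15);
  const f3 = freeField.slice(15, 25);
  const dv = mod11(bank + currency + f5 + freeField);
  return f1 + mod10(f1) + f2 + mod10(f2) + f3 + mod10(f3) + dv + f5;
}

// Compares the Boleto the issuer generated with the one rendered to the user and
// names the fields that differ. Empty array means they match; null means one is invalid.
function diffBoletos(issued, rendered) {
  const a = parseLinhaDigitavel(issued), b = parseLinhaDigitavel(rendered);
  if (!a || !b) return null;
  return ['bank', 'currency', 'dueFactor', 'cents', 'freeField'].filter(k => a[k] !== b[k]);
}

// Constructed page text: one valid Boleto, a phone number and a 47-digit junk run.
const SAMPLE_PAGE_TEXT =
  'Telefone (11) 91234-5678. Linha digitavel: 00191.23454 67890.123457 ' +
  '67890.123457 6 80000000012345. Ref 12345678901234567890123456789012345678901234567';
```

Run `findBoletos(SAMPLE_PAGE_TEXT)` and only the genuine Boleto (bank 001, R$ 123.45) comes back; the junk run is dropped by the field check digits. Then build a substitute with `buildLinhaDigitavel` using another bank and free field but the same amount and due date: `parseLinhaDigitavel` accepts it, which is exactly why a victim looking at the printed amount sees nothing wrong. `diffBoletos` against the issuer's copy is what exposes the swap, and that comparison has to happen somewhere the malware cannot rewrite, which is the reason server-side detection is discussed later in this article.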
"These new variants are spreading the typical ways criminals infect user devices, via malicious email attachments and links, drive-by downloads, etcetera," Tubin said. "Human error is key to the Boleto attacks being successful. Recent IBM security research in fact found that 95 percent of attacks are the result of human error."
Tubin added that once infected, users will have no idea they're compromised, since their anti-virus (AV) solutions can't detect this malware. Most AV engines now detect the known Eupuds variant, he said, but they categorize the newest Boleto variants only as a generic threat rather than as financial or Boleto malware.
Limiting Malware Risk
From a remediation perspective, a number of things can be done to limit the risk of Boleto malware. Tubin noted that Boleto malware is endpoint malware: it runs on, and compromises, the end-user's PC.
"Trusteer has a solution that works on the bank's online banking servers that can detect user PCs which are infected with Boleto malware," Tubin said. "Additionally, banks can verify when a user connecting to their website is protected by Trusteer Rapport."
While there are technology solutions to limit the risk, the problem of Boleto malware is likely to persist well into the future.
"Protected banks will see a significant drop in Boleto-related fraud, but the reality is that this is a never-ending game. New attack vectors will always appear," Tubin said. "The key for banks is choosing solutions that can easily and dynamically adapt to new threats."
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.