
Cyber Incident Victim: Boleto Bancario

Date:

Feb 2015

Location:

Brazil

Summary

Cybercriminals in Brazil compromised the Boleto Bancário payment system by poisoning DNS caches to redirect bank website visitors to malicious servers under their control. Attackers flooded local DNS servers with fraudulent responses during resolution requests, enabling substitution of legitimate banking resources with malicious JavaScript that generated fraudulent payment vouchers for customers while diverting authentic transaction details to criminal accounts. This manipulation allowed theft of funds through fraudulent voucher issuance without immediate detection.

CIA Posture: available to members
Motives: 1 motive (available to members)
Tactics, Techniques & Procedures: 2 techniques (available to members)
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

The incident involved cybercriminals targeting Brazil's widely used Boleto Bancário payment system through DNS cache poisoning attacks. Security researchers at RSA identified that attackers compromised DNS servers to redirect users attempting to access legitimate banking websites. When customers requested a new boleto voucher via online banking services, the DNS manipulation caused their browsers to load a malicious JavaScript resource instead of the authentic bank file. This script generated fraudulent boletos with altered payment details while maintaining the appearance of validity, including correct expiration dates. The fraudulent vouchers directed funds to accounts controlled by the attackers, while legitimate payment information was silently diverted to the criminals. The attack exploited the DNS resolution process by flooding local DNS servers with forged responses during the brief window when servers queried root DNS authorities for uncached domain records. Successful poisoning allowed attackers to temporarily control the IP address mapping for the targeted bank domain, enabling their malicious server to intercept traffic without triggering user suspicion. This method specifically targeted the boleto regeneration process, capitalizing on the payment instrument's time-sensitive nature and high transaction volumes across Brazilian e-commerce and billing systems.


The DNS cache poisoning sequence began when threat actors queried a local DNS server for the bank’s domain to trigger a cache refresh. If the server lacked a cached record, it initiated a recursive query to root DNS servers. Attackers exploited this delay by overwhelming the local server with spoofed responses containing their malicious IP address for the bank’s domain. Once the poisoned DNS entry was accepted, all subsequent user requests for the bank’s JavaScript resource were redirected to the attacker-controlled server for the duration of the cache timeout period. The malicious script dynamically generated counterfeit boletos that appeared legitimate to customers but contained payment routing instructions favoring the fraudsters’ accounts. Legitimate merchants remained unaware as expired boletos were routinely reissued, allowing fraudulent transactions to blend with normal activity. Researchers confirmed the attack’s precision in substituting only specific financial resources rather than entire websites, reducing detection likelihood. No bank or customer remediation efforts were described in the source material, though the technical mechanism implied that DNS cache expiration eventually terminated individual attack windows. The impact centered on financial losses from misdirected payments and potential erosion of trust in the boleto system due to its infrastructure vulnerabilities.
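The sequence above is what a resolver's own query/response log would show from the defender's side: a burst of answers that match no outstanding query, followed (if the race is won) by one answer that does match but carries an address the bank never used. The script below is an added example for this page, not code from the incident or from RSA's research; the log format, the hostname online.examplebank.test., the allowlisted addresses and the flood threshold are all constructed assumptions. It correlates each response with the open query by transaction id and resolver source port, counts responses that line up with nothing (the forged flood), and checks any answer that would actually be cached against an allowlist of the bank's known addresses.

```python
# Added defensive example: flag DNS cache-poisoning attempts in a resolver's
# query/response log. Log format, domain names and addresses are constructed
# for this illustration and are not from the incident described above.
import re
from collections import defaultdict

# One line per event: timestamp, Q (query sent upstream) or R (response received),
# transaction id, resolver source port, queried name, and for responses the answer.
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<dir>[QR]) id=(?P<id>\d+) port=(?P<port>\d+) "
    r"name=(?P<name>\S+)(?: a=(?P<ip>\S+))?$"
)

# Constructed allowlist of addresses the bank's hostname is expected to resolve to.
EXPECTED_ADDRS = {"online.examplebank.test.": {"203.0.113.10", "203.0.113.11"}}

# Constructed log: one legitimate lookup, a burst of forged answers that do not match
# the outstanding query's id/port, one forged answer that does match (a successful
# poisoning), and an unrelated lookup.
SAMPLE_LOG = [
    "1.000 Q id=41234 port=51007 name=online.examplebank.test.",
    "1.002 R id=10001 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.002 R id=10002 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.003 R id=10003 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.003 R id=10004 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.004 R id=10005 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.004 R id=10006 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.010 R id=41234 port=51007 name=online.examplebank.test. a=198.51.100.7",
    "1.500 Q id=52000 port=61111 name=www.example.test.",
    "1.520 R id=52000 port=61111 name=www.example.test. a=192.0.2.1",
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, flood_threshold=5):
    """Correlate responses with outstanding queries.

    Returns a dict with:
      unsolicited: per-name count of responses whose (id, port) matched no open query
      floods:      names whose unsolicited count reached flood_threshold
      wrong_ip:    accepted answers whose address is outside the allowlist
    """
    outstanding = {}          # (id, port) -> name of the query still waiting for an answer
    unsolicited = defaultdict(int)
    wrong_ip = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        key = (rec["id"], rec["port"])
        if rec["dir"] == "Q":
            outstanding[key] = rec["name"]
            continue
        if outstanding.get(key) != rec["name"]:
            # id/port/name do not line up with any open query: a forged or stray answer
            unsolicited[rec["name"]] += 1
            continue
        # This answer would be accepted and cached; check it against the allowlist.
        del outstanding[key]
        allowed = EXPECTED_ADDRS.get(rec["name"])
        if allowed is not None and rec["ip"] not in allowed:
            wrong_ip.append((rec["ts"], rec["name"], rec["ip"]))
    floods = {n: c for n, c in unsolicited.items() if c >= flood_threshold}
    return {"unsolicited": dict(unsolicited), "floods": floods, "wrong_ip": wrong_ip}


def run_sample():
    """Run the analysis over the constructed log."""
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for kind, value in run_sample().items():
        print(f"{kind}: {value}")
```

On the constructed log the six forged answers are reported as a flood against the bank's name, and the one that matched the open query is reported as an accepted answer outside the allowlist, which is the cache entry that would redirect the JavaScript request for the rest of its TTL. The id/port correlation is the same check a resolver performs before caching, so the flood counter measures how many guesses an attacker needed; DNSSEC validation on the resolver, and a monitor of this kind on the bank's side, are the controls that close the window the text describes.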

Sources

1 source (available to members)