Watch Out: The Boleto "Robber" Shopping Trojan is Lurking!


Boleto is a very popular online payment method in Brazil. Users can go to any bank or ATM in Brazil to authorize account transfers so they don’t have to use their credit card or online bank. This ease of use makes lots of people who would normally be cautious, quite confident in this payment method. Unfortunately, cunning cybercriminals always seem to find a sneaky way to rob people of their money.


The Baidu Antivirus Security Center has recently discovered an online shopping Trojan called "robber" (Trojan.Win32.Badur.aQO) that is continuing to attack Boleto users. After this online shopping Trojan enters a user's computer, it can continuously monitor whether or not the user is using Boleto. The Trojan waits for the chance to tamper with the Boleto scan code information returned by a user’s bank, and then redirects the user's payment to a cybercriminal's account designated by the Trojan creator. After the user finishes offline payment, it looks as if the online purchase has been successfully completed – but in fact, the unlucky customer will never receive the things they bought. By the time the user discovers he or she has been scammed, it will be too late.


Baidu Antivirus security experts found that the Boleto "robber" online shopping Trojan uses an embedded Fiddler component to configure a browser proxy and hijack people’s network traffic. It can analyze whether or not the user is using Boleto. Once it discovers that the user is using Boleto, it will modify the returned network packet and use the account information specified by the publisher (generally stored on the Trojan publisher's server) to replace the original merchant account information in the scan code. This process is shown below: 



At the same time, Baidu Antivirus security experts also discovered that the Boleto "robber" Trojan uses a malicious Chrome extension to monitor and hijack users' network data. It will replace the merchant account information with the account of the cybercriminal.



Finally, Baidu Antivirus security experts would like to remind everyone that Trojans’ nefarious methods have evolved from host hijacking, DNS tampering, and proxy hijacking to order tampering, which shows that cybercriminals are rapidly learning new ways to steal more money. In order to protect the security of your computers, you should install full-featured security software and enable all defense functions. Currently, Baidu Antivirus users with all defense functions enabled can block the Boleto "robber" Trojan from infiltrating their computers. The Baidu Antivirus Security Center is also continuing to monitor the development trends of shopping Trojans so that they can respond quickly to changes and provide better security solutions for users.