SAN FRANCISCO — Security researchers have uncovered what they believe is a significant cybercrime operation in Brazil that took aim at $3.75 billion in transactions by Brazilians.

It is unclear what percentage of the $3.75 billion worth of compromised transactions was actually stolen. But if even half of that value was redirected to criminals, the scope of the swindle would eclipse any other previous electronic theft.

The thieves preyed on Boleto Bancário, or Boletos, a popular Brazilian payment method that can be issued online and paid through various channels like banks and supermarkets, said researchers at the RSA Security division of the EMC Corporation.

Researchers said the ring had been using what they called bolware — a play on Boletos and malware, a term for software intended for illegitimate purposes — to intercept legitimate Boletos payments and redirect them to the accounts of criminals or mules, who are people paid to stand in for the criminals.

Boletos can be used for every kind of transaction, from telephone bills and health insurance premiums to mortgages and school tuition. Over six billion were issued last year, according to Brazil’s central bank. In a country where many lack bank accounts and do not trust the postal service enough to send checks by mail, it is common to see long lines at banks as Brazilians carry their Boletos to pay their bills.


The Central Bank of Brazil’s headquarters in Brasília. Over six billion Boletos, a popular Brazilian payment method that can be issued online, were issued last year, the bank said.CreditPedro Ladeira/Agence France-Presse — Getty Images

Bolware was first detected in 2012, but this is the first time that security researchers have been able to trace bolware to a single criminal ring and determine the scope of compromised transactions.

RSA researchers in Brazil, Israel and the United States studied 19 variants of bolware for three months. Using digital logs, they were able to trace the bolware to what they believe is one group in Brazil. Based on the logs, researchers determined that 192,227 victims had been affected and 495,793 Boletos transactions worth $3.75 billion were hit.

“Cybercrime is a lot more rampant in Brazil than it is in the United States, and in many ways Brazil has been the trendsetter in cybercrime,” said Avivah Litan, a cybersecurity analyst at Gartner.

Cybercrime accounts for 95 percent of losses incurred by Brazilian banks, according to the Brazilian Federation of Banks, or Febraban. Brazil also has a large online population — about 107 million people, or more than 50 percent of the country’s population — and in 2012 an estimated $1.4 billion was lost to electronic fraud, according to Febraban.

Now, researchers say Boletos fraud has become a serious threat to banks in Brazil. After briefing Febraban on RSA’s findings, Uri Fleyder, a researcher for RSA based in Israel, said in an interview Monday that while Boletos fraud was a known issue, “No one realized it was on this scope.”

Febraban officials said they could not comment on a continuing police investigation but noted that Brazilian banks last year spent $910 million on digital security and that they were encouraging consumers to migrate from Boletos to a more secure, fully electronic payment system called Direct Debit Authorization, or D.D.A.

Boletos are an enticing target because they are so common.

The criminals infected PCs by sending emails with malicious links and attachments that, once clicked, downloaded the bolware onto a computer. The bolware burrowed into the Windows operating system of a computer and worked through Internet browsers — including Google’s Chrome, Mozilla’s Firefox and Microsoft’s Internet Explorer — where it modified Boletos transactions and redirected payments directly to the accounts of criminals. The bolware also collected users’ email credentials, most likely so more malicious emails could be sent to infect more computers.

RSA researchers said they had also briefed the Federal Bureau of Investigation and United States Secret Service and were working with local and international law enforcement officials to help prosecute the individuals behind the ring. The current assumption is that the group has ties to organized crime in Brazil, but Mr. Fleyder cautioned that for now, that was just an assumption.

Because the bolware affects only Windows PC users, researchers are advising PC users to take extra precautions before clicking on suspicious links or email attachments and to make Boletos payments using only the digital wallets on their mobile devices.

But the best advice, Mr. Fleyder offered, was simply to “be vigilant.”