Case Study : Proactive Threat Hunting. Uncovering Boleto Fraud in a Complex Financial Environment

  Threat hunting in Brazil


Online financial fraud in Brazil, particularly targeting the Boleto payment method, has been a persistent issue. With an estimated value of $3.75B over two years, cybercriminals have used specialized malware, known as “Bolware”, to compromise hundreds of thousands of transactions. Despite the introduction of instant payment systems like PIX, Boletos still made up 66% of all payments in Brazil in 2019 and remain a significant target for fraudsters.

Client Background

Our client is a leading global provider of technology, services, and solutions in the fuel and convenience retail industries. Facing ongoing Boleto fraud incidents, they engaged OSec to investigate the possibility of compromised financial information within their infrastructure.


The challenge was to find evidence in a large and complex environment with multiple processes and third-party interactions, including financial institutions.

Threat Hunting

The OSec team conducted a comprehensive threat hunting investigation, which included:

  1. Online research and intelligence gathering on known TTPs (Tactics, Techniques, and Procedures) and malicious code in the wild: The OSec team conducted extensive online research to identify any organized crime groups targeting Boleto transactions or using similar techniques. They also looked for malicious code samples related to Bolware and other known threats that could be used in such attacks. This process helped them understand the latest trends in financial fraud and tailor their investigation accordingly.
  2. Manual system review and investigation for malicious code and suspicious activities: The team performed a thorough manual review of the client’s systems, focusing on areas with potential vulnerabilities or past incidents. They analyzed logs, configurations, and system settings to identify any signs of unauthorized access, unusual activity patterns, or indicators of compromise (IoCs). Additionally, they searched for specific malicious code samples that could be used in Boleto fraud attacks.
  3. Timeline analysis of events: To understand the sequence and potential source of attacks, the OSec team constructed a detailed timeline of relevant events. This included system changes, user activities, security incidents, and any other occurrences that might have contributed to the fraudulent transactions. By analyzing this timeline, they could identify patterns or trends that helped pinpoint the origin of the threats.
  4. Providing best practices and security recommendations to restore potentially compromised devices: If any devices were found to be compromised during the investigation, the OSec team provided detailed instructions on how to clean and secure them. This included updating software, changing passwords, implementing multi-factor authentication, and applying other best practices to prevent future attacks.
  5. Testing vulnerabilities in the context of the investigation and reporting findings: The team proactively tested for vulnerabilities within the client’s infrastructure that could be exploited by threat actors. They used various tools and techniques to simulate potential attacks and identify any weak points in the system. Any discovered vulnerabilities were reported to the client along with recommendations for remediation.
  6. Reporting results, including an assessment of the client’s threat hunting maturity level: Finally, the OSec team compiled a comprehensive report detailing their findings, investigation process, and recommended next steps. This report included an evaluation of the client’s current defense and hunt capabilities, providing valuable insights into areas for improvement and growth in their overall security posture.

In this specific case, the client experienced firsthand the significant business benefits of proactive threat hunting. By engaging OSec to investigate potential vulnerabilities within their infrastructure, they were able to identify and address gaps in processes and technical controls that could have led to future attacks. Although no evidence was found to confirm a compromise, reinforcing their defenses against financial fraud demonstrated ABC’s commitment to protecting valuable assets and maintaining a strong security posture for customers and partners.

While there are costs associated with implementing a robust threat hunting program, the potential savings in terms of damage mitigation, reduced downtime, and improved customer trust can far outweigh these expenses. By investing in proactive threat hunting, organizations like our client not only protect their financial interests but also showcase their dedication to safeguarding critical assets and ensuring long-term business success.

Key takeaways

  1. Threat hunting is an essential proactive security measure in complex financial environments:
    Proactive threat hunting helps organizations identify potential threats before they escalate into major incidents. By continuously monitoring and analyzing system activities, security teams can detect unusual patterns or behaviors that might indicate a compromise. This approach complements traditional reactive security measures, enabling organizations to stay one step ahead of sophisticated cybercriminals.
  2. Understanding global context and collaboration with businesses are crucial for threat hunters to confirm or refute hypotheses: Threat hunters need to have a solid understanding of the latest trends in financial fraud and cybercrime. By staying informed about emerging threats, they can better anticipate potential attacks and tailor their investigations accordingly. Additionally, working closely with businesses ensures that hunters have access to critical information needed to confirm or refute hypotheses, ultimately leading to more accurate findings.
  3. People and processes are as important as tools and defensive systems when addressing financial fraud:
    While advanced security tools and technologies play a crucial role in detecting and preventing financial fraud, they are only part of the solution. A strong security posture also requires well-trained personnel who understand how to use these tools effectively and follow established processes for incident response and threat mitigation. By focusing on both technical capabilities and human factors, organizations can build robust defenses against cybercrime.
  4. A comprehensive approach, including timeline analysis, vulnerability testing, and best practice recommendations, is necessary for successful threat hunting investigations: Effective threat hunting requires a holistic approach that covers various aspects of security. By constructing detailed timelines, testing for vulnerabilities, and providing best practice recommendations, organizations can ensure that their defenses are comprehensive and up-to-date. This multi-faceted strategy helps uncover hidden threats and reduces the likelihood of future incidents.
  5. Continuous improvement is essential for maintaining an effective threat hunting program: Threat hunting should be viewed as a continuous process rather than a one-time event. Regular assessments of defense and hunt capabilities help organizations identify areas for improvement and ensure that their security posture remains strong in the face of evolving threats. By fostering a culture of learning and adaptation, organizations can stay ahead of cybercriminals and protect their valuable assets.