Abstract

Thursday 25 September 10:00 - 10:30, Green room.

Fabio Assolini, Kaspersky Lab

This paper is available online (HTML, PDF).

José is a very mistrustful person. He never uses Internet banking services or buys anything using a credit card. Indeed, he doesn't even have one. He doesn't trust any of these modern technologies in the slightest. He is well aware of all the risks that exist online, so José prefers to keep his life offline. However, not even that could save him from today's cybercriminals. He lost more than $2,000 in a single day: José was p0wned by a barcode and a piece of paper.

Brazilian bad guys have created a unique way of stealing money from these kinds of users: changing 'boletos' - banking documents issued by banks and all kinds of businesses; even government institutions use them. Boletos are actually one of the most popular ways to pay bills and buy goods in the country.

In a series of online attacks targeting flaws on network devices - especially DSL modems - and involving malicious DNS servers, fake documents, browser code injections in the style of SpyEye, fraudulent Android apps, malicious browser extensions and a lot of creativity, the crooks have successfully stolen vast amounts of money, even from people who don't have credit cards or Internet banking accounts, causing concern for banks and financial institutions in the country.

In this presentation we will describe the details of such attacks and how users can be protected - even those who have chosen to live offline.