The new version of Prilex malware, used to attack POS terminals, now can block NFC transactions.
Kaspersky has uncovered three new variants of Prilex’s advanced Point-of-Sales (PoS) malware. The discovered Prilex modifications can now block contactless near-field communication (NFC) transactions on infected devices, forcing customers to use their physical credit cards, enabling cybercriminals to steal money.
Prilex is a notorious threat actor that gradually evolved from Automated Teller Machines (ATMs)-focused malware into a unique modular Point of Sales (PoS) malware, which is the most advanced PoS threat discovered so far. As described by Kaspersky previously in 2022, Prilex threat actor conducts so-called “GHOST” attacks, allowing them to perform credit card fraud — even on cards protected with the purportedly unhackable CHIP and PIN technology. Now, Prilex has gone even further.
Security experts wondered whether Prilex was able to capture data coming from NFC-enabled credit cards. Recently, during an incident response for a customer affected by Prilex, Kaspersky researchers uncovered three new modifications with the power to block contactless payment transactions.
Contactless payment systems such as credit and debit cards, key fobs, and other smart devices, including mobile devices have traditionally featured radio-frequency identification (RFID). More recently, Samsung Pay, Apple Pay, Google Pay, Fitbit Pay and mobile bank applications have implemented near-field communication (NFC) technologies to support secure contactless transactions.
Contactless credit cards offer a convenient and secure way to make payments without the need to physically touch, insert or swipe the card. However, Prilex has learned to block such transactions by implementing a rule-based file that specifies whether or not to capture credit card information, and an option to block NFC-based transactions.
The cybercriminal’s goal is to force the victim to use his/her physical card by inserting it into the PIN pad reader, so the malware can capture data coming from the transaction, using every way available for Prilex, such as manipulating cryptograms to perform GHOST attacks. Another new feature added to the latest Prilex samples is the possibility to filter credit cards according to their segment, and create different rules for different segments. For example, they can block NFC and capture card data, only if the card is Black/Infinite, Corporate or other with a high transaction limit, which is much more attractive than standard credit cards, with low balance/limit.
The recently discovered modifications have been detected in Brazil, may spread to other countries and regions as well.
“Contactless payments are now a part of our everyday life and the statistics show the retail segment dominated the market with more than 59 percent share of the global contactless revenue in 2021. Such transactions are extremely convenient and particularly safe, so it’s logical for cybercriminals to create malware that blocks NFC-related systems. As the transaction data generated during contactless payment is useless from a cybercriminal’s perspective, it’s understandable that Prilex needs to prevent contactless payment to force victims to insert the card into the infected PoS terminal,” comments Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.