Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data

The Prilex point-of-sale (PoS) malware has been modified to block contactless transactions to force the insertion of credit cards and steal their information.

The point-of-sale (PoS) malware named Prilex has been modified to block contactless transactions in an effort to force users to insert their credit cards into terminals and steal their information.

Initially detailed in 2017, Prilex has evolved from targeting ATMs into an advanced PoS malware that can perform a broad range of nefarious activities leading to credit card fraud.

Unlike other memory scrapers typically seen in attacks targeting PoS terminals, Prilex can perform real-time patching on targeted software, force protocol downgrades, manipulate cryptograms, and perform GHOST attacks, and also uses a unique cryptographic scheme.

Also capable of performing fraud on cards protected by chip-and-PIN technology, the latest Prilex versions can now capture data from contactless (NFC enabled) cards, Kaspersky has discovered.

Contactless payment systems rely on radio-frequency identification (RFID) or near-field communication (NFC) technology integrated into cards, mobile devices, key fobs, wearables, and other devices, allowing individuals to make secure payments by simply waving their card or mobile device over the PoS terminal.

When the card is placed near the contactless-enabled payment terminal, the terminal sends a signal to activate the RFID chip embedded in the card, which in turn responds with a unique identification number (ID) and transaction information.

This transaction information cannot be reused, so it is useless to cybercriminals who capture it.

To overcome this inconvenience, Prilex's developers updated the malware with code that blocks contactless transactions, which results in the terminal prompting the buyer to insert their credit card into the device.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction,” Kaspersky notes.

The code was found in Prilex samples that emerged at the end of 2022. These samples can also filter cards according to segment, for example blocking the contactless transaction and capturing the card information only if the card is in a tier with a high transaction limit.

“Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal. While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating,” Kaspersky concludes.
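A defender-side illustration of the behavior described above, added here and not taken from the article or from Kaspersky: since the malware blocks taps so that the terminal prompts for insertion, one signal to look for is a terminal where an unusual share of contactless attempts fail and are followed shortly by a chip read. The log schema, thresholds and sample events are assumptions constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, hypothetical schema: time, terminal, entry mode, outcome.
SAMPLE_EVENTS = """\
2023-02-01T10:00:05 T-001 contactless approved
2023-02-01T10:03:10 T-001 contactless error
2023-02-01T10:03:40 T-001 chip approved
2023-02-01T10:07:00 T-001 contactless approved
2023-02-01T10:09:30 T-001 contactless approved
2023-02-01T10:01:00 T-002 contactless error
2023-02-01T10:01:25 T-002 chip approved
2023-02-01T10:04:00 T-002 contactless error
2023-02-01T10:04:35 T-002 chip approved
2023-02-01T10:06:00 T-002 contactless approved
2023-02-01T10:08:00 T-002 contactless error
2023-02-01T10:08:20 T-002 chip approved
2023-02-01T10:02:00 T-003 contactless error
2023-02-01T10:02:30 T-003 chip approved
"""

FALLBACK_WINDOW = timedelta(seconds=90)  # assumed: chip retry follows quickly
MIN_TAPS = 4              # assumed: ignore terminals with too few taps to judge
MAX_FALLBACK_RATIO = 0.5  # assumed: tune against each fleet's own baseline

def parse(text):
    for line in text.strip().splitlines():
        ts, terminal, mode, outcome = line.split()
        yield datetime.fromisoformat(ts), terminal, mode, outcome

def fallback_stats(events):
    """Per terminal: (taps, failed taps followed by a chip insert in the window)."""
    by_terminal = defaultdict(list)
    for ev in sorted(events):  # time order, so evs[i + 1] is the next event
        by_terminal[ev[1]].append(ev)
    stats = {}
    for terminal, evs in by_terminal.items():
        taps = [i for i, ev in enumerate(evs) if ev[2] == "contactless"]
        fallbacks = sum(
            1 for i in taps
            if evs[i][3] == "error" and i + 1 < len(evs)
            and evs[i + 1][2] == "chip"
            and evs[i + 1][0] - evs[i][0] <= FALLBACK_WINDOW)
        stats[terminal] = (len(taps), fallbacks)
    return stats

def suspicious_terminals(stats):
    return sorted(t for t, (taps, fb) in stats.items()
                  if taps >= MIN_TAPS and fb / taps > MAX_FALLBACK_RATIO)
```

The check uses a ratio rather than requiring every tap to fail, because the samples described above can block contactless transactions only for selected card tiers.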

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
