The point-of-sale (PoS) malware named Prilex has been modified to block contactless transactions in an effort to force users to insert their credit cards into terminals and steal their information.
Initially detailed in 2017, Prilex has evolved from targeting ATMs into an advanced PoS malware that can perform a broad range of nefarious activities leading to credit card fraud.
Unlike other memory scrapers typically seen in attacks targeting PoS terminals, Prilex can perform real-time patching on targeted software, force protocol downgrades, manipulate cryptograms, and perform GHOST attacks, and also uses a unique cryptographic scheme.
Also capable of performing fraud on cards protected by chip-and-PIN technology, the latest Prilex versions now target contactless (NFC-enabled) cards as well, Kaspersky has discovered.
Contactless payment systems rely on radio-frequency identification (RFID) or near-field communication (NFC) technology integrated into cards, mobile devices, key fobs, wearables, and other devices, allowing individuals to make secure payments by simply waving their card or mobile device over the PoS terminal.
When a card is brought within range, the contactless-enabled payment terminal powers the RFID chip embedded in the card over the air, and the chip responds with a unique identification number (ID) and transaction information.
That transaction information is single-use: each tap produces data bound to that one transaction, so it cannot be replayed later and is of little use to cybercriminals who capture it.
To get around this inconvenience, Prilex's developers updated the malware with code that blocks contactless transactions, so the terminal prompts the buyer to insert their credit card into the device instead.
“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction,” Kaspersky notes.
The code was found in Prilex samples that emerged at the end of 2022. These samples can also filter cards by segment, for example blocking the contactless transaction and capturing the card data only when the card belongs to a tier with a high transaction limit.
“Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal. While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating,” Kaspersky concludes.
Related: PyPI Users Targeted With PoweRAT Malware
Related: Self-Replicating Malware Used by Chinese Cyberspies Spreads via USB Drives
Related: Omron PLC Vulnerability Exploited by Sophisticated ICS Malware

More from Ionut Arghire