The point-of-sale (PoS) malware named Prilex has been modified to block contactless transactions in an effort to force users to insert their credit cards into terminals and steal their information.
Initially detailed in 2017, Prilex has evolved from targeting ATMs into an advanced PoS malware that can perform a broad range of nefarious activities leading to credit card fraud.
Unlike the memory scrapers typically seen in attacks targeting PoS terminals, Prilex can perform real-time patching of the targeted software, force protocol downgrades, manipulate cryptograms, and perform GHOST attacks, and it also uses a unique cryptographic scheme.
Also capable of performing fraud on cards protected by chip-and-PIN technology, the latest Prilex versions can now capture data from contactless (NFC-enabled) cards, Kaspersky has discovered.
Contactless payment systems rely on radio-frequency identification (RFID) or near-field communication (NFC) technology integrated into cards, mobile devices, key fobs, wearables, and other devices, allowing individuals to make secure payments by simply waving their card or mobile device over the PoS terminal.
When a card is brought close to it, the contactless-enabled payment terminal sends a signal that activates the RFID chip embedded in the card, which in turn responds with a unique identification number (ID) and transaction information.
This transaction information cannot be reused, so it is useless to cybercriminals who capture it.
To overcome this inconvenience, Prilex's developers updated the malware with code that blocks contactless transactions, which results in the terminal prompting the buyer to insert their credit card into the device.
“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction,” Kaspersky notes.
The code was found in Prilex samples that emerged at the end of 2022. These samples can also filter cards by segment, for example blocking a contactless transaction and capturing the card data only when the card belongs to a tier with a high transaction limit.
“Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal. While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating,” Kaspersky concludes.
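The forced-fallback behaviour described above leaves a footprint in transaction logs: a terminal where contactless attempts keep failing and the same card is then inserted moments later. The following detector, written as an added example for this article and not taken from Kaspersky's report or from the malware itself, scores terminals on that pattern. The log format, the field names, the 60-second fallback window and the flagging thresholds are all assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""
Added example (not from the article or from Kaspersky): flag PoS terminals
where contactless (NFC) attempts are repeatedly declined and immediately
followed by a chip-inserted ("contact") transaction on the same card, the
pattern a Prilex-style contactless block would produce.
Log format, field names and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, terminal id, masked PAN, interface, outcome.
# POS-01 shows the forced-fallback pattern; POS-02 behaves normally.
SAMPLE_LOG = """\
2022-12-01T10:00:01 POS-01 411111******1111 contactless declined
2022-12-01T10:00:09 POS-01 411111******1111 contact approved
2022-12-01T10:03:15 POS-01 522222******2222 contactless declined
2022-12-01T10:03:22 POS-01 522222******2222 contact approved
2022-12-01T10:05:40 POS-01 533333******3333 contactless declined
2022-12-01T10:05:47 POS-01 533333******3333 contact approved
2022-12-01T10:07:02 POS-02 411111******1111 contactless approved
2022-12-01T10:09:30 POS-02 522222******2222 contactless approved
2022-12-01T10:11:12 POS-02 533333******3333 contactless declined
2022-12-01T10:15:00 POS-02 533333******3333 contact approved
"""

FALLBACK_WINDOW = timedelta(seconds=60)  # assumption: chip retry within one minute


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, pan, interface, outcome = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "pan": pan,
            "interface": interface,
            "outcome": outcome,
        })
    return events


def fallback_stats(events):
    """
    Per terminal: how many contactless attempts were seen, and how many of
    them were declined and then followed by a contact (chip) transaction on
    the same masked PAN within FALLBACK_WINDOW.
    """
    stats = defaultdict(lambda: {"contactless": 0, "forced_fallback": 0})
    by_terminal = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_terminal[ev["terminal"]].append(ev)
    for terminal, evs in by_terminal.items():
        for i, ev in enumerate(evs):
            if ev["interface"] != "contactless":
                continue
            stats[terminal]["contactless"] += 1
            if ev["outcome"] != "declined":
                continue
            # Look ahead for a chip transaction on the same card shortly after.
            for later in evs[i + 1:]:
                if later["ts"] - ev["ts"] > FALLBACK_WINDOW:
                    break
                if later["pan"] == ev["pan"] and later["interface"] == "contact":
                    stats[terminal]["forced_fallback"] += 1
                    break
    return dict(stats)


def suspicious_terminals(events, min_attempts=3, ratio=0.8):
    """Terminals whose forced-fallback ratio meets the (assumed) threshold."""
    flagged = []
    for terminal, s in fallback_stats(events).items():
        if s["contactless"] >= min_attempts and s["forced_fallback"] / s["contactless"] >= ratio:
            flagged.append(terminal)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(fallback_stats(evs))
    print("suspicious:", suspicious_terminals(evs))
```

Genuine fallbacks do occur (cards without a contactless interface, contactless limits exceeded, reader faults), so a high ratio is a hunting lead rather than proof of infection; comparing each terminal against its peers over a longer window, and correlating with the terminal software's integrity checks, is what turns the signal into a case.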