Share news article

Share on facebook
Share on twitter
Share on linkedin
Share on email

Prilex PoS Malware Evolves to Block Contactless Payments to Steal from NFC Cards

Feb 01, 2023Ravie LakshmananPayment Security / Risk

The Brazilian threat actors behind an advanced and modular point-of-sale (PoS) malware known as Prilex have reared their head once again with new updates that allow it to block contactless payment transactions.

Russian cybersecurity firm Kaspersky said it detected three versions of Prilex (06.03.8080, 06.03.8072, and 06.03.8070) that are capable of targeting NFC-enabled credit cards, taking its criminal scheme a notch higher.

Having evolved out of ATM-focused malware into PoS malware over the years since going operational in 2014, the threat actor has steadily incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions.

While contactless payments have taken off in a big way, in part due to the COVID-19 pandemic, the underlying motive behind the new functionality is to disable the feature so as to force the user to insert the card into the PIN pad.

To that end, the latest version of Prilex, which Kaspersky discovered in November 2022, has been found to implement a rule-based logic to determine whether or not to capture credit card information alongside an option to block NFC-based transactions.

“This is due to the fact that NFC-based transactions often generate a unique ID or card number valid for only one transaction,” researchers said.

Should such an NFC-based transaction be detected and blocked by the malware installed on the infected PoS terminal, the PIN pad reader displays a fake error message: “Contactless error, insert your card.”

This leads the victim to use their physical card by inserting it into the PIN pad reader, effectively permitting the threat actors to commit fraud. Another new feature added to the artifacts is the ability to filter credit cards by segments and craft rules tailored to those tiers.

“These rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit,” the researchers noted.

“Since transaction data generated during a contactless payment are useless from a cybercriminal’s perspective, it is understandable that Prilex needs to force victims to insert the card into the infected PoS terminal.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Related News

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari Discloses Ransomware Attack; Refuses to Pay Ransom

Ferrari, the renowned Italian luxury car manufacturer, suffered a cyber incident that compromised the company’s client data. According to a…
ChatGPT Bug Exposes Conversation History Titles

ChatGPT Bug Exposes Conversation History Titles

A ChatGPT user on Reddit first reported the bug after noticing Chinese language characters in the title of their conversation…
Breach Forums to Remain Offline Permanently

Breach Forums to Remain Offline Permanently

The decision to shut down the Breach Forums came after the admin noticed someone had logged into an old forum…