Tuesday, February 27, 2024

New Prilex Malware Blocks Contactless Payments to Steal Credit Card Data

Prilex is indeed a single threat actor that transformed from malware targeted at ATMs into distinctive modular point-of-sale (PoS) malware. Prilex has resurfaced with new upgrades that allow it to block contactless payment transactions.

This is extremely sophisticated malware that uses a special cryptographic technique, patches target software in real-time, forces protocol downgrades, manipulates with cryptograms, performs GHOST transactions, and commits credit card fraud—even on cards protected by unhackable CHIP and PIN technology.

Targeting Contactless Credit Card Transactions

Credit and debit cards, key fobs, smart cards, and other devices are included in contactless payment systems. 

Near-field communication (NFC), which is used by Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and any other bank mobile application that supports contactless payments, is also a component of these systems.

According to the Kaspersky report, the embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal.

“Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity”, Kaspersky.

Following the Prilex PoS malware closely, Kaspersky claims to have discovered at least three new variations with the version numbers 06.03.8070, 06.03.8072, and 06.03.8080, which were initially made available in November 2022.

The COVID-19 pandemic and other factors have made contactless payments quite popular, but the real purpose of this new functionality is to disable the feature and make the user insert the card into the PIN pad.

“Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions”, Kaspersky researchers.

Excerpt from a Prilex rules file referencing NFC blocking
Excerpt from Prilex rules file referencing NFC blocking
Prilex-generated error on the PoS

When the new Prilex feature is turned on, contactless transactions are blocked, and the payment terminal displays the message “Contactless error, insert your card.”

This makes it simpler to obtain the card information through the payment terminal because it forces the victim to complete the transaction by inserting a credit card.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques such as manipulating cryptograms and performing a GHOST attack”, researchers explain.

The option to filter unwanted cards and only collect data from particular providers and tiers is another interesting feature that can be found for the first time on the most recent Prilex variations.

“These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit”, researchers

It is obvious that Prilex needs to force victims to insert the card into the compromised PoS terminal because the transaction data created during a contactless payment are meaningless from a cyber criminal’s perspective.

Network Security Checklist – Download Free E-Book


Latest articles

ThreatHunter.ai Stops Hundreds of Attacks in 48 Hours: Fighting Ransomware and Nation-State Cyber Threats

The current large surge in cyber threats has left many organizations grappling for security...

WordPress Plugin Flaw Exposes 200,000+ Websites for Hacking

A critical security flaw has been identified in the Ultimate Member plugin for WordPress,...

Hackers Actively Hijacking ConnectWise ScreenConnect server

ConnectWise, a prominent software company, issued an urgent security bulletin on February 19, 2024,...

Heavily Obfuscated PIKABOT Evades EDR Protection

PIKABOT is a polymorphic malware that constantly modifies its code, making it hard to...

Anonymous Sudan Promoting New DDoS Botnet: Beware

It has come to light that a group known as Anonymous Sudan is actively...

Scattered Spider: Advanced Techniques for Launching High-Profile Attacks

Scattered Spider is a threat group responsible for attacking several organizations since May 2022...

8220 Hacker Group Attacking Linux & Windows Users to Mine Crypto

In a significant escalation of cyber threats, the 8220 Gang, a notorious Chinese-based hacker group, has intensified its attacks...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles