New Prilex Malware Blocks Contactless Payments to Steal Credit Card Data

Prilex is indeed a single threat actor that transformed from malware targeted at ATMs into distinctive modular point-of-sale (PoS) malware. Prilex has resurfaced with new upgrades that allow it to block contactless payment transactions.

This is extremely sophisticated malware that uses a special cryptographic technique, patches target software in real-time, forces protocol downgrades, manipulates with cryptograms, performs GHOST transactions, and commits credit card fraud—even on cards protected by unhackable CHIP and PIN technology.

Targeting Contactless Credit Card Transactions

Credit and debit cards, key fobs, smart cards, and other devices are included in contactless payment systems. 

Near-field communication (NFC), which is used by Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and any other bank mobile application that supports contactless payments, is also a component of these systems.

According to the Kaspersky report, the embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal.

“Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity”, Kaspersky.

Following the Prilex PoS malware closely, Kaspersky claims to have discovered at least three new variations with the version numbers 06.03.8070, 06.03.8072, and 06.03.8080, which were initially made available in November 2022.

The COVID-19 pandemic and other factors have made contactless payments quite popular, but the real purpose of this new functionality is to disable the feature and make the user insert the card into the PIN pad.

“Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions”, Kaspersky researchers.

Excerpt from Prilex rules file referencing NFC blocking
Prilex-generated error on the PoS

When the new Prilex feature is turned on, contactless transactions are blocked, and the payment terminal displays the message “Contactless error, insert your card.”

This makes it simpler to obtain the card information through the payment terminal because it forces the victim to complete the transaction by inserting a credit card.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques such as manipulating cryptograms and performing a GHOST attack”, researchers explain.

The option to filter unwanted cards and only collect data from particular providers and tiers is another interesting feature that can be found for the first time on the most recent Prilex variations.

“These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit”, researchers

It is obvious that Prilex needs to force victims to insert the card into the compromised PoS terminal because the transaction data created during a contactless payment are meaningless from a cyber criminal’s perspective.

Network Security Checklist – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Check Point Software to Open First Asia-Pacific R&D Centre in Bengaluru, India

Check Point Software Technologies Ltd. has announced plans to establish its inaugural Asia-Pacific Research and…

2 hours ago

PoC Exploit Released for Ivanti EPM Vulnerabilities

A recent investigation into Ivanti Endpoint Manager (EPM) has uncovered four critical vulnerabilities that could…

2 hours ago

Ransomware Trends 2025 – What’s new

As of February 2025, ransomware remains a formidable cyber threat, evolving in complexity and scale.…

2 hours ago

Hackers Delivering Malware Bundled with Fake Job Interview Challenges

ESET researchers have uncovered a series of malicious activities orchestrated by a North Korea-aligned group…

2 hours ago

New Bookworm Malware Using SLL Sideloading Technique To Windows

Cybersecurity researchers from Palo Alto Networks' Unit 42 disclosed the resurgence of the Bookworm malware,…

3 hours ago

Fake Chrome Update Delivers DriverEasy Malware by Abusing Dropbox

A recent investigation has uncovered a malicious application, DriverEasy, masquerading as a legitimate Google Chrome…

3 hours ago