New Prilex Malware Blocks Contactless Payments to Steal Credit Card Data

Prilex is indeed a single threat actor that transformed from malware targeted at ATMs into distinctive modular point-of-sale (PoS) malware. Prilex has resurfaced with new upgrades that allow it to block contactless payment transactions.

This is extremely sophisticated malware that uses a special cryptographic technique, patches target software in real-time, forces protocol downgrades, manipulates with cryptograms, performs GHOST transactions, and commits credit card fraud—even on cards protected by unhackable CHIP and PIN technology.

Targeting Contactless Credit Card Transactions

Credit and debit cards, key fobs, smart cards, and other devices are included in contactless payment systems. 

Near-field communication (NFC), which is used by Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and any other bank mobile application that supports contactless payments, is also a component of these systems.

According to the Kaspersky report, the embedded integrated circuit chip and antenna enable consumers to pay by waving their card, fob, or handheld device over a reader at a point-of-sale terminal.

“Contactless payments are made in close physical proximity, unlike other types of mobile payments that use broad-area cellular or WiFi networks and do not require close physical proximity”, Kaspersky.

Following the Prilex PoS malware closely, Kaspersky claims to have discovered at least three new variations with the version numbers 06.03.8070, 06.03.8072, and 06.03.8080, which were initially made available in November 2022.

The COVID-19 pandemic and other factors have made contactless payments quite popular, but the real purpose of this new functionality is to disable the feature and make the user insert the card into the PIN pad.

“Prilex now implements a rule-based file that specifies whether or not to capture credit card information and an option to block NFC-based transactions”, Kaspersky researchers.

Excerpt from Prilex rules file referencing NFC blocking
Prilex-generated error on the PoS

When the new Prilex feature is turned on, contactless transactions are blocked, and the payment terminal displays the message “Contactless error, insert your card.”

This makes it simpler to obtain the card information through the payment terminal because it forces the victim to complete the transaction by inserting a credit card.

“The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction by using all the techniques such as manipulating cryptograms and performing a GHOST attack”, researchers explain.

The option to filter unwanted cards and only collect data from particular providers and tiers is another interesting feature that can be found for the first time on the most recent Prilex variations.

“These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit”, researchers

It is obvious that Prilex needs to force victims to insert the card into the compromised PoS terminal because the transaction data created during a contactless payment are meaningless from a cyber criminal’s perspective.

Network Security Checklist – Download Free E-Book

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Blue Yonder Ransomware Attack Impacts Starbucks & Multiple Supermarkets

A ransomware attack on Blue Yonder, a leading supply chain management software provider, has created…

45 minutes ago

Dell Wyse Management Suite Vulnerabilities Let Attackers Exploit Affected Systems Remotely

Dell Technologies has released a security update for its Wyse Management Suite (WMS) to address…

1 hour ago

CISA Details Red Team Assessment Including TTPs & Network Defense

The Cybersecurity and Infrastructure Security Agency (CISA) recently detailed findings from a Red Team Assessment…

1 hour ago

IBM Workload Scheduler Vulnerability Stores User Credentials in Plain Text

IBM has issued a security bulletin warning customers about a vulnerability in its Workload Scheduler…

2 hours ago

Multiple Flaws With Android & Google Pixel Devices Let Attackers Elevate Privileges

Several high-severity vulnerabilities have been identified in Android and Google Pixel devices, exposing millions of…

2 hours ago

Threat Actors Exploit Google Docs And Weebly Services For Malware Attacks

Phishing attackers used Google Docs to deliver malicious links, bypassing security measures and redirecting victims…

18 hours ago