Kaspersky Antivirus has discovered three new variants of the “Prilex” malware, responsible for credit card fraud and considered by company experts as the most advanced threat for points of sale (POS). This was reported to Cointelegraph en Español through a statement.
The main finding of the new research is that recent modifications make Prilex the world’s first malware capable of blocking contactless payments (via NFC) on infected devices. By preventing such a transaction, the consumer is forced to use the physical credit card, which enables the “GHOST” transaction type exposed by Kaspersky last year.
Prilex is a notorious Brazilian threat actor that gradually evolved from ATM-focused malware into a unique modular point-of-sale malware. The Prilex group carries out the so-called “GHOST” attacks, which allow it to commit credit card fraud even when the cards are protected with chip-and-PIN technology, supposedly inviolable. Now, Prilex has gone even further.
Recently, during the response to an incident involving a client affected by Prilex, Kaspersky researchers discovered three new modifications that can block contactless payment transactions, which have become extremely popular during and after the pandemic.
Contactless payment systems, such as credit cards, debit cards, key fobs, and other smart devices, including mobile devices, have traditionally included radio frequency identification (RFID). More recently, Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and mobile banking apps have implemented Near Field Communication (NFC) technologies to support secure contactless transactions.
Contactless credit cards offer a convenient and secure way to make payments without the need to physically touch, insert or swipe the card. However, Prilex has learned to block such transactions by implementing a rules file that specifies whether or not to capture credit card information, as well as an option to block NFC-based transactions.
Extract from the Prilex rules file referring to NFC blocking.
Because NFC-based transactions generate a unique card number that is valid for a single transaction, Prilex takes advantage of that detail to detect this type of transaction and block it. After blocking, the POS PIN pad displays the following message: “approximation error. insert card”.
Fake Prilex error on PIN reader saying “Approximate error. Please insert your card.”
The goal of the cybercriminals is to force the victim to use their physical card by inserting it into the PIN reader, so that the malware can capture the data from the transaction using all the means available to Prilex, such as manipulating cryptograms to perform “GHOST” attacks. Another new feature added to the latest Prilex samples is the ability to filter credit cards according to their segment and create different rules for each segment. For example, the malware can block NFC and capture card data only if the card is Black/Infinite, Corporate or another type with a high transaction limit, which is much more attractive than regular credit cards with a low balance or limit.
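The behaviour described above leaves a trace on the terminal side: contactless attempts that fail and are immediately followed by a chip insert. As an added example (not Kaspersky’s research code), the following hypothetical detection pass scores terminals in a constructed POS transaction log by that fallback pattern; field names, time window and thresholds are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample POS transaction log (not real data): one record per
# payment attempt. "entry" is how the card was read, "result" the outcome.
SAMPLE_LOG = [
    {"ts": 100, "terminal": "POS-01", "entry": "contactless", "result": "declined"},
    {"ts": 104, "terminal": "POS-01", "entry": "chip", "result": "approved"},
    {"ts": 300, "terminal": "POS-01", "entry": "contactless", "result": "declined"},
    {"ts": 306, "terminal": "POS-01", "entry": "chip", "result": "approved"},
    {"ts": 500, "terminal": "POS-01", "entry": "contactless", "result": "declined"},
    {"ts": 507, "terminal": "POS-01", "entry": "chip", "result": "approved"},
    {"ts": 120, "terminal": "POS-02", "entry": "contactless", "result": "approved"},
    {"ts": 350, "terminal": "POS-02", "entry": "contactless", "result": "declined"},
    {"ts": 353, "terminal": "POS-02", "entry": "chip", "result": "approved"},
    {"ts": 600, "terminal": "POS-02", "entry": "contactless", "result": "approved"},
]


def fallback_pairs(log, window=30):
    """Per terminal, count contactless attempts and how many of them were
    declined and then followed within `window` seconds by a chip-read
    transaction on the same terminal (the "insert card" fallback)."""
    by_terminal = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["ts"]):
        by_terminal[rec["terminal"]].append(rec)
    stats = {}
    for term, recs in by_terminal.items():
        attempts = fallbacks = 0
        for i, rec in enumerate(recs):
            if rec["entry"] != "contactless":
                continue
            attempts += 1
            if rec["result"] != "declined":
                continue
            nxt = recs[i + 1] if i + 1 < len(recs) else None
            if nxt and nxt["entry"] == "chip" and nxt["ts"] - rec["ts"] <= window:
                fallbacks += 1
        stats[term] = (attempts, fallbacks)
    return stats


def suspicious_terminals(log, min_attempts=3, ratio=0.8):
    """Flag terminals where nearly every contactless attempt is declined and
    immediately followed by a chip insert, the pattern a Prilex-style NFC
    block produces. Thresholds are assumed values, tune against a baseline."""
    return sorted(t for t, (a, f) in fallback_pairs(log).items()
                  if a >= min_attempts and f / a >= ratio)
```

On the constructed log, POS-01 (every contactless attempt declined and followed by a chip insert) is flagged while POS-02, where most contactless payments succeed, is not.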
Fabio Assolini, Director of the Research and Analysis Team for Latin America at Kaspersky, commented: “Contactless payments are now part of our daily lives and statistics show that the retail segment dominated the market with over 59% share of global contactless revenue in 2021. Such transactions are extremely convenient and particularly secure, which is why it stands to reason that cybercriminals create malware to lock down NFC-related systems. As the transaction data that is generated during contactless payment is useless from a cybercriminal perspective, it is understandable that Prilex needs to prevent such contactless payment in order to force victims to insert the card into the infected POS terminal.”
Prilex has been operating in the Latin American region since 2014 and is believed to be behind one of the largest attacks carried out in the region. During the Rio carnival in 2016, this agent is suspected of capturing more than 28,000 credit cards and emptying more than 1,000 ATMs of a Brazilian bank.
Now, the group has expanded its attacks globally, as detected in Germany in 2019, when a criminal gang committed fraud with Mastercard debit cards issued by the German bank OLB and extracted more than 1.5 million euros from some 2,000 customers. The recently discovered modifications have so far been detected in Brazil, but may also spread to other countries and regions.
Disclaimer: The information and/or opinions expressed in this article do not necessarily represent the views or editorial line of Cointelegraph. The information presented here should not be taken as financial advice or investment recommendation. All investment and commercial movement involve risks and it is the responsibility of each person to do their due research before making an investment decision.