Cybercriminals use Prilex malware to block contactless payments

Kaspersky says it has uncovered three new variants of Prilex malware, which can block contactless near-field communication (NFC) transactions on infected devices, forcing customers to use their physical credit cards, enabling cybercriminals to steal money.

Prilex is a notorious threat actor, that gradually evolved from Automated Teller Machines (ATMs)-focused malware into a ​unique modular PoS malware — the most advanced PoS threat discovered so far.

As described by Kaspersky previously in 2022, Prilex threat actors conduct so-called “GHOST” attacks, allowing them to perform credit card fraud — even on cards protected with the purported unhackable Chip and PIN technology.

Prilex has gone further

Security experts wondered whether Prilex was able to capture data coming from NFC enabled credit cards.

Recently, during an incident response for a customer affected by Prilex, Kaspersky researchers uncovered three new modifications with the power to block contactless payment transactions, that became extremely popular during and after the pandemic.

Contactless payment systems such as credit and debit cards, key fobs and other smart devices, including mobile devices have traditionally featured radio-frequency identification (RFID).

More recently, Samsung Pay, Apple Pay, Google Pay, Fitbit Pay and mobile bank applications have implemented NFC technologies to support secure contactless transactions.

Contactless cards offer a way to make payments without the need to physically touch, insert or swipe the card. However, Prilex has learned to block such transactions by implementing a rule-based file that specifies whether or not to capture credit card information, and an option to block NFC-based transactions.

Because NFC-based transactions generate a unique card number valid for only one transaction, if Prilex detects an NFC-based transaction and blocks it, the PIN pad will show the following message:

The cybercriminal’s goal is to force the victim to use his/her physical card by inserting it into the PIN pad reader, so the malware can capture data coming from the transaction, using every way available for Prilex, such as manipulating cryptograms to perform GHOST attacks.

Another new feature added to the latest Prilex samples is the possibility to filter credit cards according to their segment, and create different rules for different segments.

For example, they can block NFC and capture card data, only if the card is Black/Infinite, Corporate or other with high transaction limit, which is much more attractive than standard NFC cards, with low balance/limit.

Prilex has been operating in LatAm region since 2014 and is allegedly behind one of the largest attacks in the region.

During the Rio carnival in 2016, the actor cloned more than 28,000 credit cards and drained more than 1,000 ATMs in Brazilian banks. Now, it has expanded its attacks globally.

It was spotted in Germany in 2019 when a criminal gang cloned Mastercard debit cards issued by German bank OLB and withdrew more than €1.5 million from around 2,000 customers.

As for the recently discovered modifications, they have been detected in Brazil – however, they may spread to other countries and regions as well.

The post Cybercriminals use Prilex malware to block contactless payments appeared first on Payments Cards & Mobile.