Fast-evolving Prilex POS malware can block contactless payments

... forcing users to insert their cards into less-secure PIN systems


The reasons businesses and consumers like contactless payment transactions – high security and speed – are what make those systems bad for cybercriminals.

If miscreants want to get back to stealing data and committing fraud, they need to find a way to force transactions away from tap-to-pay systems like Apple Pay and Google Pay and get people putting their credit cards back into the point-of-sale (POS) PIN devices.

According to Kaspersky researchers, that's what the Brazilian operators behind the Prilex POS malware have done.

Kaspersky discovered two new Prilex variants in early 2022 and found a third in November that can target NFC-enabled credit cards and block contactless transactions, forcing the payer to insert the card into the PIN pad, where the compromised POS software can read the transaction data.

"The goal here is to force the victim to use their physical card by inserting it into the PIN pad reader, so the malware will be able to capture the data coming from the transaction," the researchers write in a report published this week.

The malware's new capabilities build on those that already make Prilex the most advanced POS threat, they add. It has a unique cryptographic scheme and can patch target software in real time, force protocol downgrades, run GHOST transactions, and commit credit card fraud, including against the most sophisticated chip-and-PIN technologies.

Once the buyer puts the credit card into the PIN machine, all those techniques can go into action.

Prilex started off in 2014 targeting ATMs and within a couple of years brought POS systems into the mix. But contactless payments made stealing data from victims much more difficult, and adoption of contactless accelerated during the pandemic, when people became more wary of handling cash.

A tap-to-pay transaction activates the card's NFC chip, which sends the terminal a one-time cryptogram tied to that specific transaction (it is computed over the card's transaction counter and a random value supplied by the terminal), so neither the cryptogram nor the transaction can be replayed. There is nothing reusable for a cybercriminal to steal.
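The following is an added illustration of why a captured contactless transaction is useless to replay; it is not code from Kaspersky's report or from the malware, and it is a deliberately simplified stand-in for EMV. A real card derives a session key and computes its cryptogram (the ARQC) with 3DES or AES over many more fields; here an HMAC over the application transaction counter (ATC), the terminal's unpredictable number and the amount plays that role, and the PAN and key are constructed test values.

```python
"""Toy EMV-like exchange: card, terminal and issuer (simplified model, not real EMV)."""
import hashlib
import hmac
import os

ATC_LEN = 2       # application transaction counter, bytes
UN_LEN = 4        # terminal "unpredictable number", bytes
AMOUNT_LEN = 6    # amount in minor units, bytes


def _mac(key: bytes, atc: int, un: bytes, amount: int) -> bytes:
    # Stand-in for the ARQC: a keyed MAC over the per-transaction values.
    msg = atc.to_bytes(ATC_LEN, "big") + un + amount.to_bytes(AMOUNT_LEN, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Card:
    """The chip side: holds the secret key and a counter that only ever increases."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key
        self.atc = 0

    def tap(self, un: bytes, amount: int) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "cryptogram": _mac(self._key, self.atc, un, amount)}


class Issuer:
    """The issuer side: checks the cryptogram and refuses an ATC it has already seen."""

    def __init__(self):
        self._keys = {}      # pan -> key shared with the card
        self._last_atc = {}  # pan -> highest ATC accepted so far

    def enroll(self, pan: str, key: bytes) -> None:
        self._keys[pan] = key

    def authorize(self, record: dict, un: bytes) -> bool:
        key = self._keys.get(record["pan"])
        if key is None:
            return False
        # A replayed or stale record carries an ATC the issuer has already accepted.
        if record["atc"] <= self._last_atc.get(record["pan"], 0):
            return False
        expected = _mac(key, record["atc"], un, record["amount"])
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False
        self._last_atc[record["pan"]] = record["atc"]
        return True


def terminal_tap(card: Card, issuer: Issuer, amount: int):
    """What the POS does: pick a fresh unpredictable number, read the card, ask the issuer."""
    un = os.urandom(UN_LEN)
    record = card.tap(un, amount)
    return issuer.authorize(record, un), record, un


def demo() -> dict:
    key = os.urandom(16)
    card = Card("4111111111111111", key)   # constructed test PAN
    issuer = Issuer()
    issuer.enroll(card.pan, key)

    genuine, captured, un = terminal_tap(card, issuer, 2599)
    # An attacker who sniffed the tap replays it verbatim (same UN, same ATC).
    replay = issuer.authorize(captured, un)
    # ...or submits the captured record in a new transaction with a fresh terminal UN.
    new_un = os.urandom(UN_LEN)
    fresh_un = issuer.authorize(captured, new_un)
    # ...or bumps the ATC past the last accepted value and edits the amount: the MAC no longer matches.
    forged = dict(captured, atc=captured["atc"] + 1, amount=1)
    tampered = issuer.authorize(forged, new_un)
    # The legitimate card, meanwhile, keeps working.
    next_genuine, _, _ = terminal_tap(card, issuer, 1000)
    return {"genuine": genuine, "replay": replay, "fresh_un": fresh_un,
            "tampered": tampered, "next_genuine": next_genuine}


if __name__ == "__main__":
    print(demo())
```

Two independent checks defeat the attacker here: the counter rejects anything the issuer has already accepted, and the MAC binds the cryptogram to the terminal's random value and the amount, so a captured record cannot be lifted into a different transaction. Contactless still transmits the PAN and expiry in the clear, but without a reusable cryptogram (and with no CVV2) that data is of little use for the kind of fraud this article describes.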

"Contactless credit cards offer a convenient and secure way to make payments without the need to physically insert or swipe the card," the researchers wrote. "But what happens if a threat can disable these payments in the EFT [electronic fund transfer] running in the computer and force you to insert the card in the PINpad reader?"

Digging deeper into the last of the three Prilex variants, the researchers said the malware reads a rules file that decides whether to capture card data for a given transaction, and that those rules include an option to block NFC-based transactions.

When Prilex detects and blocks a contactless transaction, the EFT software has the PIN pad display an error message that reads "Contactless error, insert your card."

It can also filter cards by segment and apply different rules to each segment.

"For example, these rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit," the researchers wrote.
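The behaviour described above, a contactless error followed moments later by the same card being inserted, with the errors skewed toward premium tiers, is something a payment operator can look for in its own transaction journals. The following detection heuristic is an added example and not part of Kaspersky's report; the CSV column layout, the pre-computed card tier field, the 90-second fallback window and the alert thresholds are all assumptions, and the sample journal lines are constructed for the example (real EFT software logs differently and the error string is whatever the malware configures).

```python
"""Flag POS terminals with an abnormal contactless-to-chip fallback pattern."""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample journal. card_id is a token, never a PAN; tier is assumed
# to be derived upstream from the BIN. Column layout is an assumption for this example.
SAMPLE_JOURNAL = """\
ts,terminal,card_id,tier,entry_mode,result,message
2022-11-14T09:01:05,T-001,c1a9,standard,contactless,approved,
2022-11-14T09:03:40,T-001,7f20,standard,contactless,approved,
2022-11-14T09:06:12,T-002,b4e1,black,contactless,error,"Contactless error, insert your card"
2022-11-14T09:06:31,T-002,b4e1,black,chip,approved,
2022-11-14T09:10:02,T-002,2d77,standard,contactless,approved,
2022-11-14T09:12:45,T-002,9c03,corporate,contactless,error,"Contactless error, insert your card"
2022-11-14T09:13:04,T-002,9c03,corporate,chip,approved,
2022-11-14T09:20:19,T-002,e5b8,infinite,contactless,error,"Contactless error, insert your card"
2022-11-14T09:20:41,T-002,e5b8,infinite,chip,approved,
2022-11-14T09:25:00,T-001,0a1f,black,contactless,approved,
2022-11-14T09:31:27,T-003,55d0,standard,contactless,error,"Card read failed"
2022-11-14T09:40:00,T-003,55d0,standard,chip,approved,
"""

FALLBACK_WINDOW = timedelta(seconds=90)           # assumed: how soon a re-insert counts as forced
PREMIUM_TIERS = {"black", "infinite", "corporate"}  # the tiers the report says the rules single out


def parse_journal(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["ts"])
    return rows


def find_fallbacks(rows: list, window: timedelta = FALLBACK_WINDOW) -> list:
    """(terminal, card_id, tier) for each contactless error followed, on the same
    terminal and for the same card, by a chip insert within `window`."""
    by_key = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_key[(r["terminal"], r["card_id"])].append(r)
    fallbacks = []
    for (terminal, card), events in by_key.items():
        for i, ev in enumerate(events):
            if ev["entry_mode"] != "contactless" or ev["result"] != "error":
                continue
            for nxt in events[i + 1:]:
                if nxt["ts"] - ev["ts"] > window:
                    break
                if nxt["entry_mode"] == "chip":
                    fallbacks.append((terminal, card, ev["tier"]))
                    break
    return fallbacks


def score_terminals(rows: list, window: timedelta = FALLBACK_WINDOW) -> dict:
    """Per terminal: contactless attempts, forced fallbacks, and how many of those hit premium cards."""
    attempts = Counter(r["terminal"] for r in rows if r["entry_mode"] == "contactless")
    fallbacks = find_fallbacks(rows, window)
    fb_count = Counter(t for t, _, _ in fallbacks)
    premium = Counter(t for t, _, tier in fallbacks if tier in PREMIUM_TIERS)
    scores = {}
    for t, n_attempts in attempts.items():
        n = fb_count[t]
        scores[t] = {
            "contactless_attempts": n_attempts,
            "fallbacks": n,
            "fallback_rate": n / n_attempts,
            "premium_share": premium[t] / n if n else 0.0,
        }
    return scores


def suspicious_terminals(rows: list, min_fallbacks: int = 2, min_rate: float = 0.5,
                         min_premium_share: float = 0.8) -> list:
    """Terminals whose forced fallbacks are frequent and concentrated on premium tiers.
    Thresholds are assumptions; tune them against a baseline of genuine read failures."""
    return sorted(t for t, s in score_terminals(rows).items()
                  if s["fallbacks"] >= min_fallbacks
                  and s["fallback_rate"] >= min_rate
                  and s["premium_share"] >= min_premium_share)


if __name__ == "__main__":
    journal = parse_journal(SAMPLE_JOURNAL)
    for terminal, s in sorted(score_terminals(journal).items()):
        print(terminal, s)
    print("suspicious:", suspicious_terminals(journal))
```

Genuine contactless read failures happen, which is why the heuristic looks at the rate per terminal and the tier skew rather than at any single error (T-003's lone failure, followed by a re-insert eight minutes later, is not counted). A compromised EFT host can also rewrite its own logs, so the journal used here should come from the acquirer or the PIN pad side rather than from the POS computer the malware runs on.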

All this is a win for miscreants targeting POS systems while trying to find their way in this increasingly contactless world.

"While the group is looking for a way to commit fraud with unique credit card numbers, this clever trick allows it to continue operating," they wrote. ®
