The Prilex Point-of-Sale Malware: A New Threat to Contactless Transactions
Introduction
The increasing popularity of contactless transactions has made it easier for consumers to make close-proximity payments with credit cards, smartphones, or even smartwatches. However, it has also made it harder for point-of-sale (PoS) malware to steal credit card information, which has pushed threat actors to develop new methods of stealing payment data.
What is Prilex PoS malware?
Prilex is a point-of-sale (PoS) malware that has been around for some time and has been actively monitored by Kaspersky. The malware has evolved over time and has added new features to evade transaction fraud detection and to perform "GHOST transactions" even when the card is protected with CHIP and PIN technology.
The latest variants of Prilex
Kaspersky recently reported that at least three new variants of Prilex have been seen in the wild, with version numbers 06.03.8070, 06.03.8072, and 06.03.8080. These new variants introduce a new feature that blocks secure, NFC-enabled contactless credit card transactions, forcing consumers to insert their cards, which are then stolen by the malware.
How does the new Prilex feature work?
When the new feature is enabled, the malware blocks contactless transactions and displays a "Contactless error, insert your card" message on the payment terminal. The victim is forced to complete the transaction by inserting the card, which makes it easier for the malware to capture the card data through the terminal. A rule-based file tells the malware whether to block a given transaction, depending on whether it has detected the use of NFC. The operators block NFC transactions because each one generates a unique ID or card number that is valid only for that single transaction, so the data would be useless to the attackers if stolen.
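The blocking behaviour described above leaves a fleet-visible footprint: a terminal that suddenly produces a run of contactless failures, each followed within seconds by a successful chip insert, deviates from its normal fallback rate. The following added detection example (not code from the article or from Kaspersky) scores terminals on that pattern; the telemetry format, the 30-second fallback window and the 0.5 alert threshold are all assumptions chosen for illustration, and the log lines are constructed.

```python
from collections import defaultdict
# Constructed sample of terminal telemetry (assumed format):
# terminal_id  unix_time  interface(nfc|chip)  outcome(ok|fail)
SAMPLE_LOG = """\
T01 100 nfc ok
T01 160 nfc ok
T01 220 chip ok
T02 100 nfc fail
T02 107 chip ok
T02 180 nfc fail
T02 186 chip ok
T02 250 nfc fail
T02 258 chip ok
T02 320 nfc ok
"""
FALLBACK_WINDOW_S = 30  # assumed: chip success this soon after an NFC failure is a fallback

def parse_events(text):
    """Parse the assumed whitespace-separated log into (terminal, ts, iface, outcome)."""
    return [(t, int(ts), i, o) for t, ts, i, o in (ln.split() for ln in text.splitlines())]

def fallback_ratio(events):
    """Per terminal: share of NFC attempts that failed and were followed by a
    successful chip transaction within FALLBACK_WINDOW_S."""
    by_term = defaultdict(list)
    for ev in events:
        by_term[ev[0]].append(ev)
    ratios = {}
    for tid, evs in by_term.items():
        evs.sort(key=lambda ev: ev[1])
        attempts = fallbacks = 0
        for i, (_, ts, iface, outcome) in enumerate(evs):
            if iface != "nfc":
                continue
            attempts += 1
            if outcome != "fail":
                continue
            for _, ts2, iface2, outcome2 in evs[i + 1:]:
                if ts2 - ts > FALLBACK_WINDOW_S:
                    break
                if iface2 == "chip" and outcome2 == "ok":
                    fallbacks += 1
                    break
        ratios[tid] = fallbacks / attempts if attempts else 0.0
    return ratios

def flag_terminals(events, threshold=0.5):
    """Terminals whose fallback ratio exceeds the (assumed) alert threshold."""
    return sorted(t for t, r in fallback_ratio(events).items() if r > threshold)
```

In practice the threshold should be set against each terminal's own historical fallback rate rather than a fixed number, since reader wear or card faults also cause occasional fallbacks.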
How is the credit card data captured?
After the credit card data is captured, the Prilex operators use techniques seen in previous releases, like cryptogram manipulation and "GHOST transaction" attacks. The latest variants of Prilex have also added the ability to filter unwanted cards and only capture data from specific providers and tiers. These filtering rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive to the attackers than standard credit cards with a low balance/limit.
Protecting against Prilex PoS malware
Cardholders have limited means to protect themselves against PoS malware like Prilex, as there is no way to know whether a payment terminal is infected. Standard precautions include avoiding terminals with visible signs of tampering, not using public WiFi to access financial accounts without a VPN, and validating the transaction details before and after completion. It is also essential to monitor financial statements regularly and to report any potentially fraudulent transactions or charges to the card issuer immediately.
Other current PoS malware families
HydraPoS: Despite not having been seen releasing new versions recently, HydraPoS remains a formidable threat in the PoS landscape. Originating from Brazil, it is a PoS malware tool that is infamous for cloning credit cards. With hundreds of different builds and versions, HydraPoS combines several pieces of malware and uses a handful of legitimate third-party tools. In 2019, new features were added to the main module to improve persistence and make HydraPoS stealthier. This malware family has been spotted in attacks that used social engineering, where cybercriminals posed as employees of a credit card company over the phone and asked staff to access a website and install "an update," leading to an infection and giving the criminals access to the company's systems.
AbaddonPoS: This malware family was discovered in 2015, and is a generic and widespread type of PoS malware. Features of AbaddonPoS include anti-analysis, code obfuscation, persistence, credit card data location, and a custom protocol for exfiltrating data.
RawPoS: This malware family was first discovered by Visa and has been in use at least since 2008, initially targeting the hospitality sector. The malware comes in many modifications and is capable of extracting the full magnetic stripe data from volatile memory.
Conclusion
Prilex PoS malware is a new threat to contactless transactions, as it can block secure, NFC-enabled contactless credit card transactions, forcing consumers to insert their cards, which are then stolen by the malware. It is crucial to be aware of this threat and to take necessary measures to protect against it. Consumers should be cautious when making contactless transactions and regularly monitor their financial statements for any potentially fraudulent transactions or charges.