New versions of the Prilex point-of-sale malware can block secure, NFC-enabled contactless credit card transactions, forcing consumers to insert credit cards that are then stolen by the malware. On a payment terminal, contactless transactions use NFC chips embedded in credit cards and mobile devices to conduct close-proximity payments via credit cards, smartphones, or even smartwatches. The popularity of contactless payments has grown since the COVID-19 pandemic, with over $34.55 billion in contactless transactions recorded in 2021. To protect against credit card fraud, it is important to understand how PoS malware like Prilex can block contactless payments and steal credit card information.
Kaspersky, following the Prilex PoS malware closely, reports seeing at least three new variants in the wild, with version numbers 06.03.8070, 06.03.8072, and 06.03.8080, first released in November 2022. These new variants introduce a new feature that prevents payment terminals from accepting contactless transactions, forcing customers to insert their cards. In September 2022, Kaspersky reported that Prilex added EMV cryptogram generation to evade transaction fraud detection and to perform GHOST transactions even when the card is protected with CHIP and PIN technology. When the new Prilex feature is enabled, it will block contactless transactions and display a Contactless error, insert your card error on the payment terminal. This forces the victim to finish the transaction by inserting a credit card, making capturing the card information through the payment terminal easier. The malware uses a rule-based file to determine if it should block a transaction based on whether it has detected the use of NFC. Prilexs operators block NFC transactions because those generate a unique ID or card number thats only valid for a single transaction, so if that data is stolen, it wouldnt be helpful for the crooks.
After the credit card data is captured, the Prilex operators employ the techniques seen in previous releases, like cryptogram manipulation and GHOST transaction attacks. Another interesting new feature seen for the first time on the latest Prilex variants is the ability to filter unwanted cards and only capture data from specific providers and tiers. These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit.
Payees have limited means to protect themselves against PoS malware like Prilex, as theres no way to know if a payment terminal might be infected. Standard security measures include avoiding paying on terminals with visible signs of tampering, avoiding using public WiFi to access financial accounts without a VPN, or failing to validate the transaction details before and after its completion. It is essential to regularly monitor financial statements to identify any potentially fraudulent transactions or charges that should be reported to the card issuer immediately.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Tue, 31 Jan 2023 18:49:02 +0000