Researchers have identified three new variants of the advanced Point-of-Sales (PoS) malware, Prilex. These new variants block contactless Near-Field Communication (NFC) transactions, forcing card users to physically insert the card into the infected device.
First observed in 2014, the Prilex malware has gradually evolved from ATM-focused malware into full-fledged PoS malware.
Variants and capabilities
According to Kaspersky researchers, Brazilian threat actors operating the Prilex malware have further updated their malware with new capabilities.
The three new Prilex versions are 06.03.8080, 06.03.8070, and 06.03.8072.
These new variants of Prilex have been modified with the ability to restrict contactless payment transactions.
Another new feature added to the recent Prilex samples includes the ability to filter credit cards according to their segment and create separate rules for different segments.
For example, an attacker can configure the malware to capture card data only if it is a Black/Infinite or Corporate card.
The most recent version was spotted in November 2022. It originated from a different codebase from the one found at the beginning of that year.
How it works
NFC-based transactions create a unique card number valid for only one transaction. If Prilex notices an NFC-based transaction, it blocks that and prompts users to insert their card.
The moment the user inserts the physical card into the PIN pad reader, the malware captures data from the transaction via various techniques, such as manipulating cryptograms or GHOST attacks.
Conclusion
The use of contactless cards is growing worldwide and attracting the attention of cybercriminals. The Prilex malware family has already released three variants that take advantage of this growing trend. Thus, retailers are suggested to use the right security solution in place in PoS modules to stop malicious code from tampering with the transactions.