Kaspersky has revealed three new variants of Prilex, a malware family it calls the most advanced point-of-sale (PoS) malware of 2022.
The new variants can block Near Field Communication (NFC) contactless transactions on an infected PoS terminal, forcing consumers to insert their physical credit card instead.
This, in turn, lets the cybercriminals capture the card data and, ultimately, the funds.
Prilex is a notorious threat actor that has gradually evolved from malware targeting automated teller machines (ATMs) to unique PoS malware, the most advanced PoS threat discovered to date.
As Kaspersky also described in 2022, Prilex performs so-called “GHOST” attacks that allow it to carry out credit card fraud even with supposedly unbreakable chip-and-PIN protected cards. Now, Prilex has developed further.
Security experts wondered whether Prilex would be able to capture data from NFC-enabled credit cards. Recently, while responding to an incident involving a customer hit by Prilex, Kaspersky researchers discovered three new variants that can block contactless payment transactions, which became extremely popular during the pandemic and have stayed popular since.
Contactless payment systems, such as credit and debit cards, device authentication keys, and other smart devices, including wearables, have traditionally relied on Radio Frequency Identification (RFID).
More recently, Samsung Pay, Apple Pay, Google Pay, Fitbit Pay, and mobile banking apps have adopted Near Field Communication (NFC) technology to support secure, contactless transactions.
Contactless credit cards provide a convenient and secure way to make payments without having to touch, insert, or swipe your card. However, Prilex has learned to block such transactions: it now uses a rule file that specifies whether or not to capture credit card information and includes an option to block NFC-based transactions.
Since NFC-based transactions generate a unique identifier that is valid for a single transaction only, if Prilex detects and blocks an NFC-based transaction, the EFT software will instruct the PIN pad to display the following message:
Contactless transaction error, please enter your card
The cybercriminals' goal is to force the victim to use their physical card by inserting it into the PIN pad reader.
In this way, the malware can capture the data from the transaction by any means available, for instance by manipulating the cryptograms to perform a GHOST attack.
Another new feature in the latest Prilex samples is the ability to filter credit cards by type and to create different rules for different types.
For example, the rules can block NFC and capture card data only if the card is a Black/Infinite card, a corporate card, or another product with a high transaction limit, which is more attractive to the criminals than a standard card with a low balance or limit.
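As an added illustration that is not part of the Kaspersky report or of this article, the following Python sketch shows how a PoS operator might hunt in terminal transaction logs for the behaviour described above: a contactless tap rejected at the reader and, within seconds, the same card inserted and approved, with the pattern clustered on one terminal and concentrated on premium card products. The log format, field names, product tiers, time window and thresholds are assumptions made for this example, and the sample log lines are constructed.

```python
"""
Detection heuristic for the Prilex-style "contactless refusal" pattern.

Added example, not Kaspersky's code and not a Prilex artefact. The log
format, field names, product tiers and thresholds are assumptions for
this illustration; real PoS/EFT logs differ per vendor.

Signal: on an infected terminal a contactless (NFC) tap is rejected and,
seconds later, the same card is inserted (chip) and approved. On healthy
terminals NFC-to-chip fallbacks are rare and are not clustered on one
terminal or on premium card products.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumed "premium" product tiers, mirroring the selective rules described
# in the article (Black/Infinite, corporate, high-limit cards).
PREMIUM_PRODUCTS = {"BLACK", "INFINITE", "CORPORATE", "BUSINESS"}

# Constructed sample log: terminal, timestamp, masked PAN, product, entry mode, result.
# T-001 behaves normally; T-002 shows the suspicious fallback pattern on premium cards only.
SAMPLE_LOG = """\
T-001,2023-01-10T10:00:00,411111******1111,STANDARD,CONTACTLESS,APPROVED
T-001,2023-01-10T10:01:00,411111******2222,BLACK,CONTACTLESS,APPROVED
T-001,2023-01-10T10:02:00,411111******3333,STANDARD,CHIP,APPROVED
T-002,2023-01-10T10:00:05,550000******0001,BLACK,CONTACTLESS,DECLINED
T-002,2023-01-10T10:00:12,550000******0001,BLACK,CHIP,APPROVED
T-002,2023-01-10T10:03:00,550000******0002,STANDARD,CONTACTLESS,APPROVED
T-002,2023-01-10T10:05:40,550000******0003,CORPORATE,CONTACTLESS,DECLINED
T-002,2023-01-10T10:05:51,550000******0003,CORPORATE,CHIP,APPROVED
T-002,2023-01-10T10:09:00,550000******0004,BLACK,CONTACTLESS,DECLINED
T-002,2023-01-10T10:09:20,550000******0004,BLACK,CHIP,APPROVED
T-002,2023-01-10T10:15:00,550000******0005,STANDARD,CONTACTLESS,APPROVED
T-001,2023-01-10T10:20:00,411111******4444,CORPORATE,CONTACTLESS,DECLINED
T-001,2023-01-10T10:25:00,411111******4444,CORPORATE,CHIP,APPROVED
"""


@dataclass
class Event:
    terminal: str
    ts: datetime
    pan: str
    product: str
    entry: str
    result: str


def parse_log(text):
    """Parse the assumed CSV log format into Event records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        terminal, ts, pan, product, entry, result = line.split(",")
        events.append(Event(terminal, datetime.fromisoformat(ts), pan, product, entry, result))
    return events


def find_fallbacks(events, window_seconds=60):
    """Return (terminal, pan, product, gap_seconds) for each contactless
    non-approval followed by a CHIP APPROVED for the same card on the same
    terminal within the window. A chip approval arriving minutes later is
    not counted; that looks like an ordinary retry, not a forced fallback."""
    by_key = defaultdict(list)
    for ev in events:
        by_key[(ev.terminal, ev.pan)].append(ev)
    fallbacks = []
    for evs in by_key.values():
        evs.sort(key=lambda e: e.ts)
        for i, ev in enumerate(evs):
            if ev.entry != "CONTACTLESS" or ev.result == "APPROVED":
                continue
            for nxt in evs[i + 1:]:
                gap = (nxt.ts - ev.ts).total_seconds()
                if gap > window_seconds:
                    break
                if nxt.entry == "CHIP" and nxt.result == "APPROVED":
                    fallbacks.append((ev.terminal, ev.pan, ev.product, gap))
                    break
    return fallbacks


def terminal_stats(events, window_seconds=60):
    """Per-terminal fallback counts, fallback rate over contactless attempts,
    and the share of fallbacks that hit premium products."""
    attempts = defaultdict(int)
    for ev in events:
        if ev.entry == "CONTACTLESS":
            attempts[ev.terminal] += 1
    fb_products = defaultdict(list)
    for term, _pan, product, _gap in find_fallbacks(events, window_seconds):
        fb_products[term].append(product)
    stats = {}
    for term, n_attempts in attempts.items():
        n_fb = len(fb_products[term])
        premium = sum(1 for p in fb_products[term] if p in PREMIUM_PRODUCTS)
        stats[term] = {
            "contactless_attempts": n_attempts,
            "fallbacks": n_fb,
            "fallback_rate": n_fb / n_attempts,
            "premium_share": premium / n_fb if n_fb else 0.0,
        }
    return stats


def flag_terminals(stats, min_fallbacks=2, min_rate=0.3):
    """Terminals whose forced-fallback count and rate both exceed the assumed thresholds."""
    return sorted(t for t, s in stats.items()
                  if s["fallbacks"] >= min_fallbacks and s["fallback_rate"] >= min_rate)


if __name__ == "__main__":
    stats = terminal_stats(parse_log(SAMPLE_LOG))
    for term, s in sorted(stats.items()):
        print(term, s)
    print("suspicious terminals:", flag_terminals(stats))
```

On the constructed log only T-002 is flagged: three of its five contactless attempts end in a chip approval within a minute, all of them on premium products, while T-001's single contactless decline is followed by a chip approval five minutes later and is ignored. The premium share is reported separately because a terminal that forces fallback only for high-limit cards, as the article describes, keeps its overall fallback rate low, so the rate threshold alone can miss it.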
Active in the Latin American region since 2014, Prilex is said to be behind one of the largest attacks in the region. During the 2016 Rio de Janeiro Carnival, the threat actor cloned more than 28,000 credit cards and drained more than 1,000 ATMs belonging to Brazilian banks.
Since then, the group has expanded its attacks worldwide. In 2019 it was discovered in Germany, where a criminal gang cloned Mastercard debit cards issued by the German bank OLB and stole more than €1.5 million from around 2,000 customers.
As for the newly discovered modifications, they have so far been identified in Brazil, but they may spread to other countries and regions.
Contactless payments are now part of our daily lives, and statistics show that the retail sector dominated the market with a share of more than 59% of global contactless revenue in 2021.
Such transactions are very convenient and very secure, so it makes sense for cybercriminals to create malware that interferes with NFC-based systems.
“Since transaction data generated during contactless payments is useless from a cybercriminal's perspective, it is understandable that Prilex would need to prevent contactless payments in order to force victims to insert the card into an ‘infected’ PoS device,” comments Fabio Assolini, Head of the Latin America Global Research and Analysis Team (GReAT) at Kaspersky.