Kaspersky warns: cybercriminals are now able to find an alternative
Kaspersky has revealed 3 new versions of the Prilex malware, developed by the cybercriminal group of the same name, whose advanced malware targeted point-of-sale (PoS) systems in 2022.
The newly discovered versions can block the Near Field Communication (NFC) technology used for contactless payments at infected points of sale, forcing customers to pay with their physical plastic cards and enabling the cybercriminals to steal their money. Prilex is currently being used in Latin America, but its use is likely to expand to the Middle East, Turkey and Africa in the coming months.
The notorious Prilex gang has gradually evolved from ATM-focused malware to point-of-sale malware, and its tooling is the most advanced PoS malware discovered to date.
In 2022, Kaspersky documented Prilex attacks it dubbed “GHOST” transactions, which defraud credit card transactions even on cards protected by chip-and-PIN technology that is allegedly unhackable.
Now, the gang and its software have gone further, according to security experts who wondered if Prilex could capture data from NFC-enabled credit cards.
While recently responding to an incident at a client affected by Prilex, Kaspersky researchers discovered three new versions capable of blocking the contactless payment transactions that became so popular during and after the pandemic.
Contactless payment systems, whether credit and debit cards, wireless access keys, or smart devices such as mobile phones, are characterised by their use of Radio Frequency Identification (RFID) technology.
More recently, electronic payment applications such as Samsung Pay, Apple Pay, Google Pay and Fitbit Pay, as well as banking applications, have implemented NFC technology to support secure contactless transactions.
Contactless bank cards provide a convenient and secure way to pay without inserting or swiping the card in the point-of-sale device, but Prilex has found a way to prevent these transactions: a rule-based file determines whether credit card information will be captured or not, and it includes an option to block NFC-based transactions.
Since NFC-based transactions generate a unique card number that is valid for only one transaction, if Prilex detects and blocks an NFC-based transaction, the PIN pad will display the following message:
The criminals aim to force the victim to use their plastic card by inserting it into the PIN pad reader, where the malware can capture the data received from the transaction using all the methods available to Prilex, such as manipulating cryptograms to carry out GHOST attacks.
Another new feature added to the latest Prilex samples is the ability to filter credit cards according to their category and to create different rules for each category. For example, NFC can be blocked and card data captured only if the card belongs to the Black, Infinite, institutional or another tier with a high transaction limit, since these are more attractive than standard card categories with a low balance or limit.
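The behaviour described above (contactless attempts failing at an infected terminal and being followed by a chip insertion of the same card, concentrated on premium card tiers) leaves a statistical trace in a merchant's or acquirer's transaction logs. The following added example, which is not code from the article or from Kaspersky, is a defender-side heuristic that scans a constructed PoS transaction log for that pattern. The log format, field names, the premium tier list, the 3-minute fallback window and the alerting thresholds are all assumptions chosen for illustration; card references are assumed to be hashed or tokenised, never raw PANs.

```python
"""Heuristic detector for NFC-decline -> chip-insert fallback patterns per PoS terminal.

Added example; log format, field names, window and thresholds are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Card tiers the article says Prilex singles out (assumed labels).
PREMIUM_TIERS = {"BLACK", "INFINITE", "CORPORATE"}
# Assumed: a chip insert of the same card within 3 minutes of an NFC decline is a "fallback".
FALLBACK_WINDOW = timedelta(seconds=180)

# Constructed sample log (not real data):
# timestamp terminal card_ref tier interface result
SAMPLE_LOG = """\
2023-02-01T10:00:01 POS-01 c1 BLACK NFC DECLINED
2023-02-01T10:00:20 POS-01 c1 BLACK CHIP APPROVED
2023-02-01T10:05:10 POS-01 c2 STANDARD NFC APPROVED
2023-02-01T10:12:02 POS-01 c3 INFINITE NFC DECLINED
2023-02-01T10:12:30 POS-01 c3 INFINITE CHIP APPROVED
2023-02-01T10:20:00 POS-01 c4 CORPORATE NFC DECLINED
2023-02-01T10:20:45 POS-01 c4 CORPORATE CHIP APPROVED
2023-02-01T10:30:00 POS-01 c5 STANDARD NFC APPROVED
2023-02-01T10:01:00 POS-02 c6 BLACK NFC APPROVED
2023-02-01T10:03:00 POS-02 c7 STANDARD NFC APPROVED
2023-02-01T10:07:00 POS-02 c8 INFINITE NFC DECLINED
2023-02-01T10:09:00 POS-02 c9 STANDARD NFC APPROVED
"""


@dataclass
class TxEvent:
    ts: datetime
    terminal: str
    card: str        # hashed/tokenised card reference, never the PAN itself
    tier: str
    interface: str   # "NFC" or "CHIP"
    result: str      # "APPROVED" or "DECLINED"


def parse_log(text):
    """Parse whitespace-separated log lines into TxEvent objects sorted by time."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, terminal, card, tier, iface, result = line.split()
        events.append(TxEvent(datetime.fromisoformat(ts), terminal, card,
                              tier.upper(), iface.upper(), result.upper()))
    events.sort(key=lambda e: e.ts)
    return events


@dataclass
class TerminalStats:
    nfc_attempts: int = 0
    nfc_declined: int = 0
    fallbacks: int = 0          # NFC decline followed by chip insert of the same card
    premium_fallbacks: int = 0  # subset of fallbacks on premium tiers

    @property
    def fallback_rate(self):
        return self.fallbacks / self.nfc_attempts if self.nfc_attempts else 0.0


def terminal_stats(events):
    """Aggregate per-terminal counters, pairing NFC declines with later chip inserts."""
    stats = defaultdict(TerminalStats)
    pending = {}  # (terminal, card) -> most recent NFC decline awaiting a chip insert
    for ev in events:
        s = stats[ev.terminal]
        if ev.interface == "NFC":
            s.nfc_attempts += 1
            if ev.result == "DECLINED":
                s.nfc_declined += 1
                pending[(ev.terminal, ev.card)] = ev
        elif ev.interface == "CHIP":
            prior = pending.pop((ev.terminal, ev.card), None)
            if prior is not None and ev.ts - prior.ts <= FALLBACK_WINDOW:
                s.fallbacks += 1
                if ev.tier in PREMIUM_TIERS:
                    s.premium_fallbacks += 1
    return dict(stats)


def flag_terminals(events, min_fallbacks=3, min_rate=0.5):
    """Return terminals whose fallback count and rate exceed the (assumed) thresholds."""
    return {t: s for t, s in terminal_stats(events).items()
            if s.fallbacks >= min_fallbacks and s.fallback_rate >= min_rate}


if __name__ == "__main__":
    for terminal, s in flag_terminals(parse_log(SAMPLE_LOG)).items():
        print(f"{terminal}: {s.fallbacks} fallbacks out of {s.nfc_attempts} NFC attempts "
              f"({s.fallback_rate:.0%}), {s.premium_fallbacks} on premium tiers")
```

The heuristic keys on the combination the article describes rather than on NFC declines alone: a single terminal where NFC repeatedly fails and the same card is then inserted moments later, with the failures clustering on high-limit tiers, is the signature of a terminal that is blocking contactless rather than of a faulty reader or a customer error. Thresholds should be calibrated against a baseline of healthy terminals, and a flagged terminal is a lead for forensic examination of the PoS host, not proof of infection on its own.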
The Prilex gang has been active in Latin America since 2014 and is alleged to have been behind one of the largest attacks on the continent. During the Rio Carnival in 2016, the gang cloned more than 28,000 credit cards and robbed more than 1,000 ATMs belonging to Brazilian banks.
The gang has expanded its attacks globally: it was observed in Germany in 2019, when a criminal gang cloned Mastercard debit cards issued by the German bank OLB and withdrew more than 1.5 million euros from about 2,000 customers. The newly discovered modified versions were found in Brazil, but they may spread to other countries and regions, including the Middle East, Turkey and Africa, in the coming months.
Fabio Assolini, Head of Global Research and Analysis Team in Latin America at Kaspersky, said that contactless payments have become a part of the daily life of individuals, noting that statistics show that the retail sector dominated the market with a share of more than 59 percent of contactless transaction revenues in 2021.
“These transactions are convenient and secure, so it makes sense for cybercriminals to create malware that disrupts NFC devices,” Assolini added. Because the transaction data generated during contactless payments is useless from Prilex’s perspective, the malware blocks these transactions to force victims to insert the same card into the infected PoS device.
To protect users from Prilex, Kaspersky recommends implementing the Kaspersky SDK in PoS modules to prevent malware from tampering with the transactions these modules handle. It also recommends protecting older systems with up-to-date security solutions that are optimised to run with full functionality on old versions of Windows as well as on the latest Microsoft packages, ensuring that organisations have full support for older Microsoft software for the foreseeable future and can upgrade whenever they need to.
Users should also install a security solution, such as Kaspersky Embedded Systems Security, that protects devices from a range of attack vectors. Even if a device has very low system specifications, Kaspersky’s solution can still protect it using a default-deny scenario.
Kaspersky recommends that financial institutions that fall victim to this type of fraud use the Kaspersky Threat Attribution Engine to help incident response teams find and identify Prilex files on attacked systems.