This PoS malware blocks contactless payments to steal credit card data


Cybersecurity researchers have spotted new versions of a known Point of Sale (PoS) malware that deliberately disable the terminal's contactless feature so that card data once again passes through a channel the malware can capture.

The team from Kaspersky observed Prilex PoS malware versions 06.03.8070, 06.03.8072 and 06.03.8080 in the wild. These versions were released in November 2022 and prevent the infected terminal from accepting contactless credit card transactions.

Contactless transactions, made possible by near-field communication (NFC) chips in PoS terminals on one end and in credit/debit cards, smartphones and smartwatches on the other, exploded in popularity during the Covid-19 pandemic. The technology lets consumers pay without inserting or swiping their cards, and because each tap produces a unique, single-use identifier rather than reusable track data, it leaves PoS malware with almost nothing worth stealing.


Swiping away the data

To work around this, the threat actors deployed a new version of Prilex that blocks compromised PoS terminals from accepting contactless payments at all.

If a customer tries to tap a card on a compromised terminal, they only get an error message, which forces them to fall back to inserting or swiping the card and, ultimately, hands the sensitive card data to the attackers.
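The behaviour described above has an observable signature on the merchant side: a terminal whose contactless attempts keep failing and are followed, seconds later, by a swipe or chip insertion. The following is an added example of a detection heuristic over such a pattern; it is not code from the article or from Kaspersky, and the log line format (timestamp, terminal id, entry mode, result) and the sample entries are constructed for illustration.

```python
"""Flag PoS terminals showing a 'contactless error followed by swipe/chip'
fallback pattern, as a Prilex-style contactless-blocking malware would cause.

Added example; the log format below is an assumption, not a real terminal's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one event per line as
#   <ISO timestamp> <terminal id> <entry mode> <result>
# T-01 behaves normally; T-07 shows repeated contactless errors each
# followed by a swipe within a minute.
SAMPLE_LOG = """\
2022-11-14T09:01:02 T-01 CONTACTLESS APPROVED
2022-11-14T09:03:10 T-01 CONTACTLESS APPROVED
2022-11-14T09:04:55 T-01 CHIP APPROVED
2022-11-14T09:02:00 T-07 CONTACTLESS ERROR
2022-11-14T09:02:31 T-07 SWIPE APPROVED
2022-11-14T09:05:12 T-07 CONTACTLESS ERROR
2022-11-14T09:05:40 T-07 SWIPE APPROVED
2022-11-14T09:09:03 T-07 CONTACTLESS ERROR
2022-11-14T09:09:29 T-07 SWIPE APPROVED
2022-11-14T09:12:00 T-07 CONTACTLESS APPROVED
"""


def parse_log(text):
    """Group events per terminal, sorted by time."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, mode, result = line.split()
        events[terminal].append((datetime.fromisoformat(ts), mode, result))
    for terminal in events:
        events[terminal].sort()
    return dict(events)


def forced_fallbacks(events, window=timedelta(seconds=120)):
    """Per terminal, return (contactless attempts, attempts that errored and
    were followed by a SWIPE or CHIP transaction within `window`)."""
    counts = {}
    for terminal, evs in events.items():
        attempts = fallbacks = 0
        for i, (ts, mode, result) in enumerate(evs):
            if mode != "CONTACTLESS":
                continue
            attempts += 1
            if result != "ERROR":
                continue
            # Look ahead for the customer re-trying with a swipe or insert.
            for ts2, mode2, _ in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if mode2 in ("SWIPE", "CHIP"):
                    fallbacks += 1
                    break
        counts[terminal] = (attempts, fallbacks)
    return counts


def suspicious_terminals(events, min_attempts=3, ratio=0.5):
    """Terminals where at least `ratio` of contactless attempts ended in an
    error followed by a fallback; `min_attempts` avoids flagging one-off
    NFC glitches."""
    flagged = []
    for terminal, (attempts, fallbacks) in forced_fallbacks(events).items():
        if attempts >= min_attempts and fallbacks / attempts >= ratio:
            flagged.append(terminal)
    return sorted(flagged)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print(forced_fallbacks(parsed))
    print("suspicious:", suspicious_terminals(parsed))
```

The thresholds are deliberately conservative: a single failed tap is normal wear, but a terminal where most taps fail and are immediately retried by swipe deserves a look, ideally correlated with the terminal's software inventory.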

After stealing the data, the researchers say, the attackers can run cryptogram manipulation and “GHOST transaction” attacks.

Prilex operators have been busy, the researchers say. They have been adding new features for months. Before the contactless block, they added EMV cryptogram generation, which lets them evade detection and run "GHOST transaction" attacks even against cards protected by chip and PIN. They also added a way to filter cards and grab data only from specific issuers or card tiers.

"These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit," Kaspersky said.

Via: BleepingComputer

Sead Fadilpašić
