Cybersecurity researchers have spotted new versions of a known Point of Sale (PoS) malware(opens in new tab) that blocks advanced features to be able to steal credit card data. The team from Kaspersky observed the Prilex PoS malware versions 06.03.8070, 06.03.8072, and 06.03.8080, in the wild. These versions were released in November 2022, and prevent the terminal from accepting contactless credit card transactions.
Contactless transactions, made possible due to near-field communication (NFC) chips found in both PoS terminals on one end, and credit/debit cards, smartphones, and smartwatches on the other exploded in popularity during the Covid-19 pandemic. The technology allows consumers to purchase goods and services without actually inserting their credit cards, making it almost impossible for hackers to steal the data via PoS malware.
If a user tries to initiate such a transaction on a compromised endpoint, it will only get an error message, forcing them to swipe their cards and, ultimately, share sensitive data with the attackers. After stealing the data, the researchers say, the attackers can run cryptogram manipulation and “GHOST transaction” attacks.
Prilex operators have been busy, the researchers say. They’ve been adding new features for months now, and before these, they added EMV cryptogram generation which allows them to evade getting detected and initiate “GHOST transaction” attacks even on cards protected with CHIP and PIN. They also added a way to filter cards and grab data only from specific providers.
“These [filtering] rules can block NFC and capture card data only if the card is a Black/Infinite, Corporate or another tier with a high transaction limit, which is much more attractive than standard credit cards with a low balance/limit,” Kaspersky said.
