A new variant of the advanced point-of-sale (PoS) malware known as Prilex has emerged from Brazilian cybercriminals, adding capabilities to disrupt contactless payment transactions. This continues the malware's evolution: since its inception in 2014, Prilex has shifted its focus from ATMs to sophisticated PoS infiltration.

According to a report from Kaspersky, a leading Russian cybersecurity firm, three updated versions of Prilex (identified as versions 06.03.8080, 06.03.8072, and 06.03.8070) are now designed to specifically target NFC-enabled credit cards, escalating the already significant risk of credit card fraud. The modification lets attackers carry out a form of fraud that compels users to insert their physical cards into the terminal instead of paying contactlessly.

The growth of contactless payment methods, particularly during the COVID-19 pandemic, has provided new avenues for fraud. The latest functionality of Prilex aims to disable contactless features in order to force users to input their PIN by inserting their cards into card readers. This tactic substantially increases the vulnerability of users to cybercriminal exploitation.

Kaspersky’s findings indicate that the malware includes rule-based logic to decide when to capture credit card information, as well as new options to block NFC transactions. By preventing a contactless payment from succeeding, Prilex causes the terminal to display a fake “contactless error” message, steering the cardholder toward a more susceptible method of transaction.

This deceptive mechanism matters because a contactless transaction produces a unique, single-use identifier, so data captured from it cannot be reused by the criminals. By blocking these transactions, Prilex aims to compel victims to insert their cards and enter their PIN, which lets the attackers gather reusable card data more easily.
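The forced fallback described above (a terminal that reports a "contactless error" and then accepts the same shopper's chip-and-PIN transaction) leaves a pattern in terminal logs that a defender can look for. The following detection heuristic is an added example, not code from the Kaspersky report or from the Prilex sample; it assumes a hypothetical PoS log format with one line per transaction and uses constructed sample lines.

```python
"""Heuristic detection of a terminal forcing contactless-to-chip fallback.

Assumed (hypothetical) log format, one transaction per line:
    <timestamp> <terminal_id> <entry_mode> <result>
Lines are processed in order, so each terminal's sequence is preserved.
"""
from collections import defaultdict

# Constructed sample log lines (not real terminal output).
SAMPLE_LOG = """\
2023-02-01T10:00:01 T-01 contactless approved
2023-02-01T10:01:10 T-01 contactless approved
2023-02-01T10:02:30 T-01 chip approved
2023-02-01T10:03:05 T-02 contactless error
2023-02-01T10:03:40 T-02 chip approved
2023-02-01T10:05:12 T-02 contactless error
2023-02-01T10:05:50 T-02 chip approved
2023-02-01T10:09:02 T-02 contactless error
2023-02-01T10:09:33 T-02 chip approved
"""

def parse_log(text):
    """Yield (terminal, entry_mode, result) for each non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            _ts, terminal, mode, result = line.split()
            yield terminal, mode, result

def contactless_stats(records):
    """Per terminal: contactless attempts, contactless errors, and chip
    transactions that immediately follow a contactless error (fallbacks)."""
    stats = defaultdict(lambda: {"ctl": 0, "ctl_err": 0, "fallback": 0})
    last_was_error = defaultdict(bool)
    for terminal, mode, result in records:
        s = stats[terminal]
        if mode == "contactless":
            s["ctl"] += 1
            s["ctl_err"] += result == "error"
            last_was_error[terminal] = result == "error"
        elif mode == "chip" and last_was_error[terminal]:
            s["fallback"] += 1
            last_was_error[terminal] = False
    return dict(stats)

def suspicious_terminals(stats, min_attempts=3, error_ratio=0.8):
    """Flag terminals whose contactless attempts mostly fail and are each
    followed by a chip transaction; a healthy reader shows occasional errors,
    not a near-100% failure rate with consistent fallback."""
    return sorted(t for t, s in stats.items()
                  if s["ctl"] >= min_attempts
                  and s["ctl_err"] / s["ctl"] >= error_ratio
                  and s["fallback"] >= min_attempts)
```

Thresholds are assumptions to tune against a fleet's normal contactless error rate; a flagged terminal warrants inspection of its software, not automatic action.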

The malware’s recent enhancements also permit grouping card transactions by card tier, specifically targeting high-limit cards such as Black or Corporate cards, which are more attractive for fraud. This focused approach amplifies the potential financial gain for the threat actors.

Mapped to the MITRE ATT&CK framework, these tactics correspond to several adversary techniques: initial access through malware delivery, persistence via installation on PoS systems, and data collection through manipulation of the card entry method. Together they indicate a well-planned strategy aimed at maximizing fraud potential while minimizing detection risk.

As payment methods continue to evolve, it becomes crucial for businesses to enhance their cybersecurity measures and remain informed of emerging threats like Prilex. Protecting sensitive information and preventing potential fraud should be a priority to safeguard financial interests and maintain customer trust.
