This PoS malware blocks contactless payments to steal credit card data


Cybersecurity researchers have discovered new versions of a known Point of Sale (PoS) malware that blocks advanced features to steal credit card information.

Kaspersky’s team observed Prilex PoS malware versions 06.03.8070, 06.03.8072 and 06.03.8080 in the wild. Released in November 2022, these versions prevent the terminal from accepting contactless credit card transactions.

Contactless transactions, enabled by Near Field Communication (NFC) chips in PoS terminals on one side and in credit/debit cards, smartphones and smartwatches on the other, exploded in popularity during the Covid-19 pandemic. The technology allows consumers to purchase goods and services without physically inserting their card, making it nearly impossible for hackers to steal the data via PoS malware.

Wipe the data

To get around this problem, the threat actors deployed a new version of Prilex, which blocks PoS terminals from accepting contactless payments.

If a user tries to initiate such a transaction on a compromised endpoint, they will only get an error message, forcing them to swipe their cards and, in doing so, share sensitive data with the attackers.
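As an added example (not from Kaspersky's report or the original article), the behaviour described above suggests a detection heuristic for merchants and acquirers: flag terminals where contactless attempts consistently fail and are followed shortly by an inserted-card transaction. The event tuple layout, the thresholds and the sample data are constructed assumptions, not a real PoS log schema.

```python
from collections import defaultdict

# Constructed sample events: (terminal_id, seconds, entry_mode, outcome).
# Field names and values are assumptions for illustration only.
SAMPLE_EVENTS = [
    ("T-01", 100, "contactless", "approved"),
    ("T-01", 160, "contactless", "approved"),
    ("T-01", 220, "contactless", "error"),
    ("T-01", 235, "contact", "approved"),
    ("T-01", 300, "contactless", "approved"),
    ("T-02", 100, "contactless", "error"),
    ("T-02", 112, "contact", "approved"),
    ("T-02", 200, "contactless", "error"),
    ("T-02", 215, "contact", "approved"),
    ("T-02", 300, "contactless", "error"),
    ("T-02", 309, "contact", "approved"),
    ("T-02", 400, "contact", "approved"),
]

def forced_fallback_stats(events, window=30):
    """Per terminal: contactless attempts, errors, and errors followed by a
    contact (inserted-card) transaction within `window` seconds."""
    by_terminal = defaultdict(list)
    for terminal, ts, mode, outcome in events:
        by_terminal[terminal].append((ts, mode, outcome))
    stats = {}
    for terminal, rows in by_terminal.items():
        rows.sort()  # order each terminal's events by timestamp
        attempts = errors = fallbacks = 0
        for i, (ts, mode, outcome) in enumerate(rows):
            if mode != "contactless":
                continue
            attempts += 1
            if outcome != "error":
                continue
            errors += 1
            nxt = rows[i + 1] if i + 1 < len(rows) else None
            if nxt and nxt[1] == "contact" and nxt[0] - ts <= window:
                fallbacks += 1
        stats[terminal] = {"attempts": attempts, "errors": errors, "fallbacks": fallbacks}
    return stats

def suspicious_terminals(events, min_attempts=3, ratio=0.5, window=30):
    """Terminals where most contactless attempts end in an error-then-insert pair."""
    stats = forced_fallback_stats(events, window)
    return sorted(t for t, s in stats.items()
                  if s["attempts"] >= min_attempts
                  and s["fallbacks"] / s["attempts"] > ratio)
```

A terminal with an occasional failed tap (T-01 in the sample) stays below the threshold, while one where every tap fails and is followed by an insert (T-02) is flagged for inspection.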

After stealing the data, the researchers say, the attackers can perform cryptogram manipulation and “GHOST transaction” attacks.

Prilex operators have been busy, the researchers say. They’ve been adding new features for months now, and before that, they added EMV cryptogram generation, which allows them to avoid being detected and launch “GHOST transaction” attacks, even on cards protected by CHIP and PIN. They also added a way to filter cards and only collect data from specific providers.

“These [filtering] rules can only block NFC and capture card details if the card is a Black/Infinite, Corporate or other tier with a high transaction limit, which is much more attractive than standard low balance/limit credit cards,” said Kaspersky.

Via: BleepingComputer
