Prilex point-of-sale (POS) malware is back with a new, improved version that has been spotted in the wild. Its new capabilities include blocking NFC credit card transactions, which forces customers to pay by inserting their card into the machine and lets the malicious code steal the card details.
NFC chips allow secure, contactless payments with credit cards, smartphones, or even smartwatches, which makes it hard for POS malware to steal card data. To get around this, the threat actors found an alternative method.
Researchers found three new variants of the Prilex malware, 06.03.8070, 06.03.8072, and 06.03.8080, the first of which was spotted in November 2022.
These variants block contactless transactions, making the POS display “Contactless error, insert your card”. The victim is forced to insert the card to finish the payment, and that is the moment when the card data is captured by the infected machine.
Contactless (NFC) transactions normally carry a unique per-transaction identifier, which makes any data exfiltrated from them useless. Threat actors instead rely on cryptogram manipulation and “GHOST transaction” attacks.
Customers have only a few measures available to protect themselves from Prilex, and it is very hard to tell whether a point-of-sale terminal is infected or not.
A few precautions
- Try not to use POS machines that are visibly tampered with.
- Do not use public WiFi to access your bank account.
- Use a VPN when you are using your credit card information.
- Always confirm transaction information before and after completion.
- Closely monitor your bank statement for any suspicious transactions.