Prilex POS malware evolves to block contactless transactions


A new version of the Prilex POS malware has found a novel way to steal your credit card information.

Image: WhataWin/Adobe Stock

According to Kaspersky, Prilex is a Brazilian threat actor that initially began in 2014 as an ATM-related malware and later switched to modular point-of-service malware. The threat actor was responsible for one of the biggest attacks on ATMs in Brazil, infecting and jackpotting more than 1,000 machines and cloning more than 28,000 credit cards used in the ATMs.

SEE: Mobile device security policy (TechRepublic Premium)

Prilex is particularly experienced with payment markets, electronic funds transfer software and protocols, and the threat actor has recently updated its POS malware to block contactless transactions to steal your credit card information.

Jump to:

What’s new in the latest Prilex malware

Contactless payment methods have become incredibly popular, especially since the COVID-19 pandemic when people wished to touch as public surfaces as possible. Such payments require the credit card to be really close to the payment device, which is typically a POS terminal.

As contactless payments are not handled by the POS terminal in the same way as usual payments, it’s not possible for cybercriminals to abuse and make fraudulent use of the system. This resulted in cybercriminals’ POS malware seeing a huge decrease in the number of transactions it could abuse.

Prilex malware developers have found a way to deal with this problem: The malware, once it sees a contactless transaction happen, blocks it. The PIN pad then tells the user that there is a contactless error and that the payment needs to be done by inserting the credit card. Once the victim pays by card, a GHOST transaction fraud can be operated by Prilex.

In GHOST transactions, the malware sits on the device, intercepting all communications between the POS software and the PIN pad. Once a transaction is ongoing, the malware intercepts the transaction content and modifies it in order to capture the credit card information and request new EMV cryptograms to the victims card. The new EMV cryptogram enables the attacker to initiate a new fraudulent transaction from a POS device they own (Figure A).

Figure A

GHOST transaction attack scheme as executed by the Prilex threat actor.
Image: Kaspersky. GHOST transaction attack scheme as executed by the Prilex threat actor.

How do POS malware infections work?

POS malware is not your average malware. Developing it requires a deep understanding of the whole payment market as well as its protocols, tools and deployment. As such malware is useless on usual endpoints, it needs to be executed on the computers who actually run the POS software and deal with payments.

The cybercriminals behind advanced POS malware cannot just send phishing emails to infect computers; they need to target specific people and use social engineering schemes to entice the victim to install a legitimate remote desktop application before infecting it. This explains why the fraudsters generally pretend to be technicians who need to update the legitimate POS software.

How to protect your organization from this threat

The end customer can not do anything against the threat, as it happens on infected devices that they can’t control. All protection must come from administrators of POS software.

As a company using POS systems, establish a detailed process with the POS provider in order to avoid any social engineering scams. All contacts between the POS software customer and the POS software provider need to follow specific rules that should be discussed over a secure channel and known by anyone who could access the devices running the POS software. Should any cybercriminal call and pretend to be an employee of the POS software supplier, this would help to immediately discover them.

Security solutions should be deployed on all devices running POS software to try to detect malware infection. As information is sent from an infected POS device to an attacker owned C2, network communications should also be monitored in order to detect any suspicious activity that could be a communication between a malware and a C2 server.

Finally, all software and operating systems should always be up to date and patched in order to avoid compromise by common vulnerabilities.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.



Source link