Prilex, a malware family that originally infected ATMs and later evolved to target point-of-sale (PoS) terminals, has been found by Kaspersky to have gained modifications that block a consumer's ability to pay contactlessly, forcing them to insert the card into the infected terminal, where the malware can capture the card data.
Prilex has been operating in the LatAm region since 2014 and is allegedly behind one of the largest attacks in the region. During the Rio carnival in 2016, the actor cloned more than 28,000 credit cards and drained more than 1,000 ATMs belonging to Brazilian banks. Since then it has expanded its attacks globally. It was spotted in Germany in 2019, when a criminal gang cloned Mastercard debit cards issued by the German bank OLB and withdrew more than €1.5 million from around 2,000 customers.
The recently discovered modifications, which effectively block NFC transactions on infected terminals, have already been detected in Brazil.
Another new feature of the latest Prilex samples is the ability to filter cards by their value and to apply different rules to different card segments. For example, the malware can be configured to block NFC and capture card data only when the card is a Black/Infinite, corporate or other high-limit product, which is far more attractive to the criminals than a standard card with a low balance or limit.
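The behaviour described above leaves a footprint on the acquirer side: a terminal whose customers repeatedly tap, fail, and then insert the same card within seconds. The following is an added detection example, not code from Kaspersky's report or from the malware itself. The log format, the terminal and card token values, and the thresholds (a 120-second pairing window, at least 3 fallbacks, at least half of all tap attempts) are constructed for illustration and would need tuning against a real baseline, since tap failures and over-limit fallbacks also happen legitimately.

```python
"""Heuristic detection of forced contactless-to-chip fallbacks in PoS logs.

Added example for illustration; not Kaspersky's or Prilex's code. The log
format is hypothetical: one record per authorisation attempt, carrying a
tokenised card reference instead of the PAN.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real terminal or acquirer).
# fields: terminal_id, ISO-8601 timestamp, card token, entry mode, result
SAMPLE_LOG = """\
T-01,2023-02-01T10:00:05,tok-a1,contactless,error
T-01,2023-02-01T10:00:41,tok-a1,chip,approved
T-01,2023-02-01T10:05:10,tok-b2,contactless,error
T-01,2023-02-01T10:05:55,tok-b2,chip,approved
T-01,2023-02-01T10:09:00,tok-c3,contactless,error
T-01,2023-02-01T10:09:30,tok-c3,chip,approved
T-01,2023-02-01T10:15:00,tok-d4,chip,approved
T-02,2023-02-01T10:01:00,tok-e5,contactless,approved
T-02,2023-02-01T10:02:00,tok-f6,contactless,approved
T-02,2023-02-01T10:03:00,tok-g7,contactless,declined
T-02,2023-02-01T10:03:20,tok-g7,chip,approved
T-02,2023-02-01T10:04:00,tok-h8,contactless,approved
"""


def parse_log(text):
    """Parse the constructed CSV format into dicts sorted by terminal and time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        terminal, ts, token, mode, result = line.split(",")
        events.append({
            "terminal": terminal,
            "ts": datetime.fromisoformat(ts),
            "token": token,
            "mode": mode,
            "result": result,
        })
    events.sort(key=lambda e: (e["terminal"], e["ts"]))
    return events


def count_fallbacks(events, window=timedelta(seconds=120)):
    """Per terminal, count contactless attempts and 'forced fallbacks'.

    A forced fallback is a non-approved contactless attempt followed by a
    chip transaction with the same card token on the same terminal within
    `window`. A later approved tap for the same card clears the pending state.
    """
    stats = defaultdict(lambda: {"contactless": 0, "fallbacks": 0})
    pending = {}  # (terminal, token) -> time of the failed contactless attempt
    for e in events:
        key = (e["terminal"], e["token"])
        if e["mode"] == "contactless":
            stats[e["terminal"]]["contactless"] += 1
            if e["result"] != "approved":
                pending[key] = e["ts"]
            else:
                pending.pop(key, None)
        elif e["mode"] == "chip":
            started = pending.pop(key, None)
            if started is not None and e["ts"] - started <= window:
                stats[e["terminal"]]["fallbacks"] += 1
    return dict(stats)


def flag_terminals(stats, min_fallbacks=3, min_ratio=0.5):
    """Return terminals whose fallback count and fallback ratio both exceed
    the (hypothetical) thresholds; terminals with no tap attempts are skipped."""
    flagged = []
    for terminal, s in stats.items():
        if s["contactless"] == 0:
            continue
        ratio = s["fallbacks"] / s["contactless"]
        if s["fallbacks"] >= min_fallbacks and ratio >= min_ratio:
            flagged.append(terminal)
    return sorted(flagged)


if __name__ == "__main__":
    stats = count_fallbacks(parse_log(SAMPLE_LOG))
    for terminal, s in sorted(stats.items()):
        print(terminal, s)
    print("suspicious terminals:", flag_terminals(stats))
```

On the constructed data, T-01 shows three taps that all fail and are each followed by a chip insertion of the same card, so it is flagged; T-02 has a single decline-then-insert among four taps, which is ordinary and stays below both thresholds. In practice the ratio should be compared against each merchant's historical baseline rather than a fixed constant, because terminals with a broken NFC reader produce the same pattern without any malware.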
Fabio Assolini, head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky, comments: "It’s logical for cybercriminals to create malware that blocks NFC-related systems. As the transaction data generated during contactless payment is useless from a cybercriminal’s perspective, it’s understandable that Prilex needs to prevent contactless payment to force victims to insert the card into the infected PoS terminal."