Brazilian threat actors behind a modular and highly advanced point-of-sale (PoS) malware known as Prilex have updated the malware so that it can block contactless payment transactions.

NFC card reader

Since Prilex came on the scene in 2014 as an ATM-based malware, the threat actor has continuously incorporated new features that are designed to facilitate credit card fraud, including a technique called GHOST transactions.

GHOST transactions

GHOST transactions rely on a “stealer” component that intercepts the communication between the PoS software and the PIN pad used to read the card during a transaction, with the goal of obtaining the card data.

This siphoned information is then transmitted to a Command-and-Control (C2) server, allowing the threat actor to make transactions through a fraudulent PoS device registered in the name of a fake company.


Contactless Error

Three new versions of Prilex have been identified by Kaspersky that take a new approach to targeting NFC-enabled credit cards.

The latest adaptations of Prilex have been found to implement rule-based logic that determines whether or not to capture credit card information, along with an option to block NFC-based transactions.

The logic exists because NFC-based transactions generate a unique ID or card number that is valid for only one transaction. The data generated during a contactless payment is therefore useless from a cyber-criminal’s perspective, as GHOST transactions cannot be conducted with it.

So, should such an NFC-based transaction be detected and blocked by the malware installed on the infected PoS terminal, the PIN pad reader will display a fake error message along the lines of “Contactless error, insert your card.”

This forces the victim to use the card the traditional way, inserting it into the card reader and entering the PIN. This bypasses the one-time code and effectively permits the threat actors to commit fraud.
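Because the blocked contactless attempts never reach the acquirer, a terminal under this kind of interference shows up in the transaction feed as one whose contactless share collapses to near zero while peer terminals stay normal. The following heuristic, an added example that is not from Kaspersky's report or from Prilex itself, flags such terminals; the feed format, terminal IDs and thresholds are constructed assumptions.

```python
"""Flag PoS terminals whose contactless (NFC) share collapses relative to the fleet.

Assumption (constructed): each feed line is "<timestamp> <terminal> <entry_mode> <result>".
"""
from collections import defaultdict
from statistics import median


def build_sample_log():
    """Constructed sample feed: (terminal, entry_mode, count) expanded into lines."""
    spec = [("T-001", "contactless", 6), ("T-001", "chip", 4),
            ("T-002", "contactless", 5), ("T-002", "chip", 5),
            ("T-003", "chip", 10),   # no contactless at all: suspicious
            ("T-004", "chip", 3)]    # too few transactions to judge
    lines = []
    for term, mode, n in spec:
        lines += [f"2023-02-01T10:00:00Z {term} {mode} approved"] * n
    return "\n".join(lines)


def parse_log(text):
    """Return (terminal, entry_mode, result) tuples, skipping blank lines."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            _ts, term, mode, result = line.split()
            rows.append((term, mode, result))
    return rows


def contactless_share(rows):
    """Map terminal -> (fraction of contactless transactions, total transactions)."""
    counts = defaultdict(lambda: [0, 0])  # terminal -> [contactless, total]
    for term, mode, _result in rows:
        counts[term][1] += 1
        if mode == "contactless":
            counts[term][0] += 1
    return {t: (c / n, n) for t, (c, n) in counts.items()}


def flag_terminals(rows, min_txns=8, max_ratio=0.25):
    """Flag terminals with enough volume whose contactless share is at most
    max_ratio of the fleet median. Returns (flagged terminals, fleet median)."""
    shares = contactless_share(rows)
    eligible = [s for s, n in shares.values() if n >= min_txns]
    if not eligible:
        return [], 0.0  # nothing to baseline against
    fleet = median(eligible)
    flagged = [t for t, (s, n) in sorted(shares.items())
               if n >= min_txns and fleet > 0 and s <= fleet * max_ratio]
    return flagged, fleet
```

The fleet median guards against stores where nobody taps; a single terminal at zero in an otherwise contactless-heavy fleet is what warrants a look at the PoS host.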