The hackers behind the Prilex PoS (point-of-sale) malware have developed a new way to steal credit card information from customers who pay with contactless or “tap-to-pay” methods.
Prilex PoS malware has stolen credit card information from payment terminals and ATMs before, but only when the customer physically inserts their card. Originally, the malware targeted ATM users withdrawing cash, but during the COVID-19 pandemic more people began relying on digital payments. In 2021, contactless payments netted over $34.55 billion.
Each time a customer pays using NFC (near-field communication) contactless payment, the PoS system generates a one-time-use credit card number unique to that transaction. These one-time numbers are useless to hackers who capture them, since they cannot be reused. So as more customers transition to contactless payment, the Prilex malware has evolved to force customers to insert their cards. Once the card is inserted, Prilex can read the card's data.
Three new Prilex variants (06.03.8070, 06.03.8072, and 06.03.8080) released in November 2022 can now block contactless transactions, forcing manual insertion of the credit card at the payment terminal. Prilex uses a rule-based file to detect when an NFC transaction generates a one-time-use card number and rejects the transaction as if the contactless reader were malfunctioning. Customers at grocery stores, coffee shops, and other establishments will see an error response stating, “Contactless error, insert your card.” When customers physically insert their cards, Prilex gains access to their credit card information.
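The forced-insertion pattern described above is visible from the merchant side: a terminal whose contactless taps suddenly fail at a high rate, each failure followed seconds later by a chip insertion. The following detection check, added here as an example (not code from the original article or from any Prilex sample), runs that heuristic over constructed terminal log lines; the log format, terminal ids and thresholds are assumptions to be adapted to a real PoS fleet.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample terminal log (illustrative only, not real PoS telemetry).
# Line format: <timestamp> <terminal-id> <entry-mode> <result> [<message>]
SAMPLE_LOG = """\
2022-11-14T09:01:10 T-01 contactless approved
2022-11-14T09:02:42 T-01 contactless approved
2022-11-14T09:04:05 T-01 chip approved
2022-11-14T09:00:30 T-02 contactless declined Contactless error, insert your card
2022-11-14T09:00:51 T-02 chip approved
2022-11-14T09:03:12 T-02 contactless declined Contactless error, insert your card
2022-11-14T09:03:40 T-02 chip approved
2022-11-14T09:05:22 T-02 contactless declined Contactless error, insert your card
2022-11-14T09:05:49 T-02 chip approved
2022-11-14T09:07:00 T-02 contactless approved
"""

def parse_log(text):
    """Parse log lines into (timestamp, terminal, entry_mode, result, message) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, mode, result, *rest = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), terminal, mode, result,
                       rest[0] if rest else ""))
    return events

def forced_insert_terminals(events, window=timedelta(seconds=90),
                            min_attempts=3, min_ratio=0.5):
    """Return {terminal: stats} for terminals whose contactless taps are declined at an
    abnormal rate and followed by an approved chip insertion within `window`, which is
    the pattern a tap-blocking PoS implant produces. Thresholds are assumed values."""
    by_terminal = defaultdict(list)
    for ev in events:
        by_terminal[ev[1]].append(ev)
    flagged = {}
    for terminal, evs in by_terminal.items():
        evs.sort(key=lambda e: e[0])
        taps = [e for e in evs if e[2] == "contactless"]
        declined = [e for e in taps if e[3] == "declined"]
        # count declined taps that a chip approval follows on the same terminal
        forced = sum(1 for d in declined if any(
            e[2] == "chip" and e[3] == "approved" and timedelta(0) < e[0] - d[0] <= window
            for e in evs))
        if len(taps) >= min_attempts and len(declined) / len(taps) >= min_ratio and forced:
            flagged[terminal] = {"taps": len(taps), "declined": len(declined),
                                 "forced_inserts": forced}
    return flagged
```

A legitimately faulty reader also produces contactless declines, so a flagged terminal is a lead for inspection of the device and its software, not proof of infection on its own.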
Prilex Targets High-Tier Credit Cards
While any malware that targets credit card information can cause significant problems for consumers, the hackers behind the Prilex PoS malware focus on cards that are almost guaranteed to carry a high limit. The malware detects high-tier credit cards such as corporate cards or Black cards and steals only that information. This lets the malware's creators and their users target cards with high transaction limits and weed out cards with low limits or low available balances.
Besides giving access to credit card information, Prilex lets hackers use that information to discover further details about the card's owner. Credit card users with high limits may find that their identity has been stolen. With such private information, Prilex operators can open new credit cards, apply for loans, or even dox the user (spread their private information on public internet forums).
Response to Combat the New Prilex Malware
IR teams (incident response teams) within organizations should prepare for handling cards whose data was captured by point-of-sale systems infected with Prilex. While a cardholder cannot tell whether a PoS system carries the Prilex malware, keeping an eye out for unexpected purchases can help internal IT and accounting teams catch an affected card. Canceling the card and ordering a replacement stops further fraudulent purchases by Prilex operators.
Malware such as this is a growing threat to businesses and consumers alike. Because it can steal credit card information and single out high-tier cards, business owners need to be aware of the danger and take steps to protect themselves and their customers: monitoring for unexpected purchases, canceling affected cards, and implementing safeguards in their systems. By staying informed and proactive, businesses can avoid the costly consequences of a malware infection and protect their customers' sensitive information.