![Prilex Malware Targeting Credit Cards](https://rrgnetworks.axionthemes.com/files/2023/02/malware-prilex-resized.png)
The hackers behind Prilex PoS (point-of-sale) malware have developed a new way to steal credit card information from customers who use contactless or “tap-to-pay” payments.
Prilex PoS malware has stolen credit card information from payment terminals and ATMs before, but only if the customer physically inserts their card. Originally, the malware targeted ATM users withdrawing cash, but during the COVID-19 pandemic, more people began relying on digital payments. In 2021, contactless payments netted over $34.55 billion.
Each time a customer pays for something using the NFC (near-field communications) contactless payment method, the PoS system generates a one-time-use credit card number unique to that transaction. These one-time credit card numbers are safe from hackers. So as more customers transition to using contactless pay, the Prilex malware has evolved to force customers to insert their cards. When the card is inserted, the Prilex malware can access the credit card information.
Three new Prilex variants (06.03.8070, 06.03.8072, and 06.03.8080) released in November 2022 can now block contactless transactions, forcing manual insertion of the credit card at the payment terminal. Prilex uses a rule-based file to detect when an NFC chip generates the one-time-use credit card number and rejects it as not working properly. Customers at grocery stores, coffee shops, and other establishments will see an error response stating, “Contactless error, insert your card.” When customers physically use their cards, Prilex gains access to their credit card information.
Prilex Targets High-Tier Credit Cards
While any malware that targets credit card information can cause significant problems for consumers, the hackers behind the Prilex PoS malware focus on cards that are nearly guaranteed to carry a high limit. The malware detects high-tier credit cards, such as corporate cards or Black cards, and steals only that information. This lets the malware's creators and their users target cards with high transaction limits and weed out credit cards with low limits or available balances.
Besides allowing access to credit card information, hackers using Prilex can use that information to discover further details on the owner of the card. Credit card users with high limits may discover that their identity has been stolen. With such private information, Prilex operators can open new credit cards, apply for loans, or even dox (spread private information in public internet forums) the user.
Response to Combat the New Prilex Malware
Incident response (IR) teams within organizations should prepare to handle credit cards hijacked through modular point-of-sale systems targeted by Prilex. While no one can tell whether a PoS system carries the Prilex malware, keeping an eye out for unexpected purchases can help internal IT and accounting teams catch an affected card. Canceling the card and ordering a replacement stops fraudulent purchases by Prilex operators.
Malware such as this is a growing threat to businesses and consumers alike. Because it can steal credit card information and single out high-tier credit cards, business owners need to be aware of the dangers of this malware and take steps to protect themselves and their customers. This can be done by monitoring for unexpected purchases, canceling affected cards, and implementing safeguards in their systems. By staying informed and proactive, businesses can avoid the costly consequences of a malware infection and ensure the security of their customers' sensitive information.
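One merchant-side safeguard that follows from the contactless-blocking behaviour described above, shown as an added example that is not part of the original article: flag terminals where tap attempts mostly end in an error followed by a card insertion. The log format, field names, terminal IDs and thresholds are all assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format): timestamp,terminal_id,entry_mode,result
SAMPLE_LOG = """\
2023-02-01T09:00:05,T-01,nfc,approved
2023-02-01T09:02:10,T-01,nfc,approved
2023-02-01T09:05:40,T-01,nfc,error
2023-02-01T09:06:00,T-01,chip,approved
2023-02-01T09:09:15,T-01,nfc,approved
2023-02-01T09:01:00,T-02,nfc,error
2023-02-01T09:01:20,T-02,chip,approved
2023-02-01T09:04:00,T-02,nfc,error
2023-02-01T09:04:25,T-02,chip,approved
2023-02-01T09:08:00,T-02,nfc,error
2023-02-01T09:08:30,T-02,chip,approved
2023-02-01T09:12:00,T-02,nfc,error
2023-02-01T09:12:15,T-02,chip,approved
"""

def forced_insert_rates(log_text, window=timedelta(seconds=90)):
    """Per terminal: (nfc_attempts, nfc errors followed by a chip read within window)."""
    by_terminal = defaultdict(list)
    # filter(None, ...) skips blank lines, which csv.reader yields as empty rows
    for ts, term, mode, result in filter(None, csv.reader(io.StringIO(log_text))):
        by_terminal[term].append((datetime.fromisoformat(ts), mode, result))
    stats = {}
    for term, events in by_terminal.items():
        events.sort()  # chronological order within each terminal
        attempts = fallbacks = 0
        for i, (ts, mode, result) in enumerate(events):
            if mode != "nfc":
                continue
            attempts += 1
            nxt = events[i + 1] if i + 1 < len(events) else None
            if result == "error" and nxt and nxt[1] == "chip" and nxt[0] - ts <= window:
                fallbacks += 1
        stats[term] = (attempts, fallbacks)
    return stats

def suspicious_terminals(log_text, min_attempts=4, threshold=0.75):
    """Terminals where most tap attempts fail and end as card insertions."""
    return sorted(t for t, (a, f) in forced_insert_rates(log_text).items()
                  if a >= min_attempts and f / a >= threshold)

if __name__ == "__main__":
    print(forced_insert_rates(SAMPLE_LOG))
    print(suspicious_terminals(SAMPLE_LOG))
```

A faulty NFC reader produces the same pattern, so a flagged terminal is a reason to inspect that PoS system, not proof of infection.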
Frequently Asked Questions:
Prilex PoS Malware
What is Prilex PoS malware?
Prilex is a sophisticated point-of-sale (PoS) malware that steals credit card information from payment terminals and ATMs. It has recently evolved to target contactless payments as well.
How does the new Prilex malware work?
The new Prilex variants can block contactless (NFC) transactions, forcing customers to insert their physical cards. When the card is inserted, the malware can access and steal the credit card information.
When were the new Prilex variants released?
Three new Prilex variants (06.03.8070, 06.03.8072, and 06.03.8080) were released in November 2022.
What types of credit cards does Prilex target?
Prilex specifically targets high-tier credit cards like corporate cards or Black cards, which typically have high transaction limits.
How can customers identify if a PoS terminal is infected?
Customers may see an error message stating "Contactless error, insert your card" when attempting to use contactless payment at an infected terminal.
What additional risks do cardholders face from Prilex?
Besides stealing credit card information, Prilex operators can potentially steal identities, open new credit cards, apply for loans, or even spread private information publicly (doxing).
How can businesses protect themselves from Prilex?
Businesses should:
- Monitor for unexpected purchases
- Cancel affected cards immediately
- Implement safeguards in their PoS systems
- Stay informed about the latest malware threats
- Regularly update and secure their PoS systems
What should customers do if they suspect their card information has been stolen?
Customers should immediately contact their bank, cancel the affected card, and request a replacement. They should also monitor their accounts for any unauthorized transactions.
How widespread is the use of Prilex malware?
While specific numbers aren't provided, the malware is described as a growing threat to businesses and consumers alike, particularly as contactless payments have become more popular.
Can antivirus software detect Prilex malware?
The article doesn't specifically mention antivirus detection. However, as Prilex is a sophisticated and evolving threat, businesses should use up-to-date security solutions and not rely solely on antivirus software for protection.