Kaspersky has revealed three new variants of the Prilex malware, created by a cybercrime group that took its name from the most advanced Point-of-Sale (PoS) malware of 2022. The newly discovered Prilex modifications can now block near-field communication (NFC) contactless payments on infected devices, forcing consumers to complete transactions with their physical credit cards. This in turn gives cybercriminals the ability to steal the card details, and therefore money.
Prilex is a notorious threat vector that gradually evolved from malware targeting Automated Teller Machines (ATMs) to a unique modular Point of Sales (PoS) malware — the most advanced PoS threat discovered to date. As Kaspersky had described in 2022 as well, Prilex performs so-called "GHOST" attacks that allow it to carry out credit card fraud — even with cards protected by supposedly unhackable CHIP and PIN technology. Now, Prilex has evolved even further.
Security experts questioned whether Prilex was able to capture data coming from NFC-enabled credit cards. Recently, during a response to an incident involving a consumer affected by Prilex, Kaspersky researchers uncovered three new modifications that have the potential to block contactless payment transactions, which have become extremely popular during the pandemic and beyond.
Contactless payment systems, such as credit and debit cards, device authentication keys, and other smart devices, including wearable devices, have traditionally featured radio frequency identification (RFID). More recently, Samsung Pay, Apple Pay, Google Pay, Fitbit Pay and mobile bank applications have implemented near field communication (NFC) technologies to support secure contactless transactions.
Contactless credit cards offer a convenient and secure way to make payments without having to touch, insert or swipe your card. However, Prilex has learned to block such transactions by implementing a rules-based file that determines whether or not to capture credit card information and an option to block NFC-based transactions.
Excerpt from the Prilex rules file referring to NFC blocking
As NFC-based transactions generate a unique card number that is only valid for one transaction, if Prilex detects an NFC-based transaction and blocks it, the EFT software will program the PIN pad to display the following message:
The fake Prilex error that appears on the PIN pad reader saying “Contactless transaction error, please enter your card”
The cybercriminal's goal is to force the victim to use their physical card by inserting it into the PIN pad reader. In this way, the malware can intercept data coming from the transaction, using any means available, such as manipulating encrypted messages to perform GHOST attacks. Another new feature added in the latest Prilex samples is the ability to filter credit cards by type and create different rules for different types. For example, they can block NFC and capture card data only if the card is Black/Unlimited, Corporate or other with a high transaction limit, which is much more attractive than standard, low balance/limit credit cards.
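The behaviour described above leaves a trace in terminal logs: a refused tap followed seconds later by a chip transaction with the same card on the same terminal. The following Python heuristic is an added example, not code from Kaspersky or from the Prilex samples, and it runs over a constructed, labelled event log whose field layout is an assumption; it flags terminals where that tap-then-insert pattern dominates.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample PoS events (not real data). Fields are an assumption:
# (timestamp, terminal id, card last four digits, entry mode, result).
EVENTS = [
    ("2023-02-01T10:00:00", "T-01", "1111", "contactless", "declined"),
    ("2023-02-01T10:00:20", "T-01", "1111", "chip", "approved"),
    ("2023-02-01T10:05:00", "T-01", "2222", "contactless", "declined"),
    ("2023-02-01T10:05:15", "T-01", "2222", "chip", "approved"),
    ("2023-02-01T10:09:00", "T-01", "3333", "contactless", "declined"),
    ("2023-02-01T10:09:30", "T-01", "3333", "chip", "approved"),
    ("2023-02-01T10:12:00", "T-01", "4444", "contactless", "approved"),
    ("2023-02-01T11:00:00", "T-02", "5555", "contactless", "approved"),
    ("2023-02-01T11:02:00", "T-02", "6666", "contactless", "approved"),
    ("2023-02-01T11:04:00", "T-02", "7777", "contactless", "declined"),
    ("2023-02-01T11:30:00", "T-02", "7777", "chip", "approved"),  # outside window
]


def tap_then_insert(events, window_s=60):
    """Per terminal, count contactless taps and how many declined taps were
    followed within window_s seconds by a chip transaction of the same card.
    Returns {terminal: (fallbacks, taps)}."""
    by_terminal = defaultdict(list)
    for ts, term, last4, mode, result in events:
        by_terminal[term].append((datetime.fromisoformat(ts), last4, mode, result))
    stats = {}
    for term, evs in by_terminal.items():
        evs.sort()  # chronological order per terminal
        taps = fallbacks = 0
        for i, (t, last4, mode, result) in enumerate(evs):
            if mode != "contactless":
                continue
            taps += 1
            if result != "declined":
                continue
            for t2, last4_2, mode2, _ in evs[i + 1:]:
                if t2 - t > timedelta(seconds=window_s):
                    break  # later events are beyond the fallback window
                if last4_2 == last4 and mode2 == "chip":
                    fallbacks += 1
                    break
        stats[term] = (fallbacks, taps)
    return stats


def suspicious_terminals(events, window_s=60, min_taps=3, ratio=0.5):
    """Terminals where at least `ratio` of taps fell back to chip insertion."""
    return sorted(term for term, (fb, taps) in tap_then_insert(events, window_s).items()
                  if taps >= min_taps and fb / taps >= ratio)
```

A single declined tap is normal; the signal is a terminal whose contactless declines are consistently followed by a chip insert of the same card, as on T-01 here.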
Active in the Latin American region since 2014, Prilex is said to be behind one of the largest attacks in the region: during the 2016 Rio de Janeiro Carnival, the threat actor cloned more than 28,000 credit cards and drained more than 1,000 ATMs at Brazilian banks. The group has since expanded its attacks worldwide. It was found in Germany in 2019, when a criminal gang cloned Mastercard debit cards issued by the German bank OLB and extorted over €1.5 million from around 2,000 customers. The newly discovered modifications have been identified in Brazil; however, they may spread to other countries and regions.
“Contactless payments are now a part of our daily lives and statistics show that the retail industry has dominated the market with more than 59% share of global contactless revenue in 2021. Such transactions are extremely convenient and highly secure, so it makes sense for cybercriminals to create malware that blocks NFC-related systems. As the transaction data generated during contactless payment is useless from the perspective of a cybercriminal, it is understandable that Prilex needs to prevent contactless payment to force victims to insert the card into the “infected” PoS device,” comments Fabio Assolini, Head of the Latin American Global Research and Analysis Team (GReAT) at Kaspersky.
Read more about the new Prilex PoS malware modifications on Securelist.
To protect yourself from Prilex, Kaspersky recommends:
- Use a layered solution that offers the optimal selection of protective layers to provide the best possible level of security for devices of different power and deployment scenarios.
- Apply the Kaspersky SDK on PoS modules to prevent malicious code from tampering with transactions handled by these modules.
- Secure older systems with state-of-the-art protection that is optimized to run with full functionality on older versions of Windows as well as the latest Microsoft suite. This ensures your business will have full support for older MS families for the foreseeable future and gives it the opportunity to upgrade whenever needed.
- Install a security solution that protects devices from different attack vectors, such as Kaspersky Embedded Systems Security. If the device has extremely low system specifications, the Kaspersky solution will still protect it with a Default Deny script.
- For financial institutions that fall victim to this type of fraud, Kaspersky recommends the Threat Attribution Engine to help IR teams find and locate Prilex files in compromised environments.