Prilex blocks NFC transactions

The new version of Prilex malware, used to attack POS terminals, now can block NFC transactions.

Prilex malware has learned how to block NFC based transactions to prevent contactless payments.

A customer holds their handheld device to the POS terminal — but the contactless payment doesn’t work. Why? Maybe the device itself is damaged, or maybe the NFC reader chip is failing, but it could be something else: the POS terminal might be infected with Prilex malware, which hunts for bank cards; and it’s now able to block contactless transactions.

What is Prilex and why does it block NFC transactions?

Prilex is a cybercriminal group that’s been hunting down bank card data since 2014. Recently it’s been focusing on attacks through POS terminals. At the end of last year, our Kaspersky Global Research and Analysis Team (GReAT) experts conducted a detailed study on the evolution of this malware, and concluded that Prilex is one of the first groups that learned how to clone credit card transactions, even those protected by chip-and-PIN technology.

But Prilex continues to evolve: while investigating an incident, our experts discovered new samples of this malware. One of its novelties is its ability to block transactions via NFC. NFC-based transactions can generate a unique identifier that’s valid for just one transaction — something that’s not too appealing to a scammer. So, by preventing the contactless payment, attackers are trying to convince the customer to put the card into the device.

How does Prilex infect POS terminals and who does it hunt for?

According to our expert’s report, the attackers use social engineering methods to infect a terminal. Usually they try to convince the employees of the retail outlet that they urgently need to update the terminal’s software. To do this, they ready to send their “technical specialist” directly to the store, or at least ask to provide them with remote access by installing the AnyDesk program.

The Prilex group is interested in organizations engaged in retail trade; i.e., using POS terminals. Of particular interest to them are devices that operate in busy shopping malls in large cities: thousands of cards can pass through them daily.

Prilex’s activity is mostly observed in the LatAm region. However, modern cybercriminals often borrow each other’s tools, so it’s possible that the same malware will be used in other regions. In fact there’s evidence that the same malware (or at least technology) has already been used in Germany.

How to stay safe?

If you work in retail and notice that your terminal has begun to reject contactless payments, this is a good reason to contact your IT staff, at a minimum (if the problem is the hardware, they’ll fix it; if there’s an infection, they’ll bring in information security or third-party experts for help).

For retail companies (especially large networks with many branches), it’s important to develop internal regulations and explain to all employees exactly how technical support and/or maintenance crews should operate. This should at least prevent unauthorized access to POS-terminals. In addition, increasing employee's awareness of the latest cyberthreats is always a good idea: that way they’ll be much less susceptible to new social engineering tricks.