Prilex, initially designed to compromise ATMs, has evolved to target Point-of-Sale (PoS) systems, and recent findings by Kaspersky reveal that this malware now has the capability to obstruct contactless payments. By doing so, it coerces consumers into inserting their cards, allowing cybercriminals to capture card data and PIN codes.
Since its emergence in the Latin American region in 2014, Prilex has been associated with one of the largest cyberattacks in that area. During the 2016 Rio carnival, this malware was responsible for cloning over 28,000 credit cards and draining more than 1,000 ATMs belonging to Brazilian banks. Its operations have since escalated globally, with a notable case in Germany in 2019, where a criminal group cloned Mastercard debit cards linked to the German bank OLB and illegally withdrew more than €1.5 million from approximately 2,000 customers.
The newly identified modifications to Prilex allow it to effectively disrupt NFC transmission on infected devices, a technique that has already been observed in Brazil. Additionally, the latest samples of Prilex incorporate a feature that enables it to filter credit cards based on their value. This allows for the creation of specific rules targeting high-value cards, such as Black/Infinite or Corporate cards, blocking NFC transactions and capturing card data, while excluding standard credit cards with lower limits.
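The behaviour described above leaves a trace on the defender's side: a terminal whose contactless path is being blocked will log tap attempts that never complete, followed shortly by a chip insertion of the same card, and the pattern concentrates on premium card products. The following is an added example, not code from Kaspersky or from the article, showing one way an acquirer or merchant SOC could score its own terminal logs for that fallback pattern. The log fields, the product labels, the time window and the thresholds are all assumptions constructed for the example; the transaction records are likewise constructed.

```python
"""Defender-side heuristic for the NFC-blocking pattern described in the text.

Constructed example: scores PoS terminals by how often a failed contactless
attempt is followed by a chip insertion of the same card, and by how much of
that fallback traffic hits premium products. Field names and thresholds are
assumptions, not a real acquirer log schema.
"""
from collections import defaultdict
from dataclasses import dataclass

# Product labels assumed for the example; a real feed would carry BIN ranges.
PREMIUM = {"BLACK", "INFINITE", "CORPORATE"}


@dataclass
class Txn:
    terminal: str
    ts: int          # seconds since epoch (constructed values)
    card: str        # hashed PAN, never the raw number (constructed)
    product: str     # card product label
    entry: str       # "CTLS" (contactless tap) or "CHIP" (inserted)
    result: str      # "APPROVED", "DECLINED" or "NO_RESPONSE"


def fallback_events(txns, window=120):
    """Return (terminal, card, product) for each failed tap that was followed
    by a chip insertion of the same card within `window` seconds."""
    by_key = defaultdict(list)
    for t in txns:
        by_key[(t.terminal, t.card)].append(t)
    events = []
    for (terminal, card), seq in by_key.items():
        seq.sort(key=lambda t: t.ts)
        for a, b in zip(seq, seq[1:]):
            if (a.entry == "CTLS" and a.result != "APPROVED"
                    and b.entry == "CHIP" and 0 <= b.ts - a.ts <= window):
                events.append((terminal, card, a.product))
    return events


def score_terminals(txns, window=120):
    """Per terminal: contactless attempts, fallbacks, fallback ratio and the
    share of fallbacks that involved a premium product."""
    ctls_attempts = defaultdict(int)
    for t in txns:
        if t.entry == "CTLS":
            ctls_attempts[t.terminal] += 1
    fallbacks = defaultdict(list)
    for terminal, _card, product in fallback_events(txns, window):
        fallbacks[terminal].append(product)
    scores = {}
    for terminal, n in ctls_attempts.items():
        f = fallbacks.get(terminal, [])
        ratio = len(f) / n if n else 0.0
        premium = sum(p in PREMIUM for p in f) / len(f) if f else 0.0
        scores[terminal] = {
            "ctls_attempts": n,
            "fallbacks": len(f),
            "fallback_ratio": round(ratio, 2),
            "premium_share": round(premium, 2),
        }
    return scores


def suspicious_terminals(txns, min_ratio=0.5, min_premium=0.75, min_attempts=4):
    """Terminals whose fallback pattern exceeds the (assumed) thresholds.
    A single declined tap on one standard card is normal; a majority of taps
    failing, almost all of them on premium cards, is the pattern to review."""
    scores = score_terminals(txns)
    return sorted(
        t for t, v in scores.items()
        if v["ctls_attempts"] >= min_attempts
        and v["fallback_ratio"] >= min_ratio
        and v["premium_share"] >= min_premium
    )


# Constructed sample log: T1 behaves normally (one ordinary declined tap),
# T2 shows premium taps failing and being re-tried as chip insertions.
SAMPLE = [
    Txn("T1", 10, "s1", "STANDARD", "CTLS", "APPROVED"),
    Txn("T1", 20, "s2", "STANDARD", "CTLS", "APPROVED"),
    Txn("T1", 30, "s3", "STANDARD", "CTLS", "APPROVED"),
    Txn("T1", 40, "s4", "STANDARD", "CTLS", "APPROVED"),
    Txn("T1", 50, "s5", "STANDARD", "CTLS", "DECLINED"),
    Txn("T1", 70, "s5", "STANDARD", "CHIP", "APPROVED"),
    Txn("T2", 100, "h1", "BLACK", "CTLS", "NO_RESPONSE"),
    Txn("T2", 130, "h1", "BLACK", "CHIP", "APPROVED"),
    Txn("T2", 200, "h2", "INFINITE", "CTLS", "NO_RESPONSE"),
    Txn("T2", 240, "h2", "INFINITE", "CHIP", "APPROVED"),
    Txn("T2", 300, "h3", "CORPORATE", "CTLS", "DECLINED"),
    Txn("T2", 320, "h3", "CORPORATE", "CHIP", "APPROVED"),
    Txn("T2", 400, "h4", "STANDARD", "CTLS", "APPROVED"),
    Txn("T2", 500, "h5", "STANDARD", "CTLS", "APPROVED"),
]

if __name__ == "__main__":
    for terminal, v in score_terminals(SAMPLE).items():
        print(terminal, v)
    print("review:", suspicious_terminals(SAMPLE))
```

The heuristic keys on the combination the article describes, taps failing and the same card being inserted, rather than on contactless failures alone, because a flaky reader or a card with contactless disabled produces isolated fallbacks on standard products, not a sustained majority on premium ones. Thresholds would be tuned per fleet against a baseline of known-good terminals.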
Fabio Assolini, head of Kaspersky’s Latin American Global Research and Analysis Team (GReAT), states: “It’s logical for cybercriminals to develop malware that disables NFC systems. Since the transaction data from contactless payments holds no value for them, it makes sense for Prilex to prevent these transactions to force victims into inserting their cards into the infected PoS terminals.”