A notorious Point of Sale (PoS (opens in new tab)) malware has re-emerged after a year-long hiatus, and is now more dangerous than ever before, researchers have claimed.
Experts at Kaspersky claim to have seen three new versions of the Prilex malware, which now comes with advanced features helping it bypass contemporary fraud blockers.
Kaspersky says that Prilex can now generate EMV cryptograms, a feature Visa introduced three years ago as means of validating transactions and preventing fraudulent payments.
EMV is in use by Europay, MasterCard, and Visa (hence the name EMV), and what’s more, threat actors can use the EMV cryptogram to run “GHOST transactions”, even with the cards protected by CHIP and PIN technologies.
“In GHOST attacks performed by the newer versions of Prilex, it requests new EMV cryptograms after capturing the transaction,” which are then used in transactions, Kaspersky said.
Furthermore, Prilex, which was first spotted in 2014 as an ATM-only malware, and switched to PoS two years later, comes with certain backdoor features, as well, such as running code, terminating processes, editing the registry, grabbing screenshots, etc.
“The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software used for payment processing works,” Kaspersky added. “This enables the attackers to keep updating their tools in order to find a way to circumvent the authorization policies, allowing them to perform their attacks.”
Getting malware installed on PoS endpoints (opens in new tab) is not as easy, though. Threat actors either need physical access to the device, or they need to trick the victims into installing the malware themselves. The attackers would usually impersonate technicians from the PoS vendor, Kaspersky said, and claim that the device needs its software/firmware updated.
Once the malware is installed, the threat actors would monitor the transactions to see if there is enough volume to be worth their time.
Via: BleepingComputer (opens in new tab)