{"id":21130,"date":"2023-02-01T08:30:31","date_gmt":"2023-02-01T16:30:31","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2023\/02\/01\/news-14863\/"},"modified":"2023-02-01T08:30:31","modified_gmt":"2023-02-01T16:30:31","slug":"news-14863","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2023\/02\/01\/news-14863\/","title":{"rendered":"Why contactless payments may not work | Kaspersky official blog"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/02\/01104439\/Prilex-blocks-nfc-Featured.jpg\"\/><\/p>\n<p><strong>Credit to Author: Hugh Aver| Date: Wed, 01 Feb 2023 15:51:47 +0000<\/strong><\/p>\n<p>A customer holds their handheld device to the POS terminal \u2014 but the contactless payment doesn&#8217;t work. Why? Maybe the device itself is damaged, or maybe the NFC reader chip is failing, but it could be something else: the POS terminal might be infected with Prilex malware, which hunts for bank cards; and it&#8217;s now able to block contactless transactions.<\/p>\n<h2>What is Prilex and why does it block NFC transactions?<\/h2>\n<p>Prilex is a cybercriminal group that&#8217;s been hunting down bank card data since 2014. Recently it&#8217;s been focusing on attacks through POS terminals. 
At the end of last year, our Kaspersky Global Research and Analysis Team (GReAT) experts conducted a <a href=\"https:\/\/securelist.com\/prilex-atm-pos-malware-evolution\/107551\/\" target=\"_blank\" rel=\"noopener\">detailed study<\/a> on the evolution of this malware, and concluded that Prilex is one of the first groups that learned how to clone credit card transactions, even those protected by chip-and-PIN technology.<\/p>\n<p>But Prilex continues to evolve: while investigating an incident, our experts <a href=\"https:\/\/securelist.com\/prilex-modification-now-targeting-contactless-credit-card-transactions\/108569\/\" target=\"_blank\" rel=\"noopener\">discovered<\/a> new samples of this malware. One of its novelties is its ability to block transactions via NFC. NFC-based transactions can generate a unique identifier that&#8217;s valid for just one transaction \u2014 something that&#8217;s not too appealing to a scammer. So, by preventing the contactless payment, attackers are trying to convince the customer to put the card into the device.<\/p>\n<h2>How does Prilex infect POS terminals and who does it hunt for?<\/h2>\n<p>According to our expert&#8217;s <a href=\"https:\/\/securelist.com\/it-threat-evolution-q3-2022\/107957\/\" target=\"_blank\" rel=\"noopener\">report<\/a>, the attackers use social engineering methods to infect a terminal. Usually they try to convince the employees of the retail outlet that they urgently need to update the terminal&#8217;s software. To do this, they are ready to send their &#8220;technical specialist&#8221; directly to the store, or at least ask staff to provide them with remote access by installing the AnyDesk program.<\/p>\n<p>The Prilex group is interested in organizations engaged in retail trade; i.e., using POS terminals. 
Of particular interest to them are devices that operate in busy shopping malls in large cities: thousands of cards can pass through them daily.<\/p>\n<p>Prilex&#8217;s activity is mostly observed in the LatAm region. However, modern cybercriminals often borrow each other&#8217;s tools, so it&#8217;s possible that the same malware will be used in other regions. In fact there&#8217;s <a href=\"https:\/\/www.zdnet.com\/article\/german-bank-loses-eur1-5-million-in-mysterious-cashout-of-emv-cards\/\" target=\"_blank\" rel=\"nofollow noopener\">evidence<\/a> that the same malware (or at least technology) has already been used in Germany.<\/p>\n<h2>How to stay safe?<\/h2>\n<p>If you work in retail and notice that your terminal has begun to reject contactless payments, this is a good reason to contact your IT staff, at a minimum (if the problem is the hardware, they&#8217;ll fix it; if there&#8217;s an infection, they&#8217;ll bring in information security or third-party experts for help).<\/p>\n<p>For retail companies (especially large networks with many branches), it&#8217;s important to develop internal regulations and explain to all employees exactly how technical support and\/or maintenance crews should operate. This should at least prevent unauthorized access to POS-terminals. 
In addition, increasing <a href=\"https:\/\/www.kaspersky.com\/enterprise-security\/security-awareness?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\">employees&#8217; awareness of the latest cyberthreats<\/a> is always a good idea: that way they&#8217;ll be much less susceptible to new social engineering tricks.<\/p>\n<p>As for POS-terminal manufacturers, they&#8217;d be well-advised to embed integrated security solutions <a href=\"https:\/\/www.kaspersky.com\/partners\/technology\/solutions?icid=gl_kdailyplacehold_acq_ona_smm__onl_b2b_kasperskydaily_wpplaceholder____\" target=\"_blank\">inside their devices<\/a>.<\/p>\n<p><a href=\"https:\/\/www.kaspersky.com\/blog\/prilex-blocks-nfc\/47044\/\" target=\"bwo\" >https:\/\/blog.kaspersky.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2023\/02\/01104439\/Prilex-blocks-nfc-Featured.jpg\"\/><\/p>\n<p><strong>Credit to Author: Hugh Aver| Date: Wed, 01 Feb 2023 15:51:47 +0000<\/strong><\/p>\n<p>Prilex malware has learned how to block NFC based transactions to prevent contactless 
payments.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10425,10378],"tags":[17751,1001,12177,3764,16856,12321,10510],"class_list":["post-21130","post","type-post","status-publish","format-standard","hentry","category-kaspersky","category-security","tag-bank-cards","tag-business","tag-enterprise","tag-malware","tag-pos","tag-smb","tag-social-engineering"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=21130"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/21130\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=21130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=21130"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=21130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}