This New POS Malware Can Completely Bypass Your Card Security

A notorious point-of-sale (PoS) malware family has resurfaced after a year-long hiatus and is more dangerous than before, researchers say.

Kaspersky researchers say they have identified three new versions of the Prilex malware, now carrying features that let it get past the fraud controls commonly deployed at the point of sale.

Kaspersky says Prilex can now obtain EMV cryptograms for its own transactions, which the company describes as a protection Visa introduced three years ago to validate transactions and prevent fraudulent payments. An EMV cryptogram is a MAC the chip computes over the transaction data (amount, transaction counter, terminal challenge and similar fields), so the issuer can confirm that a genuine card saw exactly that transaction before approving it.

Skilled adversaries

EMV takes its name from Europay, Mastercard and Visa, the companies that originated the standard. With cryptograms obtained this way, the attackers can push through "phantom" (GHOST) transactions even with cards protected by chip and PIN.

“In GHOST attacks carried out by new versions of Prilex, it requests new EMV cryptograms after the transaction is captured,” Kaspersky said. Those cryptograms are then submitted with the fraudulent transactions.
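The point of the GHOST technique is that a cryptogram captured from a legitimate purchase is useless for a different amount, so the malware instead asks the card, while it is still in the reader, for a fresh cryptogram over attacker-chosen data. The following model, added here as an illustration and not code from Kaspersky or from Prilex, shows both cases from the issuer's side. It is deliberately simplified: the cryptogram is an HMAC-SHA256 truncated to 8 bytes standing in for the EMV 3DES/AES MAC, the field list is a subset of the real one, the master key and transaction values are constructed, and the `flag_ghost_pattern` heuristic at the end is an assumption of this example rather than a check the report describes.

```python
import hmac
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TxData:
    """Transaction fields the cryptogram binds (a subset of the real EMV list)."""
    amount_cents: int     # Amount, Authorised (tag 9F02)
    currency: int         # Transaction Currency Code (5F2A); 986 = BRL
    date: str             # Transaction Date (9A) as YYMMDD
    unpredictable: int    # Unpredictable Number (9F37), picked by the terminal
    atc: int              # Application Transaction Counter (9F36), kept by the card

    def to_bytes(self) -> bytes:
        return (self.amount_cents.to_bytes(6, "big")
                + self.currency.to_bytes(2, "big")
                + self.date.encode("ascii")
                + self.unpredictable.to_bytes(4, "big")
                + self.atc.to_bytes(2, "big"))


def session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card master key and ATC (simplified derivation)."""
    return hmac.new(master_key, atc.to_bytes(2, "big"), hashlib.sha256).digest()


def arqc(master_key: bytes, tx: TxData) -> bytes:
    """8-byte cryptogram; stand-in for the EMV MAC over the same fields."""
    return hmac.new(session_key(master_key, tx.atc), tx.to_bytes(), hashlib.sha256).digest()[:8]


class Card:
    """Chip card: holds the master key, answers GENERATE AC, increments the ATC."""
    def __init__(self, master_key: bytes):
        self._mk = master_key
        self.atc = 0

    def generate_ac(self, amount_cents: int, currency: int, date: str, unpredictable: int):
        self.atc += 1
        tx = TxData(amount_cents, currency, date, unpredictable, self.atc)
        return tx, arqc(self._mk, tx)


class Issuer:
    """Issuer host: recomputes the cryptogram and rejects counters that do not advance."""
    def __init__(self, master_key: bytes):
        self._mk = master_key
        self.last_atc = 0

    def authorise(self, tx: TxData, cryptogram: bytes) -> bool:
        if not hmac.compare_digest(arqc(self._mk, tx), cryptogram):
            return False  # cryptogram does not match the submitted transaction data
        if tx.atc <= self.last_atc:
            return False  # counter did not advance: an exact replay
        self.last_atc = tx.atc
        return True


MASTER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed test key


def replay_attempt() -> tuple[bool, bool, bool]:
    """Capture a real cryptogram, then resubmit it: edited amount, then exact replay."""
    card, issuer = Card(MASTER_KEY), Issuer(MASTER_KEY)
    real_tx, real_ac = card.generate_ac(1999, 986, "221201", 0x1A2B3C4D)
    legit = issuer.authorise(real_tx, real_ac)
    # Same ATC and terminal challenge, but the amount was edited: the MAC fails.
    forged = TxData(250000, 986, "221201", 0x1A2B3C4D, real_tx.atc)
    edited = issuer.authorise(forged, real_ac)
    # Byte-for-byte replay: the MAC matches but the ATC has not advanced.
    replayed = issuer.authorise(real_tx, real_ac)
    return legit, edited, replayed


def ghost_attempt() -> tuple[bool, bool]:
    """While the card is still in the reader, ask it for a second cryptogram
    over attacker-chosen data; every issuer check passes."""
    card, issuer = Card(MASTER_KEY), Issuer(MASTER_KEY)
    real_tx, real_ac = card.generate_ac(1999, 986, "221201", 0x1A2B3C4D)
    legit = issuer.authorise(real_tx, real_ac)
    ghost_tx, ghost_ac = card.generate_ac(250000, 986, "221201", 0x5E6F7A8B)
    return legit, issuer.authorise(ghost_tx, ghost_ac)


def flag_ghost_pattern(auths: list, window_s: int = 120) -> list:
    """Illustrative issuer-side heuristic (an assumption of this example): two
    authorisations from one card with consecutive ATCs and different amounts inside
    a short window are reported as a suspected GHOST pair. Input: (unix_time, atc, amount)."""
    ordered = sorted(auths, key=lambda a: a[1])
    flagged = []
    for (t1, atc1, amt1), (t2, atc2, amt2) in zip(ordered, ordered[1:]):
        if atc2 == atc1 + 1 and 0 <= t2 - t1 <= window_s and amt1 != amt2:
            flagged.append((atc1, atc2))
    return flagged
```

`replay_attempt()` returns `(True, False, False)`: the real purchase is approved, the edited amount fails the MAC, and the exact replay fails the counter check. `ghost_attempt()` returns `(True, True)`, which is the whole problem: the second cryptogram is genuine, so cryptogram validation alone cannot tell a GHOST transaction from a real one. Only context the issuer already has, such as two consecutive counter values seconds apart for different amounts, offers a hook for detection.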

Prilex, first detected in 2014 as ATM-only malware and ported to PoS systems two years later, also carries backdoor capabilities such as code execution, process termination, registry editing and screen capture.

“The Prilex group showed a high level of knowledge about credit and debit card transactions, and how the software used for payment processing works,” Kaspersky added. "This allows attackers to continue to update their tools to find a way around authorization policies, allowing them to carry out their attacks."

Getting the malware onto a PoS endpoint is not trivial, however. The threat actors need physical access to the device or have to trick the victim into installing it for them. According to Kaspersky, the attackers often pose as technicians from the PoS vendor and claim that the device needs a software or firmware update.

Once the malware is installed, the operators monitor the terminal's transaction volume to decide whether the target is worth the effort.

Via: BleepingComputer