A virus that hides on the computers of shops and commercial establishments is being used to steal customers’ credit card information and perform “phantom” transactions. The malware, called Prilex, was created by a Brazilian group and has been around since 2016, but received an even more refined version in 2022, identified by cybersecurity firm Kaspersky. In this new approach, criminals use social engineering techniques to install remote access software on a store’s system and infect it, connecting to the card machines to capture customer card information without the customer or the merchant noticing.
Carried out by highly skilled criminals, the scam requires advanced knowledge of payment systems and meticulous work, which includes everything from pre-screening victims to mechanisms that keep the cloning invisible for as long as possible. In the following lines, TechTudo details how Prilex works and explains how businesses and customers can protect themselves.
Prilex infects the systems of commercial establishments to clone consumer cards — Photo: Reproduction/Unsplash
Prilex is malware created by a Brazilian criminal group that targets point-of-sale (POS) systems and infects TEF-type software, which allows merchants to integrate all card payments in one place. In 2014, when it was first identified, the virus was used for jackpotting, a scam that makes ATMs dispense large sums of money in seconds.
A new version of the virus was spotted in 2018. Spread through phishing emails, the malware began reaching store systems to infect card machines and steal customers’ credit card information. Thanks to a security hole in EMV, the standard used to confirm transactions, fraudsters were able to clone credit and debit cards. This version of Prilex was even used to defraud a German bank, which lost around 1.5 million euros (approximately R$7.7 million).
In the latest update, the Prilex scam has re-emerged with a new malicious approach: performing phantom transactions. The method stands out for its sophistication, as Fabio Assolini, director of the Kaspersky Global Research and Analysis Team (GReAT) in Latin America, points out.
“Prilex is a highly targeted hit. The group tours the facility to assess its movements; if the target is of interest they will make phone contact or even send a fake technician to ‘update’ the system. The ultimate goal is to install a legitimate program that will allow remote group access and remote installation of Prilex,” explains Assolini.
Analysis by Kaspersky revealed that Prilex also operates in a malware-as-a-service (MaaS) model, in which the creators sell the virus to groups that carry out the attacks. In 2019, offers worth US$3,500 (approx. R$18,825) were identified, and recently an alleged offer of US$13,000 (approx. R$69,924) was found, which is still under investigation. “If this new figure is confirmed, we have a strong indication of how profitable this new approach is for criminals,” comments Assolini.
The Prilex scam begins with social engineering. First, the scammer calls or shows up at the target business posing as a technician from the TEF software vendor. He then convinces employees to perform a supposed system update on a company device. What is actually installed, however, is a legitimate remote access program, through which the gang can monitor all operations on the computer of the store, gas station or supermarket.
The fraudsters then begin to monitor the activities of the business. If the sales volume is high, it becomes an interesting target for the fraud. In that case, the criminals’ next step is to uninstall the antivirus in order to install Prilex, which is capable of altering the behaviour of the card terminals that connect to the computer.
Prilex’s fraud strategy affects retailers and consumers — Photo: Reproduction/Kaspersky
As a result, when the customer inserts the card to complete the purchase, the first PIN entry is controlled by the malware, which steals the authentication key (called a cryptogram) that is generated in that first transaction. Prilex then simulates an error in the legitimate operation so that it is performed again and completed normally. Because connection and authentication errors on card machines are common, neither the consumer nor the business realizes that fraud has occurred.
With the card information and PIN in hand, the criminals make fraudulent purchases using the name of a legitimate establishment and the same amount the customer paid, in order to camouflage the fraud. These transactions, however, are carried out on another machine, registered in the criminals’ name. It is worth noting that these are not mass attacks; they are aimed at specific targets so as not to attract attention.
How users can protect themselves
Consumers, the ultimate victims of Prilex, unfortunately have no practical way to prevent the fraud. It can only be proven after the first “phantom” purchase. It is possible, however, to limit the damage. To do so, the user must keep an eye on the credit card statement and look for double charges. Transactions of the same value as those made at a legitimate business, but with small changes in the merchant name, such as an added period, are a strong indication of Prilex activity.
If the user spots a double charge on the statement, they should contact the bank as soon as possible. The bank has the means to identify the origin of that transaction and find out whether it is legitimate. Once the fraud is confirmed, the financial institution must proceed with canceling the card and reversing the fraudulent amount.
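As an added illustration (not from the article or from Kaspersky’s research), the following Python script scans a constructed card statement for the pattern the text describes: two charges of the same amount within a few days whose merchant descriptors match once punctuation and spacing are ignored. All merchant names, dates and amounts below are invented.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample statement (not real data): date, merchant descriptor, amount in BRL.
# The second line mimics the "added period" variant the article describes.
STATEMENT = """\
2023-03-02,POSTO CENTRAL LTDA,150.00
2023-03-02,POSTO CENTRAL. LTDA,150.00
2023-03-03,SUPERMERCADO BOM PRECO,87.45
2023-03-05,FARMACIA VIDA,42.10
2023-03-06,FARMACIA VIDA,42.10
2023-03-06,SUPERMERCADO BOM PRECO,87.45
"""


def normalize(merchant: str) -> str:
    """Drop case, punctuation and spacing so 'POSTO CENTRAL. LTDA' matches 'POSTO CENTRAL LTDA'."""
    return re.sub(r"[^a-z0-9]", "", merchant.lower())


def parse(text: str):
    """Parse 'YYYY-MM-DD,merchant,amount' lines into (date, merchant, amount) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, merchant, amount = line.split(",")
        rows.append((date.fromisoformat(day), merchant.strip(), round(float(amount), 2)))
    return rows


def find_double_charges(rows, window_days: int = 3):
    """Return (first, second, descriptor_differs) for same-amount charges at the
    same normalized merchant that fall within window_days of each other."""
    by_key = defaultdict(list)
    for row in rows:
        by_key[(normalize(row[1]), row[2])].append(row)
    flagged = []
    for group in by_key.values():
        group.sort()  # chronological order within each merchant/amount bucket
        for i in range(len(group)):
            for j in range(i + 1, len(group)):
                first, second = group[i], group[j]
                if (second[0] - first[0]).days <= window_days:
                    # descriptor_differs is True when only punctuation/spacing changed
                    flagged.append((first, second, first[1] != second[1]))
    return flagged


if __name__ == "__main__":
    for first, second, differs in find_double_charges(parse(STATEMENT)):
        print(f"{first[0]} {first[1]!r} / {second[0]} {second[1]!r} "
              f"amount={first[2]} descriptor_changed={differs}")
```

A real statement would need the bank’s own export format, but the matching rule (same amount, near-identical descriptor, short time window) is the one the article tells consumers to look for.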
How companies can protect themselves
For business owners, the first security measure is to restrict permission to install other programs to specialized staff. “By doing this, the cashier will not be able to install programs on the device at any time. They will only be able to use the software to process payments,” explains Assolini.
Additionally, it’s important to be suspicious of spontaneous contacts offering to update your computer, either in person or over the phone. If in doubt, contact the company that supplied the TEF software to make sure it is not a scam.
If a device in your business is already infected with Prilex, it will need to be identified and removed. Because the malware can exploit security holes and “hide” in other files, it may even be necessary to wipe and reinstall the computer.
with information from ZDNet