Virus blocks contactless payment to commit card fraud

A group of Brazilian cybercriminals specializing in financial malware has released a malicious program capable of blocking contactless payments at points of sale. By doing so, they force consumers to insert their credit card into the payment terminal, which enables the fraud.

The novelty appears in a new version of the Prilex gang's malware, which has been in circulation since November and was disclosed by Kaspersky this Tuesday (31). According to the cybersecurity company, it is the first time anywhere that a gang has managed to block this type of transaction.

Contactless payments, made by simply touching a credit card or an electronic device (such as a cell phone or smartwatch) to the terminal, have become popular in recent years and are considered safer. In them, each purchase carries a unique identifier, so even if the transaction data is captured by criminals, it is of no use for further purchases.

The technique used by Prilex circumvents this protection by forcing customers to pay in the traditional way, by inserting their card. When a customer attempts to pay contactlessly, the infected terminal displays the message “ERROR APPROXIMATION (sic) INSERT THE CARD (sic)”. This text may change in other versions of the malware.

According to Fabio Assolini, head of research at Kaspersky in Latin America, the number of detections of this malware in action is still low, which may indicate that it is still being tested.

“Prilex is very targeted. They are not going to install the virus in the corner bakery. They prefer companies that move large sums,” he says.

According to the expert, once the technique is validated, the criminals can sell their malware to other fraudsters. Furthermore, other gangs may follow suit and adapt their own malware to use similar strategies.

The new version of the Prilex malware is also capable of filtering the stolen data by card brand or by specific segment, capturing, for example, only “black” and corporate cards, which normally have higher limits. With this, the group builds databases of more valuable cards to sell to other criminals.

HISTORIC

Prilex is one of the local groups seeking to stand out abroad with banking fraud, while the main gangs in the world focus on ransomware (holding data hostage for ransom), seen as even more lucrative. Its activity has been tracked since at least 2014 and has already reached North America and Europe.

Prilex tools infect point-of-sale computers. The group's strategy is said to be more sophisticated than that of competing groups. While most create malware that monitors the memory of the machines to extract card data, Prilex creates a false connection: instead of the card terminal communicating with the financial institution, it sends the transaction information directly to the criminals, who use it to make a phantom purchase.

To make the fraud less obvious, once the data has been sent, the malware causes the card terminal to display a payment error, forcing the customer to repeat the process. On the second attempt everything goes smoothly, and the impression is that it was just an ordinary glitch.

To install their malware, the Prilex criminals contact the commercial establishment and present themselves as employees of the terminal manufacturer or the card brand. They say they need to perform equipment maintenance and instruct the victim to visit a website to install a tool that gives them remote access to the computer.

PROTECTION

For the consumer, upon detecting an unauthorized charge on the card, the advice is to contact the bank to challenge the purchase and to file an incident report.

As a preventive measure, customers can also pay attention to the error message displayed by the terminal. “What the user can do then is insist on paying contactlessly. If there is no way, it is better to try to pay by another method,” says Assolini.
