Prilex malware can steal your credit card at checkout — here’s how

A shopper using tap to pay at checkout with their credit card
(Image credit: Shutterstock)

Paying for goods at checkout has never been easier thanks to mobile wallets and contactless credit cards but hackers have devised a new way to use the payment systems that enable these features against unsuspecting shoppers.

According to a new press release from the cybersecurity firm Kaspersky, its researchers have discovered new variants of the point-of-sale (PoS) malware Prilex that enables it to block contactless near-field communication (NFC) transactions.

While the cybercriminals behind Prilex started off by targeting ATM machines, they’ve now upgraded their malware to launch attacks against PoS systems like the ones you see at checkout at coffee shops, gas stations, convenience stores and other businesses.

Unlike other malware strains that infect users online, Prilex can now steal your credit card details in the real world where people rarely expect to fall victim to cybercrime.

GHOST attacks

With their malware deployed on a vulnerable PoS system, the cybercriminals behind Prilex are able to conduct “GHOST” attacks where they perform credit card fraud. Unfortunately, even credit cards protected by CHIP and PIN technology which was thought to be unhackable are at risk.

After responding to an incident involving one of its customers, Kaspersy’s researchers uncovered three new modifications to the Prilex malware that enable it to block contactless payment transactions.

Normally with a contactless credit card, you just tap it to pay but Prilex now has a way to block these transactions using a rule-based file that lets the malware know whether or not to capture credit card information. Since NFC-based transactions create a unique card number that’s only valid for one transaction, Prilex detects this and blocks it. When this happens, a message indicating there was a “contactless error” appears on a PoS system and shoppers are then prompted to insert or swipe their credit card instead.

Once a potential victim is forced to use their card, Prilex is able to capture all of the data from the transaction. However, the malware can also filter credit cards based on their type. This allows it to capture black or corporate credit cards with a higher transaction limit while ignoring cards with lower limits.

With a victim’s credit card details in hand, the cybercriminals behind Prilex can commit credit card fraud or even try to steal their identity.

How to stay safe from credit card fraud

five visa cards layered on top of each other

(Image credit: Shutterstock)

While the best antivirus software can help keep you safe from online threats, protecting yourself in the real world is a bit different. Especially when you’re used to being able to securely use your credit card at checkout.

To stay safe from the Prilex malware, you want to be extra careful when you see a “contactless error” after trying to use your credit card to tap to pay. When this happens, you’re better off trying to use cash if you have it but if you want to be extra careful, you can cancel the transaction altogether. It's also worth noting that this malware doesn't affect mobile wallets which is why you're better off using Apple Pay, Google Pay or Samsung Pay instead of your physical credit card.

In a blog post, the identity theft protection provider Aura recommends using a chip reader when possible as they’re more secure than tap to pay. At the same time, you should consider using one card for paying bills and another for everyday transactions. This way, you’ll know if your credit card information was stolen at a physical location instead of online.

The cybercriminals behind Prilex have been operating since at least 2014 and unless they’re apprehended by law enforcement, they and their PoS malware will likely remain a threat to watch out for.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

  • ALee7
    Couple of questions for clarification: the goal of the malware is to block your contactless transaction in order to force you to insert your card into the chip reader so they can capture your card info correct? if yes then why do you state "In a blog post, the identity theft protection provider Aura recommends using a chip reader when possible as they’re more secure than tap to pay. " If you insert your card into the chip reader you are doing exactly what the malware was trying to get you to do in the first place. The other question: why is apple pay and google pay not affected by this malware since both of them are also using NFC to conduct the payment? Is it because even though they all use NFC, the malware can't intercept google pay the way it's able to intercept credit card contactless transactions?