Prilex, a point-of-sale malware program that’s historically been used to steal money or payment card information from Brazilian ATMs and retailers, has now evolved into a comprehensive tool suite that lets cyber-criminals steal chip and PIN card data and create their own functioning, fraudulent plastic cards.
“This is the first time that the researchers have seen in the wild such a full suite of tools for carrying out fraud,” states a 15 March press release from Kaspersky Lab.
The fake cards work on virtually any Brazilian POS system, the company explains, due to a “faulty implementation of the EMV standard, whereby payment operators fail to perform all of the required validations on data before approving a transaction. This opens the door for criminals to install a malicious Java-based application, in the form of a modified CAP file, to the cloned cards’ chips, which forces POS solutions to automatically accept the PIN validation and bypass any other remaining validation processes.”
“We are dealing here with a completely new malware, one that offers attackers everything from a graphic user interface to well-designed modules that can be used to create different credit card structures,” said Thiago Marques, security analyst at Kaspersky, in the press release.
Typically, cyber-criminals infect retailers such as supermarkets and gas stations with Prilex via fake remote support sessions, during which the adversaries pose as IT specialists and install the malware. According to Kaspersky, the Prilex infrastructure is composed of three distinct parts: the malware that actually modifies the POS system and intercepts card information, a server to store the stolen information, and a user application with an interface that bad actors can use to view attack statistics.
“When it comes to Prilex, we are dealing with a complete malware suite that gives the criminal full support in their operations, all with a nicely done graphical user interface and templates for creating different credit card structures, being a criminal-to-criminal business,” write Marques and fellow researcher Santiago Pontiroli in a Kaspersky blog post that offers additional detail on the threat.
The newly discovered version of the malware is loaded with new functionality that allows its users to overwrite an infected POS system’s libraries so that it can subsequently collect and exfiltrate payment cards’ “TRACK2” magnetic stripe data. The stolen data is then packaged and sold on the black market by the Prilex criminals, who offer their underground customers a tool called Daphne for managing this information and using it to clone debit and credit cards.
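Because the malware's value to its operators lies in the "TRACK2" data it harvests and exfiltrates, one practical control on the retailer side is to watch for Track 2-formatted card data leaving a POS host at all. The following scanner is an added example written for this article; it is not code from Kaspersky or from the Prilex suite. It matches the ISO/IEC 7813 Track 2 layout (PAN, a `=` or `D` separator, YYMM expiry, three-digit service code) in both its raw and EMV "Track 2 Equivalent Data" forms, drops matches whose PAN fails the Luhn check to cut false positives, and reports only a masked PAN. The log lines are constructed for the example and use public test card numbers, not real accounts.

```python
import re

# ISO/IEC 7813 Track 2: PAN (13-19 digits), separator ('=' on magstripe, 'D' in the
# EMV tag 57 hex form), expiry YYMM, 3-digit service code, then discretionary data.
# The lookbehind stops the PAN from starting in the middle of a longer digit run.
TRACK2_RE = re.compile(
    r"(?<![0-9])(?P<pan>[0-9]{13,19})[=D](?P<exp>[0-9]{4})(?P<svc>[0-9]{3})"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used by every payment card PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN (first 6) and last 4; never log a full PAN from a detector."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(text: str) -> list:
    """Return Track 2 findings in one string; Luhn-invalid PANs are discarded."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue
        svc = m.group("svc")
        findings.append({
            "pan_masked": mask_pan(pan),
            "expiry": m.group("exp"),
            "service_code": svc,
            # Service code first digit 2 or 6 means "use the chip where possible".
            "chip_capable": svc[0] in "26",
        })
    return findings


def scan_lines(lines: list) -> list:
    """Scan outbound-traffic or process log lines; tag each finding with its line number."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for f in find_track2(line):
            f["line"] = n
            hits.append(f)
    return hits


# Constructed sample lines (not real traffic). Line 2 is a decoy that looks like
# Track 2 but carries a PAN that fails Luhn, so it must not be reported.
SAMPLE_LINES = [
    "2018-03-16 10:21:03 pos01 upload host=198.51.100.7 data=4111111111111111D22121011234",
    "2018-03-16 10:21:04 pos01 heartbeat seq=1234567890123456=2405101",
    "2018-03-16 10:21:05 pos01 batch ;5555555555554444=25061010000000000?",
    "2018-03-16 10:21:06 pos01 status ok",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LINES):
        print(hit)
```

Run against a process-memory dump, an outbound HTTP body, or a POS application log, the scanner flags the two genuine Track 2 records and ignores the decoy; the masked output is safe to forward to a SIEM without itself becoming a cardholder-data leak.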
“The new card, which is connected to the smart card writer, will receive the new information via GPShell scripts in charge of setting up the card’s structure and creating the ‘golden card’ that works on any POS machine,” the blog post adds, noting that blank cards and reader/writer hardware can be acquired easily online. “Since [cyber-criminals] cannot manipulate all the information of the ‘chip and PIN’ technical standard, they need to modify the application responsible for validating the transaction,” Kaspersky continues.
That’s why they install the aforementioned JavaCard applet into the duplicate smart card’s chip — so that the POS system is tricked into bypassing the flawed validation process.
Kaspersky continues: “GPShell sends commands to replace the PSE (Payment System Environment) by deleting the original one and installing a malicious counterpart. After that, the Smart Card just needs the stolen information to be written and it will be ready to use on POS devices.”