Brazilian virus steals card data and makes ‘ghost’ purchases

A virus that hides on the computers of stores and other commercial establishments is being used to steal customer card data and carry out “ghost” transactions. Called Prilex, the malware is the work of a Brazilian group and has existed since 2014, but gained a more refined version in 2022, identified by cybersecurity company Kaspersky. In this new approach, criminals use social engineering to get remote access software installed on the store’s system, then connect to the machine, infect it and capture customer card data without the customer or the retailer noticing.


Run by highly skilled criminals, the scam requires advanced knowledge of payment systems and meticulous execution, from pre-screening victims to mechanisms that keep the cloning invisible for as long as possible. Below, TechTudo details how Prilex works and explains how companies and customers can protect themselves.

Prilex infects systems of commercial establishments to clone consumer cards; understand — Photo: Reproduction/Unsplash


Prilex is malware created by a Brazilian criminal group that targets point-of-sale (POS) systems and infects TEF software (Transferência Eletrônica de Fundos, the payment integration layer that lets a retailer handle all of its card payments through a single system). In 2014, when it was first identified, the virus was used for jackpotting, a scam that makes ATMs dispense large amounts of cash in a matter of seconds.

A new version of the virus was observed in 2018. Spread through phishing emails, the malware began to reach store systems, infecting machines and stealing customer credit card data. Taking advantage of a weakness in EMV, the chip-card standard used to validate transactions, the scammers were able to clone credit and debit cards. This version of Prilex was even used against a German bank, which lost around €1.5 million (approximately R$7.7 million).

In its latest update, Prilex has resurfaced with a new malicious approach: performing ghost transactions. The method stands out for its sophistication, as Fabio Assolini, director of Kaspersky’s Global Research and Analysis Team (GReAT) in Latin America, points out.

“Prilex is a highly targeted hit. The group goes around the establishment to assess its movement; if the target is interesting, they will make phone contact or even send a fake technician to ‘update’ the system. The ultimate goal is to install a legitimate program to allow remote group access and remote installation of Prilex,” explains Assolini.

Kaspersky’s analysis revealed that Prilex is also operating in the malware-as-a-service (MaaS) model, in which the creators sell the virus to groups that will operationalize the attacks. In 2019, offers worth US$3,500 (about R$18,825) were identified and, more recently, an alleged offer of US$13,000 (about R$69,924) was found – which is still under investigation. “If this new figure is confirmed, we have a strong indication of how profitable this new approach is for criminals”, comments Assolini.

The Prilex scam starts with social engineering. A scammer calls the target establishment, or shows up in person, posing as a technician from the TEF software vendor. He then convinces employees to perform a supposed system update on the company’s device. What actually gets installed is a legitimate remote access program, through which the gang can monitor every operation on the PC of the store, gas station or supermarket.

The scammers then begin monitoring the establishment’s activity. If the sales volume is high, it becomes an interesting target for the scam. In that case, the criminals’ next step is to uninstall the antivirus and install Prilex, which is capable of altering the routine of the card terminals that connect to the computer.

Prilex scam strategy affects shopkeepers and consumers — Photo: Reproduction/Kaspersky

So when a customer inserts the card to complete a purchase, the first PIN entry is controlled by the malware, which captures the authentication code the chip generates for that transaction (called a cryptogram). Prilex then simulates an error in the legitimate operation so that the purchase is redone and completed normally. Because connection and authentication errors on card terminals are common, neither the consumer nor the establishment realises that a fraud has occurred.

With the card data and PIN in hand, the criminals make fraudulent purchases under the name of the legitimate establishment and for the same amount the customer paid, to camouflage the scam. These transactions, however, go through another terminal, registered in the criminals’ name. It is worth noting that these attacks are not carried out at scale: they are aimed at specific establishments, so as not to attract attention.

How the user can protect themselves

Consumers, the ultimate victims of Prilex, unfortunately have no practical way to protect themselves from the scam beforehand. Fraud can only be proven after the first “ghost” purchase. It is possible, however, to contain the damage. To do so, the customer must watch the card statement for duplicate charges. A transaction for the same amount as one made at a legitimate establishment, but with a small change in the merchant name, such as an added period, is a strong indication that Prilex is at work.
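The check described above can be automated over a card statement. The script below is an added example, not code from the original article or from Kaspersky: it works on a constructed, made-up list of statement rows (not real card data), flags same-amount charges whose merchant descriptor is almost but not exactly identical, and deliberately ignores exact-match repeats, which are usually genuine repeat purchases. The 30-day window and the 0.9 similarity threshold are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample statement (not real card data): (timestamp, merchant descriptor, amount in centavos).
# Rows 4 and 7 are the planted "ghost" charges: same amount as an earlier purchase, same merchant
# except for a trailing period / doubled space in the descriptor. Row 5 is a genuine repeat visit
# and row 6 is a genuine purchase elsewhere that merely happens to cost the same.
SAMPLE_STATEMENT = [
    ("2022-09-12 12:41", "POSTO BOA VISTA LTDA", 15000),
    ("2022-09-12 13:05", "PADARIA CENTRAL", 1850),
    ("2022-09-13 09:10", "SUPERMERCADO ALVORADA", 31277),
    ("2022-09-13 19:22", "POSTO BOA VISTA LTDA.", 15000),
    ("2022-09-14 08:30", "PADARIA CENTRAL", 1850),
    ("2022-09-14 12:00", "LANCHONETE DA ESQUINA", 1850),
    ("2022-09-15 11:02", "SUPERMERCADO  ALVORADA", 31277),
]


def normalize(descriptor):
    """Strip the cosmetic edits (punctuation, extra spaces, case) used to disguise a duplicate.
    Accented characters are also collapsed to a space, which is good enough for comparison."""
    return re.sub(r"[^A-Z0-9]+", " ", descriptor.upper()).strip()


def find_ghost_candidates(statement, window_days=30, min_similarity=0.9):
    """Return (earlier, later) row pairs that look like Prilex ghost charges: identical amount,
    within window_days of each other, and a merchant descriptor that is almost but not exactly
    the same. Exact-match descriptors are skipped on purpose: the same amount at literally the
    same descriptor is far more often a genuine repeat purchase than a ghost transaction."""
    rows = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M"), m, amt) for ts, m, amt in statement)
    hits = []
    for i, (t1, m1, a1) in enumerate(rows):
        for t2, m2, a2 in rows[i + 1:]:
            if t2 - t1 > timedelta(days=window_days):
                break  # rows are time-ordered, so nothing later can fall inside the window
            if a1 != a2 or m1 == m2:
                continue
            n1, n2 = normalize(m1), normalize(m2)
            if n1 == n2 or SequenceMatcher(None, n1, n2).ratio() >= min_similarity:
                hits.append(((t1, m1, a1), (t2, m2, a2)))
    return hits


if __name__ == "__main__":
    for (t1, m1, a1), (t2, m2, _) in find_ghost_candidates(SAMPLE_STATEMENT):
        print(f"{t2:%Y-%m-%d %H:%M}  {m2!r:26} R$ {a1 / 100:.2f}  looks like a ghost copy of "
              f"{m1!r} on {t1:%Y-%m-%d %H:%M}")
```

On the sample rows the script reports the two planted charges and nothing else. Amounts are kept in centavos (integers) so that equality is exact; the similarity threshold is the knob to tune if an issuer's descriptors vary more than a period or a space between the real and the ghost charge.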

If a duplicate charge appears on the statement, the customer should contact the bank as soon as possible. The bank has the means to trace the origin of that transaction and determine whether it is legitimate. Once the scam is confirmed, the financial institution must cancel the card and reverse the defrauded amount.

How companies can protect themselves

For business owners, the first security measure is to restrict permission to install programs to specialised IT staff. “By doing this, at no time will the cashier be able to install programs on the machine. He will only be able to use the software to process payments,” explains Assolini.

In addition, be suspicious of unsolicited contacts offering system updates, whether in person or over the phone. If in doubt, contact the company that supplied the TEF software to confirm that the request is not a scam.

If your establishment’s device has already been infected with Prilex, the malware will need to be identified and removed. Because it is able to exploit security holes and “hide” itself inside other files, it may even be necessary to wipe and reinstall the computer.

with information from ZDNet
