It is just another day with just another ATM malware targeting unsuspecting users – This time, the malware comes with cloning capabilities.
According to the findings of Kaspersky Lab researchers, an old point-of-sale malware program Prilex has now been transformed into a full-fledged tool suite that allows cyber-crooks steal PIN card and chip data for creating their own plastic cards to conduct frauds.
Previously, Prilex was used to steal cash and payment card information from Brazilian ATMs and retailers. It is the first time a full suite of tools has been developed and extensively used for conducting fraud.
Kaspersky Lab researchers revealed that Prilex malware has remained active since 2014; its original function was to modify malware with exclusive features of infecting point-of-service (POS) terminals and obtaining card data.
This means it is possible to modify POS software and let third-parties capture the transmitted data via the bank terminal. That is, when a customer pays for his card at an infected POS terminal, the data will automatically get transferred to the cybercriminals.
Now, the Brazil-based Prilex group has developed infrastructure that creates cards clones. It was quite easy for the firm since in Brazil there is the faulty implementation of EMV [PDF] standard and therefore, all the data that goes through the approval process remains unverified. It is also worth noting that these cloned cards are compatible with almost all POS systems in Brazil.
Kaspersky Lab researchers identified that Prilex’s infrastructure includes a Java applet and a client application titled Daphne that writes data on smart cards and assesses the amount that can be extracted. Moreover, Prilex also includes databases with card numbers. The information is sold as a package in Brazil.
Usually, when the chip is inserted into a POS terminal, four steps are required for chip-and-pin cards to work namely initialization, data authentication, cardholder verification, and transaction. Among these four, only the first and last steps are necessary while the other two can be skipped.
When using the cloned cards, which have been created with dedicated Java application, the POS terminal gets the signal that data authentication is not required and the terminal should not look for the cryptographic keys of the card.
Although the EMV standard has an option to enable card validation by checking the PIN cyber-crooks’ app can validate almost any entered PIN. Thiago Marques, Kaspersky Labs’ security analyst, stated in the company’s official press release:
“We are dealing here with a completely new malware, one that offers attackers everything from a graphic user interface to well-designed modules that can be used to create different credit card structures.”
Santiago Pontiroli, another Kaspersky researcher who worked with Marques on Prilex malware wrote in his blog post: “Prilex [is a] a complete malware suite that gives the criminal full support in their operations, all with a nicely done graphical user interface and templates for creating different credit card structures, being a criminal-to-criminal business.”
A modified version of Prilex can overwrite and infect POS terminal libraries to collect and exfiltrate Track2 magnetic strip installed in payment cards. There is high demand for this information on the black market, and Prilex users sell the data to their underground clients using Daphne.
“The new card, which is connected to the smart card writer, will receive the new information via GPShell scripts in charge of setting up the card’s structure and creating the ‘golden card’ that works on any POS machine.”
“Since [cybercriminals] cannot manipulate all the information of the ‘chip and PIN’ technical standard, they need to modify the application responsible for validating the transaction,” Kaspersky blog post explained.
Image credit: Shutterstock