Threat actors are actively using a new cash-out technique called “Ghost Tap” to cash out money using credit card information that has been stolen and connected to mobile payment services like Apple Pay or Google Pay.
This technique involves relaying near-field communication (NFC) traffic. Typically, NFC-based attacks are a form of cyber attack that can compromise the security of NFC-enabled devices and the personal and financial information they hold.
Recent instances of hackers’ growing interest in such attacks include mobile malware such as NFSkate, attacks using NFCGate-based tools on physical cards, and relaying NFC traffic between a device with a linked stolen card and a “mule” at POS.
“We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where the transaction is performed (device is not present at POS or ATM)”, ThreatFabric shared with Cyber Security News.
Cash-Out With NFC Relay
Researchers noticed a post on one of the underground forums during the investigation, in which a user claimed that they are able to “send my apple pay /google pay card from my phone to your phone for NFC operation.”
Another person mentioned that “there are also other people who offer a similar method, … transactions are made using the phone’s built-in NFC reader”.
The actors in these incidents were involved in cashing out funds from stolen cards that had been linked to mobile payment systems such as Google Pay or Apple Pay. To link a card to a new device in Apple Pay or Google Pay, criminals need to obtain a one-time password (OTP) from the bank, which is often delivered via SMS. They obtain the card data and the OTP in one of two ways:
- Mobile banking malware is installed on the victim’s smartphone. Keylogging capabilities or overlay attacks are used to steal the credit card information, and the malware can then intercept the OTP (via push notifications or SMS) and forward it to the attackers, completing the card’s enrolment in the mobile payment system.
- The victim enters the card’s credentials on a phishing website, which then also asks for the OTP, again giving the attackers everything they need.
With the card linked, threat actors used the publicly available tool NFCGate to relay NFC traffic between two devices through a server, and in this way cashed out the funds.
Threat actors have turned TU Darmstadt’s NFCGate—which was initially created for research—into a weapon.
It’s noteworthy that this effort also served as the basis for the NFSkate malware family, underscoring the growing practice of criminal actors using academic research for their own illegal ends.
Further, to remain anonymous and carry out cash-outs on a bigger scale, cybercriminals can set up a relay between a device that has a stolen card and a retailer’s point-of-sale terminal.
A cybercriminal with a stolen card may be located far from the intended use site (perhaps in a different country) and may use the same card in several different places in a short amount of time.
Implement Anti-Fraud Measures
By being aware of the new strategy, financial institutions can implement anti-fraud measures to identify questionable consumer behavior. These occurrences consist of:
- A card being linked to a new device, which, when combined with mobile malware identified on the known customer’s device, becomes strong evidence of fraud.
- Multiple transactions carried out at locations that could not be reached in the time elapsed between them (impossible travel time).
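The two signals listed above can be checked with simple logic over a bank’s transaction records. The following is an added illustration written for this article, not ThreatFabric’s or any bank’s detection code; the transaction rows, card tokens, device identifiers and the 900 km/h plausibility threshold are all constructed assumptions.

```python
"""Impossible-travel and new-device checks for card transactions (constructed example)."""
import math
from datetime import datetime

# Constructed sample: card tok-1 is used in Berlin and then in Madrid six minutes
# later from a different device; tok-2 travels Paris -> Brussels over four hours.
TRANSACTIONS = [
    {"card": "tok-1", "ts": "2024-11-20T10:00:00", "lat": 52.520, "lon": 13.405, "device": "dev-A"},
    {"card": "tok-1", "ts": "2024-11-20T10:06:00", "lat": 40.416, "lon": -3.703, "device": "dev-B"},
    {"card": "tok-1", "ts": "2024-11-20T11:30:00", "lat": 40.420, "lon": -3.700, "device": "dev-B"},
    {"card": "tok-2", "ts": "2024-11-20T09:00:00", "lat": 48.856, "lon": 2.352, "device": "dev-C"},
    {"card": "tok-2", "ts": "2024-11-20T13:00:00", "lat": 50.850, "lon": 4.350, "device": "dev-C"},
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling: roughly airliner speed

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(transactions, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (card, earlier_ts, later_ts, implied_kmh) for consecutive transactions
    on the same card whose locations could not be reached in the elapsed time."""
    by_card = {}
    for t in transactions:
        by_card.setdefault(t["card"], []).append(t)
    alerts = []
    for card, txs in by_card.items():
        txs.sort(key=lambda t: t["ts"])
        for prev, cur in zip(txs, txs[1:]):
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = delta.total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # Two different places at the same instant is also impossible travel.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((card, prev["ts"], cur["ts"], round(speed)))
    return alerts

def new_device_links(transactions, known_devices):
    """Return (card, device) pairs where a card transacts from a device not
    previously associated with it (the 'card linked to a new device' signal)."""
    flagged = {(t["card"], t["device"]) for t in transactions
               if t["device"] not in known_devices.get(t["card"], set())}
    return sorted(flagged)
```

Both results should be scored together with the other evidence the article lists rather than used as a sole decline rule, since a genuine customer can also enrol a new phone.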
Therefore, to stay ahead of this new threat and successfully safeguard customer cash, detecting and preventing such fraud will need sophisticated detection models, strong security measures, and industry cooperation.