Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label NFC. Show all posts
Vulnerabilities
Andriod ATR Cyber Hackers Cybersecurity CyberThreat MaaS malware NFC SiperCard TLS Vulnerabilities

New Android Threat Raises Concern Over NFC Relay Attack Vulnerabilities

 


In recent times, there has been considerable concern with regards to some newly uncovered Android-based malware-as-a-service (Maas) platforms, particularly those based on Android and known as SuperCard X. This is because this platform was able to execute these attacks in near-field communication (NFC). A sophisticated tool such as this enables threat actors to make unauthorised contactless payments, allowing them to withdraw money without requiring direct physical access to their cards. 

Through advanced near-field communication (NFC) relay techniques, this malware is able to allow threat actors to authorize illicit transactions at contactless-enabled ATMs and Point-of-Sale (POS) terminals without actually requiring the victim to give them their card details. Using such methods, the attacker deceives users into installing a malicious Android application, during which their payment cards are tapped against their compromised devices. 

The sensitive data from the NFC tags is intercepted and relayed in real time to the attacker-controlled infrastructure while the attack is taking place. It appears that the platform has been part of a Malware-as-a-Service MaasS) ecosystem for Chinese-speaking users. In addition, it appears to have a significant amount of code overlap with NGate, a malicious NFC toolkit that was previously documented by ESET in 2024. The campaign has had a wide-reaching impact on not only banking customers but also credit card issuers and payment processors as well. 

With the help of widely adopted contactless payment technologies, attackers are able to devise an extremely effective means of executing an unauthorised cashout, especially if they trick the user into disabling transaction limits. This campaign's success has been attributed to its combination of streamlined malware and persuasive social engineering, a development that signals a significant change in the tactics used by mobile threat actors in the future.

Apparently, the current campaign appears to be primarily targeting Italian bank customers and cardholders, according to recent research conducted by the fraud prevention firm Cleafy. It is reported that the attackers intend to collect sensitive payment card data through a methodical and layering approach in a very systematic way. Several analysts, including Federico Valentini, Alessandro Strino, and Michele Roviello, have concluded that SuperCard X uses a multiphase strategic attack method. 

Social engineering tactics are used to lure victims into installing malicious Android applications, which can intercept NFC data that has been compromised from a compromised device. This can include SMS-based phishing (smishing) as well as deceptive phone calls that lure victims into installing malicious Android applications. Additionally, preliminary findings indicate that the service is actively promoted on Telegram channels, which suggests that the tool’s distribution and monetisation are being supported by a larger underground network. 

The campaign's focus is on covert data harvesting and real-time exploitation of data, a trend which highlights the importance of mobile devices as a critical point of entry for financial fraudsters. A growing number of mobile payments is highlighting a need for enhanced awareness of users, robust security protocols, and real-time threat intelligence to combat the ever-increasing number of mobile-focused cyberattacks. As far as the malware's operational architecture is concerned, it displays a clever combination of sophistication and subtlety. 

To keep the component known as "Reader" from being detected by security platforms that are based on heuristics or signature-based and signature-driven algorithms, such as VirusTotal, the component is intentionally designed to only ask for basic system permissions as well as some NFC permissions, an intentional design choice. The technical findings of Cleafy indicate significant code reuse from the open-source relay toolkit NFCGate and the malicious variant NGate, both of which were identified by ESET in 2024. 

Using publicly available frameworks has probably accelerated development and led to a quicker onboarding process for new threat actor affiliates because it allows development to take place faster. When victims are coerced into tapping their credit or debit cards against a compromised device, they are silently captured, including low-level smart card responses such as the Answer To Reset (ATR) messages, from the compromised device. This is often done through social engineering.

Data such as this is sent instantly through a command-and-control network that is based on HTTP and protected with mutually negotiated TLS authentication, which limits communication to validated client instances and reduces the probability of external intrusion. During the same time, a secondary application on a separate attacker-controlled Android device called the "Tapper" is played that simulates the victim's card at a payment terminal or contactless ATM by using Host-Based Card Emulation (HCE). 

With a combination of disabling the card spending limits for the victim, this tactic can ensure that the maximum number of fraudulent withdrawals are made while remaining virtually undetectable by standard mobile security solutions. As a result of Cleafy's analysis, SuperCard X is designed to be stealthy, and it has remained undetected by all antivirus solutions listed on VirusTotal until today. 

Having such a restricted permission model, as well as the absence of overtly malicious behaviours, such as screen overlays and intrusive access requests, which are commonly flagged by heuristic-based security engines, contributes greatly to this success. There is an evident high level of technical competence among the threat actors behind SuperCard X, particularly in the implementation of an ATR-based (Answer to Reset) card emulation system, which demonstrates a high level of technical competence. 

A malware program that replicates the initial response sequence of the smartcard convincingly allows fraudulent transactions to be processed without raising suspicions at a payment terminal by convincingly mimicking authentic smartcard behaviour. In addition to this, users have built a command-and-control infrastructure with mutual Transport Layer Security (MTLS), which ensures that no client devices are permitted to communicate unless they are authenticated. 

A certificate-based verification ensures that not only is data integrity protected, but the network traffic analysis process is hindered significantly by security researchers and law enforcement agencies due to the fact that this certificate is based on verification. Together, these technical safeguards ensure that this malware does not leave a large footprint on the networks and demonstrate how mature the campaign is operationally. 

There is some evidence that the activity associated with SuperCard X is currently restricted to Italy geographically, although Cleafy's report cautions that the threat could rapidly escalate on a global scale if the problem is not addressed promptly. Cybercriminals can acquire and deploy malware-as-a-service (MaaaS) tools on dark web marketplaces that are readily available, which makes it easy for them to acquire and deploy malware against targets from any region. This raises concerns about possible expansion into broader markets, including those in North America and Europe. 

Using convincing social engineering tactics, such as urgent text messages masquerading as official communication from financial institutions, the campaign leverages persuasive social engineering techniques. The messages are designed in such a way that they cause panic in users and prompt them to immediately act, such as clicking on malicious links or downloading unauthorised applications, in order to generate immediate results. 

Individuals should ensure that they verify such messages independently by contacting their financial providers directly through trusted channels in cases where the sender's number matches the victim's actual bank number, especially if the sender's number has been spoofed to match that number. Whenever users receive a request to download an application through an external link, they should be aware that it is a red flag. No legitimate bank would ever ask users for this type of request. 

The user should only install applications from verified sources, such as the Google Play Store, which offer banking apps. It is essential to maintain the functionality of built-in security features on users' Android device, such as Google Play Protect, to mitigate the risk of exposure to threats like SuperCard X. This service continuously scans every application users install and any new applications they download for malicious behavior. 

There are a few things users should consider, such as installing a third-party mobile security solution, as well as awareness and good cyber hygiene practices. As this malware continues to circulate in the wild, awareness and good cyber hygiene are the two best ways to combat the increasing number of mobile malware threats.
Read more »
Payment Fraud
Cyber Fraud Ghost Tap NFC Payment Card Payment Fraud

New Ghost Tap Assault Exploits NFC Mobile Payments to Steal Funds

 

The attackers are increasingly relying on a novel approach that employs near-field communication (NFC) to pay out victims' funds at scale. ThreatFabric's Ghost Tap technology enables fraudsters to cash out money from stolen credit cards related to mobile payment services such as Google Pay or Apple Pay while relaying NFC traffic. 

"Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds," the Dutch security company stated. "This means that even without your physical card or phone, they can make payments from your account anywhere in the world.”

These attacks usually include deceiving victims into downloading malware for mobile banking, which subsequently uses an overlay attack or a keylogger to steal their banking credentials and one-time passwords. As an alternative, it can include a voice phishing feature.

Once the threat actors get the card information, they proceed to link the card to Apple Pay or Google Pay. However, the tap-to-pay information is sent to a mule, who is in charge of making fraudulent transactions at a business, in an effort to prevent the issuer from blocking the cards. A reliable research tool called NFCGate, which has the ability to record, examine, and alter NFC traffic, is used to achieve this. Using a server, NFC traffic can also be transferred between two devices. 

Researchers from TU Darmstadt's Secure Mobile Networking Lab stated that one device functions as a reader reading an NFC tag, while the other device emulates an NFC tag using the Host Card Emulation (HCE).

The most recent development is the first instance of NFCGate being misused to relay data, even though ESET previously noted that bad actors have previously utilised the technology to transfer NFC information from victims' devices to the attacker using NGate malware back in August 2024. 

"Cybercriminals can establish a relay between a device with stolen card and PoS [point-of-sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric explained. "The cybercriminal with the stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within a short period of time.” 

The approach has further benefits in that it can be employed to purchase gift cards at offline businesses without the fraudsters being physically present. Even worse, it can be utilised to expand the fraudulent operation by recruiting the assistance of multiple mules in different locations over a short period of time. 

Further complicating the detection of Ghost Tap assaults is the fact that the transactions appear as if they are originating from the same device, hence circumventing anti-fraud measures. It can be more difficult to determine their precise location and the fact that the associated card was not used to complete the transaction at the PoS terminal if the device is in flight mode.
Read more »
Technology
Android Malware NFC NGate Payments Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Is Tap-to-Pay Dangerous? How New Android Malware Exploits NFC Technology

Tap-to-pay technology, which allows users to make quick transactions with a simple tap of their smartphone, has become increasingly popular. However, with convenience comes risk. A recent discovery of a new Android malware by ESET, known as NGate, has raised significant concerns about the security of tap-to-pay transactions. This blog will delve into how this malware operates, the potential risks it poses, and how users can protect themselves.

Understanding NGate Malware

NGate is a sophisticated piece of malware designed to exploit the Near Field Communication (NFC) technology used in tap-to-pay transactions. NFC allows devices to communicate wirelessly when they are close to each other, making it ideal for contactless payments. However, this same technology can be manipulated by malicious actors to steal sensitive financial information.

How NGate Works

The NGate malware is typically spread through social engineering and phishing tactics. Attackers often disguise the malware as legitimate banking apps or other trusted applications. Once a user unknowingly installs the malware, it begins to operate in the background, capturing sensitive information.

One of the most alarming features of NGate is its ability to clone contactless credit and debit cards. By exploiting the NFC feature, the malware can intercept and replicate the data transmitted during a tap-to-pay transaction. This cloned data can then be used by attackers to make unauthorized transactions, effectively draining the victim’s bank account.

The Impact of NGate

The implications of NGate are far-reaching. With the ability to clone contactless payment cards, attackers can carry out fraudulent transactions without the victim’s knowledge. This not only leads to financial loss but also undermines trust in tap-to-pay technology.

Moreover, the spread of NGate highlights the evolving tactics of cybercriminals. As technology advances, so do the methods used by attackers. This underscores the importance of staying vigilant and adopting robust security measures.

Protecting Yourself from NGate

  • Always download apps from official app stores like Google Play. Be cautious of apps that request unnecessary permissions or seem suspicious.
  • Use built-in security features on your smartphone, such as biometric authentication and two-factor authentication (2FA). These add an extra layer of protection.
  • Keep your device and apps updated. Security patches are often released to address vulnerabilities that could be exploited by malware.
  • Be cautious of unsolicited messages or emails that prompt you to download apps or provide personal information. Verify the source before taking any action.
  • Regularly check your bank statements and transaction history for any unauthorized activity. Report any suspicious transactions to your bank immediately.

Read more »
NGate
Android Malware malware NFC NFC Payment NGate

Protecting Your Wallet: Understanding NGate Android Malware

Protecting Your Wallet: Understanding NGate Android Malware

A new and sophisticated malware has emerged, targeting the increasingly popular Near Field Communication (NFC) payment systems. Known as NGate, this Android malware has been discovered by ESET Research and poses a significant risk to users’ financial security. This blog delves into the workings of NGate, its implications, and measures to protect against such threats.

Understanding NGate Malware

NGate is a type of malware designed to exploit the NFC capabilities of Android devices. NFC technology allows for contactless payments, making transactions quick and convenient. However, this convenience comes with its own set of vulnerabilities. 

NGate malware leverages these vulnerabilities by relaying NFC data from victims’ payment cards through their mobile phones to an attacker’s device at an ATM. This process enables the attacker to clone the card and withdraw money without the victim’s knowledge.

How NGate Operates

The operation of NGate malware is both ingenious and alarming. Once the malware infects an Android device, it gains access to the NFC functionality. When a victim uses their phone for an NFC transaction, the malware captures the payment card data and transmits it to the attacker’s device. 

The attacker, equipped with a device capable of receiving NFC signals, can then use this data to create a clone of the victim’s card. This cloned card can be used to withdraw cash from ATMs or make unauthorized purchases.

The Implications of NGate

Increased Vulnerability of Contactless Payments 

As contactless payments become more widespread, the potential for exploitation by cybercriminals also increases. NGate demonstrates how easily NFC technology can be manipulated for malicious purposes.

Financial Losses

Victims of NGate malware can suffer significant financial losses. Unauthorized transactions and cash withdrawals can drain bank accounts, leading to financial distress and the arduous process of disputing fraudulent charges.

Erosion of Trust

The success of digital payment systems relies heavily on user trust. Incidents like those involving NGate can erode this trust, making users hesitant to adopt new technologies and potentially slowing down the progress of digital financial services.

Protecting Against NGate and Similar Threats

1. Regular Software Updates: Keeping your Android device’s software up to date is crucial. Manufacturers often release security patches that address known vulnerabilities. Regular updates can help protect your device from malware like NGate.

2. Use Trusted Security Software: Installing reputable antivirus and anti-malware software can provide an additional layer of protection. These programs can detect and remove malicious software before it can cause harm.

3. Be Cautious with App Permissions: Pay close attention to the permissions requested by apps. If an app requests access to NFC functionality without a clear reason, it could be a red flag. Only grant permissions that are necessary for the app’s functionality.

4. Monitor Financial Statements: Regularly reviewing your bank and credit card statements can help you quickly identify any unauthorized transactions. Early detection is key to minimizing financial losses.

Read more »
Subscribe to: Posts (Atom)