Attackers are increasingly relying on a novel technique that uses near-field communication (NFC) to cash out victims' funds at scale. The technique, which ThreatFabric calls Ghost Tap, lets fraudsters cash out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic.
"Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds," the Dutch security company stated. "This means that even without your physical card or phone, they can make payments from your account anywhere in the world."
These attacks usually involve tricking victims into downloading mobile banking malware, which then uses an overlay attack or a keylogger to steal their banking credentials and one-time passwords. Alternatively, the attack can involve a voice phishing component.
Once the threat actors have the card information, they link the card to Apple Pay or Google Pay. However, to prevent the issuer from blocking the cards, the tap-to-pay information is sent to a mule, who is in charge of making the fraudulent transactions at a business. This is achieved with NFCGate, a legitimate research tool that can record, examine, and alter NFC traffic. It can also pass NFC traffic between two devices through a server.
Researchers from TU Darmstadt's Secure Mobile Networking Lab stated that one device functions as a reader reading an NFC tag, while the other device emulates an NFC tag using Host Card Emulation (HCE).
The latest development marks the first instance of NFCGate being misused to relay data, although ESET had previously noted, back in August 2024, that bad actors used the technology to transfer NFC information from victims' devices to the attacker with the NGate malware.
"Cybercriminals can establish a relay between a device with stolen card and PoS [point-of-sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale," ThreatFabric explained. "The cybercriminal with the stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within a short period of time."
The approach offers the fraudsters further advantages: it can be used to purchase gift cards at offline retailers without the fraudsters being physically present. Even worse, it can be used to scale the fraudulent operation by enlisting multiple mules in different locations over a short period of time.
Further complicating the detection of Ghost Tap attacks is the fact that the transactions appear to originate from the same device, which circumvents anti-fraud measures. If the device is in flight mode, it can be even more difficult to determine its precise location and to establish that the associated card was not actually used to complete the transaction at the PoS terminal.
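A defender-side check for the pattern described above, the same linked card being tapped at terminals far apart within a short period of time. This is an added example, not code from ThreatFabric or the original article; the `Tap` record fields, the sample transactions and both thresholds are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0   # assumed ceiling, roughly airliner cruise speed
MIN_DISTANCE_KM = 50.0  # assumed floor, ignores terminals in the same metro area

@dataclass(frozen=True)
class Tap:                 # one card-present authorization (hypothetical schema)
    token_id: str          # device-bound payment token of the wallet
    terminal_id: str
    ts: datetime
    lat: float             # terminal location, not device location
    lon: float

def haversine_km(a, b):
    """Great-circle distance between the terminals of two taps, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(taps):
    """Flag consecutive taps of one token that no single device could make."""
    alerts, last = [], {}
    for tap in sorted(taps, key=lambda t: t.ts):
        prev, last[tap.token_id] = last.get(tap.token_id), tap
        if prev is None:
            continue
        km = haversine_km(prev, tap)
        hours = (tap.ts - prev.ts).total_seconds() / 3600
        if km < MIN_DISTANCE_KM:
            continue
        kmh = float("inf") if hours == 0 else km / hours
        if kmh > MAX_SPEED_KMH:
            alerts.append((prev.terminal_id, tap.terminal_id, tap.token_id, round(km)))
    return alerts

# Constructed sample: tok-A is tapped in Amsterdam and 12 minutes later in Madrid;
# tok-B is used twice within Berlin.
SAMPLE = [
    Tap("tok-A", "pos-ams-01", datetime(2024, 11, 20, 10, 0), 52.37, 4.90),
    Tap("tok-B", "pos-ber-07", datetime(2024, 11, 20, 10, 5), 52.52, 13.40),
    Tap("tok-A", "pos-mad-33", datetime(2024, 11, 20, 10, 12), 40.42, -3.70),
    Tap("tok-B", "pos-ber-09", datetime(2024, 11, 20, 10, 30), 52.50, 13.42),
]

if __name__ == "__main__":
    for src, dst, token, km in impossible_travel(SAMPLE):
        print(f"{token}: {src} -> {dst} is {km} km apart, faster than {MAX_SPEED_KMH:.0f} km/h")
```

The check uses terminal locations reported with each authorization rather than the location of the device holding the card, which may be unavailable when that device is in flight mode.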