Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victim’s funds at scale.
The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash-out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay and relaying NFC traffic.
“Criminals can now misuse Google Pay and Apple Pay to transmit your tap-to-pay information globally within seconds,” the Dutch security company told The Hacker News in a statement. “This means that even without your physical card or phone, they can make payments from your account anywhere in the world.”
These attacks typically work by tricking victims into downloading mobile banking malware that can capture their banking credentials and one-time passwords using an overlay attack or a keylogger. Alternatively, it can involve a voice phishing component.
Once in possession of the card details, the threat actors move to link the card to Google Pay or Apple Pay. But in an attempt to avoid getting the cards blocked by the issuer, the tap-to-pay information is relayed to a mule, who is responsible for making fraudulent purchases at a store.
This is accomplished by means of a legitimate research tool called NFCGate, which can capture, analyze, or modify NFC traffic. It can also be used to pass the NFC traffic between two devices using a server.
“One device operates as a ‘reader’ reading an NFC tag, the other device emulates an NFC tag using the Host Card Emulation (HCE),” according to researchers from the Secure Mobile Networking Lab at TU Darmstadt.
While NFCGate has been previously put to use by bad actors to transmit the NFC information from victim’s devices to the attacker, as documented by ESET back in August 2024 with NGate malware, the latest development marks the first time the tool is being misused to relay the data.
“Cybercriminals can establish a relay between a device with stolen card and PoS [point-of-sale] terminal at a retailer, staying anonymous and performing cash-outs on a larger scale,” ThreatFabric noted.
“The cybercriminal with the stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within a short period of time.”
The tactic offers more advantages in that it can be used to purchase gift cards at offline retailers without the cybercriminals having to be physically present. Even worse, it can be used to scale the fraudulent scheme by enlisting the help of several mules at different locations within a short span of time.
Complicating the detection of Ghost Tap attacks is the fact that the transactions appear as if they are originating from the same device, thereby bypassing anti-fraud mechanisms. The device with the linked card can also be in airplane mode, which can complicate efforts to detect their actual location and that it was not actually used to make the transaction at the PoS terminal.
“We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where transaction is performed (device is not present at PoS or ATM),” ThreatFabric noted.
“With the ability to scale rapidly and operate under a cloak of anonymity, this cash-out method presents significant challenges for financial institutions and retail establishments alike.”
