ESET Warns of Cybercriminals Attacking NFC Data for Contactless Payment Fraud

ESET researchers have sounded the alarm over a dramatic escalation in cybercriminal activity targeting Near Field Communication (NFC) data, which underpins contactless payment systems. 

According to ESET’s Threat Report for H1 2025, the number of NFC attacks has surged more than 35-fold compared to the previous six months, highlighting a rapidly evolving threat landscape that now extends well beyond the initial incidents reported among Czech banking customers.

NFC technology, widely adopted for its convenience and security, enables short-range wireless communication between devices, most notably for tap-to-pay transactions using smartphones and contactless cards.

The global NFC market is projected to grow from $21.69 billion in 2024 to $30.55 billion by 2029, driven by increasing smartphone penetration and the popularity of cashless payments. 

Despite built-in safeguards such as encryption and tokenization, ESET’s findings reveal that cybercriminals are successfully circumventing these protections through sophisticated social engineering and malware campaigns.

Novel Attack Vectors

The attack chain uncovered by ESET combines traditional phishing and Android malware with the abuse of NFCGate, a research tool originally developed for academic purposes at the Technical University of Darmstadt. 

Threat actors initiate their campaigns by sending SMS phishing messages, often referencing tax returns, that direct victims to fraudulent banking websites. 

These sites prompt users to install malicious progressive web apps (PWAs) that mimic legitimate banking applications.

Once victims enter their credentials, attackers gain unauthorized access to their accounts and escalate the scheme by impersonating bank representatives. 

Victims are manipulated into installing a second malicious app, dubbed NGate, which leverages NFCGate technology. 

Under the guise of a security procedure, victims are instructed to enter their PIN and scan their bank card, unwittingly handing over sensitive NFC data.

With this information, attackers can clone the victim’s card onto their own devices, enabling them to make fraudulent contactless payments or cash withdrawals without leaving a traceable link to their own accounts. 

ESET telemetry indicates that, following initial arrests and a temporary lull, NGate malware has proliferated across multiple regions, with detection rates rising from isolated incidents to dozens per week.

Payment Card Farming

Inspired by the success of NGate, cybercriminals have refined their tactics, culminating in the emergence of the “Ghost Tap” technique. 

This method streamlines the attack process, allowing for mass exploitation. Attackers use phishing to harvest payment card details and one-time passcodes, registering the stolen credentials in their own Apple or Google wallets. 

These digital wallets are then relayed to other devices, facilitating anonymous, large-scale fraudulent transactions worldwide.

The scalability of this approach enables the creation of “farms” of compromised Android devices, each loaded with stolen card data and capable of executing automated payment fraud at scale.

ESET emphasizes that users are not powerless in the face of these threats. Vigilance against phishing attempts, setting low payment limits, utilizing RFID blockers, and deploying comprehensive cybersecurity solutions are critical measures. 

ESET’s suite of security products, including ESET HOME Security and ESET Mobile Security for Android, offers multi-layered protection, featuring real-time malware detection, anti-phishing safeguards, payment protection, and security audits to monitor app permissions.
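As an added example (not ESET's code and not taken from the report), the following sketches the kind of app-permission audit mentioned above: it flags apps installed from outside a trusted store that hold the NFC permission, and notes whether they also have network access or declare a card emulation service. The inventory format, the package names, the trusted-installer list and the heuristic itself are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
NFC = "android.permission.NFC"
INTERNET = "android.permission.INTERNET"
HCE_ACTION = "android.nfc.cardemulation.action.HOST_APDU_SERVICE"
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample inventory of (installer, decoded AndroidManifest.xml).
# Package names are hypothetical; installer None means the app was sideloaded.
MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="{pkg}">{perms}<application>{services}</application></manifest>')
PERM = '<uses-permission android:name="{}"/>'
HCE_SERVICE = ('<service android:name=".CardService"><intent-filter><action android:name="'
               + HCE_ACTION + '"/></intent-filter></service>')
SAMPLE_INVENTORY = [
    ("com.android.vending", MANIFEST.format(
        pkg="com.example.bank", perms=PERM.format(NFC) + PERM.format(INTERNET), services=HCE_SERVICE)),
    (None, MANIFEST.format(
        pkg="com.example.cardverify", perms=PERM.format(NFC) + PERM.format(INTERNET), services=HCE_SERVICE)),
    (None, MANIFEST.format(pkg="com.example.flashlight", perms="", services="")),
]


def audit_app(installer, manifest_xml):
    """Return (package, reasons); reasons is empty when the app is not flagged."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Heuristic: only apps from outside a trusted store that can use NFC are of interest.
    if installer in TRUSTED_INSTALLERS or NFC not in perms:
        return package, []
    reasons = ["sideloaded app holds the NFC permission"]
    if INTERNET in perms:
        reasons.append("has network access, so card data could leave the device")
    if HCE_ACTION in {a.get(ANDROID_NS + "name") for a in root.iter("action")}:
        reasons.append("declares a host card emulation service")
    return package, reasons


def audit_inventory(inventory):
    """Map each flagged package name to the reasons it was flagged."""
    results = (audit_app(installer, xml) for installer, xml in inventory)
    return {package: reasons for package, reasons in results if reasons}


if __name__ == "__main__":
    for package, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(package, "->", "; ".join(reasons))
```

A flagged app is a prompt for review, not a verdict: legitimate tools installed outside a store can match the same pattern.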

Despite the sophistication of these attacks, ESET reassures consumers that contactless payments remain safe when paired with robust cybersecurity practices and user awareness.

Indicators of Compromise (IOC) Table

| IOC Type | Example/Description | Relevance |
|---|---|---|
| Malicious Domain | Fake banking/phishing websites | Initial infection vector |
| SMS Phishing Link | URLs sent via SMS referencing tax returns | Social engineering |
| Malicious PWA | Progressive web apps mimicking bank apps | Credential theft |
| NGate APK | Malicious Android app leveraging NFCGate | NFC data exfiltration |
| NFCGate Tool | Open-source NFC relay tool | Abuse for card cloning |
| Ghost Tap Method | Technique for loading stolen cards into wallets | Large-scale fraud |
| Android Device Farms | Multiple devices with compromised card data | Automated payment fraud |


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Press. She is covering various cyber security incidents happening in the Cyber Space.
