A threat actor has advertised the ability to remotely exploit the NFC capabilities of a victim's phone to initiate unauthorized Apple Pay or Google Pay transactions, most likely through a remote code execution attack or social engineering.
Cybercriminals exploit mobile banking malware or phishing attacks to steal credit card details and OTPs, enabling them to link stolen cards to mobile payment systems like Apple Pay or Google Pay, facilitating unauthorized transactions.
They can use stolen card data to make offline purchases, but direct use increases the risk of identification by law enforcement during investigations initiated by the card owner.
Threat actors are using NFCGate to relay NFC traffic between attackers and mules, enabling scalable and anonymous cash-out of stolen card funds, reducing the risk that the card is blocked and increasing the efficiency of fraud operations.
Weaponizing legitimate research tools such as NFCGate for malicious activity, for example enabling remote cash-outs by establishing a relay between stolen cards and POS terminals, allows attackers to operate anonymously and conduct large-scale fraudulent transactions.
The attack involves an attacker using a device with stolen card details and NFCGate to relay transactions through a server, enabling a mule to purchase goods with a physical POS terminal.
They leverage mobile payment services to anonymously purchase goods remotely, enabling large-scale fraud operations by deploying multiple mules across various locations to simultaneously acquire goods within short timeframes.
According to Threat Fabric, by exploiting NFC vulnerabilities and leveraging network speed and weak ATM/POS security, they can initiate transactions remotely and bypass the physical proximity requirement; this enables attacks such as NFCGate and NFSkate, in which devices holding stolen cards are used to authorize transactions at distant locations.
NFC skimming attacks, facilitated by relay attacks, are becoming more prevalent due to the lack of robust detection mechanisms on NFC readers and mobile payment services, which allows attackers to intercept and steal sensitive payment data without physical proximity to the victim or the reader.
Cybercriminals exploit the limitations of anti-fraud systems by making multiple small, legitimate-appearing transactions from a single device, often in airplane mode, to bypass detection and facilitate the purchase of high-value goods for resale.
Financial institutions can proactively combat Ghost Tap fraud by detecting suspicious device behavior, such as new device pairings with malware-infected devices or geographically impossible transaction sequences, to prevent unauthorized NFC transactions and mitigate financial losses.
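The detection ideas above (impossible travel between consecutive taps on one card, bursts of small sub-limit purchases from one device, and a first pairing of a card with a device already known to be infected), as an added worked example. This Python is not Threat Fabric's code nor any issuer's production rules; it assumes a constructed authorization feed in which each event carries a wallet device fingerprint and terminal coordinates, and every threshold, coordinate and "infected device" value is a made-up illustration.

```python
"""Defender-side heuristics for the Ghost Tap cash-out pattern described above.

Added illustration, not Threat Fabric's detection logic. The event fields,
thresholds, coordinates and the set of "known-infected device fingerprints"
are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Txn:
    token: str       # tokenised card as provisioned into the mobile wallet
    device: str      # wallet device fingerprint (assumed to be visible to the issuer)
    ts: datetime     # authorization time (UTC)
    lat: float       # terminal location, as reported by the acquirer (assumed)
    lon: float
    amount: float    # transaction value, single currency


# Illustrative thresholds; an issuer would tune these on its own traffic.
MAX_SPEED_KMH = 900.0                 # faster than an airliner: the card cannot have travelled
VELOCITY_WINDOW = timedelta(minutes=15)
VELOCITY_COUNT = 4                    # this many sub-limit taps inside the window is suspicious
SMALL_AMOUNT = 50.0                   # "legitimate-appearing" purchases below a cardholder-verification limit


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates, in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(txns: list[Txn]) -> list[tuple[Txn, Txn, float]]:
    """Consecutive authorizations on one token whose implied speed is not physically possible.

    A relayed card appears at whichever terminal the mule is standing at, so two
    taps minutes apart in different cities is the signature to look for.
    """
    hits = []
    by_token: dict[str, list[Txn]] = {}
    for t in txns:
        by_token.setdefault(t.token, []).append(t)
    for seq in by_token.values():
        seq.sort(key=lambda t: t.ts)
        for a, b in zip(seq, seq[1:]):
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.ts - a.ts).total_seconds() / 3600
            # Same-second taps at two different terminals are the degenerate relay case.
            speed = dist / hours if hours > 0 else (float("inf") if dist > 0.1 else 0.0)
            if speed > MAX_SPEED_KMH:
                hits.append((a, b, speed))
    return hits


def small_transaction_velocity(txns: list[Txn]) -> set[str]:
    """Devices making VELOCITY_COUNT or more sub-limit purchases inside VELOCITY_WINDOW."""
    flagged = set()
    by_device: dict[str, list[datetime]] = {}
    for t in txns:
        if t.amount < SMALL_AMOUNT:
            by_device.setdefault(t.device, []).append(t.ts)
    for device, stamps in by_device.items():
        stamps.sort()
        for i, start in enumerate(stamps):
            in_window = sum(1 for s in stamps[i:] if s - start <= VELOCITY_WINDOW)
            if in_window >= VELOCITY_COUNT:
                flagged.add(device)
                break
    return flagged


def suspicious_new_pairings(txns: list[Txn], known_pairs: set[tuple[str, str]],
                            infected: set[str]) -> set[tuple[str, str]]:
    """First use of a token on a device already known to carry relay malware."""
    return {(t.token, t.device) for t in txns
            if (t.token, t.device) not in known_pairs and t.device in infected}


# --- Constructed sample feed (not real transaction data) ---
T0 = datetime(2024, 1, 1, 12, 0)
BERLIN, MADRID = (52.52, 13.405), (40.4168, -3.7038)
PARIS, LONDON, ROME = (48.8566, 2.3522), (51.5074, -0.1278), (41.9028, 12.4964)
SAMPLE = [
    Txn("tok-A", "dev-A", T0, *BERLIN, 25.0),
    Txn("tok-A", "dev-A", T0 + timedelta(minutes=10), *MADRID, 30.0),  # ~1870 km in 10 min
    *[Txn("tok-B", "dev-B", T0 + timedelta(minutes=2 * i), *PARIS, 40.0) for i in range(5)],
    Txn("tok-C", "dev-C", T0, *PARIS, 45.0),                            # first use on infected device
    Txn("tok-D", "dev-D", T0, *LONDON, 120.0),
    Txn("tok-D", "dev-D", T0 + timedelta(days=1), *ROME, 80.0),         # ordinary travel, no flag
]
KNOWN_PAIRS = {("tok-A", "dev-A"), ("tok-B", "dev-B"), ("tok-D", "dev-D")}
INFECTED_DEVICES = {"dev-C"}  # constructed: fingerprints tied to a confirmed relay-malware infection


def run_sample() -> dict:
    """Run all three rules over the constructed feed and summarise what each flags."""
    return {
        "impossible_travel": [(a.token, round(speed)) for a, _, speed in impossible_travel(SAMPLE)],
        "velocity": sorted(small_transaction_velocity(SAMPLE)),
        "new_pairings": sorted(suspicious_new_pairings(SAMPLE, KNOWN_PAIRS, INFECTED_DEVICES)),
    }


if __name__ == "__main__":
    for rule, result in run_sample().items():
        print(f"{rule}: {result}")
```

Each rule is deliberately independent so that a hit on one can raise the risk score of the others: a device that both appears in an impossible-travel pair and is on a small-purchase burst is a far stronger relay signal than either alone, and the infected-device pairing check is the only one that can fire before the first fraudulent tap.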
NFC relay attacks, such as Ghost Tap, enable cybercriminals to remotely initiate NFC transactions, bypassing traditional security measures, which poses a serious threat to financial institutions and retailers as it allows attackers to steal sensitive payment information and execute unauthorized transactions.