Apple & Google Wallets

Recent advances in cybercrime strategies are reviving the carding sector, with threat actors leveraging stolen credit card data to create fraudulent Apple Pay and Google Wallet accounts. 

Dubbed “Ghost Tap,” this new attack methodology uses Near Field Communication (NFC) relay techniques to enable large-scale, anonymous cash-outs at physical retailers. 

Security analysts warn that the tactic poses significant challenges for financial institutions and underscores vulnerabilities in mobile payment ecosystems.


KrebsOnSecurity reports that the Ghost Tap attacks begin with the compromise of payment card details and one-time passwords (OTPs), often obtained through phishing campaigns or mobile malware. 

Threat actors link stolen cards to mobile wallets on compromised devices, bypassing traditional fraud detection mechanisms. 

Unlike earlier carding methods reliant on cloned magnetic stripes, this approach exploits contactless payment infrastructure via NFC relay tools like NFCGate—a repurposed academic tool originally designed for testing NFC security.

Once a card is linked to a mobile wallet, attackers use a server to relay NFC signals between a “master” device (controlled by the attacker) and a “mule” at a point-of-sale (POS) terminal. 

The mule’s device interacts with the terminal, while the master device—often located in a different country—authenticates the transaction remotely.

This relay bypasses geographic limitations, allowing simultaneous fraudulent purchases across multiple locations.

Phishing Innovations and Scalability

Chinese cybercrime groups have refined phishing campaigns to optimize data extraction. 

Recent smishing (SMS phishing) kits impersonate entities like the U.S. Postal Service or toll operators, urging victims to resolve fake fees. 

These kits capture payment details in real time, even if users abandon the page before submission. Advanced groups also generate counterfeit card images, which are scanned into Apple Pay or Google Wallet to trigger OTP verification.

Picture from a Chinese phishing gang's Telegram channel, showing several toll-road phishing kits on offer.

Notably, the ZNFC Android app—sold for $500/month—enables global NFC relay attacks. Mules wave a device at a POS terminal, relaying transactions to a master device in China. 

This method eliminates the need for physical card clones and scales operations by distributing cash-outs among multiple mules.

Despite built-in protections like tokenization (Apple Pay) and virtual cards (Google Wallet), attackers exploit weak authentication protocols during card enrollment. 

Most financial institutions rely on SMS-based OTPs to verify mobile wallet linkages, which are easily intercepted by phishing or malware. Additionally, merchant adoption of 3-D Secure (3DS), a protocol for authenticating online transactions, remains inconsistent. 

Ghost Tap transactions often involve small amounts (e.g., $100–$500) spread across multiple retailers, evading threshold-based fraud alerts. 

A single compromised device can facilitate purchases at impossible travel speeds, e.g., transactions in New York and London within minutes. 

ThreatFabric estimates that attackers using these tactics could generate $15 billion annually, based on median losses of $250 per card across 33,000 phishing domains.

Mitigation Strategies

Enhanced Authentication: Banks should mandate app-based verification for wallet enrollment instead of SMS OTPs. Apple’s Device Account Number (DAN) and Google’s virtual cards must integrate multi-factor authentication.

Behavioral Analytics: Monitoring for geographic inconsistencies (e.g., transactions in unreachable locations) and rapid serial purchases can flag Ghost Tap activity.

POS Terminal Upgrades: Implementing latency checks during NFC transactions could detect relay delays. The EMVCo specification for “transaction timestamping” is under development but not yet widely adopted.

Phishing Education: Users must recognize red flags, such as unsolicited OTP requests. Google Pay and Apple Pay never initiate contact for verification.
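The behavioral-analytics and POS-latency items above describe three signals that can flag Ghost Tap activity: a wallet token used at locations it could not have reached in the elapsed time, a burst of purchases at different merchants within minutes, and an NFC round trip that is far slower than a card physically at the terminal. The following is an added illustration, not code from the article or from any bank, wallet or terminal vendor; the thresholds (1,000 km/h, more than three purchases in ten minutes, a 50 ms local round trip with a 4x relay factor), the `Tx` record, and the transaction sample are all constructed assumptions a real deployment would replace with its own baselines.

```python
"""Toy Ghost Tap detector (added example, not the article's code).

Three checks per wallet token: impossible travel between consecutive
transactions, rapid serial purchases across merchants, and NFC relay
latency. All thresholds and sample data are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0        # assumption: above any commercial flight
SERIAL_WINDOW = timedelta(minutes=10)
SERIAL_MAX_COUNT = 3              # assumption: >3 purchases in the window is suspicious
NFC_BASELINE_MS = 50.0            # assumption: local card-to-terminal round trip
NFC_RELAY_FACTOR = 4.0            # assumption: relayed traffic adds network RTT


@dataclass
class Tx:
    token: str          # wallet token / device account number (constructed)
    ts: datetime
    lat: float
    lon: float
    merchant: str
    amount: float
    nfc_rtt_ms: float   # terminal-measured command round trip


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(prev, cur):
    """True if the token moved faster than MAX_PLAUSIBLE_KMH since its last use."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    seconds = (cur.ts - prev.ts).total_seconds()
    if seconds <= 0:
        return dist > 1.0   # same second, different place (assumed 1 km tolerance)
    return dist / (seconds / 3600) > MAX_PLAUSIBLE_KMH


def rapid_serial(history, cur):
    """True if this purchase pushes the count inside SERIAL_WINDOW past the
    limit and the purchases span more than one merchant."""
    recent = [t for t in history if cur.ts - t.ts <= SERIAL_WINDOW]
    merchants = {t.merchant for t in recent} | {cur.merchant}
    return len(recent) + 1 > SERIAL_MAX_COUNT and len(merchants) > 1


def relay_latency(cur):
    """True if the NFC round trip is far above a physically present card."""
    return cur.nfc_rtt_ms > NFC_BASELINE_MS * NFC_RELAY_FACTOR


def detect(transactions):
    """Walk transactions in time order with per-token history; return a list
    of (tx, reasons) for every transaction that trips at least one check."""
    history = {}
    flagged = []
    for tx in sorted(transactions, key=lambda t: t.ts):
        seen = history.setdefault(tx.token, [])
        reasons = []
        if seen and impossible_travel(seen[-1], tx):
            reasons.append("impossible_travel")
        if rapid_serial(seen, tx):
            reasons.append("rapid_serial")
        if relay_latency(tx):
            reasons.append("relay_latency")
        if reasons:
            flagged.append((tx, reasons))
        seen.append(tx)
    return flagged


# Constructed sample: tok-A is used in New York, then in London five
# minutes later with slow NFC round trips; tok-B is a normal local purchase.
T0 = datetime(2025, 1, 15, 12, 0)
SAMPLE = [
    Tx("tok-A", T0, 40.7128, -74.0060, "NYC deli", 120.0, 42.0),
    Tx("tok-A", T0 + timedelta(minutes=5), 51.5074, -0.1278, "London electronics", 480.0, 310.0),
    Tx("tok-A", T0 + timedelta(minutes=7), 51.5100, -0.1300, "London pharmacy", 90.0, 295.0),
    Tx("tok-A", T0 + timedelta(minutes=9), 51.5090, -0.1250, "London grocer", 150.0, 280.0),
    Tx("tok-B", T0 + timedelta(hours=1), 34.0522, -118.2437, "LA coffee", 6.5, 38.0),
]

if __name__ == "__main__":
    for tx, reasons in detect(SAMPLE):
        print(f"{tx.token} {tx.ts:%H:%M} {tx.merchant:<20} ${tx.amount:>6.2f} {reasons}")
```

Run stand-alone it prints the three flagged tok-A purchases and nothing for tok-B. The checks are deliberately independent so each can be tuned or dropped: the latency check needs terminal-side timing that many deployed POS devices do not report, while the travel and velocity checks work on data the issuer already has.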

As Ghost Tap and similar NFC relay attacks gain traction, collaboration between financial institutions, payment networks, and device manufacturers is essential to curb losses. 

Proactive adoption of 3DS, coupled with AI-driven anomaly detection, could mitigate risks—but only if deployed before threat actors further refine their tactics.


Kaaviya
Kaaviya is a Security Editor and fellow reporter with Cyber Security News. She covers various cybersecurity incidents happening in cyberspace.