Ghost Tap: NFC-Based Theft Targets Apple Pay and Google Pay
Cybercriminals have developed a new method to cash out stolen bank card data by linking it to mobile wallets such as Apple Pay and Google Pay. The attack, dubbed Ghost Tap, relays the wallet's NFC tap-to-pay traffic to a global network of money mules, who make purchases in physical stores with the relayed card.
How the Ghost Tap Attack Works
Researchers at Threat Fabric discovered Ghost Tap after noticing a post on a hacker forum where a user claimed they could “send their Apple Pay/Google Pay card from their phone to another phone for NFC transactions.” Another user mentioned that “others offer similar methods, and transactions are made using the phone’s built-in NFC reader.”
This method is similar to the NGate malware that ESET reported on earlier this year. NGate also abuses NFC, letting criminals emulate victims' cards to make unauthorized payments and withdraw cash from ATMs.
Step-by-Step Breakdown of the Attack
- Card Data Theft: The first step is stealing bank card data and intercepting the one-time passwords (OTPs) that the issuing bank sends to confirm enrolling the card in Apple Pay or Google Pay.
- Methods of Theft: Card data can be stolen with banking malware that displays overlays mimicking legitimate banking or payment apps, with phishing pages, or with keyloggers. OTPs are intercepted through social engineering or through malware that reads SMS messages on the infected device; voice phishing (vishing) is also used.
- Card Linking and Relay: With the card data and OTP in hand, the criminals enroll the card in Google Pay or Apple Pay on a device they control. Rather than spending with that device themselves, which would quickly get the card noticed and blocked, they relay its tap-to-pay NFC traffic to a large network of money mules, who make the fraudulent purchases in stores.
Tools and Techniques Used
The attackers use NFCGate, a legitimate open-source NFC research tool that the NGate malware had already abused. NFCGate can capture, analyze and modify NFC traffic and relay it between two Android devices: one acts as the reader, while the other presents itself to a terminal as the card using Host Card Emulation (HCE).
In Ghost Tap, NFCGate relays the card traffic through a server that distributes it to the mule network. Each mule taps their own phone at a retail point-of-sale terminal; the phone's NFC chip presents the relayed card, so the purchase completes against a wallet that physically sits on the operator's device somewhere else. This makes it much harder to trace the operators behind the scheme.
According to experts, “Cybercriminals can set up a relay between a device with a stolen card and a point-of-sale terminal in a retail store, maintaining anonymity and cashing out on a large scale. The criminal with the stolen card can be far from where it’s used (even in another country) and can use the same card in multiple places within a short time.”
Differences from Previous Attacks
With NGate, criminals were limited to small contactless payments, or they withdrew the stolen funds directly from ATMs, which occasionally led to arrests. Ghost Tap operators avoid that risk by not cashing out at ATMs at all: in this scheme only the mules are exposed. To avoid being tracked, mules often put their device in airplane mode, which switches off the cellular radio but leaves NFC working.
Challenges for Financial Institutions
Threat Fabric warns that it may be difficult for financial institutions to prevent this type of fraud, because each transaction looks legitimate: it is a card-present tap from a genuinely enrolled wallet, so the same card appears to be used from a single device in many different locations. Many banks' anti-fraud systems flag purchases in unusual locations (for example during international travel), but numerous small payments spread across many merchants may pass unnoticed. This lets the criminals buy goods that are easy to resell, such as gift cards.
How to Detect and Prevent Ghost Tap
Researchers believe the only effective defense against Ghost Tap is to detect transactions made with the same card in locations that could not be physically reached in the time between the payments (an "impossible travel" or velocity check). For example, if one transaction occurs in New York and the next is made just 10 minutes later in Cyprus, that should raise a red flag.
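The following is an added example, not code from the original article or from Threat Fabric. It implements the impossible-travel check this section describes, and adds a tap-count check for the "many small payments" case raised in the previous section, so that a burst of low-value taps on one card is visible even when no single amount is suspicious. The transaction records are constructed sample data; the 900 km/h speed ceiling, the 45-minute window, and the `Tx` record layout are assumptions, not a real issuer's rules.

```python
"""Impossible-travel and tap-velocity checks over tap-to-pay transactions.

Added example (not from the report or any bank's anti-fraud system). The
speed ceiling, window length and record layout are assumed values.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0                 # assumed: faster than any scheduled flight
BURST_WINDOW = timedelta(minutes=45)  # assumed window for counting taps


@dataclass(frozen=True)
class Tx:
    token: str       # wallet payment token (device card alias), not the PAN
    ts: datetime     # authorization time (UTC)
    lat: float       # merchant / terminal location
    lon: float
    amount: float
    merchant: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def required_speed_kmh(prev: Tx, cur: Tx) -> float:
    """Speed the cardholder would have needed to get from prev to cur."""
    dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
    hours = (cur.ts - prev.ts).total_seconds() / 3600.0
    if hours <= 0:
        # Same timestamp (or out of order): any non-zero distance is impossible.
        return float("inf") if dist > 0 else 0.0
    return dist / hours


def by_token(txs):
    """Group transactions per token, each group sorted by time."""
    groups = {}
    for tx in sorted(txs, key=lambda t: t.ts):
        groups.setdefault(tx.token, []).append(tx)
    return groups


def impossible_travel(txs, max_speed_kmh=MAX_SPEED_KMH):
    """Return (prev, cur, speed) for every consecutive same-token pair that
    would require moving faster than max_speed_kmh."""
    alerts = []
    for seq in by_token(txs).values():
        for prev, cur in zip(seq, seq[1:]):
            speed = required_speed_kmh(prev, cur)
            if speed > max_speed_kmh:
                alerts.append((prev, cur, speed))
    return alerts


def max_taps_in_window(txs, window=BURST_WINDOW):
    """Per token, the largest number of taps inside any sliding window of the
    given length. Many small payments never trip a per-amount threshold, so
    count them instead."""
    result = {}
    for token, seq in by_token(txs).items():
        best = 0
        for i, anchor in enumerate(seq):
            n = sum(1 for t in seq[i:] if t.ts - anchor.ts < window)
            best = max(best, n)
        result[token] = best
    return result


def describe(alert) -> str:
    prev, cur, speed = alert
    minutes = (cur.ts - prev.ts).total_seconds() / 60
    return (f"{cur.token}: {prev.merchant} -> {cur.merchant}, "
            f"{minutes:.0f} min apart, needs {speed:,.0f} km/h")


# Constructed sample data: token A is relayed to mules in three countries
# within half an hour; token B is a real cardholder moving around New York.
T0 = datetime(2024, 11, 20, 12, 0)
SAMPLE_TXS = [
    Tx("tok-A", T0,                         40.7128, -74.0060, 25.0, "Gift cards, New York"),
    Tx("tok-A", T0 + timedelta(minutes=10), 34.9167,  33.6333, 25.0, "Gift cards, Larnaca"),
    Tx("tok-A", T0 + timedelta(minutes=30), 52.5200,  13.4050, 25.0, "Electronics, Berlin"),
    Tx("tok-B", T0,                         40.7128, -74.0060, 12.5, "Coffee, New York"),
    Tx("tok-B", T0 + timedelta(hours=1),    40.7357, -74.1724, 40.0, "Grocery, Newark"),
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_TXS):
        print("ALERT", describe(alert))
    print("max taps per 45 min:", max_taps_in_window(SAMPLE_TXS))
```

Running the script flags both hops of token A (New York to Larnaca ten minutes apart, then Larnaca to Berlin) while the legitimate New York to Newark pair stays quiet. Keying on the wallet token rather than the PAN matters here: the relayed taps all carry the same token, which is exactly what links them across merchants and countries.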