Threat actors are increasingly banking on a new technique that uses near-field communication (NFC) to cash out victims' funds at scale.
The technique, codenamed Ghost Tap by ThreatFabric, lets cybercriminals cash out stolen credit card details linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic.
“Criminals can now abuse Google Pay and Apple Pay to transmit your tap-to-pay information worldwide in seconds,” Dutch security firm ThreatFabric said in a statement. “This means that even without your physical card or phone, they can make payments from your account anywhere in the world.”
These attacks typically work by tricking victims into installing mobile banking malware that captures their banking credentials and one-time passwords through an overlay attack or a keylogger. The scheme may also include a voice phishing component.
Once the card data is in hand, the attackers link the card to Google Pay or Apple Pay. To avoid having the card blocked by the issuer, the tap-to-pay information is then relayed to a money mule who makes the fraudulent in-store purchases.
This is achieved using a legitimate research tool called NFCGate, which can capture, analyze or modify NFC traffic. It can also relay NFC traffic between two devices through a server.
“One device works as a ‘reader’ that reads the NFC tag, the other emulates the NFC tag using Host Card Emulation (HCE),” say researchers from the Secure Mobile Networking Lab at TU Darmstadt.
While NFCGate has previously been abused by attackers to relay NFC data from victim devices to the attacker, as ESET documented in August 2024 with the NGate malware, the latest development marks the first time the tool is being misused to relay stolen card data for cash-out.
“Cybercriminals can establish a relay between the device with the stolen card and the PoS (point of sale) terminal at the retailer, remaining anonymous and performing cash-outs at scale,” ThreatFabric noted.
“A cybercriminal with a stolen card can be far from the location (even in another country) where the card will be used, and use the same card in multiple locations within a short period of time.”
This tactic has the added advantage of allowing gift cards to be purchased from offline retailers without the cybercriminals being physically present. Worse, it can be used to scale the fraud by enlisting multiple mules in different locations within a short period of time.
Ghost Tap attacks are harder to detect because the transactions appear to originate from the same device, thereby bypassing anti-fraud mechanisms. The device with the linked card can also be kept in airplane mode, which makes it difficult to determine its true location and to establish that it was not actually used to make the transaction at the PoS terminal.
“We suspect that the evolution of networks with increasing communication speed, together with the lack of proper time-based detection at ATM/POS terminals, has made these attacks possible, where the actual devices with the cards are physically far from the place where the transaction is performed (device is not present at PoS or ATM),” ThreatFabric noted.
“With the ability to scale quickly and operate anonymously, this cash-out method presents significant challenges for both financial institutions and retail businesses.”
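The two weaknesses ThreatFabric points at, the same token being tapped in distant locations within minutes and the absence of timing checks at the terminal, map onto two issuer-side signals. The following is an added example written for this page, not code from ThreatFabric, NFCGate or any payment network: it runs an impossible-travel check and a card-response-latency check over a constructed batch of authorization records. The record fields (`token`, `apdu_rtt_ms`, merchant coordinates), the 900 km/h speed ceiling and the 150 ms latency ceiling are illustrative assumptions; real thresholds would be tuned against a network's own baseline.

```python
"""Issuer-side checks against relayed tap-to-pay transactions (added example).

Two independent signals over a constructed batch of authorization records:
1. Impossible travel: the same device-bound token cannot be tapped at two
   terminals whose distance implies a travel speed beyond what is plausible.
2. Slow card response: a card relayed over a network answers the terminal's
   commands with the network round trip added on top of the card's own time.
Field names, thresholds and coordinates are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class AuthRecord:
    tx_id: str
    token: str          # device-bound payment token presented at the PoS (assumed field)
    ts: datetime        # terminal timestamp, UTC
    lat: float          # merchant coordinates supplied by the acquirer (assumed field)
    lon: float
    apdu_rtt_ms: float  # slowest terminal->card command round trip (assumed field)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def flag_impossible_travel(records, max_speed_kmh=900.0):
    """tx_ids whose implied speed from the previous tap on the same token
    exceeds max_speed_kmh (assumption: roughly airliner speed)."""
    by_token = {}
    for r in sorted(records, key=lambda r: r.ts):
        by_token.setdefault(r.token, []).append(r)
    flagged = []
    for taps in by_token.values():
        for prev, cur in zip(taps, taps[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist == 0.0:
                continue  # same terminal again; velocity is not the signal here
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            if hours <= 0 or dist / hours > max_speed_kmh:
                flagged.append(cur.tx_id)
    return flagged


def flag_slow_card_responses(records, max_rtt_ms=150.0):
    """tx_ids where the card answered slower than a card held at the reader
    would (assumption: 150 ms ceiling; a network relay adds its own round trip)."""
    return [r.tx_id for r in records if r.apdu_rtt_ms > max_rtt_ms]


def score_batch(records):
    """Per-transaction list of triggered signals, empty when clean."""
    travel = set(flag_impossible_travel(records))
    slow = set(flag_slow_card_responses(records))
    verdicts = {}
    for r in records:
        reasons = []
        if r.tx_id in travel:
            reasons.append("impossible_travel")
        if r.tx_id in slow:
            reasons.append("slow_card_response")
        verdicts[r.tx_id] = reasons
    return verdicts


T0 = datetime(2024, 11, 20, 10, 0, 0)
# Constructed records, not real transaction data. tok-A: the cardholder taps in
# Amsterdam, then mules tap the relayed token in Berlin and Paris minutes apart.
# tok-B: an ordinary cardholder taps in Amsterdam and an hour later in Utrecht.
SAMPLE_BATCH = [
    AuthRecord("tx-001", "tok-A", T0, 52.3676, 4.9041, 38.0),
    AuthRecord("tx-002", "tok-A", T0 + timedelta(minutes=20), 52.5200, 13.4050, 410.0),
    AuthRecord("tx-003", "tok-A", T0 + timedelta(minutes=25), 48.8566, 2.3522, 395.0),
    AuthRecord("tx-004", "tok-B", T0, 52.3676, 4.9041, 41.0),
    AuthRecord("tx-005", "tok-B", T0 + timedelta(hours=1), 52.0907, 5.1214, 36.0),
]

if __name__ == "__main__":
    for tx_id, reasons in score_batch(SAMPLE_BATCH).items():
        print(tx_id, "clean" if not reasons else ", ".join(reasons))
```

The velocity check is what catches Ghost Tap's "same card, many cities, few minutes" pattern even when the transactions look like they come from one device; the latency check is the terminal-side timing control ThreatFabric says is missing, and it works because a relay cannot remove the network round trip from the card's response time. Neither signal depends on knowing where the phone holding the token actually is, which matters because that phone can sit in airplane mode.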