Threat actors are scaling the cash-outs

Cash-out tactics of fraudsters are of particular interest for financial institutions for obvious reasons – the ability to detect anomaly in the flow of the customer assets that is matching the known cash-out tactic allows to protect unsuspecting customer’s assets as well as detect money laundering schemes as a part of anti-fraud compliance.

Knowing that, fraudsters are always on the lookout for the new ways to cash-out the stolen funds, both to avoid detection based on the transactions monitoring as well as to ensure the stability and scalability of the cash-out process, staying anonymous while easily finding new mules.

During our recent investigations, ThreatFabric analysts came across a new cash-out tactic being actively used by the threat actors as well as promoted on underground forums. This report is dedicated to explaining this new tactic we called "Ghost Tap" used by threat actors to cash-out money having stolen credit card details linked to mobile payment services like Google Pay or Apple Pay and involving relaying of NFC traffic.

New tactic in cash-out: Relaying NFC traffic

During the investigation, ThreatFabric analysts came across a post on one of the underground forums where a user was stating that they are able to “send my apple pay /google pay card from my phone to your phone for NFC operation”. Another user was mentioning that “There are also other people who offer a similar method, … transactions are made using the phone's built-in NFC reader”.

A post on underground forum

In these cases, the actors were referring to some way to cash-out money from stolen cards that were linked to mobile payment systems like Apple Pay or Google Pay. To link the card to a new device with Apple Pay or Google Pay, the cybercriminals would need to obtain OTP from the bank (likely sent via SMS). The most plausible scenarios for that are:

1. Victim has a mobile banking malware installed on the device. Credit card details are stolen with the help of overlay attack or keylogging capabilities. OTP code can be further intercepted by the malware (from SMS or push-notification) and sent to attackers successfully confirming the link of the card to mobile payment system.
2. Victim submits the credentials of the card on the phishing website, which further requests OTP (thus, again giving the attackers all the necessary details).

At this point the cybercriminals have the stolen card linked to their device, which they can further use and spend rather significant amounts at offline retailers.

However, it obviously poses significant risk for the actors – if they use the device with the stolen card directly, law enforcement can further identify them during the investigation after the report of the owner of the card. Moreover, if the actors are to “process” significant number of cards, they are unable to do it quickly, meanwhile increasing the risk of the cards being blocked by the issuer. This raises a challenge in front of the actors to scale the cash-out as well as remain anonymous during this final stage of the fraud execution.

Ghost Tap Concept

Cybercriminals are increasingly leveraging legitimate research tools for malicious purposes. A prime example is NFCGate, developed at TU Darmstadt, which was originally designed for research purposes but has been weaponized by threat actors. Notably, the NFSkate malware family is also based on this project, highlighting the growing trend of malicious actors exploiting academic research for illicit gains.

This time cybercriminals found another application of this tool: cashing-out the money. Cybercriminals can establish a relay between a device with stolen card and POS terminal at a retailer, staying anonymous and performing cash-outs on a larger scale. The cybercriminal with stolen card can be far away from the location (even different country) where the card will be used as well as use the same card in multiple locations within short period of time.

In the following explanation we use “Attacker” referring to the cybercriminal possessing the stolen card details and the device with enrolled stolen card and “Mule” as a person that interacts with POS and buys goods at offline retailers.

The prerequisites for the tactic to be executed are rather simple: a mobile device with NFC with stolen card linked to mobile payment system (could be iOS or Android device), two devices with NFCGate installed and a server that is setup to relay the traffic.

The list does not include any expensive or closed proprietary resources, everything can be easily obtained by the cybercriminals acting as attackers and, more importantly, easily obtained by the criminals acting as mules as no specific knowledge/skills are needed.

This approach allows the cybercriminals having the ability to link cards to mobile payment services to:

• Buy goods (i.e. gift cards) at offline retailers while staying anonymous and being far away from the location of the store.
• Scale the fraud execution by enabling multiple mules at different locations to buy goods within short period of time.

The following picture shows the scheme of interactions:

NFC-based attacks become popular

As it was mentioned previously in the blog, cybercriminals pay more and more attention to NFC-based attacks. Mobile malware like NFSkate, attacks with NFCGate-based tools on physical cards, relaying NFC traffic between device with linked stolen card and “mule” at POS – all these are recent examples of rising interest of cybercriminals to such attacks.

We suspect that the evolution of networks with increasing speed of communication together with a lack of proper time-based detection on ATM/POS terminals made these attacks possible, where the actual devices with cards are physically located far away from the place where transaction is performed (device is not present at POS or ATM).

Without further introduction of detection mechanisms on the side on NFC readers (ATM and POS should detect latency during the transaction and detect the actual device interacting with the reader), mobile payment services (detecting suspicious inconsistency of device location and payment location) these attacks might become even more popular amongst cybercriminals.

Spotting fraudulent cash-outs

The new tactic for cash-outs poses a challenge for financial organisations: the ability of cybercriminals to scale the fraudulent offline purchases, making multiple small payments in different places, might not trigger the anti-fraud mechanisms and might allow cybercriminals to successfully buy goods that can be further re-sold (like gift cards). The challenge  to detect Ghost Tap arises because of the several reasons:

• The transactions appear to come from the same device (no suspicious multiple new devices with linked card, no signs of other devices involved)
• The amounts spent with one transaction can be rather low, below certain threshold, while the total sum spent during short time might be significant
• The device with linked card might be put in “airplane” mode, making it more complicated to identify the location of the actual device with the card and detecting the fact that it is not actually present at the POS terminal.

However, awareness about the new tactic allows the financial organisations to adopt the anti-fraud mechanisms to detect suspicious events in customer’s behaviour. Such events include:

• Card linked to a new device (paired with mobile malware detected on the known customer’s device becomes a strong indicator of fraud)
• Multiple transactions performed in the locations that are unreachable within a timeframe between transactions (impossible travel time).

Since these Ghost Tap fraudulent cash-outs are in fact the final step of fraud execution, it is important to prevent (or be prepared) to the possibility of the fraud itself. Malicious/unusual behaviour detected on customer’s device (that could potentially be the reason of credit card details theft) can further increase the risk of the fraudulent events with customer account – card linked to a new device, transactions performed with this newly linked device, etc. – thus, providing the effective tool to prevent fraudulent transactions with NFC relay.

Conclusion

The growing focus on NFC-based attacks highlights a concerning trend in financial cybercrime, as more and more malicious actors recognise the potential of NFC relay techniques for fraudulent activity and cash-out schemes. This newly discovered approach Ghost Tap leverages publicly available technology, making it accessible to a wider range of cybercriminals without requiring expensive or specialised resources. With the ability to scale rapidly and operate under a cloak of anonymity, this cash-out method presents significant challenges for financial institutions and retail establishments alike. Detecting and mitigating such fraud will require advanced detection models, robust security measures, and collaboration within the industry to keep pace with this emerging threat and protect customer assets effectively.