Ghost Tap: How Phishers Stamp Stolen Cards Through Apple and Google Pay

Cloned Boy

Contents of the article
  • Carding 2.0
  • Ghost Tap
  • Advanced Phishing Techniques
  • Profit
  • Counterattack

Carding — the dark craft of stealing, selling and pumping stolen payment cards — has been the domain of Russian hackers for years. The mass transition of the US to chip cards has cut this business off at the roots. But Chinese cybercriminals are not asleep: their new schemes are giving the industry a second wind. Now stolen card data is being transformed into mobile wallets, which can be used for shopping not only online, but also in regular stores.

From the editors

We decided to start introducing readers to the best world research as an experiment. Below is a retelling of a post from Brian Krebs' blog, close to the text. This publication is available without a paid subscription.

Almost every American has received at least one phishing message in the last couple of years. Either the US Post Office urgently demands additional payment for delivery, or a “local toll road operator” threatens a fine for unpaid travel.

These messages are sent using advanced phishing kits peddled by cybercriminals in mainland China. But these aren’t standard SMS smishing messages — they bypass mobile networks altogether. Instead, the attacks are carried out via iMessage on iPhones and RCS on Android.

Phishing Kits for Sale


If the victim enters card details on such a fake site, they are told that the bank wants to verify a tiny payment by sending a one-time code. In fact, the code is sent for a different reason: the bank is confirming that the card is being linked to a mobile wallet. In other words, the victim hands the scammers the keys to their safe with their own hands.

If the victim is taken in and enters the code, the phishers instantly link the card to a new Apple or Google mobile wallet, which they then download to their device. Now they have a fully functional digital copy of the card, ready for shopping.

Carding 2.0

Ford Merrill, a security specialist at SecAlliance (a subsidiary of CSIS Security Group), has been digging into the topic of Chinese “smichers” for a long time and watching their evolution. Interesting fact: most of these groups post training videos on their Telegram channels, where they show in detail how to load a bunch of stolen digital wallets onto one phone. Then these “charged” smartphones are sold wholesale for several hundred bucks apiece.

"Who said carding is dead?" Merrill asks. "This is the best magnetic strip cloner ever! Sellers require a minimum of ten phones per customer, and are willing to ship them via air freight."

In one of the promotional videos, you can see whole stacks of boxes filled with phones for sale. If you look closely, each device has a sticker with scribbles: the date the wallets were loaded, their number, and the seller's initials. A real carding conveyor in action.

Phones with charged wallets


Merrill says Chinese carders cash out stolen mobile wallets through fake online stores registered with Stripe or Zelle. The scheme is simple: they run transactions of $100 to $500, and the money flows smoothly into their pockets.

Merrill notes that when these phishing gangs first started operating a couple of years ago, they would wait 60 to 90 days before dumping phones or using them in scams. Now, the time frame has been compressed to a week or two — the volume is growing, and no one wants to wait.

"These guys were playing for the long haul at first," Merrill says. "Now it's different: Ten days at most, and the wallets start getting pumped hard."

Ghost Tap

Another way to cash out is through real POS terminals. Fraudsters simply tap stolen mobile wallets at Tap to Pay terminals, one after another. But there’s something even more interesting: Merrill found out that one of the Chinese phishing gangs is pushing an Android app called ZNFC. This app can relay legitimate NFC transactions anywhere in the world. All a mule has to do is hold their phone up to a local terminal that accepts Apple Pay or Google Pay, and the app relays the payment over the Internet from a device located elsewhere, for example in China (there’s a video demonstrating it).

“The software works from anywhere,” Merrill explains. “For $500 a month, they sell access to a program that can relay both NFC payments and any digital wallet. And yes, they even have 24/7 tech support!”

The emergence of mobile software for the so-called ghost tap was first recorded by ThreatFabric experts in November 2024. According to the company's commercial director Andy Chandler, since then their analysts have discovered that a number of criminal groups from different parts of the world have picked up this scheme.

Chandler notes that new players include organized crime groups from Europe. They use similar attacks on mobile wallets and NFC, but they target ATMs that support cash withdrawals from smartphones.

“Nobody talks about it, but we’ve counted 10 different schemes that operate on the same principle, and each one is unique in its own way,” Chandler says. “The scale is much larger than the banks are willing to admit.”

In November 2024, The Straits Times in Singapore reported the arrest of three foreign nationals who were recruited through social media, given “ghost” tap apps and sent on a shopping spree to buy expensive goods.

Since November 4, at least ten victims of the scammers have reported unauthorized transactions worth more than $100,000. The money was spent on iPhones, chargers and jewelry in Singapore, The Straits Times reported. In another case involving a similar scheme, police arrested a Malaysian couple on November 8.

Arrest of criminals in Singapore


Advanced Phishing Techniques

According to Merrill, the fake pages of the US Post Office and toll road operators are equipped with a number of clever innovations designed to squeeze the maximum amount of data out of the victim.

For example, the victim may start entering their personal and financial data, but at the last moment suspect a trick and change their mind. However, this will not save them - everything they type in the form fields is leaked to the scammers in real time, even if they never press the coveted "Send" button.

Merrill notes that after entering the card details, the victim is often shown a message that the payment failed and is asked to try another card. This trick often allows scammers to steal not one, but several mobile wallets from one person.

Usually, phishing sites store stolen data on the site itself, which is why it can be exposed along with the domain. But the Chinese operations work differently: all the information is immediately forwarded to a backend controlled by the sellers of the phishing kits themselves. So, even if one of the sites is taken down for fraud, the stolen data remains safe and sound.

Another trick is the mass generation of Apple and Google accounts, through which the scammers send out their spam messages. In one of the Telegram channels, Chinese phishers even posted a photo of their “farming” setup: dozens of phones filled with bot accounts, neatly arranged on a multi-tiered stand, and opposite is the operator of this entire phishing factory.

Phishing is in full swing

These phishing sites are staffed by live operators who work each victim while new messages are being sent out. According to Merrill, the scammers only send a few dozen messages at a time, because they then have to manually walk each victim through to the end. After all, one-time codes for linking cards to mobile wallets are only valid for a couple of minutes, so they need to act quickly.

An interesting detail: the fake postal and toll road sites do not open in a regular desktop browser at all. They load only if the visitor is detected as coming from a mobile device.

“It’s important for them that the victim logs in from a phone,” Merrill explains. “This way, they guarantee that the one-time code will be sent to the same device, and not to some other gadget. Plus, there’s less chance that the person will change their mind and leave. And to quickly pick up this code and activate the mobile wallet, you need a live operator.”

Merrill found another insidious upgrade in Chinese phishing kits — they automatically turn stolen card data into digital copies of the real thing. The system generates an image of the card with the correct design, corresponding to the victim's bank. As a result, linking a stolen card to Apple Pay becomes elementary — just scan the fake with your iPhone camera.

In the Telegram channel of one of the Chinese phishing groups, you can find an advertisement for their service, which clearly shows how stolen card data is transformed into realistic images of the cards themselves.

Phishing Kit Ad Shows How Data Is Turned Into A Card


"The phone doesn't know the difference between a real card and a picture," Merrill explains. "It just scans the picture into Apple Pay, which then says, 'OK, now confirm that this is your card,' and sends a one-time code."

Profit

How profitable are these mobile phishing operations? The best estimates so far come from other cybersecurity researchers who have long been tracking Chinese phishers and their advanced schemes.

In August 2023, Resecurity specialists uncovered a vulnerability in the platform of one of the popular Chinese phishing services. It accidentally opened access to the personal and financial data of victims. Researchers named this group Smishing Triad and found out that during its operation, it collected 108,044 payment cards through 31 phishing domains - an average of 3,485 cards per site.

In August 2024, security researcher Grant Smith spoke at DEFCON about how he came across the Smishing Triad after his wife was targeted by scammers posing as the U.S. Post Office. By finding another vulnerability in their phishing kit, Smith was able to see that 1,133 fake sites had processed 438,669 unique credit cards — an average of 387 cards per domain.

Merrill estimates that each card turned into a mobile wallet costs the victim between $100 and $500 in damages. In the year between Resecurity’s report and Smith’s DEFCON talk, researchers identified nearly 33,000 unique domains associated with Chinese smishers.

If we take the average of 1,935 cards per domain and the minimum loss of $250 per card, it turns out that this scheme brought in about $15 billion in fake transactions for the scammers over the course of a year.

Merrill is hesitant to reveal whether he has found new vulnerabilities in the phishing kits sold by Chinese groups. He noted that after the article was published, the scammers quickly patched up any holes they had exposed.

Counterattack

Contactless payments took off in the US after the pandemic, and banks rushed to simplify the process of linking cards to mobile wallets. As a result, a one-time code via SMS became the main method of identity verification - which, as it is now clear, played into the hands of fraudsters.

Experts are sure that banks' dependence on one-time codes when linking cards to mobile wallets is fueling a new wave of carding. Krebs on Security spoke with a top manager of a large European bank (the employee agreed to speak only on condition of anonymity - he was officially prohibited from commenting on the topic).

The delay between the theft of card data and its use in fraudulent schemes makes it very difficult for banks to find the root cause of leaks, the expert said. Many simply cannot connect phishing attacks with subsequent losses.

"That's why the industry was caught off guard," the expert says. "Many are perplexed: how is this even possible if we have already tokenized a process that was previously open? We have never seen such a scale of attacks and complaints from victims as we are now seeing with these phishers."

To enhance the security of linking cards to digital wallets, some banks in Europe and Asia require customers to first log into their banking app before adding a card to a device.

Combating the ghost tap threat may require updating POS terminals to detect when an NFC transaction is coming from a fake device. But experts doubt retailers will rush to replace their equipment before it reaches its end of life.

Of course, Apple and Google will also have to take responsibility — after all, their platforms are used for mass registration of bots that send out phishing spam. The companies can easily track devices that are suddenly linked to 7-10 mobile wallets of people from all over the world. In addition, they could recommend that banks switch to more reliable authentication methods when adding cards to wallets.
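As an added illustration of the detection heuristic described above (example code written for this retelling, not from Krebs' article or from Apple or Google), the function below scans wallet-provisioning events and flags any device that is linked to cards of many distinct cardholders from several billing regions within a short window. The event layout, field names, region codes and thresholds are all assumptions; the sample records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of wallet-provisioning events:
# (device_id, cardholder_id, billing_region, timestamp). The format is an
# assumption for this example, not a real wallet provider's log schema.
SAMPLE_EVENTS = [
    ("dev-A1", "holder-001", "US-CA", "2024-11-04T09:12:00"),
    ("dev-A1", "holder-002", "US-NY", "2024-11-04T09:40:00"),
    ("dev-A1", "holder-003", "US-TX", "2024-11-04T11:05:00"),
    ("dev-A1", "holder-004", "GB-LND", "2024-11-05T08:30:00"),
    ("dev-A1", "holder-005", "DE-BER", "2024-11-05T10:15:00"),
    ("dev-A1", "holder-006", "US-CA", "2024-11-05T14:50:00"),
    ("dev-A1", "holder-007", "US-FL", "2024-11-06T07:20:00"),
    ("dev-A1", "holder-008", "US-NY", "2024-11-06T09:00:00"),
    # A family phone: two cardholders, one region -> benign.
    ("dev-B2", "holder-101", "US-WA", "2024-11-04T12:00:00"),
    ("dev-B2", "holder-102", "US-WA", "2024-11-04T12:05:00"),
    # One person re-adding their own three cards after a reset -> benign.
    ("dev-C3", "holder-201", "FR-PAR", "2024-11-05T18:00:00"),
    ("dev-C3", "holder-201", "FR-PAR", "2024-11-05T18:02:00"),
    ("dev-C3", "holder-201", "FR-PAR", "2024-11-05T18:04:00"),
]

def parse_events(rows):
    """Turn raw tuples into (device, holder, region, datetime)."""
    return [(d, h, r, datetime.fromisoformat(t)) for d, h, r, t in rows]

def flag_suspicious_devices(events, min_wallets=7,
                            window=timedelta(days=3), min_regions=3):
    """Return {device_id: (distinct_holders, distinct_regions)} for every
    device that, inside some sliding window of length `window`, is linked to
    cards of at least `min_wallets` different cardholders spanning at least
    `min_regions` billing regions. Thresholds are assumptions."""
    by_device = defaultdict(list)
    for dev, holder, region, ts in events:
        by_device[dev].append((ts, holder, region))
    flagged = {}
    for dev, rows in by_device.items():
        rows.sort()          # oldest first, so the window can slide forward
        start, best = 0, None
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1   # drop events that fell out of the window
            win = rows[start:end + 1]
            holders = {h for _, h, _ in win}
            regions = {r for _, _, r in win}
            if len(holders) >= min_wallets and len(regions) >= min_regions:
                if best is None or len(holders) > best[0]:
                    best = (len(holders), len(regions))
        if best:
            flagged[dev] = best
    return flagged
```

Run against the constructed sample, only dev-A1 is flagged; a hit like this is a signal to hold further provisioning on that device and confirm the earlier links with the issuing banks, not proof of fraud on its own.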
