Full Report
Threat actors are increasingly banking on a new technique that leverages near-field communication (NFC) to cash out victims' funds at scale. The technique, codenamed Ghost Tap by ThreatFabric, enables cybercriminals to cash out money from stolen credit cards linked to mobile payment services such as Google Pay or Apple Pay by relaying NFC traffic. "Criminals can now misuse Google Pay and Apple
Analysis Summary
# Tool/Technique: Ghost Tap (NFC Relay Attack leveraging NFCGate)
## Overview
Ghost Tap is a novel cash-out technique discovered by ThreatFabric that leverages Near Field Communication (NFC) relay capabilities to fraudulently use stolen credit card details linked to mobile payment services (like Google Pay or Apple Pay) globally within seconds. It relies on relaying tap-to-pay information from the victim's device to an accomplice (mule) making physical purchases.
## Technical Details
- Type: Technique / Framework Misuse
- Platform: Mobile (Android, specifically targeting mobile payment services like Google Pay/Apple Pay)
- Capabilities: Real-time relaying and emulation of NFC traffic for fraudulent tap-to-pay transactions globally.
- First Seen: Details on the specific "Ghost Tap" campaign suggest recent activity, building upon prior NFC attacks documented around August 2024.
## MITRE ATT&CK Mapping
Since Ghost Tap is primarily a method for financial fraud execution and initial access/payment hijacking via mobile systems, relevant mappings focus on credential compromise leading to financial impact and the physical execution of payment fraud.
- **TA0001 - Initial Access** (If mobile malware is used to gain initial access/control)
- T1429 - Compromise Software Certification Authority (Relevant if underlying system elements are targeted, though less direct)
- **TA0002 - Execution** (Execution via overlay/keylogger/voice phishing to steal credentials)
- T1602 - Application Layer Protocol (If the malware interacts specifically with payment protocols, though keylogging is more common)
- **TA0005 - Defense Evasion** (Using legitimate tools for malicious purposes)
- T1070.002 - Indicator Removal: File Deletion/System Modification (If malware cleans up)
- **TA0011 - Command and Control** (Though not explicitly C2, the relay establishes an anomalous channel)
- **TA0040 - Impact** (The ultimate goal)
- T1561 - Impair Defenses (Related to bypassing issuer blocks)
*(Note: Specific ATT&CK mappings for relaying payment data via NFC emulation are often nuanced. T1561 relates to the goal of making successful payments under the radar.)*
## Functionality
### Core Capabilities
- Capturing tap-to-pay information remotely using stolen credentials linked to mobile wallets (Google Pay, Apple Pay).
- Relaying the captured NFC traffic in real-time via a server setup to an accomplice device (mule) located near a point-of-sale terminal.
- Emulating an NFC Tag using Host Card Emulation (HCE) on the mule's device to complete the payment transaction.
### Advanced Features
- Bypassing standard real-time fraud detection by distributing the action across multiple geographical locations and using a physical mule proxy.
- Leveraging the legitimate *NFCGate* framework for the relay functionality, masking malicious activity behind a known research tool.
- The precursor is often mobile banking malware that steals card credentials and One-Time Passwords (OTPs) via overlay attacks or keylogging; the stolen data is then used to link the victim's card to a mobile wallet.
## Indicators of Compromise
*Note: Specific IOCs for the Ghost Tap campaigns are generally associated with the precursor mobile malware or the C2 infrastructure used to manage the relay, rather than the relay tool itself.*
- File Hashes: [Not explicitly provided in text]
- File Names: [Not explicitly provided in text]
- Registry Keys: [Not explicitly provided in text]
- Network Indicators: [Not explicitly provided in text - C2 servers/domains would be used by the precursor malware]
- Behavioral Indicators: Simultaneous detection of activity initiating NFC emulation/transfer commands alongside successful unauthorized mobile payment authorizations at physically distant locations.
## Associated Threat Actors
- ThreatFabric attributes this technique to cybercriminals leveraging mobile banking malware ecosystems.
- Previously documented related activity (NGate malware) was associated with actors exploiting NFC capabilities prior to the "Ghost Tap" relay methodology refinement.
## Detection Methods
- Signature-based detection: [Requires signatures for the precursor mobile banking malware]
- Behavioral detection: Monitoring for unusual process behavior related to NFC traffic capture, modification, or external relaying applications running on victim devices. Monitoring for HCE emulation activity initiated by unauthorized applications.
- YARA rules: [Not explicitly provided in text]
## Mitigation Strategies
- **Prevention:** Strong user education against installing mobile banking malware (avoiding suspicious links, ensuring app source verification).
- **Hardening:** Utilizing strict application sandboxing and limiting NFC permission access for non-essential applications on Android/iOS devices. Security scanning of mobile devices for known banking Trojans.
- **Transaction Monitoring:** Enhanced monitoring by financial institutions for tap-to-pay transactions where the distance between the device compromise (if traceable) and the transaction location exceeds reasonable physical limits for immediate tap authorization.
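The behavioral indicator above (the same wallet token authorizing at physically distant locations) and the transaction-monitoring mitigation both reduce to an impossible-travel check on tap-to-pay authorizations. The following is an added example, not code from ThreatFabric or the summary; the token field, the speed and distance thresholds, and the sample transaction log are all constructed assumptions.

```python
# Added example: flag consecutive tap-to-pay authorizations on the same wallet
# token whose implied travel speed is physically impossible for one device.
# Thresholds and the sample log are constructed for illustration.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 900.0         # assumption: roughly commercial airliner speed
MIN_FLAG_DISTANCE_KM = 50.0   # assumption: ignore neighbouring stores / geo jitter

@dataclass(frozen=True)
class TapTxn:
    token: str        # wallet device token reference (constructed field name)
    ts: datetime      # authorization timestamp (UTC)
    lat: float
    lon: float
    merchant: str

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def flag_impossible_travel(txns, max_speed_kmh=MAX_SPEED_KMH):
    """Return (earlier, later, distance_km, implied_speed_kmh) for each pair of
    consecutive taps on the same token that exceed the speed limit."""
    alerts = []
    last_by_token = {}
    for t in sorted(txns, key=lambda x: x.ts):
        prev = last_by_token.get(t.token)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, t.lat, t.lon)
            hours = max((t.ts - prev.ts).total_seconds() / 3600.0, 1e-9)
            speed = dist / hours
            if dist >= MIN_FLAG_DISTANCE_KM and speed > max_speed_kmh:
                alerts.append((prev, t, round(dist, 1), round(speed, 1)))
        last_by_token[t.token] = t
    return alerts

# Constructed sample: tok-A1 taps in Amsterdam, then Madrid 12 minutes later
# (relay pattern); tok-B2 taps in Paris, then Amsterdam 8 hours later (plausible).
SAMPLE = [
    TapTxn("tok-A1", datetime(2024, 11, 20, 10, 0), 52.37, 4.90, "store-ams-01"),
    TapTxn("tok-A1", datetime(2024, 11, 20, 10, 12), 40.42, -3.70, "store-mad-07"),
    TapTxn("tok-B2", datetime(2024, 11, 20, 10, 5), 48.86, 2.35, "store-par-03"),
    TapTxn("tok-B2", datetime(2024, 11, 20, 18, 5), 52.37, 4.90, "store-ams-01"),
]

if __name__ == "__main__":
    for prev, cur, dist, speed in flag_impossible_travel(SAMPLE):
        print(f"{cur.token}: {prev.merchant} -> {cur.merchant}, {dist} km at {speed} km/h")
```

An issuer-side check like this complements device-side detection, since the relay itself leaves no trace at the merchant terminal.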
## Related Tools/Techniques
- **NGate Malware:** Previously documented Android malware that utilized NFC capabilities, suggesting an evolutionary path towards the Ghost Tap relay technique.
- **NFCGate:** The legitimate research tool being misused to capture, relay, and emulate NFC traffic.
- **Overlay Attacks / Keyloggers:** Malware techniques used as the initial step to steal banking credentials needed to provision the card onto the mobile wallet.