Full Report
Carding -- the underground business of stealing, selling and swiping stolen payment card data -- has long been the dominion of Russia-based hackers. Happily, the broad deployment of more secure chip-based payment cards in the United States has weakened the carding market. But a flurry of innovation from cybercrime groups in China is breathing new life into the carding industry, by turning phished card data into mobile wallets that can be used online and at main street stores.
Analysis Summary
# Threat Actor: China-based Cybercrime Groups (Evolving Carding Entities)
## Attribution & Identity
The threat landscape around payment card fraud ("carding") is shifting from Russia-based hackers to **cybercrime groups based in mainland China**. These groups are innovating by using phishing to turn stolen card data into usable mobile wallets. No specific named threat actor group is formally attributed, but the activity centers around vendors selling sophisticated phishing kits via Telegram.
## Activity Summary
These groups are reinventing carding by:
1. Distributing sophisticated phishing kits that spoof legitimate entities (e.g., **U.S. Postal Service**, local toll road operators).
2. Bypassing traditional SMS smishing by utilizing **Apple iMessage** and **RCS** for message delivery.
3. Harvesting payment card data and One-Time Passwords (OTPs) needed for mobile wallet provisioning.
4. Loading multiple stolen digital wallets onto single mobile devices.
5. Selling these pre-loaded phones in bulk (for hundreds of dollars apiece) or using them directly for cash-out operations.
6. Speeding up operations: The time between data theft and fraud has decreased from 60-90 days to just 7-10 days.
7. Cashing out via fake e-commerce businesses on platforms like **Stripe** or **Zelle** for small initial transactions ($100–$500).
## Tactics, Techniques & Procedures
- **Phishing/Smishing:** Using sophisticated kits sold on Telegram to acquire card data and OTPs.
- **Message Delivery:** Bypassing standard SMS networks by sending phishing messages via **Apple iMessage** and **RCS**.
- **Mobile Wallet Takeover:** Using harvested OTPs to link stolen card details to mobile wallets (Apple Pay/Google Pay) on attacker-controlled devices.
- **Fraudulent Transaction Processing:** Using linked wallets to conduct small-value transactions through compromised Stripe/Zelle accounts.
- **NFC Relay/Ghost Tap (Advanced):** Selling the "ZNFC" Android application for **$500 a month**, which relays valid NFC (tap-to-pay) transactions over the internet from a low-risk location (e.g., China) to a point-of-sale terminal anywhere in the world.
- **Sales & Distribution:** Selling pre-loaded mobile phones containing multiple digital wallets in bulk.
## Targeting
- Sectors: **Financial Institutions** (whose OTP processes are exploited), **E-commerce/Payment Processors** (Stripe, Zelle), and general consumers using mobile devices.
- Geography: **Mainland China** (origin of the actors/kit vendors). Victims appear to include recipients of **U.S. Postal Service**-themed phishing messages and customers of **UK financial institutions** (mentioned in one wallet video).
- Victims: Members of the public targeted by mobile phishing campaigns; financial institutions absorb the resulting fraud losses.
## Tools & Infrastructure
- **Malware families used:** **ZNFC** (Android application for real-time NFC relay/Ghost Tap). The groups also advertise and sell sophisticated **phishing kits**.
- **Infrastructure (C2, domains, IPs):** No specific C2 domains or IP addresses are identified in the report; the infrastructure described is platform-based:
  - **Distribution Platform:** **Telegram** channels used for selling kits, tutorials, and advertising pre-loaded phones.
  - **Payment/Cashout:** **Stripe**, **Zelle**.
  - **Messaging Vector:** Exploitation of **Apple iMessage** and **RCS**.
## Implications
This represents a significant evolution in carding: captured card data is turned into functioning digital credentials usable for contactless payments globally, sidestepping the protection that chip-and-PIN brought against mag stripe cloning (the technique has been dubbed "the best mag stripe cloning device ever"). The short operational window (7-10 days) hinders detection and correlation efforts by financial institutions. The adoption of "Ghost Tap" technology introduces a fraud vector that payment terminals are currently ill-equipped to stop without upgrades.
## Mitigations
- **Authentication Enhancement:** Financial institutions should move beyond simple SMS OTPs for provisioning mobile wallets, potentially requiring customer login via the bank's verified mobile app before linkage.
- **Endpoint Security:** Apple and Google should use behavioral analytics to identify devices rapidly accumulating multiple distinct mobile wallets from disparate geographic locations for potential account suspension.
- **POS Terminal Updates:** Consider updating contactless payment terminals to better identify and flag NFC transactions that appear to be relayed remotely (anti-Ghost Tap measures).
- **Vendor Monitoring:** Increased scrutiny on commercial messaging platforms (like Telegram) used to openly sell sophisticated fraud infrastructure.
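The "Endpoint Security" mitigation above asks for behavioral analytics over wallet-provisioning events. The following is an added example written for this summary, not code from the report or from any wallet provider, showing the shape such a rule might take: it groups "card added to wallet" events by device, slides a 7-day window (chosen to match the 7-10 day theft-to-fraud window the report describes) over each device's history, and flags devices that accumulate too many distinct cards or that provision cards issued in countries other than where the device is located. The event fields, the thresholds (more than 3 cards, more than 2 cross-border cards) and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ProvisioningEvent:
    """One 'card added to wallet' event, as an issuer or wallet provider
    might log it. Field layout is an assumption for this example."""
    ts: datetime
    device_id: str
    card_token: str      # tokenised card reference, never the PAN itself
    issuer_country: str  # country of the issuing bank
    device_country: str  # geolocation of the device at provisioning time


def _d(day, hour=0):
    """Shorthand for building timestamps in the constructed sample data."""
    return datetime(2025, 1, day, hour)


# Constructed sample events (not taken from the report).
SAMPLE_EVENTS = [
    # dev-A: five distinct cards from US and UK issuers within 48 hours,
    # while the device itself is located in a third country.
    ProvisioningEvent(_d(1, 9),  "dev-A", "tok-1001", "US", "CN"),
    ProvisioningEvent(_d(1, 11), "dev-A", "tok-1002", "US", "CN"),
    ProvisioningEvent(_d(2, 8),  "dev-A", "tok-1003", "UK", "CN"),
    ProvisioningEvent(_d(2, 20), "dev-A", "tok-1004", "US", "CN"),
    ProvisioningEvent(_d(3, 7),  "dev-A", "tok-1005", "UK", "CN"),
    # dev-B: a single card, issuer and device in the same country.
    ProvisioningEvent(_d(1, 12), "dev-B", "tok-2001", "US", "US"),
    # dev-C: two cards, thirty days apart (normal card replacement cadence).
    ProvisioningEvent(_d(1, 10),  "dev-C", "tok-3001", "US", "US"),
    ProvisioningEvent(_d(31, 10), "dev-C", "tok-3002", "US", "US"),
]


def flag_devices(events, window=timedelta(days=7), max_cards=3, max_cross_border=2):
    """Return {device_id: sorted reason codes} for devices whose provisioning
    history looks like bulk wallet loading. Thresholds are assumptions."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev.device_id].append(ev)

    findings = {}
    for device, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        reasons = set()
        start = 0
        # Slide a time window over the device's events, oldest to newest.
        for end, newest in enumerate(evs):
            while newest.ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            distinct_cards = {e.card_token for e in win}
            cross_border = {e.card_token for e in win
                            if e.issuer_country != e.device_country}
            if len(distinct_cards) > max_cards:
                reasons.add("too_many_cards")
            if len(cross_border) > max_cross_border:
                reasons.add("cross_border_provisioning")
        if reasons:
            findings[device] = sorted(reasons)
    return findings


if __name__ == "__main__":
    for device, why in flag_devices(SAMPLE_EVENTS).items():
        print(f"{device}: {', '.join(why)}")
```

On the sample data only `dev-A` is flagged, for both reasons; `dev-B` and `dev-C` fall under the thresholds. In practice the thresholds would be tuned against an issuer's own provisioning baseline, and a hit would feed a review queue or a step-up authentication requirement rather than an automatic suspension.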