Ethical Hacking News
The use of phishing pages has evolved, with malicious actors now exploiting mobile wallets such as those from Apple and Google to steal sensitive information. A new form of mobile fraud, dubbed "ghost tap," is on the rise, allowing cybercriminals to cash out mobile wallets by obtaining real point-of-sale terminals and using tap-to-pay on phone after phone. This article delves into the world of mobile phishing, exploring its tactics and implications for financial institutions.
The world of mobile phishing has taken a drastic turn with malicious actors using advanced techniques to exploit sensitive information from unsuspecting victims.
Phishing pages spoof legitimate organizations, capturing sensitive data in real time without requiring the victim's direct submission.
Cybercriminals use mass-created Apple and Google user accounts to send spam messages, adding credibility to phishing campaigns.
The "ZNFC" software allows users to tap-to-pay using any phone, even if it's not an Apple or Google device, cashing out digital wallets.
Financial institutions are struggling to keep pace with the sophisticated mobile phishing threat, leading to increased losses.
Experts recommend proactive measures such as secure authentication methods and vigilant monitoring of suspicious transactions to protect against ghost tap mobile phishing.
The world of mobile phishing has taken a drastic turn in recent months, with malicious actors now using advanced techniques to exploit sensitive information from unsuspecting victims. According to experts, the rise of "ghost tap" mobile fraud has left financial institutions reeling, as cybercriminals continue to find new ways to steal valuable data.
At the heart of this phenomenon are phishing pages that spoof legitimate organizations such as the USPS and various toll road operators. These sites are designed to extract sensitive information from unsuspecting victims, often under the guise of a legitimate transaction or notification. However, unlike traditional phishing tactics, which may require the victim to click on a link or submit their credentials directly, modern phishing techniques have evolved to capture data in real time, regardless of whether the visitor actually submits it.
For instance, some phishing pages prompt users to enter their personal and financial information, and if the user abandons the process and decides not to proceed, any data already entered into the fields has still been captured by the phisher's server, providing them with a wealth of sensitive information. Moreover, many phishing sites expose victim data by storing it directly on the phishing domain, ensuring that even when the site is taken down for fraud, the stolen data remains secure and accessible.
Another innovative tactic employed by cybercriminals is the use of mass-created Apple and Google user accounts to send spam messages to potential victims. These accounts are often created en masse and loaded onto Apple and Google phones in an "ashtray-like" arrangement, allowing operators to blast out a large number of messages simultaneously. The fact that these messages are being sent from legitimate-looking accounts only serves to add credibility to the phishing campaign.
However, the true extent of this mobile phishing phenomenon lies in its ability to cash out digital wallets. Cybercriminals have developed software called "ZNFC" which can relay valid NFC transactions to anywhere in the world. This software is available for purchase at a monthly fee of $500 and allows users to tap-to-pay using any phone, even if it's not an Apple or Google device.
The use of this software has been documented in several cases around the world, with organized crime gangs in Europe using similar tactics to take money out of ATMs made to work with smartphones. In one notable incident, authorities in Singapore arrested three foreign men who were recruited via social messaging platforms and given ghost tap apps with which to purchase expensive items from retailers.
Experts warn that this mobile phishing threat is far more sophisticated than traditional phishing methods, making it challenging for financial institutions to correlate the causes of their losses. The lag between the phishing of victim card data and its eventual use for fraud has left many in the industry struggling to keep pace.
In response, some banks in Europe and Asia are requiring customers to log in to the bank's mobile app before they can link a digital wallet to their device. Others are exploring updates to contactless payment terminals to better identify NFC transactions that are being relayed from another device.
However, experts say it is unrealistic to expect retailers to replace existing payment terminals before their expected lifespans expire. Moreover, Apple and Google have an increased role to play in addressing this issue, given that their accounts are being created en masse and used to blast out these smishing messages. Both companies could easily tell which of their devices suddenly have 7-10 different mobile wallets added from 7-10 different people around the world.
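The device-level signal described above can be written as a short detection rule. The following is an added example, not code from the article or from Apple or Google: it scans a constructed wallet-provisioning log and flags any device that gained cards from at least seven distinct cardholders inside a seven-day window. The field names, the window length and the sample events are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: the article cites 7-10 wallets from 7-10 different people;
# the 7-day window is an assumption made for this example.
MIN_CARDHOLDERS = 7
WINDOW = timedelta(days=7)

def flag_devices(events, min_cardholders=MIN_CARDHOLDERS, window=WINDOW):
    """Flag devices that had cards from >= min_cardholders distinct people
    provisioned within any span of `window`. Returns {device_id: details}."""
    by_device = defaultdict(list)
    for ev in events:
        by_device[ev["device_id"]].append(
            (datetime.fromisoformat(ev["ts"]), ev["cardholder"], ev["issuer_country"]))
    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the left edge forward until the span fits inside the window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            span = rows[start:end + 1]
            holders = {r[1] for r in span}
            best = flagged.get(device)
            if len(holders) >= min_cardholders and (
                    best is None or len(holders) > len(best["cardholders"])):
                flagged[device] = {"cardholders": holders,
                                   "countries": {r[2] for r in span},
                                   "first": span[0][0], "last": span[-1][0]}
    return flagged

def _ev(device, day, holder, country):
    # Build one constructed provisioning event (hypothetical schema).
    ts = (datetime(2025, 2, 1) + timedelta(days=day)).isoformat()
    return {"device_id": device, "ts": ts, "cardholder": holder, "issuer_country": country}

# Constructed sample log: dev-A is a cash-out phone, dev-B a family phone,
# dev-C a device that changed owners slowly over many months.
COUNTRIES = ["US", "GB", "DE", "SG", "AU", "CA", "FR", "US"]
SAMPLE_EVENTS = (
    [_ev("dev-A", i % 3, f"holder-{i}", c) for i, c in enumerate(COUNTRIES)]
    + [_ev("dev-B", d, h, "US") for d, h in [(0, "alice"), (1, "alice"), (40, "bob")]]
    + [_ev("dev-C", 45 * i, f"owner-{i}", "US") for i in range(7)]
)

if __name__ == "__main__":
    for dev, hit in flag_devices(SAMPLE_EVENTS).items():
        print(dev, len(hit["cardholders"]), "cardholders,", len(hit["countries"]), "countries")
```

The time window is what separates the burst on dev-A from dev-C, which reaches the same cardholder count only over many months; widening the window trades fewer misses for more false positives on resold or shared devices.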
In light of this emerging threat, it is essential for financial institutions to take proactive steps to protect themselves against ghost tap mobile phishing. By implementing more secure authentication methods for mobile wallet provisioning and staying vigilant in monitoring suspicious transactions, they can reduce their exposure to these types of attacks. Ultimately, it will require a collaborative effort between banks, retailers, and technology companies to address this growing threat and prevent further exploitation of sensitive information.
Related Information:
https://krebsonsecurity.com/2025/02/how-phished-data-turns-into-apple-google-wallets/
Published: Tue Feb 18 14:39:25 2025 by llama3.2 3B Q4_K_M