A sophisticated new cybercriminal technique known as “ghost-tapping” has emerged as a significant threat to contactless payment systems, enabling Chinese-speaking threat actors to exploit stolen payment card details linked to mobile wallet services such as Apple Pay and Google Pay.
This innovative attack vector leverages Near Field Communication (NFC) relay tactics to facilitate retail fraud, allowing cybercriminals to transform digital theft into physical goods through an elaborate network of mules and automated systems.
The ghost-tapping ecosystem represents a convergence of traditional phishing techniques with cutting-edge NFC relay technology, creating an end-to-end fraud operation that spans multiple countries and involves various criminal roles.
Unlike conventional card fraud that relies solely on online transactions, ghost-tapping enables criminals to conduct in-person purchases at retail stores, making detection significantly more challenging for traditional fraud monitoring systems.
The technique allows threat actors to relay payment information from compromised cards loaded onto mobile devices to separate payment terminals in real-time, effectively bypassing physical proximity requirements.
Recent data from Singapore authorities illustrates the scale of this emerging threat, with 656 reports of compromised payment cards involving mobile wallets recorded between October and December 2024, resulting in losses exceeding $1.2 million SGD.
Of these incidents, at least 502 cases specifically involved compromised cards linked to Apple Pay, demonstrating the particular vulnerability of popular mobile payment platforms to this attack method.
Recorded Future analysts identified key threat actors operating on Telegram platforms, particularly @webu8, who advertises specialized burner phones and ghost-tapping services to Chinese-speaking criminal syndicates.
Overview of ghost-tapping campaign involving mobile wallets (Source – Recordedfuture)
Through extensive research and direct engagement with these threat actors, analysts uncovered a sophisticated criminal infrastructure that extends across Southeast Asia, with operations centered in Cambodia and China but targeting victims globally.
Technical Infrastructure and Attack Methodology
The ghost-tapping attack chain begins with cybercriminals using automated systems to harvest payment card credentials through phishing campaigns and mobile malware.
These stolen credentials are then systematically added to contactless payment wallets on burner phones using proprietary software that can bypass traditional authentication measures.
The process involves sophisticated automation capabilities, as evidenced by observed attempts to add compromised DBS Bank cards to Apple Pay at precise four to eight-minute intervals, demonstrating the industrial scale of these operations.
# Automated card addition attempt simulation
import time
import requests
def attempt_card_addition(card_details, wallet_service):
“””
Simulates automated attempts to add stolen card to mobile wallet
“””
for attempt in range(1, 10):
response = wallet_service.add_card(card_details)
if response.status == “success”:
return True
elif “enable_mobile_wallets” in response.message:
# Wait for security feature timeout
time.sleep(600) # 10 minute window
else:
time.sleep(240) # 4 minute interval before retry
return False
The technical foundation of ghost-tapping relies on NFC relay tools such as NFCGate, an Android application originally designed for legitimate NFC traffic analysis but repurposed for criminal activities.
The attack requires two mobile devices with NFCGate installed and a server configured to relay traffic between locations.
When a money mule approaches a point-of-sale terminal, the system can relay tokenized card data in real-time from the attacker’s infrastructure to the mule’s device, enabling unauthorized transactions without the physical presence of the original card.
Overview of the ghost-tapping technique (Source – Recordedfuture)
The criminal ecosystem supporting ghost-tapping operations extends beyond simple card theft to encompass a sophisticated supply chain involving multiple specialized roles.
Cybercriminals like @webu8 operate as suppliers, providing not only burner phones loaded with stolen credentials but also offering phone recycling services to maximize operational efficiency.
These threat actors sell devices for approximately $500 USDT when loaded with ten compromised payment cards, establishing a clear economic model that incentivizes large-scale operations.
Payment card authentication systems face particular challenges when confronting ghost-tapping attacks, as the technique exploits legitimate NFC communication protocols.
The automation observed in these attacks suggests that criminals have developed sophisticated methods to overcome security features implemented by banks, including multi-factor authentication and time-limited approval windows.
Even security measures such as requiring mobile app authentication can be circumvented when criminals have gained access to victims’ banking credentials through comprehensive phishing campaigns or mobile malware infections.
Luxury goods purchased from various retail stores using ghost-tapping techniques (Source – Recordedfuture)
The geographical distribution of ghost-tapping operations reflects the global nature of modern cybercrime, with criminal syndicates based in Cambodia and China orchestrating attacks that target victims worldwide while deploying mules to conduct fraudulent purchases in countries with robust retail infrastructure.
This international scope complicates law enforcement efforts and enables criminals to exploit jurisdictional gaps in cybercrime prosecution, making ghost-tapping a particularly resilient threat to the global payment ecosystem.
Boost your SOC and help your team protect your business with free top-notch threat intelligence: Request TI Lookup Premium Trial.
Source: cybersecuritynews.com
