Yesterday I reported that a new breed of phishing attack is using progressive web apps (PWA) specifically targeting Android users, swiping login credentials to go after bank accounts. An update to the original report says that some of the same phishing attacks are also using malware to steal NFC information, allowing them to “clone” phones and use them for theft via contactless payments and ATMs.
The setup uses the same familiar vectors as the PWA attacks, sending out mass texts and emails trying to get users to install a web-based dummy app that mirrors a bank login, then harvesting that data to make illicit transfers. In some cases observed by ESET in March of this year, hackers had used the same techniques to get users to install apps based on the NGate NFC vulnerability.
This allowed them to duplicate the systems used to verify users via the NFC payment system installed on pretty much every modern smartphone and embedded in most debit and credit cards. They could then transfer those credentials to a separate phone and get through tap-to-pay interfaces for retail stores or bank machines.
A suspect was arrested in Prague allegedly doing exactly that in March, apparently using stolen NFC credentials to make cash withdrawals from ATMs. He was caught with 166,000 Czech koruna on his person, approximately $6500 USD or 6000 euros.
The attack detailed by ESET and Bleeping Computer is sophisticated. The malware has to walk a victim through several steps to capture NFC data, including scanning their own debit card with their phone. At that point it copies the NFC authentication of the card (not the phone, though it’s often linked to the same account) and sends that info to the attacker.
Though actually spoofing the NFC information requires some technical chops, the victim’s phone doesn’t need to be rooted or modified — just compromised with a malicious app. ESET was able to reenact this attack with specific rooted phones.
ESET believes that the portion of the malware attacks specifically targeting users’ NFC data has halted after the arrest in March. But these techniques are often spread rapidly among criminals — the NFC tools being used were first developed by students at the Technical University of Darmstadt in Germany in 2017, and only recently adapted for theft.
To protect yourself from this kind of attack, always be suspicious of “banking” or financial messages from senders you don’t know, and don’t follow direct links in those emails or texts. If you’re alerted to some problem with your bank or tax information, go to the relevant site in a separate browser to check, and don’t enter your login information in that message chain or on any linked sites. And of course, don’t install apps (or progressive web apps) from unverified sources.