Yesterday, I reported on a new type of phishing attack that uses progressive web applications (PWAs) to target Android users and steal the login credentials for their bank accounts. According to an update to the initial report, some of the same phishing campaigns are also using malware to capture and clone NFC data, allowing the attackers to “clone” phones and use them for contactless payments and ATM fraud.
The setup uses the same delivery routes as the PWA attacks: bulk SMS and email messages that try to get people to install a web-based dummy app mimicking a bank login page, then harvest the entered data to make fraudulent payments. In certain incidents detected by ESET in March of this year, attackers used the same approaches to get users to install apps based on the NGate NFC vulnerability.
This enabled them to replicate the mechanism used to verify customers in the NFC payment system, which is built into almost every modern smartphone and embedded in the majority of debit and credit cards. They could then transfer those credentials to another phone and use it at tap-to-pay terminals in shops or at cash machines.
In March, a suspect was detained in Prague for allegedly doing just that: using stolen NFC credentials to withdraw cash from ATMs. He was arrested with 166,000 Czech koruna on his person, roughly $6,500 or €6,000.
The attack described by ESET and Bleeping Computer is sophisticated. To obtain the NFC data, the malware must walk the victim through a series of steps, including scanning their own debit card with their phone. At that point it copies the card’s NFC authentication data (the card’s, not the phone’s, even though the phone is frequently linked to the same account) and sends it to the attacker.
Though spoofing the NFC data takes some technical skill, the victim’s phone does not need to be hacked or modified; it only needs to be compromised by malicious software. ESET was able to reproduce the attack using specific rooted phones.
ESET believes that malware attacks explicitly targeting users’ NFC data have stopped since the arrest in March. However, such tactics tend to spread quickly among criminals; the NFC tools in use were originally developed by students at Germany’s Technical University of Darmstadt in 2017 and were only recently repurposed for theft.
To avoid this type of attack, always be wary of “banking” or financial messages from unknown senders, and do not click on links in those emails or texts. If a message claims there is a problem with your bank or tax account, open the relevant site yourself in a separate browser to check; do not enter your login details through that message thread or any site it links to. And, of course, never install apps (or progressive web apps) from unknown sources.