A NEW money scam targeting Android and iPhone owners can rinse victims bank accounts without needing their physical card or phone.
The attack, dubbed ‘Ghost Tap’, is cloning cards linked to Google Pay and Apple Pay, mobile security experts at Threat Fabric have warned.
Instead of making withdrawals from ATMs, Ghost Tap crooks can buy whatever they want from any card reader anywhere in the world[/caption]
Experts are concerned that the wide network of money mules globally can result in significant losses for victims[/caption]
Cyber crooks are able to relay victims’ card data to money mules worldwide, who can then withdraw cash without a credit card or device even going missing.
A similar strain of malicious software, known as malware, was detected last year.
This older malware, known as NGate and discovered by researchers at ESET, let criminals make small contactless payments and ATM withdrawals.
However, the recent Ghost Tap operation is even more dangerous and harder to detect, experts have warned.
Instead of making withdrawals from ATMs, Ghost Tap crooks can buy whatever they want from any card reader anywhere in the world.
Criminals do this first by stealing your card information and intercept one-time passwords needed for Google Pay and Apple Pay.
This is typically done through banking malware that lays on top of your legitimate banking or digital payment app.
One-time passwords can also be stolen through phishing scams or spyware.
Your card details are then fired out to an extensive network of money mules.
The mules use a relay server to transfer your payment information to their smartphone which can mimic your Google Pay or Apple Pay to purchase items with your hard-earned cash.
To evade tracking, crooks will put their device on “airplane mode”.
Threat Fabric has seen this type of attack become much more common recently, the security firm told Bleeping Computer.
Security experts note that while your bank’s anti-fraud mechanisms may catch out these rogue payments, smaller purchases may go under the radar.
“The new tactic for cash-outs poses a challenge for financial organisations,” ThreatFabric wrote.
“The ability of cybercriminals to scale the fraudulent offline purchases, making multiple small payments in different places, might not trigger the anti-fraud mechanisms and might allow cybercriminals to successfully buy goods that can be further re-sold (like gift cards).”
Yet, even small payments add up.
Experts are concerned that the wide network of money mules globally can result in significant losses for victims.
However, if payments are made that should not be physically possible – such as, purchases made in New York and Amsterdam within 10 minutes of each other – the bank should be able to detect that as fraud.
