ThreatFabric analysts uncovered a sophisticated cash-out method dubbed ‘Ghost Tap,’ which is being actively employed by threat actors. The tactic exploits stolen credit card details linked to mobile payment services like Google Pay and Apple Pay, leveraging Near Field Communication (NFC) technology to execute fraudulent transactions.
The attack relies on a relay mechanism that connects a stolen card to a Point-of-Sale (POS) terminal via NFC, allowing cybercriminals to remain physically distant from the crime scene—even in a different country. With the stolen card information, threat actors establish a connection between the card and a mobile payment system.
The Ghost Tap operation requires obtaining the victim's card details and the One-Time Password (OTP) that the bank sends to authenticate linking the card to the attacker's mobile device. Threat actors can achieve this with mobile malware that steals credit card details via overlay attacks or keylogging, or by intercepting OTPs sent via SMS or push notifications.
Victims unknowingly submit their card credentials and OTPs through phishing websites designed to mimic legitimate financial institutions. Once the card is successfully linked to a new device, the criminals use it for significant transactions at offline retailers, exploiting the anonymity of NFC-based payments.
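From the issuer's side, the pattern described above (a card freshly linked to a new device, then a large in-store tap far from where the linking happened) can be checked for in event data. The following is an added example, not code from ThreatFabric or from the original article; the event fields, the 24-hour window and the amount threshold are all assumptions, and the records are constructed samples.

```python
from datetime import datetime, timedelta

# Constructed sample events; field names are assumptions, not a real issuer schema.
PROVISIONS = [  # card linked to a mobile wallet on a new device
    {"card": "card-A", "device": "dev-1", "country": "DE", "ts": "2024-11-01T09:00:00"},
    {"card": "card-B", "device": "dev-9", "country": "FR", "ts": "2024-11-01T10:00:00"},
]
TAPS = [  # in-store NFC wallet payments as seen at POS terminals
    {"card": "card-A", "device": "dev-1", "country": "US", "amount": 950.0, "ts": "2024-11-01T09:40:00"},
    {"card": "card-A", "device": "dev-1", "country": "US", "amount": 12.0, "ts": "2024-11-01T09:45:00"},
    {"card": "card-B", "device": "dev-9", "country": "FR", "amount": 700.0, "ts": "2024-11-01T10:30:00"},
    {"card": "card-A", "device": "dev-1", "country": "US", "amount": 800.0, "ts": "2024-11-09T12:00:00"},
]

def flag_relay_suspects(provisions, taps, window=timedelta(hours=24), min_amount=500.0):
    """Return taps that follow a recent wallet enrolment, are high-value,
    and happen in a different country from the one the device enrolled in."""
    enrolled = {(p["card"], p["device"]): p for p in provisions}
    hits = []
    for tap in taps:
        prov = enrolled.get((tap["card"], tap["device"]))
        if prov is None:
            continue  # no enrolment record for this card/device pair
        age = datetime.fromisoformat(tap["ts"]) - datetime.fromisoformat(prov["ts"])
        if (timedelta(0) <= age <= window
                and tap["amount"] >= min_amount
                and tap["country"] != prov["country"]):
            hits.append({**tap,
                         "enrolled_in": prov["country"],
                         "minutes_since_link": int(age.total_seconds() // 60)})
    return hits

if __name__ == "__main__":
    for hit in flag_relay_suspects(PROVISIONS, TAPS):
        print(hit)
```

On the sample data only the 950.00 tap is flagged; the small tap, the same-country tap and the tap made eight days after linking fall outside the rule.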