A sophisticated ecosystem has emerged enabling cybercriminals to convert phished payment card data into digital wallets, exploiting vulnerabilities in the mobile wallet provisioning process. The development comes amid growing concerns about mobile payment security, with recent FBI and CISA warnings about messaging vulnerabilities in mobile devices.
The process begins with phishing kits, sold by Chinese vendors, that deliver messages through Apple iMessage and RCS. The messages commonly impersonate legitimate organizations like the U.S. Postal Service or toll road operators to collect payment card information from victims. The pattern matches recent toll payment scams targeting Massachusetts drivers.
When victims enter their payment card data, the system captures a verification code sent to their mobile device by their financial institution. The stolen card data is then converted into a digital image matching the victim’s bank, which can be scanned into Apple Pay or Google Wallet. The exploitation of one-time codes comes as Mastercard and other providers move toward more secure biometric authentication methods to replace traditional OTP systems.
The technical infrastructure supporting these operations is substantial. Phishing sites capture victim data in real time, even if submissions are not completed, and store the information in backend databases maintained by kit vendors. Chinese phishing groups use mass-created Apple and Google user accounts, with phones arranged in racks to manage the scale of operations.
A key component is “ghost tap” technology, implemented through an Android application called “ZNFC.” The software, priced at $500 monthly with continuous support, enables the relay of NFC transactions over the internet from devices in China to local payment terminals. The system represents a sophisticated evolution of traditional NFC relay attacks that have previously targeted automotive digital key systems.
The scale of these operations is significant. Security researchers have documented one group, the Smishing Triad, collecting 108,044 payment cards across 31 phishing domains, while another operation accumulated 438,669 unique credit cards through 1,133 domains. Estimated losses range from $100 to $500 per compromised card converted to a mobile wallet, potentially totaling $15 billion in annual fraudulent charges.
The current authentication system for mobile wallets, which relies primarily on one-time codes, has contributed to this fraud ecosystem. While some financial institutions require mobile app authentication before linking digital wallets, this practice is not universal. The vulnerability persists despite recent security enhancements to mobile platforms.
Technical solutions to address these vulnerabilities include updating contactless payment terminals to better detect relayed NFC transactions. Digital wallet providers could also implement enhanced monitoring to identify devices adding multiple wallets from different global locations, and develop more robust authentication protocols for wallet provisioning. The industry is increasingly moving toward biometric authentication systems as a more secure alternative to traditional methods.
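One way a wallet provider could implement the device monitoring described above, added here as an illustration and not taken from the original article or from any named provider: a sliding-window check over provisioning events that flags a device adding many cards in a short period, or submitting requests from more than one country. The event fields, thresholds and sample log are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class ProvisionEvent:
    """One 'add card to wallet' request as a wallet provider might log it."""
    device_id: str   # stable identifier of the phone or wallet instance
    ts: datetime     # time of the provisioning request
    country: str     # country inferred from the request's network location
    card_ref: str    # tokenised reference to the card, never the PAN itself

def flag_suspicious_devices(events, window=timedelta(hours=24),
                            max_cards=3, max_countries=1):
    """Return {device_id: [reasons]} for devices whose provisioning activity,
    over any sliding window of length `window`, exceeds the thresholds."""
    by_device = {}
    for ev in events:
        by_device.setdefault(ev.device_id, []).append(ev)
    flagged = {}
    for dev, evs in by_device.items():
        evs.sort(key=lambda e: e.ts)
        peak_cards, peak_countries = 0, set()
        for i, end in enumerate(evs):
            # all requests from this device inside the window ending at `end`
            recent = [e for e in evs[:i + 1] if end.ts - e.ts <= window]
            peak_cards = max(peak_cards, len({e.card_ref for e in recent}))
            countries = {e.country for e in recent}
            if len(countries) > len(peak_countries):
                peak_countries = countries
        reasons = []
        if peak_cards > max_cards:
            reasons.append(f"{peak_cards} distinct cards within {window}")
        if len(peak_countries) > max_countries:
            reasons.append("requests from " + ", ".join(sorted(peak_countries)))
        if reasons:
            flagged[dev] = reasons
    return flagged

# Constructed sample provisioning log, not real telemetry.
T0 = datetime(2025, 1, 15, 9, 0)
SAMPLE_EVENTS = (
    [ProvisionEvent("dev-A", T0, "US", "tok-a1"),                       # ordinary user
     ProvisionEvent("dev-C", T0, "US", "tok-c1"),
     ProvisionEvent("dev-C", T0 + timedelta(hours=1), "CN", "tok-c2")]  # two countries in 1 h
    + [ProvisionEvent("dev-B", T0 + timedelta(minutes=20 * i), "US", f"tok-b{i}")
       for i in range(5)]                                                # 5 cards in 80 min
    + [ProvisionEvent("dev-D", T0 + timedelta(days=2 * i), "US", f"tok-d{i}")
       for i in range(4)]                                                # 4 cards over 6 days
)
```

With the default 24-hour window, `flag_suspicious_devices(SAMPLE_EVENTS)` flags dev-B (five cards in 80 minutes) and dev-C (requests from two countries), while dev-D's four cards are spread too thinly to trip the card threshold unless the window is widened.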
Sources: KrebsOnSecurity, Tesorion