Yesterday I reported that a new type of phishing attack uses progressive web apps (PWA) that specifically target Android users, swiping credentials to go after bank accounts. An update to the original report says some of the same phishing attacks also use malware to steal NFC information, allowing them to ‘clone’ phones and use them for contactless payment and ATM theft.
The scheme uses the same well-known vectors as the PWA attacks: mass text messages and emails trick users into installing a web-based dummy app that mirrors a bank’s login page, and the credentials entered there are harvested to carry out illegal transfers. In some cases observed by ESET in March this year, hackers had used the same techniques to trick users into installing apps based on the NGate NFC vulnerability.
This allowed them to duplicate the credentials used to authenticate users through the NFC payment system installed on virtually every modern smartphone and built into most debit and credit cards. They could then transfer those credentials to a separate phone and use it at tap-to-pay terminals in stores or at ATMs.
In March, a suspect was arrested in Prague for allegedly doing just that, apparently using stolen NFC credentials to withdraw money from ATMs. He was caught with 166,000 Czech crowns, approximately $6,500 USD or 6,000 euros.
The attack described by ESET and Bleeping Computer is sophisticated. The malware aims to guide a victim through several steps to capture NFC data, including scanning their own bank card with their phone. At that point, it copies the NFC authentication from the card (not from the phone, although it is often linked to the same account) and sends that information to the attacker.
Although actually spoofing the NFC information requires some technical knowledge, the victim’s phone does not need to be rooted or modified; it just needs to be compromised with a malicious app. ESET was able to mimic this attack using specific rooted phones.
ESET believes that the portion of malware attacks specifically targeting users’ NFC data has stopped following the arrest in March. But these techniques are often quickly spread among criminals: the NFC tools used were first developed by students at the Technical University of Darmstadt in Germany in 2017, and only recently adapted for theft.
To protect yourself from these types of attacks, always be wary of “banking” or financial messages from senders you don’t know, and avoid following direct links in those emails or text messages. If a message claims there is a problem with your banking or tax details, open the relevant site yourself in a separate browser to check. Do not enter your login information in that message chain or on any site it links to. And of course, don’t install apps (or progressive web apps) from unverified sources.