

Ethical Hacking News

A Global Scourge: The Rise of China-Based Phishing Cartels and Their Tap-to-Pay Schemes


A new type of tap-to-pay fraud has emerged, using mobile devices to relay transactions from anywhere in the world. China-based phishing cartels are behind this scheme, which uses sophisticated phishing tactics to steal payment card data and load it onto mobile phones.

  • Law enforcement agencies worldwide are cracking down on a novel form of tap-to-pay fraud using mobile devices.
  • China-based phishing cartels use sophisticated tactics to steal payment card data and relay transactions from anywhere in the world.
  • A custom Android app called "Z-NFC" is being used by these scammers to transmit tap-to-pay transactions.
  • Sophisticated phishing messages are sent through Apple iMessage and Google RCS, tricking victims into verifying their financial information.
  • Stolen payment card data is linked to new mobile wallets on controlled devices, which are then sold in bulk to scammers.
  • The scheme has significant implications for consumers and businesses, requiring vigilance and cooperation from law enforcement agencies.



    In recent months, law enforcement agencies around the world have been cracking down on a novel form of tap-to-pay fraud that uses mobile devices to relay transactions from anywhere in the world. At the heart of this scheme are China-based phishing cartels that use sophisticated tactics to steal payment card data and load it onto mobile phones, which are then used to conduct unauthorized transactions.

    According to Ford Merrill, a security researcher at SecAlliance, a CSIS Security Group company, these phishing cartels have been using a custom Android app called "Z-NFC" to relay tap-to-pay transactions from mobile devices located in China. This app can work with both NFC-enabled tap-to-pay and any digital wallet, making it a versatile tool for the scammers.

    One of the most striking aspects of this scheme is the use of sophisticated phishing tactics to steal payment card data. These phishing messages are sent through the Apple iMessage service and through RCS, the functionally equivalent technology on Google phones. The messages appear to be from legitimate sources, such as the U.S. Postal Service or a local toll road operator, and ask the victim to verify their financial information with a one-time passcode sent to their mobile device.

    In reality, this code is sent by the victim's financial institution in response to a request by the fraudsters to link the phished card data to a mobile wallet. If the victim then provides that one-time code, the phishers will link the card data to a new mobile wallet from Apple or Google, loading the wallet onto a mobile phone that the scammers control.

    These phones are then loaded with multiple stolen wallets, often between 5 and 10 per device, and sold in bulk to scammers on Telegram. The Chinese phishing groups offer these services for $500 a month, making it an attractive option for organized crime groups looking to cash in on the rising demand for tap-to-pay transactions.
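
    An issuer-side check for the pattern described above, in which one handset ends up holding wallets for several unrelated cardholders. This is an added example, not part of the original article; the event fields, identifiers and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, device_id, cardholder_id, otp_verified).
# Field names and identifiers are hypothetical, not a real issuer schema.
EVENTS = [
    ("2025-03-01T09:00:00", "dev-A", "cust-1", True),
    ("2025-03-01T09:20:00", "dev-A", "cust-2", True),
    ("2025-03-02T11:05:00", "dev-A", "cust-3", True),
    ("2025-03-02T11:40:00", "dev-A", "cust-4", True),
    ("2025-03-03T08:15:00", "dev-A", "cust-5", True),
    ("2025-03-01T10:00:00", "dev-B", "cust-10", True),   # shared family phone
    ("2025-03-04T10:00:00", "dev-B", "cust-11", True),
    ("2025-01-05T10:00:00", "dev-C", "cust-20", True),   # resold handset, months apart
    ("2025-02-20T10:00:00", "dev-C", "cust-21", True),
    ("2025-04-10T10:00:00", "dev-C", "cust-22", True),
    ("2025-03-03T12:00:00", "dev-D", "cust-30", False),  # one-time code never entered
]


def flag_wallet_stacking(events, max_holders=2, window=timedelta(days=7)):
    """Return {device_id: [cardholder ids]} for devices that received wallets
    for more than max_holders distinct cardholders inside one time window."""
    by_device = defaultdict(list)
    for ts, device, holder, otp_verified in events:
        if otp_verified:  # only completed provisioning puts a wallet on the phone
            by_device[device].append((datetime.fromisoformat(ts), holder))

    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        best, start = set(), 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans at most `window`.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            holders = {h for _, h in rows[start:end + 1]}
            if len(holders) > len(best):
                best = holders
        if len(best) > max_holders:
            flagged[device] = sorted(best)
    return flagged


if __name__ == "__main__":
    for device, holders in flag_wallet_stacking(EVENTS).items():
        print(device, holders)
```

    The short window keeps a resold handset or a shared family phone from being flagged, while a device provisioned for five cardholders in three days stands out.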

    The scheme is remarkable not only because of its sophistication but also because of the scale at which it operates. According to the Knox County Sheriff's Office in Tennessee, the scammers have been traveling nationwide, using stolen credit card information to purchase gift cards and launder funds. During a recent operation, law enforcement recovered gift cards valued at over $23,000, all bought with unsuspecting victims' information.

    The arrests of Chinese nationals accused of perpetrating this scheme are considered the first in the nation for a new type of tap-to-pay fraud. The Knox County Sheriff's Office said that while it appears the fraudsters are simply buying gift cards, in fact, they are using multiple transactions to purchase various gift cards and plying their scam from state to state.

    The authorities have seized mobile devices from the suspects, including Android phones loaded with stolen wallets. According to Ford Merrill, there aren't many valid use cases for Android phones to transmit Apple Pay transactions unless they are running a custom Android app like Z-NFC.

    The rise of China-based phishing cartels and their tap-to-pay schemes has significant implications for consumers and businesses alike. As these scammers continue to evolve and improve their tactics, it is essential that we stay vigilant and take steps to protect ourselves from these types of threats.

    In conclusion, the global scourge of China-based phishing cartels and their tap-to-pay schemes is a complex issue that requires cooperation and vigilance from law enforcement agencies, consumers, and businesses. As we move forward, it is crucial that we understand the tactics used by these scammers and take steps to protect ourselves from these types of threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Global-Scourge-The-Rise-of-China-Based-Phishing-Cartels-and-Their-Tap-to-Pay-Schemes-ehn.shtml

  • Published: Fri Mar 21 15:03:10 2025 by llama3.2 3B Q4_K_M












