
Chinese cybercriminals have devised a novel method to monetize stolen bank card data, transforming it into digital wallets for both online and in-store purchases. While the global rollout of chip-enabled cards has weakened the carding market, Chinese cyber groups are pioneering innovative schemes that restore its profitability.
At the heart of this new operation are phishing attacks conducted via iMessage and RCS. Victims receive deceptive messages, purportedly from postal services or toll road operators, demanding payment for fictitious debts. Upon clicking the link and entering their card details, they encounter an additional security step—an authentication code sent by their bank. However, instead of verifying a transaction, fraudsters exploit this code to link the card to their own device via Apple Pay or Google Pay.
Security researcher Ford Merrill from SecAlliance revealed that fraudsters attach between four and six stolen bank cards to a single smartphone, which they then sell for hundreds of dollars through specialized Telegram channels.
Yet, Chinese cybercriminals have not stopped there. A more advanced technique known as “Ghost Tap” has emerged, significantly elevating the sophistication of digital fraud. The ZNFC application, available on the darknet for $500 per month, facilitates remote NFC transaction relay. By simply bringing their own smartphone close to a payment terminal anywhere in the world, fraudsters can execute transactions as if they originated from their devices in China.
The Ghost Tap method has already led to multiple arrests in Singapore, where authorities apprehended individuals purchasing luxury goods with fraudulent digital wallets. According to police reports, over $100,000 was stolen using this technique in just one week.
However, the criminals’ arsenal extends beyond this method. To maximize profits, they deploy additional tactics. For instance, even if a victim realizes the scam and refrains from submitting their payment details, the fraudsters capture any data entered in real time. Moreover, they manipulate users into entering multiple card details by falsely claiming that the first attempt failed verification.
Banks and payment systems are struggling to keep pace with these evolving attack vectors. While some financial institutions in Europe and Asia now require mobile app authentication before linking a card to a digital wallet, this safeguard has yet to become a universal standard.
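On the issuer side, the phones loaded with four to six stolen cards described above leave a recognizable trace: one device enrolling cards that belong to several unrelated cardholders within a short period. The following is an added example, not code from the article or from any bank; the record fields, the threshold of three cardholders and the seven-day window are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed provisioning records: (time, device_id, cardholder_id, verification).
# Field names and values are assumptions, not a real token-service schema.
EVENTS = [
    ("2025-02-01T09:12", "dev-A", "holder-1", "sms_otp"),
    ("2025-02-01T09:40", "dev-A", "holder-2", "sms_otp"),
    ("2025-02-01T11:05", "dev-A", "holder-3", "sms_otp"),
    ("2025-02-02T08:30", "dev-A", "holder-4", "sms_otp"),
    ("2025-02-03T10:00", "dev-B", "holder-5", "in_app"),
    ("2025-02-03T10:05", "dev-B", "holder-6", "sms_otp"),  # shared family phone
    ("2025-01-01T12:00", "dev-C", "holder-7", "sms_otp"),  # dev-C: four holders,
    ("2025-02-10T12:00", "dev-C", "holder-8", "sms_otp"),  # but spread over months
    ("2025-03-20T12:00", "dev-C", "holder-9", "sms_otp"),
    ("2025-04-28T12:00", "dev-C", "holder-10", "sms_otp"),
]

def flag_devices(events, max_holders=3, window=timedelta(days=7)):
    """Flag devices that enrolled cards from more than max_holders distinct
    cardholders inside any sliding time window of the given length."""
    per_device = defaultdict(list)
    for ts, device, holder, method in events:
        per_device[device].append((datetime.fromisoformat(ts), holder, method))

    flagged = {}
    for device, rows in per_device.items():
        rows.sort()                      # chronological order per device
        start = 0
        for end, (when, _, _) in enumerate(rows):
            while when - rows[start][0] > window:
                start += 1               # drop enrollments older than the window
            span = rows[start:end + 1]
            holders = {h for _, h, _ in span}
            if len(holders) > max_holders:
                flagged[device] = {
                    "cardholders": sorted(holders),
                    # True when every enrollment relied only on a one-time code
                    "otp_only": all(m == "sms_otp" for _, _, m in span),
                }
                break
    return flagged

if __name__ == "__main__":
    for device, detail in flag_devices(EVENTS).items():
        print(device, detail)
```

The `otp_only` flag separates enrollments that relied solely on a one-time code from those confirmed in the bank's mobile app, the safeguard mentioned above.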
Experts warn that combating Ghost Tap will necessitate significant upgrades to POS terminals and stricter regulations on mass account creation for Apple and Google services. However, thus far, neither tech giant has taken visible action to counter this escalating threat.