Yesterday, I reported that a new generation of phishing attacks is using progressive web apps (PWAs) to specifically target Android users, stealing their login credentials to attack their bank accounts. An update to the original report indicates that some of these same phishing attacks are also using malware to steal NFC information, allowing attackers to “clone” phones and use them for contactless payment and ATM thefts.
The setup uses the same vectors as PWA attacks, sending mass SMS and emails to trick users into installing a fake web app that mimics a banking ID, and then collecting that data to make illicit transfers. In some cases observed by ESET in March this year, attackers used the same techniques to trick users into installing apps based on the NFC NGate vulnerability.
This allowed them to duplicate the systems used to verify users via the NFC payment system installed on almost all modern smartphones and built into most debit and credit cards. They could then transfer these credentials to a separate phone and access the tap-to-pay payment interfaces of retail stores or ATMs.
A suspect was arrested in Prague last March for doing just that, apparently using stolen NFC tags to make cash withdrawals from ATMs. He was caught with 166,000 Czech crowns on him, or about $6,500 US or $6,000.
The attack described by ESET and Bleeping Computer is sophisticated. The malware must guide the victim through several steps to capture NFC data, including scanning their own debit card with their phone. At this point, it copies the NFC authentication from the card (not the phone, although it is often linked to the same account) and sends this information to the attacker.
While NFC spoofing requires some technical skills, the victim’s phone does not need to be rooted or modified: it only needs to be compromised with a malicious app. ESET was able to replicate this attack with specific rooted phones.
ESET believes that the wave of malware attacks specifically targeting users’ NFC data stopped after the March arrest. But these techniques often spread quickly among criminals: the NFC tools used were first developed by students at the Technical University of Darmstadt in Germany in 2017, and have only recently been adapted for theft.
To protect yourself from this type of attack, always be wary of “banking” or financial messages from senders you don’t know, and don’t follow direct links in these emails or text messages. If you have issues with your banking or tax information, visit the site in question on a different browser to verify, and don’t enter your login information in that message chain or on linked sites. And of course, don’t install apps (or progressive web apps) from unverified sources.