The Transformation of Phished Data into Apple & Google Wallets by Krebs on Security


In the world of cybercrime, carding has long been associated with Russia-based hackers who steal, sell, and swipe payment card data. However, with the widespread adoption of more secure chip-based payment cards in the United States, the carding market has seen a decline. But a new wave of innovation from cybercrime groups in China is revitalizing the carding industry by transforming phished card data into mobile wallets that can be used for online and in-person transactions.

Mobile phone users may have received phishing messages over the past few years impersonating the U.S. Postal Service or local toll road operators, urging them to pay outstanding fees. These messages are sent using sophisticated phishing kits developed by cybercriminals in mainland China. The kits do not rely on traditional SMS phishing; instead, they deliver messages through Apple iMessage and through RCS on Google phones.

Individuals who enter their payment card information on these phishing sites are told that a one-time passcode will be sent to their mobile device to verify the transaction. In reality, the code is sent by the victim’s financial institution to confirm that the card should be linked to a mobile wallet, and that wallet is controlled by the scammers.

Ford Merrill, a security researcher at SecAlliance, has delved into the evolving tactics of China-based cybercrime groups. He revealed that these groups are loading multiple stolen digital wallets onto a single device and selling them in bulk, showcasing a new approach to carding that involves selling phones pre-loaded with fraudulent mobile wallets.
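An issuer-side check for the pattern described above, many different cardholders' cards enrolled on one device, written as an added example that is not from the original article. The event fields (`device_id`, `cardholder_id`, `ts`), the thresholds and the sample events are constructed assumptions, not a real issuer or wallet-provider schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed wallet-provisioning events (hypothetical schema).
EVENTS = [
    {"ts": "2025-02-01T10:00:00", "device_id": "dev-A", "cardholder_id": "ch-1"},
    {"ts": "2025-02-01T10:20:00", "device_id": "dev-A", "cardholder_id": "ch-2"},
    {"ts": "2025-02-02T09:00:00", "device_id": "dev-A", "cardholder_id": "ch-3"},
    # Same person adding two of their own cards: not suspicious.
    {"ts": "2025-02-01T11:00:00", "device_id": "dev-B", "cardholder_id": "ch-5"},
    {"ts": "2025-02-01T11:05:00", "device_id": "dev-B", "cardholder_id": "ch-5"},
    # Several cardholders, but months apart (e.g. a resold phone).
    {"ts": "2025-01-01T08:00:00", "device_id": "dev-C", "cardholder_id": "ch-6"},
    {"ts": "2025-03-01T08:00:00", "device_id": "dev-C", "cardholder_id": "ch-7"},
    {"ts": "2025-06-01T08:00:00", "device_id": "dev-C", "cardholder_id": "ch-8"},
]

def flag_shared_devices(events, max_cardholders=2, window_days=7):
    """Return {device_id: [cardholder ids]} for devices on which more than
    max_cardholders distinct cardholders enrolled cards within window_days."""
    window = timedelta(days=window_days)
    by_device = defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        by_device[e["device_id"]].append((ts, e["cardholder_id"]))

    flagged = {}
    for device, rows in by_device.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Slide the window start forward until it spans <= window_days.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            holders = {holder for _, holder in rows[start:end + 1]}
            if len(holders) > max_cardholders:
                flagged[device] = sorted(holders)
                break
    return flagged

if __name__ == "__main__":
    for device, holders in flag_shared_devices(EVENTS).items():
        print(f"review {device}: {len(holders)} cardholders -> {holders}")
```

Counting distinct cardholders rather than cards keeps a single customer with several cards from being flagged.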

One method employed by criminal groups in China to cash out using stolen mobile wallets is through setting up fake e-commerce businesses on platforms like Stripe or Zelle and conducting transactions ranging from $100 to $500. Moreover, the waiting period before utilizing the stolen mobile wallets has significantly decreased, with criminals now exploiting them within just a few days of acquiring them.

Another advanced technique observed in the realm of mobile fraud is the use of an Android app called “ZNFC” by Chinese phishing groups, which enables relaying of valid NFC transactions worldwide. This “ghost tap” technology allows fraudsters to make transactions at point-of-sale terminals using smartphones or by mimicking tap-to-pay transactions supported by Apple and Google Pay.

The proliferation of “ghost tap” software has not gone unnoticed, with various criminal groups worldwide adopting similar methods to siphon funds from ATMs and retailers. Security experts have highlighted the need for heightened awareness and security measures, as the use of NFC-enabled transactions opens up a new avenue for fraudulent activities.

The ingenuity of Chinese phishing kits extends to capturing victim data in real time, storing stolen information in a back-end database operated by the vendors, and utilizing mass-created Apple and Google accounts to send spam messages. These kits also automate the process of converting stolen card details into digital images of legitimate payment cards, which makes it easy to enroll stolen cards into mobile wallets.

These mobile phishing kits are estimated to cause billions of dollars in losses annually, underscoring the scale of the illicit operations conducted by these cybercriminal groups. Security efforts have been ramped up to combat the rising threat posed by mobile phishing, with financial institutions implementing stricter authentication protocols and experts advocating for updates to contactless payment terminals to mitigate the risks associated with ghost tap technology.

While the fight against mobile phishing and carding continues, industry experts emphasize the need for collaboration between stakeholders, including financial institutions, tech companies, and retailers, to bolster security measures and protect consumers from falling victim to fraudulent activities. The evolving landscape of cybercrime necessitates constant vigilance and adaptation to stay one step ahead of threat actors seeking to exploit vulnerabilities in the digital realm.
