
Tap-to-Pay Scheme Powered by Phishing Leads to Arrests – Krebs on Security


Authorities in multiple U.S. states have now taken action against Chinese nationals involved in a sophisticated tap-to-pay fraud scheme using mobile devices. Reports from law enforcement agencies reveal that the scammers were utilizing mobile wallets created through online phishing scams and a custom Android app to carry out tap-to-pay transactions remotely from China.

In Knoxville, Tennessee, authorities recently apprehended 11 Chinese nationals who were allegedly purchasing substantial amounts of gift cards at local retailers using mobile wallets obtained through online phishing schemes. This operation, as noted by the Knox County Sheriff’s office, marks the first of its kind in the nation and sheds light on a new wave of tap-to-pay fraud tactics.

Chief Deputy Bernie Lyon highlighted the gravity of the situation, emphasizing that these offenders engaged in cross-country travel to exploit stolen credit card information for purchasing gift cards and laundering illicit funds. The arrests led to the recovery of over $23,000 worth of gift cards acquired through unsuspecting victims’ data.

While providing limited information on the exact workings of the scam, Lyon revealed that the fraudsters were utilizing Android phones to execute Apple Pay transactions using compromised card details. The intricate details of the operation were kept under wraps due to an ongoing investigation into the matter.

Security researcher Ford Merrill, from SecAlliance, pointed out the rarity of legitimate use cases for Android phones facilitating Apple Pay transactions. He suggested that custom Android apps, such as the one mentioned in a previous report by KrebsOnSecurity on Chinese phishing cartels, could be enabling these fraudulent activities.

The method employed by these China-based phishing groups involves luring individuals into sharing their payment card data through sophisticated phishing kits disguised as official notifications or alerts. By prompting victims to input their card information and subsequent one-time passcodes, the fraudsters link the data to mobile wallets on Apple and Google devices controlled by the scammers.

Moreover, Merrill uncovered that a particular Chinese phishing group offers an Android app named “Z-NFC” to orchestrate valid NFC transactions worldwide. This malicious software allows fraudsters to relay tap-to-pay transactions remotely from China to terminals that accept Apple Pay and Google Pay. The illicit app is available for rent at $500 per month and supports various digital wallets, making it a lucrative tool for criminal activities.

Recent cases in Sacramento, California, and Tennessee unveiled the extent of this tap-to-pay fraud operation, with Chinese nationals exploiting stolen credit card data to purchase gift cards and merchandise. Despite facing multiple failed transactions due to increased fraud detection measures by financial institutions, the suspects managed to pocket substantial sums through fraudulent transactions.

The prevalence of declining card transactions indicates a growing awareness among banks regarding such fraudulent activities, ultimately resulting in a higher rate of unsuccessful transactions by the fraudsters. As law enforcement agencies continue to crack down on these criminal groups, it remains imperative for individuals to remain vigilant against phishing attempts targeting their financial information.
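The signals described above (a newly provisioned mobile wallet, tap-to-pay gift card purchases far from the cardholder's home, and runs of declines) can be combined into an issuer-side review heuristic. The sketch below is an added example, not code from the article or from any bank; the event schema, field names, look-back window and threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)   # assumed look-back after a wallet is provisioned
MIN_ATTEMPTS = 3              # assumed threshold; tune against real decline data

# Constructed sample events; every field name here is hypothetical.
EVENTS = [
    {"ts": "2025-03-01T09:12", "card": "card-A", "kind": "wallet_provision", "home": "OH"},
    {"ts": "2025-03-04T14:02", "card": "card-A", "kind": "tap", "state": "TN", "gift_card": True, "approved": False},
    {"ts": "2025-03-04T14:05", "card": "card-A", "kind": "tap", "state": "TN", "gift_card": True, "approved": False},
    {"ts": "2025-03-04T14:20", "card": "card-A", "kind": "tap", "state": "TN", "gift_card": True, "approved": True},
    {"ts": "2025-03-02T08:00", "card": "card-B", "kind": "wallet_provision", "home": "CA"},
    {"ts": "2025-03-03T12:30", "card": "card-B", "kind": "tap", "state": "CA", "gift_card": True, "approved": True},
    {"ts": "2025-03-05T18:45", "card": "card-B", "kind": "tap", "state": "NV", "gift_card": False, "approved": True},
    {"ts": "2025-01-10T11:00", "card": "card-C", "kind": "wallet_provision", "home": "TX"},
    {"ts": "2025-03-06T10:00", "card": "card-C", "kind": "tap", "state": "TN", "gift_card": True, "approved": False},
]


def flag_cards(events, window=WINDOW, min_attempts=MIN_ATTEMPTS):
    """Return {card: {"attempts": n, "declined": m}} for cards to review."""
    provisioned = {}                      # card -> (provision time, home state)
    hits = defaultdict(lambda: {"attempts": 0, "declined": 0})
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["kind"] == "wallet_provision":
            provisioned[ev["card"]] = (ts, ev["home"])
            continue
        if ev["kind"] != "tap" or ev["card"] not in provisioned:
            continue
        when, home = provisioned[ev["card"]]
        # Signal: recently provisioned wallet, out-of-state tap, gift card purchase.
        if ts - when <= window and ev["state"] != home and ev["gift_card"]:
            hits[ev["card"]]["attempts"] += 1
            hits[ev["card"]]["declined"] += not ev["approved"]
    return {c: h for c, h in hits.items() if h["attempts"] >= min_attempts}


if __name__ == "__main__":
    for card, stats in flag_cards(EVENTS).items():
        print(card, stats)
```

Only card-A is flagged in the sample: card-B's gift card purchase happens in its home state, and card-C's wallet was provisioned well outside the look-back window.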

The intricate network of China-based phishing cartels operating on social media platforms and encrypted messaging services underscores the need for enhanced cybersecurity measures to combat evolving fraud schemes. By delving into the modus operandi of these criminal groups and raising awareness about the risks associated with mobile payment fraud, authorities aim to mitigate the impact of such illicit activities on unsuspecting victims.
