New Ghost-Tapping Attacks Compromise Customers’ Payment Cards Linked to Services Such as Apple Pay and Google Pay
A sophisticated new cybercriminal technique known as “Ghost-Tapping” has emerged as a significant threat to contactless payment systems. This method enables Chinese-speaking threat actors to exploit stolen payment card details linked to mobile wallet services such as Apple Pay and Google Pay. Ghost-Tapping leverages Near Field Communication (NFC) relay tactics to facilitate retail fraud, allowing cybercriminals to convert digital theft into physical goods through an elaborate network of mules and automated systems.
This ecosystem represents a convergence of traditional phishing techniques with cutting-edge NFC relay technology, creating an end-to-end fraud operation that spans multiple countries and involves various criminal roles. Unlike conventional card fraud that relies solely on online transactions, Ghost-Tapping allows criminals to conduct in-person purchases at retail stores, making detection significantly more challenging for traditional fraud monitoring systems.
Recent data from Singapore authorities illustrates the scale of this emerging threat, with 656 reports of compromised payment cards involving mobile wallets recorded between October and December 2024, resulting in losses exceeding $1.2 million SGD. Of these incidents, at least 502 cases specifically involved compromised cards linked to Apple Pay, highlighting the particular vulnerability of popular mobile payment platforms to this attack method.
Recorded Future analysts identified key threat actors operating on Telegram, particularly @Webu8, who advertises specialised burner phones and Ghost-Tapping services to Chinese-speaking criminal syndicates. Through extensive research and direct engagement with these threat actors, analysts uncovered a sophisticated criminal infrastructure that extends across Southeast Asia, with operations centred in Cambodia and China but targeting victims globally.
The Ghost-Tapping attack chain begins with cybercriminals using automated systems to harvest payment card credentials through phishing campaigns and mobile malware. These stolen credentials are then systematically added to contactless payment wallets on burner phones using proprietary software that can bypass traditional authentication measures.