Chinese Cybercriminals Released Z-NFC Tool for Payment Fraud

Cybercriminals have been exploiting the growing popularity of contactless payments by abusing Near Field Communication (NFC) technology to conduct large-scale payment fraud. According to Resecurity, a cybersecurity firm, Chinese cybercriminal groups have released the "Z-NFC tool" to facilitate fraudulent transactions.

The threat actors primarily use Android-based phones, loading multiple cards into mobile wallets for further fraud. In one notable instance, cybercriminals targeted several major banks in the UK, including Barclays, Bank of Scotland, Lloyds Banking Group, Halifax, HSBC, Santander, Wise, and Revolut.

The attackers exploit Host Card Emulation (HCE) to mimic a physical ISO 14443 NFC smart card by registering a service that extends HostApduService. This allows the app to respond to APDU command sequences like a card. APDU (Application Protocol Data Unit) commands are the standardized communication units used between a smart card reader and a smart card.

Cybercriminals manipulate HCE for malicious purposes, processing compromised credit card data via NFC. The lack of Cardholder Verification Method (CVM) for low-value contactless payments below the "Contactless CVM limit" creates an opportunity for exploitation. Attackers execute multiple small transactions while leveraging a high volume of compromised cards.

Furthermore, cybercriminals abuse tap-on-phone software solutions (known as Soft POS), which turn NFC-enabled Android smartphones, tablets, and other handheld devices into payment terminals. With 1.9 billion NFC-enabled phones worldwide, the potential for exploitation is vast.
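The pattern described above, many distinct cards tapped for amounts just under the no-CVM limit at one (often Soft POS) terminal in a short time, is something an issuer or acquirer can look for in its authorisation stream. The following added example is not Resecurity's code or part of the original article; the CVM limit, the review threshold, the window length and the sample authorisations are all constructed assumptions for illustration.

```python
"""Velocity check for sub-CVM-limit contactless taps clustered on one terminal.
Authorisations are grouped per terminal; a terminal that sees `MIN_DISTINCT_CARDS`
or more distinct card tokens, all below the CVM limit with no cardholder
verification, inside one sliding window is flagged for review."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

CVM_LIMIT = 100.00             # assumed contactless CVM limit in the terminal's currency
WINDOW = timedelta(minutes=10)  # assumed sliding window
MIN_DISTINCT_CARDS = 5          # assumed review threshold: many cards, one terminal

# Constructed sample authorisations (not real data):
# (UTC timestamp, terminal id, card token, amount, CVM performed?)
SAMPLE_AUTHS = [
    ("2024-01-15T10:00:05", "TERM-SOFTPOS-01", "tok_a1", 95.00, False),
    ("2024-01-15T10:00:41", "TERM-SOFTPOS-01", "tok_b2", 98.50, False),
    ("2024-01-15T10:01:12", "TERM-SOFTPOS-01", "tok_c3", 99.00, False),
    ("2024-01-15T10:02:03", "TERM-SOFTPOS-01", "tok_d4", 97.25, False),
    ("2024-01-15T10:02:55", "TERM-SOFTPOS-01", "tok_e5", 96.00, False),
    ("2024-01-15T10:03:30", "TERM-SOFTPOS-01", "tok_a1", 94.00, False),  # repeat card, not a new token
    ("2024-01-15T10:01:00", "TERM-SHOP-77", "tok_x9", 4.20, False),      # ordinary small tap
    ("2024-01-15T10:05:00", "TERM-SHOP-77", "tok_y8", 12.00, False),
    ("2024-01-15T10:06:00", "TERM-SHOP-77", "tok_z7", 150.00, True),     # above limit, PIN/biometric done
]

def flag_terminals(auths, cvm_limit=CVM_LIMIT, window=WINDOW, min_cards=MIN_DISTINCT_CARDS):
    """Return {terminal: set_of_card_tokens} for every terminal whose no-CVM,
    sub-limit taps from `min_cards` or more distinct cards fall inside one window."""
    per_terminal = defaultdict(list)
    for ts, term, token, amount, cvm_done in sorted(auths):  # ISO-8601 strings sort chronologically
        # Keep only the pattern of interest: under the limit and no cardholder verification.
        if cvm_done or amount >= cvm_limit:
            continue
        per_terminal[term].append((datetime.fromisoformat(ts), token))

    flagged = {}
    for term, events in per_terminal.items():
        recent = deque()  # events still inside the sliding window
        for t, token in events:
            recent.append((t, token))
            while t - recent[0][0] > window:  # expire events that fell out of the window
                recent.popleft()
            cards = {tok for _, tok in recent}
            if len(cards) >= min_cards:
                flagged.setdefault(term, set()).update(cards)
    return flagged

if __name__ == "__main__":
    for term, cards in flag_terminals(SAMPLE_AUTHS).items():
        print(f"REVIEW {term}: {len(cards)} distinct cards under CVM limit in {WINDOW}")
```

Distinct tokens rather than raw transaction count are what matter here, because a legitimate customer retrying one card looks nothing like a wallet loaded with dozens of compromised cards.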

The Anatomy of the Z-NFC Tool

According to Resecurity's HUNTER unit, a group on Telegram was offering the Z-NFC tool for sale, allowing cybercriminals to conduct fraudulent transactions. Another tool, King NFC, was previously marketed on the Dark Web as an alternative.

The Challenge of Stopping Chinese Cybercriminals

Stopping cybercriminals operating from China presents significant challenges due to geopolitical, technical, and organizational factors. The attackers' use of Android-based phones, HCE, and Soft POS solutions makes these schemes difficult to detect and prevent.

Resecurity's investigation identified multiple Chinese cybercriminal groups targeting Google and Apple Wallet customers. Their tactics, techniques, and procedures (TTPs) center on the abuse of contactless payments and NFC technology for fraudulent purposes.

The Impact of NFC-Enabled Fraud

The Resecurity report highlights several million dollars in damages for one of the top Fortune 100 financial institutions in the United States due to NFC fraud. The incident underscores the severity of this threat and the need for effective measures to prevent it.

The Future of Payment Security

The rapid adoption of NFC technology has created new vulnerabilities. As payment security continues to evolve, it's essential to stay informed about emerging threats like the Z-NFC tool and take proactive steps to protect yourself.

Stay ahead of the threat curve with the latest cybersecurity insights from Resecurity. Follow us on Twitter: @securityaffairs, and on Facebook and Mastodon, for the latest updates and analysis.