NFC malware empties Czech bank accounts
An attacker combines phishing and malware to copy bank cards and withdraw money via NFC. This was observed in the Czech Republic.
Android malware that copies and transmits data from NFC cards has been found in the wild by the Slovakian IT security company ESET. Over a period of several months, it was used to empty third-party accounts at three Czech banks. A suspect has been in custody since March, but copycats are probably only a matter of time. The malware called NGate is said to be based on software written by students at the Technical University of Darmstadt and published for research purposes.
This software is called nfcgate and collects, analyzes and modifies data transmitted via NFC connections. The purpose is to deepen the understanding of transmission protocols and determine their security. According to ESET, unknown persons have used the Darmstadt code to program the NFC malware NGate for illegal purposes.
NFC stands for Near Field Communication, a technology now more than 20 years old for the contactless transmission of data over a distance of a few centimeters. NFC chips are used, for example, in cell phones, access cards, tickets and bank cards. The majority of German consumers now make contactless payments thanks to NFC. Bank cards with NFC have also long been standard in the Czech Republic. The perpetrator or perpetrators took advantage of this.
Multi-stage attack
The attacks began with text messages, probably sent to random Czech cell phone numbers. These promised the payment of a tax credit, which required the installation of a linked app that runs directly in the browser (Progressive Web App, PWA). No, this was not the NFC malware. Anyone who installed the app and entered their bank details gave the criminals access to their own bank account. This was followed by a call from a person pretending to be a "helpful bank employee". This person informed the victim (factually correct) that he had been the victim of an IT attack.
According to the story, the "necessary remedy" was to install another app to quickly change the PIN for their bank card. To do this, the victim was sent to websites mimicking the Google Play Store to download and install the NGate malware. This was then the NFC malware. (ESET did not find it in the real Google Play Store.) The software mimics the interface of real banking apps and asks for the customer number, date of birth and PIN. It also instructs the user to hold the appropriate bank card to the device. If necessary, the user is also asked to activate NFC on their cell phone.
In reality, none of this is intended to secure the bank account; instead, the malware sends the PIN and the NFC card data to the rooted Android phone of the perpetrator. In the Czech Republic, a masked man then used such a cell phone at NFC-enabled ATMs to withdraw money from the victim's account. Thanks to the access to the victim's online banking gained through the first app, the perpetrators were able to increase the withdrawal limits beforehand.
Root not required
Incidentally, the victims' cell phones did not have to be rooted, emphasizes ESET. Its researchers have tracked down NGate variants for six different Czech banks, always signed with the same developer certificate.
Successful attacks on customers of three Czech banks are known. When the Czech police arrested a 22-year-old suspect in March, he had the equivalent of more than 6,000 euros on him. The cash is said to have come only from his last three victims, which is why the amount of damage is likely to be many times higher. The police are asking victims to file a complaint and, if possible, to tell them at which ATM their account was emptied.
Incidentally, if the perpetrators did not succeed in getting the victim to install the NFC malware, they were happy to enrich themselves by making transfers to other people's accounts. The first app was enough to do this, even without NFC.
(ds)