The Article Tells The Story of:
- Cybercriminals exploit Apple & Google wallets – Hackers from China turn stolen card data into mobile wallets, bypassing security checks.
- Phishing scams fuel billion-dollar fraud – Fake USPS and toll fee messages trick users into handing over card details.
- “Ghost Tap” app enables global fraud – Criminals relay NFC transactions remotely, draining victims’ funds.
- Banks struggle to keep up – Experts warn current security measures are failing against these evolving threats.
Cybercriminals Exploit Phished Data for Apple & Google Wallet Fraud
Phishing attacks have evolved into a dangerous new fraud method. Hackers steal payment card data and link it to Apple and Google wallets, enabling them to make fraudulent transactions online and in stores. Criminal groups, especially from China, use sophisticated phishing kits that deceive users into providing sensitive financial information.
Many people have received phishing messages claiming to be from postal services or toll road operators. These scams ask users to enter payment details for a supposed fee. Once the victim submits their card details, they receive a one-time code for verification. This code is meant to confirm the user’s intent to link their card to a mobile wallet. However, criminals use this verification process to attach the stolen card to a digital wallet under their control.
Check Out Our Article of X Partners with Visa to Launch Game-Changing X Money Wallet Published on February 16, 2025 SquaredTech
Carding Industry Adopts Mobile Wallets
Carding, the practice of using stolen card data for fraud, is evolving. Previously, Russian hackers dominated this underground market. However, the rise of secure chip-based cards in the U.S. made traditional carding difficult. Now, cybercriminals in China have found a way to bypass these security measures by integrating phished card data into mobile wallets.
Ford Merrill, a security researcher at SecAlliance, found that cybercriminals are loading multiple stolen wallets onto single mobile devices. These phones are then sold in bulk for hundreds of dollars each. Fraudsters use these devices to make unauthorized transactions through fake e-commerce stores set up on platforms like Stripe and Zelle.
Initially, hackers waited up to 90 days before using stolen card data. Now, they act within 7 to 10 days, maximizing their profits before detection.
Ghost Tap: The Latest Fraud Innovation
Hackers also use point-of-sale (POS) terminals to cash out stolen funds. Some even sell an Android app called ZNFC, which allows criminals to relay NFC transactions worldwide. This app enables a scammer to wave a phone at a payment terminal while an accomplice processes the transaction remotely. The app, which costs $500 per month, supports Apple Pay and Google Pay fraud and offers 24-hour customer support for criminals.
Security researchers at ThreatFabric first reported this “ghost tap” technique in late 2024. Organized crime groups in Europe have also adopted this method to withdraw money from ATMs that support smartphone transactions. Experts warn that banks are unprepared for the scale of this fraud.
Advanced Phishing Techniques Fuel Fraud
Phishing scams have become more sophisticated. Attackers can capture data even if users abandon the form before submitting. Many victims are tricked into entering multiple card details after being told their first attempt failed. This increases the number of stolen payment methods available to criminals.
These phishing groups don’t just collect data through fake websites. They also operate large-scale bot farms that generate Apple and Google accounts. These accounts are used to send phishing messages and automate fraud operations. Cybercriminals arrange hundreds of mobile phones in specialized racks to manage phishing attacks in real-time.
Most phishing sites only load on mobile devices, ensuring victims receive one-time codes on the same phone being compromised. Live operators interact with victims to ensure the stolen data is successfully linked to a fraudulent wallet.
Hackers also create realistic digital images of stolen cards, making it easy to scan them into Apple Pay. The system cannot differentiate between an actual card and a high-quality image, allowing seamless fraud execution.
The Scale of Mobile Wallet Fraud
The scale of this scam is staggering. In 2023, security firm Resecurity found that a single phishing group stole over 100,000 card details across 31 fake domains. In 2024, security researcher Grant Smith uncovered more than 438,000 stolen cards linked to 1,133 phishing sites.
Experts estimate that fraudsters generate between $100 and $500 per stolen card. Based on known phishing operations, the total financial impact could exceed $15 billion annually.
Can This Fraud Be Stopped?
Banks and tech companies are struggling to counter this fraud. Some European and Asian banks now require users to verify digital wallet links through their banking apps. However, most financial institutions still rely on SMS one-time codes, which hackers easily exploit.
Retailers may need to upgrade their payment terminals to detect fraudulent NFC transactions. However, replacing POS systems is expensive, and most businesses won’t make the switch until absolutely necessary.
Apple and Google have the power to limit this fraud. They can detect devices with multiple wallets from different locations and flag suspicious accounts. They could also enforce stricter verification processes for mobile wallet enrollment.
Cybercriminals continuously adapt to security measures, making it crucial for banks, tech firms, and law enforcement to stay ahead. As phishing scams grow more advanced, consumers must remain cautious and avoid entering financial details on unverified sites.
Final Thought
Phishing scams are no longer just about stealing passwords. Criminals now turn stolen data into real-world fraud, exploiting weaknesses in mobile payment systems. The financial losses are massive, and without stronger security measures, this problem will only get worse.
Stay Updated: Tech News
