A new way to steal from ATMs. CERT Polska reveals details


In recent months, the CERT Polska team has observed new samples of mobile malware related to the NFC Relay (NGate) attack targeting Polish bank users.
The aim of such an attack is to enable unauthorized cash withdrawals from ATMs using the victims' payment cards. CERT Polska, the network incident response team operating at the NASK research institute, which receives reports of suspicious and unusual events, explained that the criminals do not physically steal the card: instead, they relay the card's NFC traffic from the victim's phone to a criminal's device held at the ATM.
How the NFC Relay attack works
According to CERT Polska, the victim first receives a phishing message (e-mail or SMS) about an alleged technical problem or security incident. Its link leads to a page that prompts the victim to install an application. The contact may also be a phone call from a purported bank “employee”: the fraudster calls, posing as a bank employee, to “confirm the customer's identity” and to legitimize the installation of the application. The victim also receives an SMS that supposedly confirms the identity of the alleged employee.
The victim is then asked in the app to verify their payment card directly in its interface: they must hold the physical card against the phone (NFC) and then enter the card's PIN on the on-screen keypad.
“When the victim brings the card to the reader, the application captures the card's NFC data (the same data that flows through the terminal/ATM) and sends it via the Internet to the attacker's device located at the ATM (or to the Command&Control server, which then sends it to the device at the ATM). The attacker's device recreates this data in the ATM. Thanks to the transferred card data and PIN, the attacker withdraws cash,” explained CERT.
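As an added illustration (not CERT Polska's material and not the malware's code), the following Python simulation models the relay described above. Everything in it is constructed: the card and its two answers (the SELECT PPSE command header is the standard EMV contactless one, the response bodies are made up), the card's processing time, the network delay of the relay and the terminal's round-trip threshold. It shows the property that makes the attack work (the ATM receives byte-for-byte the answers the real card gave, so the data alone cannot reveal the relay) and the one check a terminal can apply on its own: a relayed command is answered far later than a card lying on the reader could manage.

```python
"""
Deterministic simulation of an NFC relay of the kind CERT Polska describes.

Added example, not code from CERT Polska or from the malware. The card, its
answers, the timings and the terminal's threshold are all constructed.
"""
from dataclasses import dataclass

SW_OK = bytes.fromhex("9000")              # ISO 7816 status word: success
SW_FILE_NOT_FOUND = bytes.fromhex("6A82")  # status word for an unknown command/file

# Standard EMV contactless SELECT PPSE header (name "2PAY.SYS.DDF01") and a
# GET PROCESSING OPTIONS command; both response bodies are made-up TLVs.
SELECT_PPSE = bytes.fromhex("00A404000E325041592E5359532E444446303100")
GET_PROCESSING_OPTIONS = bytes.fromhex("80A8000002830000")
CARD_RESPONSES = {
    SELECT_PPSE: bytes.fromhex("6F10840E325041592E5359532E4444463031") + SW_OK,
    GET_PROCESSING_OPTIONS: bytes.fromhex("770A8202190094041801010000") + SW_OK,
}


class SimClock:
    """Millisecond clock that only moves when the simulation says so."""
    def __init__(self) -> None:
        self.now_ms = 0.0

    def advance(self, ms: float) -> None:
        self.now_ms += ms


class Card:
    """The victim's contactless card (constructed)."""
    PROCESSING_MS = 5.0  # assumption: a card on the reader answers within a few ms

    def __init__(self, clock: SimClock) -> None:
        self.clock = clock

    def transceive(self, apdu: bytes) -> bytes:
        self.clock.advance(self.PROCESSING_MS)
        return CARD_RESPONSES.get(apdu, SW_FILE_NOT_FOUND)


class VictimPhone:
    """Malicious app on the victim's phone: the card lies on its NFC reader and
    every command arriving over the network is passed to the card unchanged."""
    def __init__(self, card: Card) -> None:
        self.card = card

    def handle_from_network(self, apdu: bytes) -> bytes:
        return self.card.transceive(apdu)


class RelayLink:
    """Internet path between the phone at the ATM and the victim's phone
    (directly or via a C2 server); it only adds delay and keeps a log."""
    def __init__(self, clock: SimClock, victim: VictimPhone, one_way_ms: float) -> None:
        self.clock, self.victim, self.one_way_ms = clock, victim, one_way_ms
        self.log: list[tuple[bytes, bytes]] = []

    def forward(self, apdu: bytes) -> bytes:
        self.clock.advance(self.one_way_ms)            # ATM-side phone -> victim phone
        resp = self.victim.handle_from_network(apdu)
        self.clock.advance(self.one_way_ms)            # victim phone -> ATM-side phone
        self.log.append((apdu, resp))
        return resp


class AttackerPhone:
    """Phone held at the ATM, emulating a card (HCE). It holds no card data of
    its own; every ATM command is answered with whatever the relay brings back."""
    def __init__(self, link: RelayLink) -> None:
        self.link = link

    def transceive(self, apdu: bytes) -> bytes:
        return self.link.forward(apdu)


@dataclass
class TransactionResult:
    responses: list[bytes]
    rtts_ms: list[float]
    relay_suspected: bool


class Terminal:
    """ATM contactless reader with one relay countermeasure: it times each
    command/response pair and flags the session if any round trip is too slow."""
    MAX_RTT_MS = 50.0  # assumption: a generous bound for a card physically on the reader

    def __init__(self, clock: SimClock) -> None:
        self.clock = clock

    def run_transaction(self, card_like) -> TransactionResult:
        responses, rtts = [], []
        for cmd in (SELECT_PPSE, GET_PROCESSING_OPTIONS):
            t0 = self.clock.now_ms
            responses.append(card_like.transceive(cmd))
            rtts.append(self.clock.now_ms - t0)
        return TransactionResult(responses, rtts, any(r > self.MAX_RTT_MS for r in rtts))


def direct_transaction() -> TransactionResult:
    """Genuine card on the ATM reader, no relay."""
    clock = SimClock()
    return Terminal(clock).run_transaction(Card(clock))


def relayed_transaction(one_way_ms: float = 120.0) -> TransactionResult:
    """Card on the victim's phone, attacker's phone at the ATM, relay in between."""
    clock = SimClock()
    link = RelayLink(clock, VictimPhone(Card(clock)), one_way_ms)
    return Terminal(clock).run_transaction(AttackerPhone(link))


if __name__ == "__main__":
    direct, relayed = direct_transaction(), relayed_transaction()
    print("identical responses:", direct.responses == relayed.responses)
    print("direct RTTs (ms):", direct.rtts_ms, "relay suspected:", direct.relay_suspected)
    print("relayed RTTs (ms):", relayed.rtts_ms, "relay suspected:", relayed.relay_suspected)
```

The two runs return identical responses, which is the point: nothing in the APDU stream distinguishes the attacker's phone from the real card, and the PIN is simply typed in by the attacker, so only the issuer's monitoring or a timing bound at the terminal can catch the relay. The timing check is a weak one: `relayed_transaction(one_way_ms=10.0)` stays under the constructed 50 ms threshold, which is why a low-latency relay channel evades simple timing limits and why schemes define dedicated relay-resistance protocols instead.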
Thieves targeted ATM users
Santander Bank Polska announced last Sunday that its monitoring had detected criminal transactions made with customers' payment cards and that it had implemented measures that stopped the criminals from continuing. The police received approximately 200 reports in this case.
The bank said the stolen funds had been returned to all affected customers; the refund was automatic and customers do not have to file a complaint. According to the bank, it “was not a mass incident” and did not involve a breach of the integrity of its banking systems. The problem affected a “small number” of customers, roughly several hundred, was regional in nature and involved transactions at only a few ATMs, Santander said, emphasizing that no personal data of the bank's customers had leaked. Santander also filed a report with the police.
The investigation into the case was initiated by the District Prosecutor's Office in Bydgoszcz. According to deputy district prosecutor Agnieszka Adamska-Okońska, this is a collective investigation into the theft of money from bank accounts of Santander bank customers, covering all cases in the country.
The bank, for its part, said that, as it had suspected, the cause of the incident was the installation of skimming overlays on ATMs belonging to a cooperating network, and that the technical teams of the operator of those machines are inspecting the affected ATMs. It also appealed to customers to pay special attention to the appearance of ATMs and to check whether anything suggests tampering by third parties.
Banks urge users to exercise caution
Tadeusz Białek, president of the Polish Bank Association, said at a recent conference that the main target of cybercriminals today is customers of the financial sector, who are attacked with advanced social-engineering and manipulation techniques. He added that the banking sector had recently taken a number of organizational steps to limit cybercriminals' options.
Depending on the situation, bank customers are asked to provide an additional code, to call a hotline or, in some cases, to visit a bank branch. Banks have also introduced solutions that let a customer immediately verify whether a caller claiming to be a bank employee really is one.
The president of the Polish Bank Association added that banks had decided to conduct large-scale educational campaigns. — I think everyone has come across spots on social media, on the radio and on television which were prepared as part of the educational campaigns of the Polish Bank Association. They show the most common patterns of cybercriminals' activities and remind us of the need to pay attention to digital threats that appear in everyday life, said Tadeusz Białek. The police are also involved in the educational campaign.
Michał Polak, vice-president of the Warsaw Banking Institute, which commissioned the study “Poles' attitudes towards cybersecurity”, stated that cybersecurity is no longer the domain of specialists. – In the current reality, it must be the domain of all of us, regardless of age, education and profession – he emphasized.