DBS Bank, a leading financial institution in Singapore, fell victim to a **ghost-tapping** cyberattack targeting its customers' payment cards linked to mobile wallets like **Apple Pay**. Between **October and December 2024**, cybercriminals—primarily Chinese-speaking threat actors—exploited **NFC relay techniques** to conduct **in-person retail fraud** using stolen card credentials. The attack used **automated systems** to harvest compromised DBS Bank cards and add them to mobile wallets at **4-8 minute intervals**, bypassing authentication measures. A total of **656 incidents** were reported, with **502 cases** specifically tied to Apple Pay, resulting in **financial losses exceeding $1.2 million SGD**. The **ghost-tapping ecosystem** leveraged **burner phones**, **NFCGate tools**, and a **criminal supply chain** spanning **Cambodia and China**, enabling real-time relay of tokenized payment data to money mules at retail terminals. The attack exploited **legitimate NFC protocols**, circumventing multi-factor authentication and time-limited security features. While no **large-scale data breach** of DBS’s core systems was confirmed, the incident exposed vulnerabilities in **contactless payment security**, leading to **direct financial fraud** against customers and reputational risks for the bank due to **media coverage** of the sophisticated attack method.
Source: https://cybersecuritynews.com/new-ghost-tapping-attacks-steal-customers-cards/
TPRM report: https://www.rankiteo.com/company/dbs-bank
"id": "dbs540081825",
"linkid": "dbs-bank",
"type": "Cyber Attack",
"date": "12/2024",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'customers_affected': '502 (Singapore, Q4 2024)',
'industry': 'Financial Technology (FinTech)',
'location': 'Cupertino, California, USA',
'name': 'Apple Inc. (Apple Pay)',
'size': 'Large (Global)',
'type': 'Technology Company'},
{'customers_affected': 'Unspecified (Part of 656 total '
'cases)',
'industry': 'Financial Technology (FinTech)',
'location': 'Mountain View, California, USA',
'name': 'Google LLC (Google Pay)',
'size': 'Large (Global)',
'type': 'Technology Company'},
{'customers_affected': 'Targeted in Automated Card '
'Addition Attacks',
'industry': 'Banking',
'location': 'Singapore',
'name': 'DBS Bank',
'size': 'Large (Regional)',
'type': 'Financial Institution'},
{'industry': 'Retail (Luxury Goods)',
'location': 'Global (Mule Operations)',
'name': 'Retailers (Unspecified)',
'size': 'Varies',
'type': 'Business'},
{'customers_affected': '656 (Reported in Singapore)',
'location': 'Global',
'name': 'Consumers (Mobile Wallet Users)',
'type': 'Individuals'}],
'attack_vector': ['Phishing (Credential Harvesting)',
'Mobile Malware',
'NFC Relay (via NFCGate)',
'Automated Card Addition to Mobile Wallets',
'Burner Phone Supply Chain',
'Money Mule Networks'],
'customer_advisories': ["DBS Bank: 'Beware of Ghost-Tapping Scams' (Dec 2024)",
"Apple Support: 'Protect Your Apple Pay from "
"Unauthorized Use'",
"Singapore Police Force: 'Contactless Payment Fraud "
"Alert'"],
'data_breach': {'data_encryption': 'Bypassed (Tokenization Exploited)',
'data_exfiltration': 'Yes (via Phishing/Malware to Criminal '
'Servers)',
'number_of_records_exposed': '656 (Singapore, Q4 2024)',
'personally_identifiable_information': ['Names (Linked to '
'Cards)',
'Email Addresses',
'Phone Numbers',
'Physical Addresses '
'(for Mule '
'Coordination)'],
'sensitivity_of_data': 'High (Financial + PII)',
'type_of_data_compromised': ['Payment Card Numbers',
'Mobile Wallet Tokens',
'CVV/CVC Codes (via Phishing)',
'Banking Credentials '
'(Username/Password)',
'Transaction Histories']},
'date_detected': '2024-10-01',
'date_publicly_disclosed': '2024-12-31',
'description': 'A sophisticated cybercriminal technique called '
"'ghost-tapping' emerged as a significant threat to "
'contactless payment systems, exploiting stolen payment card '
'details linked to mobile wallet services like Apple Pay and '
'Google Pay. The attack leverages NFC relay tactics to '
'facilitate retail fraud, transforming digital theft into '
'physical goods via an elaborate network of mules and '
'automated systems. The campaign spans multiple countries, '
'primarily orchestrated by Chinese-speaking threat actors, and '
'involves a convergence of phishing, NFC relay technology, and '
'a criminal supply chain for burner phones and stolen '
'credentials. Between October–December 2024, 656 compromised '
'mobile wallet cases were reported in Singapore, with 502 '
'specifically targeting Apple Pay, resulting in losses '
'exceeding $1.2 million SGD.',
'impact': {'brand_reputation_impact': ['Erosion of Trust in Apple Pay/Google '
'Pay Security',
'Negative Media Coverage for Affected '
'Banks (e.g., DBS)',
'Consumer Skepticism Toward '
'Contactless Payments'],
'customer_complaints': '656 reported cases (Singapore, Q4 2024)',
'data_compromised': ['Payment Card Credentials (656 cases in '
'Singapore)',
'Mobile Wallet Tokens (Apple Pay: 502 cases)',
'Personally Identifiable Information (via '
'Phishing/Malware)'],
'financial_loss': '$1.2 million SGD (Singapore alone, Q4 2024)',
'identity_theft_risk': 'High (via Phishing/Malware)',
'legal_liabilities': ['Potential Lawsuits from Affected Customers',
'Regulatory Fines for Compliance Violations '
'(e.g., PCI DSS)'],
'operational_impact': ['Increased Fraud Detection Costs for Banks',
'Disruption to Contactless Payment Trust',
'Retailer Chargeback Burden',
'Regulatory Scrutiny on Mobile Wallet '
'Providers'],
'payment_information_risk': 'Critical (Tokenized Card Data Relayed '
'in Real-Time)',
'revenue_loss': ['Direct Fraudulent Purchases (Luxury Goods)',
'Potential Decline in Mobile Wallet Adoption'],
'systems_affected': ['Apple Pay',
'Google Pay',
'DBS Bank Card Systems',
'Retail POS Terminals (NFC-Enabled)',
'Mobile Wallet Authentication Servers']},
'initial_access_broker': {'backdoors_established': ['Persistent Access via '
'Burner Phones',
'NFC Relay Infrastructure '
'for Real-Time '
'Exploitation'],
'data_sold_on_dark_web': ['Compromised Card + '
'Wallet Tokens ($50–$200 '
'per record)',
'Burner Phones Preloaded '
'with 10 Cards ($500 '
'USDT)'],
'entry_point': ['Phishing Emails/SMS (Credential '
'Harvesting)',
'Mobile Malware (e.g., Fake Banking '
'Apps)',
'Dark Web Data Dumps (Previously '
'Breached Cards)'],
'high_value_targets': ['Apple Pay Users (502 Cases '
'in Singapore)',
'DBS Bank Customers '
'(Automated Attacks)',
'Luxury Retailers (for Mule '
'Purchases)'],
'reconnaissance_period': 'Ongoing (Since at Least '
'Q3 2024)'},
'investigation_status': 'Ongoing (Singapore Authorities + Private Sector)',
'lessons_learned': ['NFC Relay Attacks Exploit Legitimate Protocols, '
'Requiring Behavioral Detection',
'Automated Phishing/Malware Campaigns Can Scale Rapidly '
'with Minimal Detection',
'Burner Phone Supply Chains Enable Persistent Fraud '
'Operations',
'Cross-Border Criminal Collaboration Complicates Law '
'Enforcement',
'Mobile Wallet Authentication Needs Adaptive, '
'Context-Aware Controls'],
'motivation': ['Financial Gain',
'Exploitation of Payment System Weaknesses',
'Scalable Fraud Operations',
'Resale of Stolen Goods (Luxury Items)'],
'post_incident_analysis': {'corrective_actions': ['Apple/Google: Mandatory '
'Biometric Reauthentication '
'for Wallet Changes',
'Banks: Real-Time NFC '
'Transaction Monitoring',
'Retailers: Mule Behavior '
'Analytics at POS',
'Regulators: Stricter KYC '
'for Burner Phone '
'Purchases'],
'root_causes': ['Over-Reliance on Static '
'Authentication for Wallet '
'Onboarding',
'Lack of NFC Transaction Context '
'Awareness (e.g., Geolocation)',
'Delayed Detection of Automated '
'Credential Stuffing',
'Fragmented Law Enforcement '
'Response to Cross-Border Fraud']},
'recommendations': [{'actions': ['Implement Device Fingerprinting for Wallet '
'Onboarding',
'Enforce Geofencing for High-Risk '
'Transactions',
'Deploy AI-Based Anomaly Detection for NFC '
'Relay Patterns',
'Collaborate with Banks on Real-Time Fraud '
'Alerts'],
'for': 'Mobile Wallet Providers (Apple/Google)'},
{'actions': ['Shorten MFA Approval Windows to <2 Minutes',
'Block Bulk Card Addition Attempts from '
'Single IPs/Devices',
'Monitor Dark Web for Compromised '
'Credentials',
'Educate Customers on Phishing Risks'],
'for': 'Banks (e.g., DBS)'},
{'actions': ['Train Staff to Identify Mule Behavior '
'(e.g., Bulk Luxury Purchases)',
'Implement POS Transaction Velocity Checks',
'Report Suspicious NFC Transactions to '
'Payment Networks'],
'for': 'Retailers'},
{'actions': ['Target Burner Phone Supply Chains (e.g., '
'@webu8)',
'Disrupt Telegram-Based Criminal '
'Marketplaces',
'Enhance Cross-Border Information Sharing'],
'for': 'Law Enforcement'},
{'actions': ['Enable Transaction Alerts for Mobile '
'Wallets',
'Avoid Storing Cards in Multiple Wallets',
'Regularly Check for Unauthorized Devices in '
'Wallet Apps'],
'for': 'Consumers'}],
'references': [{'date_accessed': '2024-12-31',
'source': 'Recorded Future',
'url': 'https://www.recordedfuture.com'},
{'date_accessed': '2024-12-30',
'source': 'Singapore Police Force (SPF) Advisory',
'url': 'https://www.police.gov.sg'},
{'date_accessed': '2024-12-29',
'source': 'NFCGate GitHub Repository (Legitimate Tool Abused)',
'url': 'https://github.com/NFCGate/NFCGate'},
{'date_accessed': '2024-12-28',
'source': 'DBS Bank Security Bulletin',
'url': 'https://www.dbs.com'}],
'regulatory_compliance': {'legal_actions': ['Ongoing Investigations '
'(Singapore)',
'Potential Charges for Money '
'Mules'],
'regulations_violated': ['Payment Card Industry '
'Data Security Standard '
'(PCI DSS)',
'Singapore Personal Data '
'Protection Act (PDPA)',
'Potential GDPR (for EU '
'Citizens Affected)'],
'regulatory_notifications': ['Monetary Authority of '
'Singapore (MAS)',
'Singapore Police '
'Force (SPF)']},
'response': {'communication_strategy': ['Public Advisories (Singapore '
'Authorities)',
'Customer Alerts (Apple/Google/DBS)',
'Media Statements on Mitigation '
'Efforts'],
'containment_measures': ['Enhanced MFA for Mobile Wallet '
'Onboarding',
'Transaction Velocity Limits',
'Geofencing for Suspicious NFC '
'Transactions'],
'enhanced_monitoring': ['NFC Transaction Anomaly Detection',
'Dark Web Monitoring for Stolen '
'Credentials',
'Telegram Channel Surveillance (e.g., '
'@webu8)'],
'incident_response_plan_activated': 'Likely (by DBS Bank, Apple, '
'Google)',
'law_enforcement_notified': ['Singapore Police Force (656 Cases '
'Reported)',
'Potential INTERPOL Coordination '
'(Cross-Border Crime)'],
'recovery_measures': ['Fraudulent Transaction Reversals',
'Compensation for Affected Users',
'Collaboration with Retailers to Flag Mule '
'Activity'],
'remediation_measures': ['Patch NFC Protocol Vulnerabilities',
'Customer Notification & Card '
'Reissuance',
'Phishing Awareness Campaigns'],
'third_party_assistance': ['Recorded Future (Threat '
'Intelligence)',
'Singapore Authorities '
'(Investigation)',
'Cybersecurity Firms (Forensic '
'Analysis)']},
'stakeholder_advisories': ['Singapore Monetary Authority (MAS) – Fraud Risk '
'Warning',
'Apple Security Update (iOS 17.3+ NFC Protections)',
'Google Pay Fraud Prevention Guide'],
'threat_actor': [{'affiliation': 'Chinese-Speaking Cybercriminal Syndicate',
'language': 'Chinese',
'location': ['Cambodia', 'China'],
'name': '@webu8 (Telegram Handle)',
'role': 'Supplier of Burner Phones, Ghost-Tapping Services, '
'and Stolen Credentials',
'tools_used': ['NFCGate (Repurposed Android App)',
'Automated Card Addition Scripts',
'Telegram for Criminal Coordination']},
{'affiliation': 'Southeast Asian Cybercrime Networks',
'language': 'Chinese',
'location': ['Cambodia',
'China',
'Singapore (Targeted)',
'Global (Victims)'],
'name': 'Unnamed Criminal Syndicates',
'role': ['Phishing Operators',
'Money Mules',
'Logistics Coordinators',
'Dark Web Data Brokers'],
'tools_used': ['Custom NFC Relay Servers',
'Automated Phishing Kits',
'Mobile Malware (Credential Theft)']}],
'title': 'Ghost-Tapping Cyber Fraud Campaign Targeting Mobile Wallet Payment '
'Systems (Apple Pay, Google Pay)',
'type': ['Financial Fraud',
'Payment System Exploitation',
'NFC Relay Attack',
'Phishing-Enabled Fraud',
'Organized Cybercrime'],
'vulnerability_exploited': ['Weak Authentication in Mobile Wallet Onboarding',
'NFC Protocol Abuse (Legitimate Traffic Relay)',
'Bypass of Time-Limited MFA Windows',
'Lack of Geofencing for Transaction Validation',
'Exploitable Gaps in Contactless Payment '
'Tokenization']}