SuperCard X Malware Threatens Banking Security with NFC Relay Attacks


By Tina Reynolds


SuperCard X is a newly discovered malware-as-a-service (MaaS) platform that lets cybercriminals carry out near-field communication (NFC) relay attacks and fraudulently cash out millions of dollars from victims’ accounts. The platform specifically targets customers of banking institutions and card issuers in Italy, raising the risk of systemic financial fraud.

SuperCard X uses a new, previously undocumented NFC relay technique that intercepts NFC communications on compromised devices and relays them to attacker-controlled hardware. With this technique, attackers can capture payment card data and make unauthorized transactions without the victim ever noticing.

Understanding SuperCard X and Its Functionality

SuperCard X functions as a MaaS platform: cybercriminals must sign up for an account before they can use the service’s tools. With a valid account, attackers can push new malicious applications directly to potential victims. These apps trick users into handing over sensitive information, for instance by instructing victims to read out their bank account log-in details over the phone.

The malware’s infection chain employs a TOAD (Telephone-Oriented Attack Delivery) approach that mixes social engineering with technical exploitation. According to cybersecurity analysts Federico Valentini, Alessandro Strino, and Michele Roviello, the campaign “employs a multi-stage approach combining social engineering (via smishing and phone calls), malicious application installation, and NFC data interception for highly effective fraud.”

The Tapper app is the key to this elaborate setup. Installed on the threat actor’s device, it acts as the receiving end for card data captured by the infected app on the victim’s phone. Worse, the Tapper app is able to emulate the victim’s card, fooling Point of Sale (PoS) terminals and ATMs into accepting fraudulent transactions.

The Mechanics of NFC Relay Attacks

Unfortunately, SuperCard X’s main functionality is what sets it apart. Using this technique, cybercriminals intercept NFC communications from compromised smartphones and relay the data to devices under their control. By relaying these messages, attackers can make cash withdrawals and purchases as if they were the real cardholder.

This novel fusion of malware and NFC relay gives attackers the ability to carry out fraudulent cash-outs using debit and credit cards. “This simple solution has proven to be very effective, particularly with respect to the goal of reducing contactless ATM withdrawals,” explained Valentini, Strino and Roviello. These attacks can be performed with frightening simplicity, and they present a tremendous risk to consumers and to the underlying financial ecosystem.
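To make the relay mechanics concrete from a defender’s side, here is an added simulation; it is not code from the article or from the SuperCard X operators. It models the chain described above (terminal, attacker’s Tapper phone, C2, Reader malware on the victim’s phone, victim’s card) with a virtual clock, and shows the one thing a terminal can observe even though the card’s answers are byte-for-byte identical: a relayed tap takes far longer to answer than a genuine tap. The round-trip-time check is a distance-bounding-style mitigation that the article does not discuss; the latencies, the 50 ms threshold, the placeholder AID and all class names are constructed assumptions for illustration only.

```python
"""Constructed simulation of an NFC relay chain plus a terminal-side
round-trip-time check. Nothing here is the malware's code; every value is
an assumption chosen for illustration."""
from dataclasses import dataclass

# Constructed ISO 7816-4 SELECT command; the 7-byte AID is a placeholder,
# not any real payment scheme's application identifier.
SELECT_APDU = bytes.fromhex("00A4040007A0000000000000")
SW_OK = b"\x90\x00"  # ISO 7816 status word meaning "success"


class VirtualClock:
    """Deterministic clock so the timing check is reproducible in tests."""

    def __init__(self) -> None:
        self.now_ms = 0.0

    def advance(self, ms: float) -> None:
        self.now_ms += ms


class SimulatedCard:
    """Stand-in for the victim's contactless card: answers SELECT with a
    constructed file-control template, anything else with 'file not found'."""

    def exchange(self, apdu: bytes) -> bytes:
        if apdu[:4] == bytes.fromhex("00A40400"):
            return b"\x6f\x02\x84\x00" + SW_OK
        return b"\x6a\x82"


@dataclass
class LocalTap:
    """Genuine tap: the terminal talks to the card over the air, one short hop."""
    card: SimulatedCard
    clock: VirtualClock
    air_ms: float = 5.0  # assumed over-the-air latency per APDU

    def exchange(self, apdu: bytes) -> bytes:
        self.clock.advance(self.air_ms)
        return self.card.exchange(apdu)


@dataclass
class RelayedTap:
    """Relay chain from the article: terminal -> attacker's Tapper phone -> C2
    -> Reader malware on the victim's phone -> victim's card, and back."""
    card: SimulatedCard
    clock: VirtualClock
    air_ms: float = 5.0
    network_leg_ms: float = 120.0  # assumed cost of one C2 hop, each direction

    def exchange(self, apdu: bytes) -> bytes:
        self.clock.advance(self.network_leg_ms)  # Tapper -> C2 -> Reader app
        self.clock.advance(self.air_ms)          # Reader app taps the real card
        response = self.card.exchange(apdu)
        self.clock.advance(self.network_leg_ms)  # Reader app -> C2 -> Tapper
        return response


def terminal_exchange(tap, clock: VirtualClock, apdu: bytes = SELECT_APDU,
                      max_rtt_ms: float = 50.0) -> dict:
    """Terminal-side check (hypothetical): time the first APDU round trip and
    flag latency that is implausible for a card held against the reader.
    The response bytes are the same either way; only the timing differs."""
    start = clock.now_ms
    response = tap.exchange(apdu)
    rtt = clock.now_ms - start
    return {"response": response, "rtt_ms": rtt, "suspected_relay": rtt > max_rtt_ms}


if __name__ == "__main__":
    card = SimulatedCard()
    genuine_clock, relay_clock = VirtualClock(), VirtualClock()
    print("genuine:", terminal_exchange(LocalTap(card, genuine_clock), genuine_clock))
    print("relayed:", terminal_exchange(RelayedTap(card, relay_clock), relay_clock))
```

The point the simulation makes is that inspecting the card’s responses cannot distinguish a relayed card from a present one, which is why real contactless schemes lean on timing bounds and on issuer-side risk controls rather than on the APDU content alone.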

SuperCard X also demonstrates notable technical sophistication. It uses mutual TLS (mTLS), in which client and server authenticate each other with certificates, to secure communication with its Command-and-Control (C2) infrastructure. This makes it harder for security researchers to intercept or impersonate the malware’s C2 traffic, and as a consequence the malware can operate under the radar while carrying out its fraud.

Implications for Financial Institutions

With the rise of SuperCard X, banking institutions and payment providers face a different type of threat. At a time when cybercriminals are using more advanced techniques than ever before, financial institutions are challenged to strengthen their defenses and safeguard customers from these attacks.

“This novel campaign introduces a significant financial risk that extends beyond the conventional targets of banking institutions to affect payment providers and credit card issuers directly,” remarked Valentini, Strino, and Roviello. If fraudulent activity of this kind becomes widespread, the danger is grave. It is essential that the financial industry work together to invest in better security measures and educate consumers on safe banking practices.