Cash-out tactics of fraudsters are of particular interest to financial institutions for obvious reasons: the ability to detect an anomaly in the flow of customer assets that matches a known cash-out tactic makes it possible to protect unsuspecting customers’ assets as well as to detect money laundering schemes as part of anti-fraud compliance.
Knowing that, fraudsters are always on the lookout for new ways to cash out stolen funds, both to avoid detection based on transaction monitoring and to ensure the stability and scalability of the cash-out process, staying anonymous while easily finding new mules.
During our recent investigations, ThreatFabric analysts came across a new cash-out tactic being actively used by threat actors as well as promoted on underground forums. This report is dedicated to explaining this new tactic, which we called “Ghost Tap”. Threat actors use it to cash out money once they have stolen credit card details linked to mobile payment services like Google Pay or Apple Pay, and it involves relaying NFC traffic.