Cybersecurity researchers say scammers have found a sophisticated way to drain bank accounts directly from ATMs – without needing a debit card in hand.
Experts at the cybersecurity software firm ESET say they’ve discovered a dangerous and unprecedented type of malware they’re calling NGate.
To begin the attack, scammers deploy a phishing technique to embed the malicious software in victims’ mobile devices.
“Victims downloaded and installed the malware after being deceived into thinking they were communicating with their bank and that their device was compromised. In reality, the victims had unknowingly compromised their own Android devices by previously downloading and installing an app from a link in a deceptive SMS message about a potential tax return…
After being installed and opened, NGate displays a fake website that asks for the user’s banking information, which is then sent to the attacker’s server.”
Some of the information the NGate banking malware asks for includes the victim’s date of birth, their banking client ID and the PIN code for their banking card.
Once installed and opened, the NGate malware prompts victims to turn on their mobile device’s near-field communication (NFC) feature.
“Then, victims are instructed to place their payment card at the back of their smartphone until the malicious app recognizes the card.
What’s happening behind the scenes is that the NFC data from the victim’s bank card is being sent through a server to the attacker’s Android device. Essentially, this allows the attacker to mimic the victim’s bank card on their own device. This means the attacker can now use this copied card data on their Android device to make payments and withdraw money from ATMs that use NFC…
This is the first time we have seen Android malware with this capability being used in the wild.
If the attackers fail to carry out ATM transactions, their fallback plan is to transfer funds from the bank accounts of their victims to other accounts.
So far, researchers say the scammers have appeared to target banks in the Czech Republic.
“During our investigation, we identified six different NGate apps specifically targeting clients of three banks in Czechia between November 2023 and March 2024.
In a substantial breakthrough, the Czech police apprehended a 22-year-old, who had been stealing money from ATMs in Prague. Upon arrest, the suspect had 160,000 Czech korunas in his possession, an amount equivalent to over 6,000 euros (approximately US$6,500). The nationality of the arrested individual has not been disclosed. According to the Czech police, the money recovered from the suspect was stolen from just the last three victims, so it is likely that the total amount stolen by the threat actor behind this scheme is considerably higher.”
Generated Image: Midjourney