Cyber Blog

Cybersecurity experts have uncovered a new and sophisticated method that scammers are using to empty bank accounts directly from ATMs without the need for a physical debit card.

Researchers from cybersecurity firm ESET have identified a dangerous new malware, named NGate, that poses a significant threat to bank customers.

The attack begins with a phishing tactic, where the malicious software is installed on victims’ mobile devices.

“Victims were tricked into downloading the malware after believing they were communicating with their bank due to a message claiming their device was compromised,” explained ESET researchers. “In reality, they had unknowingly installed the malware through an app downloaded from a deceptive SMS link, often disguised as a message about a potential tax refund.”

Once installed, the NGate malware displays a fake website that prompts users to enter their banking details, which are then sent to the attacker’s server. The malware typically requests sensitive information, such as the victim’s date of birth, bank client ID, and PIN code.

The malware then prompts the victim to activate the near-field communication (NFC) feature on their mobile device.

“Next, victims are instructed to hold their payment card against the back of their smartphone until the malicious app reads the card data,” said the researchers.

Unbeknownst to the victims, the NFC data from their bank card is transmitted to the attacker’s Android device via a server, effectively allowing the attacker to clone the bank card on their own device. With this cloned card data, the attacker can then make payments or withdraw funds from ATMs that support NFC transactions.

“This is the first time we’ve seen Android malware with such capabilities actively being used,” ESET warned.

If the attackers fail to withdraw money from ATMs, they have a backup strategy: transferring funds directly from the victims’ bank accounts to other accounts under their control.