
New payment-card scam involves a phone call, some malware and a personal tap

Financial institutions should be on alert for a scam that combines social engineering, previously undocumented malware and mobile phones’ near-field communication (NFC) capabilities to compromise payment cards, researchers said Friday.

The fraudsters target Android devices with “a series of well-orchestrated steps” that allow them to steal money from individual victims, according to Cleafy, the cybersecurity firm that tracked the scheme in its home country of Italy.

The malware, which Cleafy is calling SuperCard X, overlaps with malicious code first reported by researchers at Slovakia-based ESET in 2024. Dubbed NGate, that malware was used to steal money from customers of three Czech banks. The abuse of NFC technology — when a device recognizes a nearby item like a payment card — is new, Cleafy says.

The Italian job works like this: The hackers reel in a potential victim with a scary text message that impersonates a bank fraud alert. If the recipient calls the associated phone number, they’re directed to take more steps to “secure” their account. The hackers ask for PINs and try to get victims to remove any spending limits on the card. 

The SuperCard X malware comes next, Cleafy says, as the attackers typically text a link “often disguised as a security tool or a verification utility.” 

“As the final stage of the manipulation, the [threat actors] instruct the victim to bring their physical debit or credit card into proximity to their infected mobile device,” Cleafy says. “The SuperCard X malware then silently captures the card details transmitted via NFC.”

The NFC process “allows the attacker to access the stolen funds instantly and potentially outside traditional fraud channels that typically involve bank transfers,” the report says.

SuperCard X appears to be malware-as-a-service (MaaS) offered by “Chinese-speaking” hackers, Cleafy says, meaning that the people who created the code aren’t necessarily those who are using it in Italy.  

“The nature of MaaS enables multiple affiliates to operate locally within their own regions or areas of specific interest,” the report says. “Consequently, we cannot exclude the possibility of similar or related campaigns being active in other regions globally.”

Cleafy also notes that in similar payment-card scam operations, specific banks often are the targets, but in the SuperCard X campaign, any card is potentially up for grabs. “[T]he operational context of this attack is mainly agnostic of the financial institution involved since the ultimate target of the fraudsters is the customers’ debit or credit cards, regardless of the issuing bank,” the researchers say.

Cybersecurity companies and law enforcement agencies have been warning about the rise of fraud involving NFC technology. U.S. authorities arrested two Chinese nationals earlier this year in a “tap to pay” scam.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years of experience as an editor and writer in the Washington, D.C., area. He previously helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.