Contactless, Not Riskless: China-Based Threat Actors Exploit Philippine Payment Systems

Published Date: July 11, 2025

Category: ShadowOpsIntel

The Philippines has embraced contactless payments and mobile wallets, increasing financial inclusion and convenience. However, this digitization has also exposed the financial system to widespread cyber fraud, particularly via NFC (Near Field Communication) technologies. The country has become a primary target for Chinese cybercriminals, who are leveraging advanced tools and underground infrastructures to exploit vulnerabilities in mobile payment systems.

Severity Level: High

Threat Details

Threat Type: NFC-enabled fraud, smishing, carding, and laundering via fake POS terminals.
Primary Actors: Chinese-speaking cybercriminal syndicates, including Smishing Triad.
Infrastructure:
- Telegram bots like Panda Shop, Lita’s Shop, Hulk Vault
- Fake merchants and POS terminals with malicious firmware and eSIMs
- Tools like Z-NFC, X-NFC, Track2NFC, and SuperCard X for card emulation
Fraud Techniques:
- Smishing kits used to phish Filipino users and harvest payment credentials.
- Host Card Emulation (HCE) on smartphones to clone cards and perform unauthorized NFC transactions.
- Use of Telegram bots and Dark Web forums for the sale, validation, and monetization of stolen card data.
Primary Target: Philippines (especially Metro Manila), due to its high contactless payment adoption.
Other Impacted Regions: Southeast Asia, Asia-Pacific, and Western Countries
Affected Sectors: Financial Services, Retail & Hospitality, Telecom, E-commerce & Online Services, Law Enforcement & Banking Regulators

Attack Flow

Phishing/Smishing: Victims receive fake SMS messages leading to phishing pages mimicking banks or e-wallets.
Card Harvesting: Compromised card data is captured and stored.
Card Emulation: Using tools like Track2NFC, attackers simulate contactless transactions via cloned cards on mobile devices.
Transaction Execution: Fraudulent POS terminals simulate legitimate retail activity to launder money.
Money Laundering: Local money mules are recruited to cash out or redistribute funds.
Dark Web Monetization: Compromised data is sold through Telegram bots and carding shops.

Recommendations

Enforce strict geolocation and transaction monitoring for POS terminals.
Educate users on NFC wallet security and fraudulent pairing.
Promote two-factor authentication and alert settings for transactions.
Conduct anti-fraud awareness sessions for merchants and front-line support teams.
Mandate enhanced KYC for onboarding merchants and terminal owners.
Enhance dark web monitoring capabilities to track emerging threats, cloned card data, and merchant abuse related to local institutions.

MITRE ATT&CK

Tactic	Technique	ID	Details
Initial Access	Spear phishing via Service	T1192	Use of impersonated telecom messages to lure victims into installing malicious apps
Execution	Mobile Malware Execution	T1406	Custom mobile malware with NFC and SMS sniffing capabilities
Persistence	Modify System Partition	T1409	Persistence via installation of root-level mobile app
Credential Access	Input Capture (Keystrokes, Screens)	T1417	Captures keystrokes and screen content via malware
Collection	Automated Collection	T1119	Automatic harvesting of SMS, contacts, NFC data
Command & Control	Encrypted Channel	T1041	Uses HTTPS or spoofed C2 domains for exfiltration
Exfiltration	Exfiltration Over Alternative Protocol	T1048	Data exfiltration over NFC or hidden HTTPS channels

Source:

https://www.resecurity.com/blog/article/chinese-threat-nfc-enabled-fraud-in-the-philippines-financial-sector

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.