Lord777
Professional
- Messages
- 2,579
- Reaction score
- 1,513
- Points
- 113
In fact, there are several carding schemes. The first one, which is well known to many, is that scammers acquire a database with user data. Such databases are sold on the darknet. Data is usually "merged" by employees – current or former-of the companies where customers provide their personal data. In addition, databases are attacked by hackers, and people's personal data becomes available to carders. Further, the fraudster acts according to the following scheme:
1. A call to a potential victim (most often, of course, not the carder himself calls, but his "subordinate", who introduced himself as an employee of the bank's security service).
2. A message about a "suspicious" transaction for a large amount, that is awaiting confirmation from the cardholder (plastic holder). A concerned person, of course, will answer that they did not perform or plan any such operations.
3. Next, the fraudster reports that the "client" has been attacked by fraudsters (in this case, this is the true truth). And to protect your funds, it asks you to dictate a four-digit code that will be received via text message. That's it, the money is debited.
The code is generated by the payment aggregator used by the online store. Here we come to the second popular carding scheme on the Internet.
I think you've seen online ads selling products from the United States and Europe at fairly low prices. Using popular Internet services to place ads for the sale of goods, criminals sell things purchased with cardholders ' money in foreign online stores.
There are several variations of the scheme. The first one, which you already know, is described above. Another scheme assumes that there is no two-factor authentication (i.e. an SMS message with a one-time code required for debiting funds). In such cases, you only need to know the card details, including the three-digit code on the back, to make a payment.
This code can be obtained in several ways:
1. directly from the owner of the plastic by misleading;
2. as a result of hacking the user's computer or smartphone;
3. Unfortunately, there are also cases when the code was read from the servers of payment aggregators or bona fide stores that were attacked by hackers.
For some online stores and payment systems, this data may be sufficient. Finding a store that accepts payments using a CVV code is not an easy task, but such stores do exist. Their search on the web is one of the main activities of the carder.
I would also recommend following the following rule. If the seller asks you to transfer money through some little-known payment service, the name of which does not mean anything to you-refrain from buying. In most cases, two-factor authentication and other security methods are used.
Cookies are files that are sent to your device when you visit a particular website. You've probably seen a pop-up message that reads something like this: "This site uses cookies, please confirm access for your security, etc." This label often interferes with viewing content, and in most cases we just click "Accept" to make the annoying banner disappear. What are these files, and what information do they collect about you?
In most cases, cookies are absolutely safe. Their main function is to identify you as a unique user. It is known that many sites earn money from advertising. In this case, the site owner's revenue depends on the number of pageviews.
In addition, when you register on a website, such as an online store, you create an account. Often, card details are also linked to the user's account, so that you don't have to enter them again every time you make a payment.
How can they be dangerous? The most harmless thing is that your data can be used for intrusive advertising. Sometimes website owners sell cookies to advertisers along with information about you. In addition, there is also contextual advertising, when cookies are used to track the history of your requests. Methods of obtaining data in these cases are not always legal, but this is a separate topic.
It also happens that cookies are intercepted by a hacker in order to create a copy of them and act on your behalf, including carding using your account.
VBV и MCSC are two-factor authentication methods without using a phone number. In this case, the plastic cardholder creates a password for making payments and sets it to the card via an ATM or the bank's website. These methods are not very popular in Russia and the CIS countries, but they are widely used in the West. These codes are more vulnerable than SMS authentication, because they are used repeatedly.
The carding scheme works like this:goods are paid for with someone else's credit card, and delivery is made to the address of the drop (figurehead). The procedure for entering data for making a payment is called "driving in".
For example, a person purchased an iPhone of the latest model and received a gift certificate from the Apple store that is valid for 3 months. The certificate usually implies compensation for some small part of the purchase. It is unlikely that in such a short period of time a person will again decide to buy something expensive. And many people simply forget about such gifts, which carders successfully use.
The fraudster receives information about the bonuses and gift certificates available on the account from fulki. You can spend your funds at your own discretion. Gifts – from the English gift-gift) - so called certificates in the slang of fraudsters in the field of carding-can be resold on the darknet for 20-30% of the face value.
2. As for getting data about account holders from the network, this usually happens using a bot that distributes malicious software that reads personal data of account holders. In this case, the victim will only find out about the theft when they receive a notification about debiting funds, if such a setting is set on their mobile phone or email.
3. There is also a scam (from the English scam-scam) in carding, which is not carding in the literal sense of the word. Scam consists in deceiving beginners who want to try their hand at carding. In slang, they are called "hamsters". After registering on the carder forum, a novice finds an ad for the sale of equipment at a price of 50% of the real value, credit cards or accounts in payment systems, etc. Most of these ads are "divorce". Therefore, when a novice comes to carding, they are more than 90% likely to run into a fraudster. And the gadget for which the money is paid, most likely, the "hamster" will never see. As well as money, of course.
Let's assume that law enforcement agencies have found out about the drop. What information will he give them? "I found an ad on the stock exchange, I needed to deliver a parcel. I took her and got my 500 rubles. I didn't contact the customer again." And this is often true. Even if they provide the number and email address that they were contacted with, the number is probably no longer used, and the mail is registered to the IP address of another country. Money was deposited as payment for the task via an ATM. How to find the culprit in this case?
Therefore, the best thing we can do is take security measures.
1. A call to a potential victim (most often, of course, not the carder himself calls, but his "subordinate", who introduced himself as an employee of the bank's security service).
2. A message about a "suspicious" transaction for a large amount, that is awaiting confirmation from the cardholder (plastic holder). A concerned person, of course, will answer that they did not perform or plan any such operations.
3. Next, the fraudster reports that the "client" has been attacked by fraudsters (in this case, this is the true truth). And to protect your funds, it asks you to dictate a four-digit code that will be received via text message. That's it, the money is debited.
The code is generated by the payment aggregator used by the online store. Here we come to the second popular carding scheme on the Internet.
I think you've seen online ads selling products from the United States and Europe at fairly low prices. Using popular Internet services to place ads for the sale of goods, criminals sell things purchased with cardholders ' money in foreign online stores.
There are several variations of the scheme. The first one, which you already know, is described above. Another scheme assumes that there is no two-factor authentication (i.e. an SMS message with a one-time code required for debiting funds). In such cases, you only need to know the card details, including the three-digit code on the back, to make a payment.
This code can be obtained in several ways:
1. directly from the owner of the plastic by misleading;
2. as a result of hacking the user's computer or smartphone;
3. Unfortunately, there are also cases when the code was read from the servers of payment aggregators or bona fide stores that were attacked by hackers.
Credit cards:
In this case, we mean any plastic cards – not necessarily credit cards. The term "credit card" comes from the West, where credit card payments have existed for several decades. With the advent of non-cash payments in Russia, debit cards were issued, and the term "credit card"remained.For some online stores and payment systems, this data may be sufficient. Finding a store that accepts payments using a CVV code is not an easy task, but such stores do exist. Their search on the web is one of the main activities of the carder.
I would also recommend following the following rule. If the seller asks you to transfer money through some little-known payment service, the name of which does not mean anything to you-refrain from buying. In most cases, two-factor authentication and other security methods are used.
Two-factor authentication, VBV, MCSC
So, two-factor authentication is the same SMS message with an automatically generated numeric code that comes to your phone to confirm the payment. In theory, the code should only be known to you. Unfortunately, it is not always necessary to tell the code to a fraudster in person in order to find out the code. The information can be read by malicious software embedded on your device, or by spoofing cookies.Cookies are files that are sent to your device when you visit a particular website. You've probably seen a pop-up message that reads something like this: "This site uses cookies, please confirm access for your security, etc." This label often interferes with viewing content, and in most cases we just click "Accept" to make the annoying banner disappear. What are these files, and what information do they collect about you?
In most cases, cookies are absolutely safe. Their main function is to identify you as a unique user. It is known that many sites earn money from advertising. In this case, the site owner's revenue depends on the number of pageviews.
In addition, when you register on a website, such as an online store, you create an account. Often, card details are also linked to the user's account, so that you don't have to enter them again every time you make a payment.
How can they be dangerous? The most harmless thing is that your data can be used for intrusive advertising. Sometimes website owners sell cookies to advertisers along with information about you. In addition, there is also contextual advertising, when cookies are used to track the history of your requests. Methods of obtaining data in these cases are not always legal, but this is a separate topic.
It also happens that cookies are intercepted by a hacker in order to create a copy of them and act on your behalf, including carding using your account.
VBV и MCSC are two-factor authentication methods without using a phone number. In this case, the plastic cardholder creates a password for making payments and sets it to the card via an ATM or the bank's website. These methods are not very popular in Russia and the CIS countries, but they are widely used in the West. These codes are more vulnerable than SMS authentication, because they are used repeatedly.
Carding methods
Stuff carding:
So, stuff (clothing) carding is the purchase of goods without the consent of the cardholder. This method becomes quite complex, since most online stores work with verified banks that use two-factor authentication. But it should be noted that duffel carding is not very widespread in Russia – most criminals hunt for the money of foreigners who use multiple protection systems - VBV or MCSC.The carding scheme works like this:goods are paid for with someone else's credit card, and delivery is made to the address of the drop (figurehead). The procedure for entering data for making a payment is called "driving in".
The main difficulty is that it is not easy to find an online store that is ready to deliver the parcel to the address specified by the payer. Most companies prefer not to risk their reputation and arrange delivery to the buyer's registration address. However, there are those who work with the so-called " spikes "(from the English ship address – delivery address). In this case, the drop address is used.
Gift certificates:
This is one of the types of clothing carding. The cardholder may not notice for a long time that bonuses disappear from their account. Agree, not everyone follows the bonuses that are awarded for large purchases. Also, not everyone has the opportunity to dispose of these bonuses in a limited time frame.For example, a person purchased an iPhone of the latest model and received a gift certificate from the Apple store that is valid for 3 months. The certificate usually implies compensation for some small part of the purchase. It is unlikely that in such a short period of time a person will again decide to buy something expensive. And many people simply forget about such gifts, which carders successfully use.
The fraudster receives information about the bonuses and gift certificates available on the account from fulki. You can spend your funds at your own discretion. Gifts – from the English gift-gift) - so called certificates in the slang of fraudsters in the field of carding-can be resold on the darknet for 20-30% of the face value.
How does the process of stealing funds work?:
1. Получение данных непосредственно от владельца (phone fraud), when a criminal calls a person, intimidates them about suspicious card transactions and receives a password from an SMS. With this, too, everything is more or less clear.2. As for getting data about account holders from the network, this usually happens using a bot that distributes malicious software that reads personal data of account holders. In this case, the victim will only find out about the theft when they receive a notification about debiting funds, if such a setting is set on their mobile phone or email.
3. There is also a scam (from the English scam-scam) in carding, which is not carding in the literal sense of the word. Scam consists in deceiving beginners who want to try their hand at carding. In slang, they are called "hamsters". After registering on the carder forum, a novice finds an ad for the sale of equipment at a price of 50% of the real value, credit cards or accounts in payment systems, etc. Most of these ads are "divorce". Therefore, when a novice comes to carding, they are more than 90% likely to run into a fraudster. And the gadget for which the money is paid, most likely, the "hamster" will never see. As well as money, of course.
Why carders avoid punishment:
In general, online fraud is an area in which it is quite difficult to prove anything. First, the case is initiated only if a large amount is stolen (in the West-from $ 1,000). In Russia, to open a criminal case, the amount must be at least 5,000 rubles. However, this is difficult to implement in practice, and here's why.Let's assume that law enforcement agencies have found out about the drop. What information will he give them? "I found an ad on the stock exchange, I needed to deliver a parcel. I took her and got my 500 rubles. I didn't contact the customer again." And this is often true. Even if they provide the number and email address that they were contacted with, the number is probably no longer used, and the mail is registered to the IP address of another country. Money was deposited as payment for the task via an ATM. How to find the culprit in this case?
In addition, the carder may introduce himself as a drop, and in this case he is no longer the accused, but a witness.
Therefore, the best thing we can do is take security measures.
