LearningCurve
The operator first clones a legitimate website—for example, a well-known delivery service like Evri. They replicate the exact branding, layout, and user flow to build trust.
They secure a lookalike domain—for instance, evri-tracking-update.co.uk—and host it on a bulletproof server that resists takedown attempts.
They ensure the site has an SSL certificate for HTTPS encryption to make it appear legitimate.
The operator acquires UK phone number lists (via data leaks or brokers) and uses an SMS gateway or SIM bank to send mass messages, often 10,000+ at a time.
The message mimics a service alert:
“Evri: Your parcel delivery failed. Reschedule here: [fake link]”
The sender ID is spoofed to display as “Evri” or a similar trusted name.
Once a victim clicks the link, they land on the cloned site and are prompted to:
- Enter personal information: Name, address, phone, email.
- Input payment details: Card number, expiry, CVV.
- Occasionally, enter a small re-delivery fee ($1–$2) to lower suspicion.
- In advanced setups, even OTP/2FA codes are requested.
The operator then monetizes the harvested data in several ways:
- Direct Sale: Fullz and card data are sold to fraud networks—typically $5–$50 per card, $20–$100 per fullz.
- Card Testing and Draining: Operators use the cards themselves for low-friction purchases (food delivery, subscriptions) or high-ticket items (electronics, gift cards).
- Subscription Drip: They set up small, recurring charges on cards to create passive income streams.
- Advanced Fraud: Using the fullz to open bank accounts, apply for loans, or access crypto wallets.
Pro operators scale by:
- Rotating domains every 3–7 days as takedowns occur.
- Cycling new SMS lists and sender IDs to avoid detection.
- Running multiple brands in parallel (e.g., Evri, Royal Mail, DHL).
- In larger setups, splitting roles: one operator builds sites, another handles SMS, another manages cashouts.
Operators maintain strict operational security to avoid detection:
- Use residential proxies to match victim locations.
- Deploy isolated devices or virtual machines for each campaign.
- Avoid reusing personal details, devices, or IPs.
- Accept payments in cryptocurrency for obfuscation.
- Maintain strict domain hygiene—discard and rebuild regularly.
A typical campaign (10K SMS) might yield:
- ~300 clicks (3% CTR)
- ~150 usable fullz/card profiles
- ~5–10 high-value card hits
Estimated bag per campaign: $8K–$33K
Scaled over multiple campaigns, a pro operator could theoretically generate $70K–$300K+ per month—until shutdown or detection occurs.
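Seen from the receiving side, the post's pattern (a trusted brand name in the sender ID or text, plus a link to a lookalike domain such as evri-tracking-update.co.uk) is something an SMS filter or abuse-report triage can check for. The sketch below is an added example, not part of the original post; the allowlist contents, function names and sample messages are assumptions made for illustration. Because the sender ID is described as spoofable, the decision rests on the link's domain, not on who the message claims to be from.

```python
import re

# Assumed allowlist for illustration; maintain the real one from each brand's published domains.
OFFICIAL = {
    "evri": {"evri.com"},
    "royalmail": {"royalmail.com"},
    "dhl": {"dhl.com"},
}
# Hostnames with or without a scheme, since SMS links often omit "https://".
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:/\S*)?", re.I)

def brands_in(s):
    """Brand keys found in s once punctuation, spaces and hyphens are stripped."""
    squashed = re.sub(r"[^a-z0-9]", "", s.lower())
    return {b for b in OFFICIAL if b in squashed}

def official_host(host):
    """True if host is an allowlisted domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d)
               for doms in OFFICIAL.values() for d in doms)

def assess(sender, body):
    """Return (host, reason, brands) for each suspicious link in one SMS."""
    findings = []
    claimed = brands_in(sender) | brands_in(URL_RE.sub(" ", body))
    for m in URL_RE.finditer(body):
        host = m.group(1).lower()
        if official_host(host):
            continue
        embedded = brands_in(host)
        if embedded:
            findings.append((host, "brand name in non-official domain", sorted(embedded)))
        elif claimed:
            findings.append((host, "brand-named message links off-brand", sorted(claimed)))
    return findings

# Constructed sample messages (sender ID, body); the first reuses the page's example domain.
SAMPLES = [
    ("Evri", "Evri: Your parcel delivery failed. Reschedule here: https://evri-tracking-update.co.uk/r"),
    ("Evri", "Your parcel is out for delivery. Track: https://www.evri.com/track"),
    ("Royal Mail", "Redelivery fee due, pay at parcel-resched.example/pay"),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, "->", assess(sender, body) or "no findings")
```

Substring matching on brand names is deliberately coarse and will need tuning against real traffic; the domain rotation the post describes is why the check keys on the brand-versus-allowlist mismatch instead of a blocklist of known bad domains.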