What is carding and how to protect yourself from hacking when buying on the Internet

[Mutt]

TABLE OF CONTENTS

• What is carding?
• What do carders do with data?
• How do carders work?
• What does clothing carding mean?
• How to avoid becoming a victim of carding?

The size of the carding market in 2021 grew by 116% compared to the previous year: criminals are finding new ways to gain access to other people's money. What is this type of fraud and how not to become a victim of it?

What is carding?
Carding is a type of fraud in which hackers perform an operation using a payment card without the participation of its owner.

One way to gain access to the card is to hack the online store where users make online purchases. In this case, nothing depends on the victim - she can comply with all security measures, and the information about the bank card will still be in the hands of the attackers, and they will be able to withdraw money from her. One such hacker group infected 571 sites between 2017 and 2021. The fraudsters were detained in 2021.

Carding came along with the start of e-commerce in the 1990s. Back then, online stores did not expect scammers and rejoiced at every purchase made in their new niche. This was used by the carders. They created maps of non-existent people using special generators and paid for purchases with them. Online stores were eagerly accepting them. The deception was discovered only at the end of the month, when stores asked banks for transfers to pay for goods. Then it became clear that in these cases non-existent cards were used, and the store did not receive money.

When making an online purchase, the transaction is carried out using special gateways of banks in a secure mode if the site operates over the HTTPS protocol. Nevertheless, in 2020, according to the estimates of the research company Aite Group, only US banks suffered losses from carding in the amount of about $ 11 billion.

What is carding?
According to the mechanics of hacking, carding is of two types:
1. an attack with physical access to a card or ATM;
2. remote attack.
In the first case, a skimming device is used or bank employees are involved. Skimming is the theft of card data using a miniature device attached to an ATM.

According to the European Association for Secure Transactions (EAST), the number of attacks with physical access to cards in Europe is decreasing. This is explained by a change in the culture of using cards and ATMs. Most often, attacks with physical access to a card or ATM involved employees of companies with access to the terminal. Now they bring it to the client instead of taking the card.

The security of ATMs has improved with physical and electronic protections to detect skimmers. All of this has contributed to a decrease in the incidence of fraud with physical access to an ATM or card.

However, scammers are also improving technology. EAST reports that the number of ATM malware and logic attacks on ATMs has increased dramatically.

The most dangerous attacks are of the BlackBox class - a miniature computer connects to an ATM via a wire and forces it to give out all available money. The number of attacks of this type is growing. EAST experts counted 35 such attacks in the first half of 2019. In the first half of 2020, there were already 129 of them. Losses from this type of attacks increased from less than € 1,000 ($ 1,200) in the first half of 2019 to more than € 1 million ($ 1.2 million) in 2020.

The problem is that ATM vendors consider the cost of this type of hack to be less significant than the cost of modifying the software. As a result, modern ATMs are practically not protected from the BlackBox threat.

In the event of a remote attack, you can get the card data in any way you want. It is enough to have a card number, end date of service and a three-digit CVV code. They can be stolen in any way - finding lost plastic, imprinting them on a picture, phishing (the user goes to a fake website and indicates them himself, thinking that he is buying a product or service).

However, according to the ultimate goal, remote attacks on bank accounts can be divided into two types:
1. Hacking a site with the ability to pay for goods or services;
2. Hacking a user.
In the first case, web skimming is applied. Attacks of this type are carried out using the Magecart software (the first attacks with this mechanic were aimed at online stores using Magento software). In 2018, 380,000 card details were stolen from British Airways using this type of attack. Card data from her website was successfully collected over a period of three weeks.

Web skimming is gaining popularity. Many attackers turned to him amid the pandemic, when the number of online purchases soared.

Web skimming is used to hack websites, usually using malicious JavaScript. Magento-based stores are still a prime target for hackers, but this type of attack is dangerous for any website where an attacker can gain access to JavaScript code.

Banking Trojans are used to attack the card user. They infect users' computers and smartphones, and then infiltrate a web browser to steal passwords, credit card numbers and any other confidential information that is entered on any of the targeted websites.

What do carders do with data?
According to the ultimate goal, carding is divided into two types:
1. sale on the darknet;
2. cashing out savings.
The stolen information allows the creation of a “digital twin” of the victim. This allows the criminal to withdraw money while maintaining anonymity. These cards are sold on forums on the darknet or specialized sites for carders.

You can purchase data in bulk or request a specific card. In the second case, the price will be lower. The cost of the card depends on how much money is stored on it - the more, the more expensive.

How do carders work?
According to the Hi-Tech Crime Trends 2020/2021 report, the volume of the carding market in 2020 grew by 116% compared to the previous year - from $ 880 million to $ 1.9 billion. High growth rates are typical for both text data (number, expiration date term, holder's name, address, CVV) and for dumps (contents of magnetic stripe cards). The amount of text data offered for sale increased by 133% - from 12.5 to 28.3 million cards, and dumps by 126% - from 31.2 to 70.4 million. The maximum price for a text is $ 150, for a dump - $ 500.

The largest case of carding was reported in 2007. Hacker Albert Gonzalez has obtained information on more than 135 million credit and debit cards from customers of American technology and payment processing provider Heartland Payment Systems, retail stores 7-Eleven and Hannaford Brothers, as well as from two unidentified companies.

After receiving the data, he put it up for sale on Shadowcrew's own carders exchange. Other attackers could buy them back for further fraudulent activities. Gonzalez received 20 years in prison.

Another well-known attack was against the WorldPay payment system of the Royal Bank of Scotland in 2008. A group of hackers led by Russian Viktor Pleschuk has withdrawn more than $ 9 million from 2,000 ATMs in 280 cities around the world. The attack took place in less than 12 hours. The identity of the attackers was established only a year later.

In 2012, information on 40 million cards was stolen as a result of hacking of the manufacturer of software for processing files Adobe Systems. According to the head of security, the information included customer names, encrypted payment card numbers, expiration dates, and order information.

What does clothing carding mean?
Clothes carding is a way to cash out money from hacked bank accounts. Carder buys goods, gift certificates, subscriptions and services using someone else's bank details. To do this, fraudsters only need a card number, date and a three-digit code (CVC). In some cases, the owner's name, address, and telephone number may be required. The more information is known about the victim, the easier it is for the attacker to work.

After the goods have arrived at the specified address, the fraudsters either send it to buyers who pay, on average, 30% of its full value, or send it through forwarding points (official websites that have nothing to do with fraudulent activity) to the addresses to which they usually have access. They resell such goods on marketplaces (Amazon, Ebay, Avito, Yula) or in trade groups of social networks.

How to avoid becoming a victim of carding?

• Use antivirus software. To steal your credit card number with malware, the victim needs to be forced to download it. The virus may be in a ZIP archive. Computer antiviruses in most cases automatically detect the Trojan and block its installation;
• Update the device software in a timely manner. Updates increase the level of its protection against hacking;
• Recognize phishing. Do not follow links or download attachments from unknown sources;
• Turn on notifications from mobile banks. They allow you to identify fraudulent payments. You will receive a message every time your card has been used to make an online purchase. The faster you spot a hack, the better your chances of saving money.

Author: Denis Markov

 

[Father]

Carding is a type of fraud in which an operation is performed using a payment card or its details, not initiated or confirmed by its holder.

Garment carding is aimed at purchasing goods, gift certificates, subscriptions and services using someone else's bank details. To do this, fraudsters only need a card number, date and a three-digit code (CVC). For efficiency and country specificity, the owner's name, address and telephone number may be required. More often than not, card information is sold with all of this data. The more information the cardholder has about the cardholder, the more opportunities to withdraw funds.

Where do carders get this information from?
Information about cards and their owners is sold on special resources. They can be either open-registered or paid. Some require an invitation from a community member (Invite). Prices vary, for information ("material" - as carders call data about the card and its owner), you can buy one unit for $ 1.5 at a discount. American cards cost $ 20.

How do carders work?
First of all, set up a computer for work. Most often they use remote access servers (Dedicated servers). They choose a Dedicated State of the country, on whose cards they are going to work. Connect a sock (SOCKS) - an ip address under the address of the card holder, set the desired time on the computer, language. A new mailbox is prepared for work (usually gmail or yahoo). Gmail asks for a phone number when registering, they can also be found on open resources.

What else do carders need to work?
You need a physical address (drop) to which the fraudster will order goods from resources. The closer the address is to the address of the cardholder, the better. Then the choice of resources for the order increases. There are sites that are sent all over the world and it may not matter where you order the goods. Each store is customized individually. One store will not send to a drop close to the address of the caldholder, but will send it to another country, the other will only work if the indexes match. Fraudsters try to find work sites and never share them with others. This is their earnings. The more fraudulent orders pass through the store, the faster the resource owners will revise their security policy.

Stores are searched by the engine the store is running on. Shopify, Magento, WooCommerce, osCommerce, BigCommerce, Adyen. There are a lot of them. Some engines have an anti-fraud system (protection against fraudulent actions) configured for strong protection, while others do not. With experience, carders can see the engine the store is running on by looking at several pages.

What do carders order in 2021?
The times when carders polls ordered expensive equipment are over. Now it is extremely difficult to find a site with expensive laptops, phones and other equipment that will lead to a fraudulent order. But experienced carders still find and promote the store for valid (in great demand) expensive goods. They communicate with live chat support, call store numbers and chat live, invent a story and convince the store of its veracity. They register a few days before placing an order and warm up the site. That is, they walk around it, choose products, read descriptions. Everything that an ordinary customer does on the website of an online store.

Most often, carders work with illiquid (not popular) goods. Highly specialized sites and new brands are a field for scammers. It's much easier to order camping gear for the same amount than an expensive laptop. It's easier to get clothes of an expensive and high-quality, but young brand, than ordering goods at a discount on major sales platforms.

What do the scammers do next with the goods?
After the goods have arrived at the drop's address, the scammers either send it to the buyers who pay, on average, 30% of the item's value, or send it through forwarding points (official websites that have nothing to do with fraudulent activity) to the addresses to which, usually have access. They sell such goods on trading platforms (Amazon, Ebay, Avito, Yula), in trade groups of social networks, and sell to friends.

Other areas of work of scammers
Carders love to buy gift certificates and sell them on forums to ordinary people or special dealers. The option is not as profitable as described above, but simple.

They buy, in principle, everything that can be bought with stolen data. Subscriptions to paid resources that ban the account when the cardholder notices the loss of funds.

Recently, a new direction was born - paying for flights and booking hotel rooms. They are also sold on forums to ordinary people. The process of canceling a fraudulent transfer takes time. You can manage to stay in an expensive hotel at someone else's expense. Fraudsters know which cards to use to maximize the withdrawal process.

As with any fraudulent way of making money, there is a risk that the fraudster will be caught sooner or later. But, unfortunately, with the development of means of protection against fraudulent transfers and ways to identify carders to call for criminal liability, in contrast, new ways of protection and disguise are being created.

Self-interest generates ideas. Ideas give rise to new schemes of shadow earnings. Carding is not dead. Billions of dollars are laundered in this way every year. But sooner or later, technological progress will replace this type of illegal earnings. Carding will become too risky, and profits are questionable, that a scammer will have nothing to do but look for new ways to steal money.

 

[killme1992]

I'm new to carding world. Already faced some scammer & fake site lost some money. I'm looking for a master who can really help me from his heart. I want to work a long time with me. Hope you understand my situation. If you want to help me as a master it would be a great achievement in my life. knock me on my telegram @killme2019

 

[Hacker]

Hi, you've probably heard about such a miracle as carding.
In short, this is when money is fucked from your card, I use its data.

Anyone can become a victim of carding - it is enough for a fraudster to find out the card number and CVV-code, after which it will take only a few seconds before the victim's bank account is empty.

There are several popular ways to perform such an operation - from offline reading to creating a fake online store.

WHAT IS CARDING?
Carding is the generic name for cybercrimes involving bank card transactions.
Despite the fact that this scam area began in the 1990s, it is still relevant today and brings cybercriminals millions of dollars every year.

Carding is divided into several types:

• Clothes - ordering goods in online stores using someone else's bank card;
• Online - transfer of funds to the accounts of fraudsters by means of phishing attacks;
• Offline - duplicating a card for subsequent cash withdrawals or using special tools to steal funds using contactless payments.

HOW DO VICTIMS GET DATA?
There are several popular ways to get the card number and CVV-code of its owner:

A few years ago, similar devices were a real "gold mine" for carders.

The person as usual goes to the ATM, inserts the card, enters the PIN-code, withdraws funds and leaves with cash in his pocket. However, he has already become a victim of bank data theft, as he hammered confidential information into the panel overlaid on top of the real buttons and inserted the card into the skimmer.

A skimmer is a homemade magnetic tape reader used by fraudsters.

Fortunately, in recent years, financial structures are increasingly checking outlets for the presence of such devices and informing their customers about the possible risks when withdrawing cash.

A fake site designed for a popular online store.
The essence of the schemeis that the user goes to a fraudulent site, selects the product they like with a huge discount, and goes to the payment form. It is this moment that is key, since the victim is redirected to a fake payment system and enters personal data in the appropriate fields.

Special devices for offline theft.

Here is the Infusion X6 - a seemingly modest phone stand or part of a bracelet, which in reality can read data from 21 cards in just 1 second.

A couple of years ago, such carding devices were sold exclusively in DarkNET, but today they are freely available, and online stores are not blocked by law enforcement agencies.

The essence of the work is simple - the carder passes through the crowd on a busy street or in public transport, and the Infusion X6 reads the necessary data from cards that are equipped with contactless payment capability.

In addition, if desired, the carder can block the device from the intervention of third parties - this is very useful if the fraudster has been identified by an attentive fellow traveler or the police.

TOTAL
Despite the scale of the activity of carders, there are several simple ways to protect yourself from identity theft of the card:

• Do not tell anyone the PIN and CVV code, no matter how trite it may sound;
• Check the ATM for third-party devices and cover the panel with your hand when entering data - an attacker can install a small camera on the ATM and simply see the entered code;
• Get a special wallet or business card holder cover that will protect you from offline carding;
• Pay for services and purchases exclusively on trusted sites - for dubious online stores and illegal bookmakers, you can create a separate account with zero overdraft;

Distribute this material among friends and acquaintances so that they do not become victims of carders on the network and in real life.

 

[Lord777]

You have probably come across a bunch of advertisements on the Internet for the sale of new things or equipment from the USA, Europe, and so on. But they hardly guessed that a significant part of them are published by carders.
We will tell you what this dark business is and how carders work.
Warning: this article is for informational purposes only. Theft and fraud are prosecuted.

So what is carding all the same?
By and large, carding is stealing money from a card to your card, account, account in a payment system, as well as buying goods using someone else's credit card. Most often, carders use cash withdrawals, purchase of branded clothing or electronics.

Previously, many carders worked with the American eBay through PayPal, to which someone else's card was linked. Now eBay in the USA and PayPal have tightened the rules, but carders have not gone anywhere - they switched to work with other countries, for example, Germany, France, Italy, etc.

Carders have their own gurus, Telegram channels and training courses, where they teach how to correctly turn black schemes. And it also brings in income, sometimes more than directly from carding. In general, the industry is trending.

How do carders work?
First of all, they need a card number and authentication data (password from a bank account, VDV for cards with 3D Secure, CVV2 / CVC2, etc.). Often, carders buy a database and check the relevance of the information in it, or brute force passwords or other methods.

You can buy these cards on the darknet for $ 5-10. In addition, carders pay for VPN with a choice of server (preferably with an accuracy to the state or at least to the country) and other means of anonymization.

Another option is to organize a phishing campaign. The bank page with the account login form is copied or a fake application is created, and a link to it is spread using spam.

A user who is worried that his card may be blocked; the bank asks to confirm the operation; the transfer was received from someone unknown - goes to a fake website or launches a fake application. The carder takes the entered data and transfers all the money to himself. Or waiting for big receipts to get the most out of it.

Judging by the discussions on the darknet, the carder spends 5-10 thousand rubles at the start. This is a payment for VPN, ipsocks tunnels, hacked accounts and access to computers, services of "dialers" who communicate with sellers or the bank's support service in the required language, scanned documents for intermediaries. And also "stuffing cones" - not from the first map, everything goes smoothly.

What is driving?
This is the process of entering card data into the form on the website of the store or payment system. In order not to risk, carders use hacked computers of ordinary users to drive in. Then they are cleaned of logs or iron is disposed of.

Another option is to work from an Android smartphone emulator or virtual machine. After driving in, it is enough to remove the software to cover up the tracks.

How to order goods from someone else's card
American and European stores often do not send goods to customers in Russia, Ukraine, Kazakhstan and other countries of the former USSR if they were ordered from a PayPal linked to a card, which belongs to a citizen of the United States, Canada or European countries ... Large and stores payment systems have anti-fraud systems that block suspicious transactions.

But this does not stop the scammers.

They order a gift card (e-gift) from the victim's card, and then receive the code of this gift card from the victim's hacked mail. The order is made directly from your account, but using the gift card code.

In addition, carders create self-registers. A hacked bank account is bought, PayPal is registered for it, your phone number, address and mail are indicated. You can often take out a loan for such an account, and not only spend the available positive balance.

Recently, however, this option is practically not used, because PayPal in most cases rejects registration and linking a bank account.

Another option is to use an intermediary.

Of course, in theory, the intermediary can turn the parcel back if the store calls him and indicates that carding is taking place. But you can inadvertently make a mistake in the phone number of the intermediary. This increases the chance for the parcel to pass.

Large began stores to fight carders, but smaller stores are less active in opposing fraudsters. Virtually all stores offering gift cards or certificates are under attack. Ordering things and equipment directly from someone else's account is more likely to be wrapped up.

Carders don't just order things
You can not only order physical goods from cards, but also withdraw money. There are casinos, online games and other virtual money transfer options.

Finally, there are cryptocurrency exchanges that allow you to buy coins relatively anonymously, then sell them and withdraw money to your card. Cryptocurrency transactions are non-refundable, so the system cannot automatically return the money to the cardholder.

A cashier in a supermarket can also be a carder
Cashiers in supermarkets and shop assistants usually do not have high salaries. But if they do carding, they get 5-10 times more money.

When you pay with a card, the cashier or the seller can invisibly look and remember the data. For some sites, when ordering goods, the card number and CVV2, which is written on the back, are enough. But the carder can go further and put its own "reader" to read all the card data.

So if suddenly, a few hours or days after visiting a store, money suddenly disappears from your card, who do you think about? Certainly not the cashier or the seller ...

What do the police think?

Usually, a full investigation begins only if the carder has stolen a significant amount of funds - more than $ 1,000. Usually the FBI then sends a request to the police. And the request contains IP addresses, names, sending addresses and other information about the potential culprit.

For this, carders use drops. These are people who are at the lowest level in the chain and do the dirtiest work: they cash out money, provide their data to receive parcels, send parcels to carders, etc.

Carders give drops a minimum of information and practically do not contact them. So even if the drop is tracked down, he will have an alibi at the time of hacking a bank account or withdrawing money from a card. And he won't be able to tell anything about the carder. As a result, the crime will remain unsolved.

Why carders avoid punishment
Practice shows that if a carder works through VPN, proxies and other services, and also observes Internet safety rules, it is almost impossible to prove his guilt. But everyone is wrong ...

However, even if the police raid the carder's home, the employees still have to prove the fact of a computer crime. And if there are no traces, then there is no trial.

They are most often caught on correspondence in instant messengers, the presence of data from other people's cards and accounts, assemblies of malicious software, etc. But if you use portable software, anonymization tools, self-destructing messages and crypto-protected messengers, it will be difficult to prove something.

Money transfers alone are not sufficient evidence. Testimony too. If the carder can pretend to be a drop or an intermediary, then he will quickly retrain from the accused to the witness.

So what's now?

Some people think that carding is easy money and impunity. But in reality, stores and payment systems are increasingly opposing them. And nobody canceled criminal punishment.

Think before you follow links. Set limits on payments on the Internet, do not forget about antivirus on your Android smartphone and Windows computer.

You can also use one card for everyday purchases, and the second for storing larger amounts of money, and, if necessary, transfer money from the second to the first. In case of any suspicion of illegal debiting of funds, call the bank to block the card and initiate an investigation.