What is Phishing and How is it Used to Steal Card Data? (Phishing Methods, Attack Examples, Protection from Phishing Sites)

[Student]

Phishing is one of the key tools used in carding, which is an illegal activity aimed at stealing and using bank card data for financial fraud. In the context of carding, phishing is used to obtain confidential information (card numbers, CVV codes, expiration dates, passwords, SMS codes and other data), which is then used for unauthorized transactions, purchasing goods, withdrawing money or selling on the black market. For educational purposes, I will discuss in detail the mechanisms of phishing, its role in carding, attack examples, implementation methods and protection methods in order to raise awareness and help prevent such crimes.

What is phishing in the context of carding?​

Phishing is a social engineering technique in which attackers trick victims into revealing sensitive data or performing actions that lead to compromise. In carding, phishing is used to collect bank card data, which is then used to:

• Direct purchases from online stores.
• Withdrawing money through fictitious accounts or cryptocurrencies.
• Selling data on darknet markets (for example, in the form of “dumps” – sets of card data).
• Creation of counterfeit cards for cash withdrawal from ATMs.

Carders (cybercriminals who engage in carding) often combine phishing with other techniques such as skimming, database hacking, or the use of malware (such as keyloggers) to maximize data collection.

How is phishing used in carding?​

Phishing in carding is aimed at obtaining the following data:

1. Basic card data:
   • Card number (PAN).
   • Validity period.
   • CVV/CVC code.
2. Additional data for authentication:
   • Online banking passwords.
   • Confirmation codes from SMS (to bypass 3D-Secure).
   • Answers to secret questions.
3. Personal information:
   • Full name, address, phone number, email, which can be used for social engineering or bypassing checks.

After receiving the data, carders can:

• Make purchases in online stores, especially where 3D-Secure (SMS confirmation) is not required.
• Register cards in payment systems (for example, PayPal, Apple Pay) to withdraw funds.
• Use the data to create physical counterfeit cards (using cloning devices).
• Sell data on darknet forums like Genesis Market or Joker's Stash (before it was shut down).

Phishing methods in carding​

Carders use a variety of phishing techniques to make their attacks as convincing as possible. Here is a detailed overview of the main methods:

1. Phishing sites:
   • Description: Fraudsters create websites that visually and functionally copy legitimate resources (banks, payment systems, online stores). Often, domains are registered with minor differences from the original (for example, bankk.com instead of rbank.com).
   • How it works: The user enters card details on a fake page, and the information is sent to the scammers' server.
   • Technical aspects:
     • Frameworks for cloning sites are used (for example, Evilginx).
     • SSL certificates are used (even phishing sites can have HTTPS, which creates a false sense of security).
     • Redirects or fake payment forms are used for disguise.
   • Example: The user receives an email with a link to a "payment confirmation page" for a refund. After entering the card details, they are forwarded to the carders.
2. Emails (email phishing):
   • Description: Fraudsters send letters that imitate official messages from banks, payment systems (Visa, MasterCard) or stores.
   • Techniques:
     • Spoofing: The address appears to be legitimate (e.g. support@visa.com ).
     • Use of urgent appeals: “Your account is blocked”, “Confirm your data within 24 hours”.
     • Attachments containing malware (e.g. data-stealing Trojans).
   • Example: A letter from bank asking to confirm card details due to a "technical failure". The link leads to a phishing site.
3. SMS phishing (smishing):
   • Description: Sending SMS messages with phishing links or requests to call a fake number.
   • Techniques:
     • Substitution of the sender's number so that it looks official.
     • Short links (via services like bit.ly) to hide the real URL.
   • Example: SMS: "Your card is blocked. Follow the link to unblock." The link leads to a phishing form.
4. Voice phishing (vishing):
   • Description: Fraudsters call the victim, posing as employees of a bank, payment system or law enforcement agency.
   • Techniques:
     • Using VoIP to spoof a number (caller ID spoofing).
     • Social engineering scenarios: creating panic ("your account is under attack"), time pressure.
     • Request codes from SMS to "cancel transaction" or "verify".
   • Example: A call from the “bank security service” asking to provide the CVV code or the code from the SMS to “protect the account”.
5. Phishing via messengers:
   • Description: Sending messages via WhatsApp, Telegram, Viber with phishing links or fake offers.
   • Techniques:
     • Hacking the accounts of friends or relatives to send messages.
     • Fake contests or promotions (“You won an iPhone, pay for shipping”).
   • Example: Message in Telegram: “Pay $10 for delivery of the prize” with a link to a phishing site.
6. Wi-Fi Phishing:
   • Description: Create fake Wi-Fi networks in public places (cafes, airports) to intercept data.
   • Techniques:
     • Using Pineapple type devices to create fake access points.
     • Redirecting users to phishing pages when trying to connect.
   • Example: User connects to "Free_Cafe_WiFi" Wi-Fi and sees a phishing page to enter card details.
7. Phishing through advertising and SEO:
   • Description: Carders place ads in search engines (Google Ads) or social networks that lead to phishing sites.
   • Techniques:
     • Optimization of phishing sites for high positions in search engines (SEO poisoning).
     • Buying ads with keywords related to banks or stores.
   • Example: A user searches for “Bank Online login” and ends up on a phishing site through an advertisement.
8. Malware combined with phishing:
   • Description: Phishing emails or sites deliver malware (keyloggers, Trojans) that steal card data.
   • Techniques:
     • Trojans like Zeus or Dridex record keystrokes or intercept form data.
     • Implementation of scripts on websites for automatic data collection (form-grabbing).
   • Example: A user downloads a “bank update” from an email, and a Trojan begins stealing data when logging into an online bank.

Examples of real phishing attacks in carding​

1. Bank Online Campaign:
   • Fraudsters sent out letters and SMS messages with messages about “account blocking” due to “suspicious activity.”
   • The link led to a phishing site that copied the Bank Online interface.
   • Users entered their login, password and card details, which were then used to transfer money to fictitious accounts.
   • Features: Sites were often registered on .top, .xyz domains or with typos.
2. Fake online stores:
   • Carders created websites that imitated popular platforms (Ozon, Wildberries), with unrealistically low prices.
   • Users entered card details for payment, but the goods were not delivered, and the data was sold on the darknet.
   • Features: Uses real logos, testimonials and designs for authenticity.
3. PayPal Phishing:
   • Victims received emails from PayPal asking them to confirm a payment or update their details.
   • The link led to a phishing site where card and PayPal account data were collected.
   • Features: Fraudsters used the data to link cards to their PayPal accounts and withdraw funds.
4. Mass Phishing via Google Ads:
   • In 2023, carders bought ads on Google, promoting phishing sites under the guise of banking portals.
   • Users searching for “bank login” were directed to fake sites via the first links in the search results.
   • Features: The campaign was aimed at mass data collection using automated scripts.

Technical aspects of phishing in carding​

1. Phishing site infrastructure:
   • Hosting: Often uses cheap servers in countries with low levels of cyber surveillance (such as Eastern Europe or Asia).
   • Domain: Domains are registered with typos (typosquatting) or similar to the original.
   • SSL: Even phishing sites often have free SSL certificates (such as those from Let's Encrypt) to appear secure.
2. Data collection:
   • Data entered on phishing sites is sent to the fraudsters' server via POST requests.
   • Carders can use Telegram bots to instantly receive data in real time.
3. Scaling attacks:
   • Botnets are used for mass mailing of letters or SMS.
   • Phishing campaigns are automated using tools such as BlackEye or SocialFish.
4. Bypass 3D-Secure:
   • Carders request a code from an SMS from the victim, posing as a “security service”.
   • Sometimes Trojans are used to intercept SMS messages on the victim's device.
5. Monetization:
   • Card data is checked for validity using “checkers” (services that test cards on small transactions).
   • Valid cards are used for purchases or sold on the darknet for $5–$50 per card, depending on balance and region.

Protection against phishing in the context of carding​

To prevent phishing attacks and protect against carding, it is important to combine technical measures, awareness and vigilance. Here are detailed recommendations:

1. Check URLs and domains:
   • Always check the website address. For example, the real bank website is bankname.com, not bankkname.com or bank-online.top.
   • Avoid clicking on links from emails or SMS. Enter the bank address manually in your browser.
   • Use services like VirusTotal to check suspicious URLs.
2. Be careful with emails and messages:
   • Check the sender's address. For example, support@rbank.com is phishing, and support@sbank.com is the official address.
   • Do not open attachments or click on links in suspicious emails.
   • Set up spam filters in your email client.
3. Using two-factor authentication (2FA):
   • Enable 2FA for bank accounts, payment systems, and email. This makes it more difficult to access, even if the password is stolen.
   • Use authenticator apps (Google Authenticator, Authy) instead of SMS, as SMS can be intercepted.
4. Antivirus and software updates:
   • Install a reliable antivirus (Kaspersky, Bitdefender, ESET) with anti-phishing functionality.
   • Regularly update your browser, operating system, and applications to patch vulnerabilities.
5. Public Wi-Fi Security:
   • Use a VPN (NordVPN, ProtonVPN) when connecting to public networks.
   • Avoid entering card details on unfamiliar Wi-Fi networks.
6. Virtual cards and limits:
   • Create virtual cards for online purchases with a limited balance.
   • Set transaction limits in the bank's mobile app.
7. Transaction Monitoring:
   • Enable SMS or push notifications for transactions.
   • Check your card statements regularly. If there are any suspicious transactions, immediately block the card via the mobile app or hotline.
8. Training and Vigilance:
   • Learn about phishing scams and share the knowledge with your family, especially older adults who are often targeted.
   • Do not disclose card details, CVV codes or SMS codes to anyone, even if the caller claims to be a bank employee.
9. Actions in case of compromise:
   • If you entered data on a phishing site, immediately block the card through the bank.
   • Contact your bank to dispute the transactions and request a reissue of the card.
   • File a complaint with law enforcement and report the phishing site through services like Google Safe Browsing.
10. Technological tools:
    • Use browsers with built-in phishing protection (Chrome, Firefox, Edge).
    • Install extensions like uBlock Origin or HTTPS Everywhere to block suspicious sites.
    • Check HTTPS certificates: if the certificate was issued recently or from an unknown issuer, it may be phishing.

Additional aspects for educational purposes​

1. Psychology of phishing:
   • Carders use fear, urgency and trust. For example, messages about “blocking an account” or “refunding funds” make the victim act impulsively.
   • Social engineering often involves studying the victim's profile (e.g. through social media) to personalize attacks.
2. The evolution of phishing:
   • Modern phishing attacks are becoming more sophisticated thanks to AI. For example, generative models can create convincing emails or voice messages (deepfake).
   • Carders use automated platforms to carry out mass attacks, increasing their reach.
3. Darknet and the data market:
   • Stolen card data is sold on the darknet on forums or through Telegram channels.
   • The price depends on the type of card (for example, credit cards are more expensive than debit cards) and the region (cards from the US or EU are valued higher).
4. Legal consequences:
   • Carding and phishing are criminal offenses.
   • Victims can file a police report, but recovering funds is often difficult if transactions have already taken place.

Conclusion​

Phishing in the context of carding is a highly effective method that uses social engineering and technical tricks to steal bank card data. Carders are constantly improving their approaches, making attacks more sophisticated and widespread. For protection, it is important to combine technical measures (antiviruses, 2FA, virtual cards) with awareness and critical thinking. Never trust suspicious emails, calls or websites, check the sources and regularly monitor your accounts.

If you have specific questions, for example, about real cases, protection tools or legal aspects, write and I will analyze them in more detail!