The Art of Carding: A Detailed Look Into Scammer Strategy To Steal Your Money - Part 2/3

In the previous blog post we learned about what carding is and about online carding  In this blog, we will continue to learn more about it and I will start this blog describing the precautions a scammer take in the process. 

SOCKS is an Internet protocol that exchanges network packets between a client and a server through a proxy server.

"They say it's very important to cover the traces to not get caught by law enforcement."
A Hacker usually uses a combination of SOCKS, Proxy, and VPN to spoof their locations. That way, it is far less traceable and it takes far longer to find out who was behind certain attacks.

In the same way, most of the scammers use the same old technique to hide their traces as well.

"If you were a scammer, you really don't want to get caught, do you?"

Now you're probably wondering what SOCKS is and why scammer uses them.
Now with ANY fraud at all you have to take precautions so you don't make it easy for anyone to catch you in your wrong-doings. Scammers don't use TOR for carding/scamming because most nodes are blacklisted by websites and because of TOR cycles through various different proxies; and even if they configure it to go straight through an exit node of their choice, it's still not worth it. They have an option to use JAP but they have to make sure they use some constant sock proxies from the same city, town or area that the card is from; also go wardriving and use a VPN (Scammers don't trust anyone off IRC with these, a scammer always use a highly trusted one and one which won't comply with Law Enforcement).

Scammer prefer getting SOCKS from anyproxy.net (people are selling accounts for the site in IRC all the time), that's the best place but even scammers end up losing the account eventually (unknowingly they were sharing it with some unknown dude who became selfish).

So scammer use SOCKS because he wants to stay untraceable. (*They use FRESH proxies every time they card.*)
Now that they are ready, they need a cardable site.

Finding a "cardable" site and what cardable means
Basically a cardable site holds these characteristics and what a scammer will be looking for to determine an easily "cardable" website:
-  The scammer look for is if they have a visa verification code or MasterCard secure code (Most of the time IRC/ Darkweb vendor will include them in CVV2 details textfile).
-  If they ship internationally (for obvious reasons, scammers can just stick to local websites and order to their local drop)
-  If they leave packages at the door when no one's in, or around the back in a safe area (I know of one site in the UK that has all these qualities including this one, it is perfect for carding clothes)
-  Scammers also check if any other security checks they need to do (Like if "cardable" site need to call scammer up to verify or want a utility bill, passport or a scan of the actual Credit Card)

It is hard to find websites online now that have most of these qualities, therefore scammers have to use COBs and photoshop to get along the way, which is what I'll go into now.

Carding "non-cardable websites" with fake CC scans and other fake documents
Okay so say scammer come across a site that will deliver to another house not registered on the card, but they want verification either through phone or scans of a utility bill, credit card or passport.

If non-cardable website anti-fraud (transaction verification) team speak over the phone with the scammer (a scammer always have all the details in their mind about the item he/she is carding). In a situation like this, the scammer shares some bullshit story saying he/she had it sent to a different address such as a family member's birthday and he/she need it there as quick as possible as it's a last-minute thing or some story like that. If a scammer carding multiple sites at the same time it's easy to get the story mixed up, they make sure who it is calling him/her 1st. (*Got my point?*)

For CC (Credit Card) scans and how to check the attachments at the end of this file, scammers can explain so much better than I could.


While scanning a dummy CC and to make it even more believable they put some paper in the scanner (dark shade if they must), scan it and they use photoshop and then put the photoshopped CC scan of the front onto it and then do the same with the back, then send the scans to them via e-mail or post. Same goes for utility bills (can be got through trashing personal bills, and then edited in Photoshop).

They do not use the same designs when making CC scans, otherwise, it will become too obvious.
Seguridad”, by Jorge Franganillo, is licensed under CC BY 2.0
Carding while on the job
Getting CC, CVV, CVV2 through use of mobiles
Believe it or not, giving your information out to anyone anywhere is not a wise choice, you can not trust anyone in this day and age. Yes, there are carders working on the inside in places where there are a lot of people around flashing off their plastic cash and using them freely without a care in the world. The most common of places for a carder to work at are brand label clothing stores such as Limey's, Charlie Brown's and all the other trendy shops.

Ever noticed when yourself or someone else has paid at the desk with a debit card or credit card that they bring out a keypad from under the desk, then put your card into it and have the buyer input the pin? Think again when they take your credit card and go under the desk with it to get the keypad, they are doing more than just that; just because they're not taking the card and running off with it does not mean they're not stealing your information. I have encountered a case where a man used to work in a clothing store, he used to have a piece of play-doh stuck under the desk and he used to press the card onto the piece of play-doh, unfortunately he began doing it too much and because he'd gotten away with it so many times he became careless and got caught out by a co-worker and from what I know he is still doing time. The moral is, be careful with the play-doh method. The unfortunate thing is you can only get the full info of 2 cards at the max, and you don't know exactly if you're pressing over the info of another card already put on to the play-doh. Also, you can't get the CVC through this method, I was just giving a classic example from the olden days.

But there is a new wonderful invention called cameras, video recording, and mobile phones and they are even all working on the same thing. It's best to test it out 1st and have a camera on your phone that is at least over 2 megapixel and allows long enough video recording times. The phone is set to video record with flashlight if needed, and taped underneath the desk for you to record both sides of the card for all the information you need, as well as being quick you can get a lot more than 2 on, depending on how long each recording lasts, you may need to start more than one recording.

Skimming whilst on the job

For skimming, scammer needs a mini portable MSR500M reader that can be fitted on his/her waistline belt or of course once again under the desk, if a scammer is a cashier. Scammer also need an MSR206 writer if they plan on writing the tracks to an embossed CR-80 piece of plastic later (they can make these themselves but embossers are expensive and it's an expensive procedure, so they do that yourself and buy them from IRC (scammers always be careful, people like to rip with plastics, or they might get bad quality if they don't watch out).
MSR500M Reader
If scammers plan to just sell the dumps on IRC/ Darknet then that's fine, but they still need the PIN as well, so if a scammer a waiter, they can get a cheeky peek at them putting their pin into the chip and pin device while hold of it slightly (scammers have customers put the pin in while victim sat down and scammer standing up). It's much easier to skim in a restaurant rather than clothing retail, as scammers don't have to think it out and set it up as much. They can keep the MSR500M in their front pocket of the uniform they wearing and pretend to be giving the card a clean on the sleeve (lies and say the device won't read it), while really you're giving it a swipe into your reader. This way the person doesn't even get suspicious because they don't take their card out of sight with them. I guess they could do that technique with clothing retail too when you get their card in your dirty little hands, but peeking for the PIN is harder or they have to have a friend shoulder surf for it (or if victim's on the next register have them use a sony cyber shot c902 camera phone and pretend to have them talking on the phone while really they're recording the person next to them putting in their PIN, cyber-shots are really inconspicuous looking with their cameras and VERY clear [5mpixel]).

Trashing
Trashing for receipts and credit reports (pretty outdated although still works)
Ever heard the expression "Another man's trash is another man's gold"? That's exactly what this is. You'd be surprised how many people haven't heard of a paper shredder or bonfire. They just dump their financial records containing SSN's/NI, full name, address, bank, credit card number, CVV, CVV2 etc. All on forms people couldn't be bothered to dispose of properly because they thought they were JUST old records. Again carders wok on the inside again for when they want to do trashing, a lot of janitors wear rags but you'd be surprised how secretly rich most of them are (along with the other shit they steal from work as well). But also from this if there is not enough info for you on the forms then there is definitely the phone number of the mark on the form that they've scrapped; almost always, and if not then there is enough info on there to look them up in the phone directory. Then, of course, you use social engineering skills over the phone to get the extra info that you need. If you know of a store that is not carbonless, then go trashing in the bins at the back of the store for the receipts with the credit card details on it.

Phishing over the phone
Phishing over the phone for details
Ever had telemarketers asked for your credit card info over the phone? (this is if you haven't already hung up by just hearing a scammer on the phone) chances are they're a carder. Believe it or not, there are people actually stupid enough to fall for these obvious scams. Even more, people fall for this if they believe that the caller is from the credit card company itself or part of the secret service or credit fraud investigations; the FBI, CIA, and police have nothing at all to do with credit card fraud believe it or not. If you sound professional or part of an important group such as investigations then people are more likely to comply with you if they believe that their card has been used for credit fraud purposes and have to give their credit card info and billing address for verification. The best time to call up the mark is when they are at work as it'll take them by surprise and they'll be wanting to get it sorted asap so that they can get back to work. Also if it's "serious" then the secret service don't wait for you to finish work before they question you. Play along well to the part you're pretending to be. Some social engineering skills are required and you must gain the experience of lying to people yourself. Before calling up the person find out as much information about them as you can.

If you've stolen a CC (Credit Card)  from someone personally you can call them up pretending to be their bank and tell them there has been some suspicious charges made to the credit card from places such as South Africa, Nigeria, Turkey, Russia; places like that, get them to confirm their details (Get as much as you want out of them, ask them common security questions such as their mother's maiden name, address, etc).

You can also get their PIN out of them if you want as well by either straight out asking them to confirm it, or be crafty and after you've told them to verify their PIN you're putting them through to a different department; then play some cheesy music down the phone for a few mins, have a female voice recording (use AV voice changer) asking them to input their PIN on their dial-pad (this won't be as suspicious); get these recorded so they can be decoded with DTMF decoding hardware/software later (although it's expensive). Guessing DTMF tones is pretty easy too, but you need to know what each tone sounds like, it's preferred to use decoding software to ensure you have it correct.
If you try hard enough you can get full info about anyone over the phone (I suggest using a spoof card for this).


I have made this blog post longer than what I have planned, I want you to know the impact a scammer can make. There is a lot more to it, In the upcoming blog, I will be explaining about the techniques like Keylogging for CVV2s, Carding over the phone, IRC, How a scammer finds carding channels, Vendors and how scammers approach them and Phishing for Change of Billing.

I am sure at the end of the upcoming blog you will be learning a lot about scammers and how they always think and come up with strategies to rip your bank balance. So a lot to know and a lot to discuss. Follow the blog to receive all the latest updates.

Comments

Popular

5 Steps To Protecting Your Digital Home

Document Security System To Prevent Confidential Leakage

Safe Mobile Payments And Banking Tips Hackers Hope You Don't Know