Credit card fraud
Credit Card Fraud – In August of 2016 we published our article about credit card fraud. The article talked about the most basic forms of credit card fraud. It didn’t really go in depth and failed to show the full picture when talking about credit card fraud. We at ThisThinLine want to learn from our mistakes so today, after almost a full year of learning about credit card fraud, also called carding, we present the new and complete guide. Prepare for a long read but this article contains almost everything there is to know.
Remember, Credit card fraud is about making mistakes and learning from them. Credit card companies try to eliminate the risk of fraud and invest a lot of money and time in to preventing this. There is no perfect way, you will have to adapt to the changes that happen in the scene and develop your own method. Stay up to date with all the latest security features implemented by these companies. I suggest visiting and signing up to several markets on the darknet. The list of markets is published and update by a website called deepdotweb.com. Try to watch out because law enforcement is active on those forums as well and they’re there for a reason.
I know there will be dozens of people claiming you should do things different and they might be right. If you think you have something valuable to add to this article, make sure to comment below.
A list of terms used in this article and their meaning and or function.
LE: Law Enforcement aka police aka the people who put you behind bars
TOR: Open Network (Browser) that connects through virtual tunnels instead of a direct connection. I suggest you read about TOR. It will take you 15 minutes max and you will benefit a lot from it. https://www.torproject.org/about/
ISP: Internet Service Provider
OPSEC: Operations security
OS: Operating System
VPN: Virtual Private Network https://www.en.wikipedia.org/wiki/Virtual_private_network
RDP: Remote Desktop protocol https://en.wikipedia.org/wiki/Remote_Desktop_Protocol
VM: Virtual Machine https://en.wikipedia.org/wiki/Virtual_machine
SOCKS5: Internet protocol & proxy server http://etherealmind.com/fast-introduction-to-socks-proxy/
VBV/AVS/MSC: Verified by Visa, Address Verification System, MasterCard Secure Code. Verification methods that credit card providers use to verify your transaction details before the payment can be processed.
Security, also called OPSEC (Operations Security) is one of the vital steps to not getting caught when doing credit card fraud. Just because you’re using TOR doesn’t mean it’s safe to do whatever the hell you want. Your ISP monitors and logs everything that you do over the TOR network and when LE demands those logs from your ISP they will give it to them (It wont matter that the logs are encrypted with TOR because your government is already interested in you just because you use TOR). You’re making it very easy for LE this way because you only have one layer of protection.
It’s better to hide your TOR usage from your ISP then it is from your VPN. Your local ISP is more likely to give up information about you then your foreign based VPN provider is. Use this to your advantage. That being said, never trust your VPN provider as well. Ask Cody Kretsinger (LulzSec) if he thinks hidemyass was a good vpn.
Don’t go carding from your windows pc. Windows is the worst platform to do illegal stuff from. Windows is full of exploits, bugs, etc that can be used against you. I won’t go in to more detail on why you shouldn’t use windows.
Now let’s talk about what you should use.
Qubes is an operating system that, as the name suggests, uses “cubes” in the form of virtual machines. The benefit of this is that you separate the different things you do on your computer. This way, if one cube gets compromised with, for example, malware, it won’t affect the others. You can have one “qube” for your banking and a different one for visiting potentially dangerous websites.
I suggest you take your time to read the Qubes documentation and hardware requirements as this will save you a lot of time. https://www.qubes-os.org/
Whonix is a desktop operating system designed for advanced security and privacy and comes pre-installed in Qubes. In the case of Qubes, whonix is run as a separate virtual machine. Online anonymity is realized via fail-safe, automatic, use of the Tor network. A heavily reconfigured Debian base is run inside multiple virtual machines, providing a substantial layer of protection from malware and IP address leaks.
The same goes for Whonix. Take your time to read the Qubes-Whonix documentation to learn what you’re dealing with. It might seem challenging at first but you will get the hang of it.
Choosing your way to connect to the internet is also an important step. You should not use your internet at home nor should you use a public wi-fi hotspot. I am suggesting you use of these two things:
- Hack your neighbours wi-fi and use that (Switch between wi-fi every now and then) This method is really useful if you live in a large apartment complex (makes it hard to pin point your location).
- What i prefer is using a Mi-Fi. A mobile router that creates a wi-fi signal by using an SIM card. Just get yourself a bunch of SIM cards, load them up with 1GB worth of internet and after the internet on that particular SIM card runs out switch to the next one (This method works really well in rural areas).
SOCKS5 & RDP:
If you’ve read the links i provided about these subjects you know what they do so i won’t explain that. The main goal of using these things is to fool companies in to believing you are the real credit card holder. Both SOCKS5 and RDP’s can be bought for a specific location. You are trying to find and purchase one that has an address that is as close as possible to the address of the real card holder.
These second thing SOCKS and RDP’s are good for is security. they add an extra layer of protection during your activities without costing a lot or take up to much of your time.
Purchasing Your Equipment:
I’ve seen many people make this mistake so just to clarify. When buying a laptop, pay cash. Don’t create an account on eBay or Craigslist just to get in contact with the person selling the thing you need. Only contact them if they have mobile number posted in their ad. get yourself one of these free sim cards and a cheap burner phone, call the person, drive 5 hours to pick the laptop up and get rid of the sim card and preferably the phone as well.
Same goes for Bitcoins. You will be needing these coins to purchase credit cards and other equipment. your go to website? Localbitcoins. Localbitcoins allows you to purchase bitcoins for cash near you. Just search for someone that allows you to buy bitcoins for cash without verifying your localbitcoins account. Believe me these people know what bitcoins are being used for. Bitcoins are not cheap. Take your time to read some reviews and see how long the seller has been around for.
Sometimes the bitcoin value swings so much no one is selling them on localbitcoins. I’ve had this happen to me quiet a few times. My second favorite option is using a prepaid credit card. Just get some homeless person to buy you one of those cards, and hand him a few bucks. Again, use prepaid sim cards and burner phones to activate the credit card (if needed). You can only use those prepaid credit cards to purchase things such as a VPN. Do not try to use a prepaid credit card to purchase bitcoins. Websites that sell bitcoins usually don’t allow people to buy them with credit cards without several forms of verification. Thank your fellow carders for that one, They screwed these websites out of so many bitcoins. Some websites still alow it but it’s like finding a needle in a haystack.
Third option, and I haven’t tried it out myself so don’t take my word for it is using a bitcoin ATM that accepts cash payment. I have no experience with this but a few people I know say they work well.
A VPN is made to hide your real IP address. It basically makes sure all the data you send and receive is encrypted so no one can eavesdrop on what you’re doing. Choosing a VPN that is right for you can be difficult however. What you’re looking for in a VPN when doing credit card fraud or fraud in general is that it doesn’t keep any logs of your online activities and the regions in which the servers are stationed. Most VPN providers claim a lot but when LE asks them for information about you they won’t have any problem handing them all they’ve got.
When using a VPN with Qubes you always want to choose a VPN that offers a OpenVPN protocol. VPN’s with this protocol are a lot easier to set up and it will save you some time. Based on my experience you are best of with either one of these two VPN providers.
If you decide to go for another VPN provider make sure you read their entire policy on how they handle your data. Always read reviews from darknet markets about your VPN provider of choice !
When it comes to setting your VPN up in Qubes you should use the: Set up a ProxyVM as a VPN gateway using iptables and CLI scripts method. What this method does is it forces your virtual machines to drop the connection as soon as the connection from you to your VPN disconnects for whatever reason. This will happen from time to time.
When you’ve set your vpn up what you want to do is the following:
– Setup your appvm’s to run the VPNvm as their netVM
– Change the netVM of your VPNvm to sys-net instead of sys-firewall. (sys-firewall is not able to translate the encrypted traffic that is coming through and will not be able to do anything with it)
– Set your VPNvm to start-up on boot.
Through this method your internet connection will only be up once your VPNvm is up and running. If for some reason the VPNvm is not able to connect to the VPN server it will not allow you to connect to the internet.
You want Qubes to boot your VM’s up in the following order:
1. dom0 and sys-net up and running (Qubes will do this by itself)
2. your VPNvm will start-up and display a message in the right hand corner saying (Connecting)
3. After a while a new message will pop up saying: LINK IS UP.
4. Start up your sys-whonix and perform a whonix-check. The whonix-check will check if the connection through TOR is up and running as it should and checks for updates. If there’s a problem the whonix-check will show it and tell you what might be wrong and how you can fix it.
5. Start up your anon-whonix (From which you will run the TOR browsers) and perform another whonix-check.
6. You’re now ready to use the tor browser safely.
Credit Card Fraud Process
Step 1: Buying the credit cards:
With the closure of Alphabay and Hansamarket things have gotten really interesting. Don’t worry. These deep web markets tend not to live that long and for each one that closes new ones will pop up. As i stated before, use www.deepdotweb.com to determine the online markets at that moment and use the onion links provided by deepdotweb to make sure you are visiting the real website (This will prevent you from losing your bitcoins).
Now there were a few sellers on alphabay who sold quality credit cards (Out of a 100 that sold shit cards). One of them was GGMcloud. I don’t know to what markets these seller moved or if they even continued to sell but take your time to find sellers who sell quality cards. You can do this by reading their sales pages or by trying it out for yourself.
What to look for:
When buying credit cards you want to buy cards labeled as fullz. Fullz are cards used for online credit card fraud. Dumps on the other hand is a collection of raw information from the magnetic strip of a card and can be used to do in store carding not for online purchases.
A good fullz will contain the following details:
– Credit card information (Number, The company providing the card, CVV/CVV2 code)
– Victim information (Address, SSN, DOB, Phone number, Mothers Maiden Name)
– Internet information (Browser (Version), IP address, Operating system, User agent)
– Description of extra security measures active on the card (VBV, SMS code, MSC, AVS)
Expect to pay between $20 and $50 for a decent fullz.
Using the Checker:
Vendors that sell credit cards often offer some sort of checking service. this service allows you to check if the card is still active or not. Most of the time the use of this checker is limited to 5 minutes after purchase to prevent fraud. If you check the card and it shows up as invalid or blocked you will receive a refund. My honest advice is to not check the card before using it. Checking the card often results in it getting blocked. Read the next chapter about BIN numbers as well before ordering your credit card.
BIN numbers also known as Bank Identification Number are the first six digits of a credit card number that identify the issuer of the credit card. More experienced carders use BIN numbers to identify the cards and determine if he has been successful with that type of card in the past or not. Try to keep a list for yourself to see which BIN numbers have been successful for you.
Preferably you want to buy a card that is from your region and country. The closer you get the easier it becomes. Yes, it is possible to make successful orders with cards from outside if your country but wait till you have some more experience.
Also, try to get a card without any of the extra security measures. This will also make the process a lot easier. It is doable but again, try it when you have a little more experience and some more cash to spend.
Step 2: Buying a RDP or SOCKS5 proxy:
I’m not going to spend a lot of time on this topic. As I said above, this is to make it seem you are making the online order as close as possible to the actual location of the real credit card holder. As a bonus it’s an extra layer of security for you during the order.
RDP’s and SOCKS5 are also being sold on the clearnet. Don’t purchase them from these website however. A lot of them have already been used for illegal activities or carding and have a big red flag on them. Use the darknet markets to find sellers of clean products. Expect to pay around $10 for an RDP or SOCKS5. In my opinion there is no reason to use both, either an RDP or an SOCKS5 is sufficient.
You can use website such as check2ip to see if the IP of the RDP or SOCKS5 is blacklisted.
Step 3: Drop address:
This part can really, really screw you up. I consider this as the most dangerous part of the entire thing. “Where am i going to send the packages to”. NO!, TO YOUR OWN HOUSE IS NOT THE RIGHT ANSWER. and yes, more people than you think do this.
Vendors on the dark net offer so-called “drop” services. You can send the package to an address they provide you and will re-ship the package to you once they received it for a small fee. I would personally never do this. You are giving your home address to a fellow dark net user and believe me some if not most people on there have no problem doxing (Revealing your personal info) your ass.
Just keep it simple, No PO boxes on fake ID’s or anything like that. What i believe works best are houses that are up for sale. The people delivering the boxes have enough to do and are really careless. Remove the “for sale” sign, place a bin in the back, Write a note on the door saying: “I am at work right now, You can leave the parcel in the bin at the back. Thanks in advance”. Take your time to check if police or LE are keeping an eye on the packages and claim them when ready.
Get creative when it comes to receiving the packages. But don’t over complicate it. Make an ad on Craigslist or Ebay for some electronic and once someone wants to buy it and send you the money you order it directly to their house.
Step 4: Lets Begin:
This is how i think websites determine if the order they received is legitimate or not. I believe their payment processor uses some sort of point system to determine if they allow the transaction, if it needs manual confirmation or if it gets declined. What we’re going to do is trying to get a low point score and this is how we are going to do it.
1. You’re going to create an Yahoo email account in the name of the original credit card holder. If the owner’s name is Micheal Cane and he’s born in 1978 you’re going to create an email like MichealCane1978@yahoo.com.
2. If you took the time to read the Qubes documentation you should know how to change your mac address. If not, this is the time to set it up.
3. Download CCleaner and use it to remove all of the online data that’s stored on the computer such as cookies and temporary data.
4. Now you are either going to connect to your RDP or your SOCKS5 proxy. (Remember! As close as possible to the location of the real credit card holder) Connecting to an RDP is not that hard, just Google it. Connecting to your SOCKS5 can be done through your browser –> Options –> Advanced –> Network –> Manual proxy configuration –> Enter port and IP –> Connected.
5. Check to see if the SOCKS5 IP or RDP IP is blacklisted with check2ip.
6. Spoofing the user agent (Browser version, etc). Use the information you received when purchasing the fullz to determine what browser, screen resolution, etc the real credit card holder is using. Download a simple Firefox plugin that allows you to spoof this information and switch it to the info provided in the fullz.
7. Go to the website you are planning to scam. I prefer to use a little less known websites. (I don’t want to make the mistake of the owners of the credit card already having an account on that particular website) Most of the times these websites are a bit more vulnerable for credit card fraud. As soon as I landed on the website I start to browse a bit to build op some cookies.
8. Once I find what I am looking for (Don’t try to buy stuff worth $1500, you’ll just run the risk of red flagging the card. Keep it simple. $500 is more than enough), I create my account using the original card holders details, except for the email address that you made in step one.
9. Go through the payment page (Method, Which Card) and fill in all the details. Remember, Use the real credit card holders address as billing address. Use your drop address as shipping address. Do not copy and paste the credit card information from the person you bought it but rather fill it in manually. Some if not most websites have some sort of method that detects you copy and pasting.
10. Click process and pray to god you didn’t do anything wrong and the payment goes through. If it did, congratulations.
11. Once the package arrives the courier might ask to see your ID. You have two options; 1. Become really good at social engineer, which I wrote a guide about here. 2. Make a simple fake one.
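A merchant-side view of the point system described at the start of Step 4, as an added example that is not from the original article or from any real payment processor. The signals are the ones the article names (IP blacklist, AVS, VBV/MSC, billing versus shipping address, order value, a newly created account); the weights, thresholds and sample orders are constructed.

```python
from dataclasses import dataclass


@dataclass
class Order:
    amount_usd: float
    billing_matches_shipping: bool
    avs_match: bool          # issuer's AVS result for the billing address
    three_ds_passed: bool    # VBV / MSC challenge completed
    ip_blacklisted: bool     # client address found on a reputation list
    account_age_days: int    # 0 = account created together with the order


# Constructed weights and thresholds, for illustration only.
WEIGHTS = {
    "ip_blacklisted": 40,
    "avs_mismatch": 30,
    "no_3ds": 15,
    "ships_away_from_billing": 25,
    "new_account": 15,
    "new_account_ships_away": 15,   # combination counts extra
    "high_value": 15,
}
REVIEW_AT, DECLINE_AT = 40, 80


def score(o: Order) -> tuple[int, list[str]]:
    """Return the total points and the list of rules that fired."""
    ships_away = not o.billing_matches_shipping
    new_account = o.account_age_days == 0
    fired = {
        "ip_blacklisted": o.ip_blacklisted,
        "avs_mismatch": not o.avs_match,
        "no_3ds": not o.three_ds_passed,
        "ships_away_from_billing": ships_away,
        "new_account": new_account,
        "new_account_ships_away": ships_away and new_account,
        "high_value": o.amount_usd >= 1000,
    }
    hits = [name for name, hit in fired.items() if hit]
    return sum(WEIGHTS[h] for h in hits), hits


def decide(o: Order) -> str:
    """Map the score to allow / manual review / decline."""
    total, _ = score(o)
    if total >= DECLINE_AT:
        return "decline"
    return "review" if total >= REVIEW_AT else "allow"


# Constructed sample orders.
RETURNING = Order(120.0, True, True, True, False, 400)
GIFT = Order(90.0, False, True, True, False, 400)
MATCHED_BILLING = Order(480.0, False, True, False, False, 0)
SAME_BLACKLISTED = Order(480.0, False, True, False, True, 0)

if __name__ == "__main__":
    for name in ("RETURNING", "GIFT", "MATCHED_BILLING", "SAME_BLACKLISTED"):
        order = globals()[name]
        print(name, decide(order), *score(order))
```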
As I stated at the beginning of this article. The credit card fraud game keeps changing. This might work this month but fail the next. Keep tweaking and learning and you’ll do fine. What i mean with variation is using a mobile phone to order goods instead of your computer or ordering products with the credit card over the phone. If you just keep doing the same thing over and over again you’ll find yourself failing really fast.
I DO NOT CLAIM THIS IS THE BEST CARDING METHOD OUT THERE WHAT SO EVER. This article is here so you guys can discuss different methods. This is how I think about it and to some people I am right and others will say I am dumb and ignorant.
For the people who think I am an asshole: look at it this way. You as a credit card owner can read this article and learn how to prevent yourself from becoming a victim of credit card fraud. They can use this information, but so can you, to protect yourself from credit card fraud.
The only reason credit card fraud still happens is because people are too lazy to take their time and learn how to protect their information.
Note: Do not do credit card fraud, you are very bad. it’s illegal and you risk serious jail time. I don’t encourage you to do it and never will.