Virtual Carding 🕵️ The Art of Digital Reconnaissance: A Carder's Guide (Part 2) 🕵️

[wwwon1000]

good

 

[efuaids]

big up

 

[barbecue]

ddddd

 

[fakenew333]

🕵️The Art of Digital Reconnaissance: A Carder's Guide (Part 2)🕵️
Welcome back ambitious bastards. If Pt 1 was the starter, then get ready for the main event of carding recon. Were about to get into the technical stuff that separates the noobs from the pros.

This part is all about Man in the Middle (MITM) tools like Caido and Burp Suite. These arent just fancy names - theyre the real deal for dissecting your targets defenses.


View attachment 6048

Well break down how these tools work, teach you to spot AI antifraud systems and payment gateways, and show you the ins and outs of HTTP packet tampering. By the end youll see websites in a whole new light.

Warning: this isnt for noobs. If youre still trying to figure out how to use a VPN you might want to build up your skills first. But if youre ready to level up, this guide is your ticket to really understanding the websites youre trying to hit.

So sit back and focus. Were about to get technical and class is in session. Advanced carding recon ahead.

What are MITM Tools?​

Burp Suite and Caido arent just fancy toys - theyre the scalpels youll use to dissect your targets.

At their core, these tools work by inserting themselves between your browser and the target website. Every request you send and every response you receive passes through them first. Its like having a nosy bastard reading all your mail, except in this case, youre the nosy bastard.

Heres the basic flow:

View attachment 6049​

• You type a URL into your browser
• Your browser sends the request to Burp/Caido
• Burp/Caido forwards the request to the website
• The website sends its response back to Burp/Caido
• Burp/Caido passes the response to your browser

But heres where it gets interesting for us carders. These tools dont just passively observe - they let you intercept, modify and even replay requests. Think of it as having a pause button for the internet.

Say youre scoping out a big e-commerce site. With Burp or Caido, you can:

• See exactly what data is being sent when you add items to your cart
• Identify what APIs are being called during checkout
• Spot any hidden fields or tokens used for fraud prevention
• Detect what kind of payment gateway theyre using

This intel is fucking gold for crafting your carding strategy. You can see precisely what info the site collects, how its formatted and where potential weak points might be.

For example, you might notice the site sends a "riskScore" parameter during checkout. Bingo - youve just identified part of their fraud prevention system. Or maybe you spot calls to a Stripe API. Now you know to use cards that havent been burned on Stripe-powered sites.

The real power comes when you start modifying requests. Changing parameters, altering headers, even injecting your own code - its all possible. This lets you test the sites defenses without actually placing orders. You can probe for weaknesses, see how the site reacts to unusual data and fine-tune your approach before risking a single card.

Setting Up Your Digital Scalpel: Burp Suite​

Before we dive into the juicy stuff, you need to get your tools ready. Burp Suite is like the swiss army knife of web app hacking, and for us carders, its fucking essential. Heres how to set this beauty up:

• Download and Install: Head to PortSwiggers website and grab the Community Edition. Its free and packs enough punch for what we need. Once downloaded, install that shit.
• Configure Your Browser: Were using Firefox for this guide cause its less of a pain in the ass with certificates. Open Firefox, go to Settings > Network Settings and set your proxy to manual. Use these settings:
  HTTP Proxy: 127.0.0.1 Port: 8080View attachment 6050
  View attachment 6051
  View attachment 6052
• Install BurpsCertificate: This is crucial. Without it, youll get more security warnings than a government whistleblower.
  • Open Burp and go to http://burp
  • Click "CA Certificate" in the top right
  View attachment 6053- In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates
  View attachment 6054- Import the downloaded certificate and trust it for websites
  View attachment 6055
• Adding a SOCKS Proxy(Optional): If youre using a residential proxy heres how to chain it:
  • In Burp, go to User options > SOCKS Proxy
  • Enable SOCKS proxy
  • Enter your proxy details

Now Burp will MITM your traffic and route it all through your SOCKS proxy. Slick, right?

Pro Tip: For initial recon, I usually just use a VPN set to the same country as the card Im planning to use. Its cleaner and less likely to raise flags. When its time to actually hit the site, thats when I switch to a full antidetect setup.

Mobile Recon: Yeah, you can do this shit on mobile too. Its a bit more involved and were not covering it today. Just know its possible and can be useful for sites with mobile-specific checks.

Now that youre locked and loaded, lets dive into the real shit. Time to start poking around those juicy targets.

Detecting AI Antifraud Analytics​

Now that youve got Burp Suite locked and loaded, its time to put that shit to use. Before we dive in, make sure your Intercept is turned off in the Proxy tab. If its on, Burp will stop every request waiting for your input, and were not here to play 20 Questions with HTTP packets.

With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, youll see a flood of requests pile up here. Dont worry, well teach you how to make sense of this digital vomit.

Now, lets talk about the sneaky fuckers youre really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity.

Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns.

As you go through Burps HTTP History, keep an eye out for these JavaScript files loading on the page. Theyre the calling cards of different antifraud systems:

• Sift Science: "https://cdn.sift.com/s.js"
• Signifyd: "https://cdn-scripts.signifyd.com/signifyd.js"
• Riskified: "https://beacon.riskified.com?shop=example.com"
• Forter: The exact URL can vary, but it often looks like "https://scripts.forter.com/forter.js" or "https://cdn.ftr-cdn.com/ftr/YOUR_SITE_ID.js"
• SEON: "https://cdn.seondf.com/js/v6/agent.js"
• Kount: "https://b.kount.net/collect/sdk"
• Ravelin: "https://cdn.ravelin.net/core/ravelin.js"
• ClearSale: "https://integration.clearsale.com.br/fp/check.js"
• Bolt: "https://connect.bolt.com/connect.js"
• Accertify: "https://h.online-metrix.net/fp/tags.js"
• PerimeterX: "https://client.perimeterx.net/PX_CLIENT_ID/main.min.js"
• Feedzai: "https://cdn.feedzai.com/v1/feedzai-fingerprint.js"
• Shape Security: "https://ds.shapesecurity.com/ds/client.js"

Finding those JS files is like finding a needle in a haystack especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. Thats where the magic happens.

Remember this list isnt exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests especially those loading from 3rd party domains. If you see something that looks like antifraud but isnt on this list, dig deeper.

These scripts collect a fuckton of data about your session. Theyre tracking:

• Device fingerprints
• Mouse movements and clicks
• Typing speed and patterns
• Time spent on page
• Browser plugins and settings

Browse through your target site, keep an eye on Burps HTTP History tab. Youll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" with all this data. Thats the antifraud system at work.

Here are a bunch of URLs for POST requests that monitor your sessions risk:

• Sift Science: "https://api.sift.com/v205/events"
• Signifyd: "https://api.signifyd.com/v2/cases"
• Riskified: "https://beacon.riskified.com/api/v2/beacon/collect"
• Forter: "https://api.forter-secure.com/v2/decisions"
• SEON: "https://api.seon.io/"
• Kount: "https://risk.kount.net/order.json"
• Ravelin: "https://live.ravelin.com/v2/sdk/event"
• ClearSale: "https://integration.clearsale.com.br/api/v2/order/create"
• Bolt: "https://api.bolt.com/v1/merchant/transactions"
• Accertify: "https://secure.accertify.com/CM/AccertifyMAWeb/OrderProcess"
• PerimeterX: "https://collector-PX_CLIENT_ID.perimeterx.net/api/v1/collector"
• Feedzai: "https://api.feedzai.com/v2/labels"

For example, if youre dealing with Sift Science, Burp will capture a request that looks something like this:

{
  "event": {
    "$type": "$create_order",
    "$user_id": "user123",
    "$session_id": "abc123xyz",
    "$order_id": "ORDER-123456",
    "$amount": 10000,
    "$currency_code": "USD",
    "$billing_address": {
      "$name": "John Doe",
      "$address_1": "123 Main St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94111"
    },
    "$payment_methods": [
      {
        "$payment_type": "$credit_card",
        "$payment_gateway": "$stripe",
        "$card_bin": "424242",
        "$card_last4": "4242"
      }
    ],
    "$shipping_address": {
      "$name": "Jane Doe",
      "$address_1": "456 Oak St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94110"
    }
  }
}

This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections.

For some systems like Forter, the requests not show up until you initiate the payment. For cases like this you can look at requests to the main site and look for cookies like ForterToken, etc.
View attachment 6057


Booking.com Showing Riskified Token:

Identifying Payment Gateways​

Việc tìm ra cổng thanh toán là chìa khóa để tìm đúng loại thẻ và phương thức thanh toán. Sau đây là cách để vạch trần những kẻ lừa đảo này:

Luôn bắt đầu bằng một thẻ thử nghiệm. Một số thẻ thử nghiệm phổ biến là:

• Sọc : 4242 4242 4242 4242
• Braintree : 4111 1111 1111 1111
• Adyen : 5555 4444 3333 1111

Khi bạn gửi thẻ kiểm tra, hãy chú ý đến lưu lượng mạng. Bạn sẽ thấy các yêu cầu đến miền cổng thanh toán. Hãy tìm:

• Sọc : https://api.stripe.com/v1/payment_intents
• Braintree : https://api.braintreegateway.com/merchants/
• Adyen : https://checkoutshopper-live.adyen.com/checkoutshopper/
• CyberSource : https://secureacceptance.cybersource.com
• Authorize.Net : https://api.authorize.net/xml/v1/request.api
• WorldPay : https://secure.worldpay.com/jsp/merchant/xml/paymentService.jsp

Sau đây là hình ảnh yêu cầu của Braintree :

[mã số]
POST https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards
{
"thẻ_tín_dụng": {
"số": "41111111111111111",
"tháng_hết_hạn": "12",
"năm_hết_hạn": "2025",
"cvv": "123"
},
"chia sẻ": đúng
}
[/mã số]

Và đây là hình ảnh của yêu cầu Stripe :

[mã số]
POST https://api.stripe.com/v1/payment_intents
{
"số tiền": 2000,
"tiền tệ": "usd",
"payment_method_types[]": "thẻ",
"phương thức thanh toán": "pm_card_visa"
}
[/mã số]

Một số trang web xử lý thanh toán trên tên miền riêng của họ trước. Nếu bạn không thấy lệnh gọi trực tiếp đến cổng thanh toán đã biết, hãy tìm các yêu cầu đến điểm cuối API của trang web như "/api/process-payment" hoặc "/checkout/finalize".

Trong những trường hợp này, bạn cần tìm hiểu sâu hơn. Hãy tìm những dấu hiệu rõ ràng trong các tham số yêu cầu:

• "stripe_token" hoặc "stripe_source" gợi ý Stripe
• "braintree_nonce" trỏ đến Braintree
• "adyen_encrypted_data" biểu thị Adyen
• "cybersource_token" ngụ ý CyberSource
• "authorize_transaction_key" gợi ý tại Authorize.Net
• "worldpay_order_code" gợi ý WorldPay

Lưu ý, một số trang web sử dụng nhiều cổng thanh toán hoặc chuyển qua các dịch vụ trung gian. Hãy chú ý đến các dịch vụ như:
* Văn bản ẩn: không thể trích dẫn. *


Tìm cổng thanh toán chỉ là bước đầu tiên. Mỗi cổng đều có những điểm yếu và lỗ hổng tiềm ẩn riêng. Giờ đây, bạn đã biết mình đang phải đối mặt với những cổng nào, hãy tinh chỉnh phương pháp tiếp cận và tăng cơ hội thành công.

Suy nghĩ kết thúc​

Từ việc thiết lập Burp Suite đến phát hiện hệ thống chống gian lận và vạch trần các cổng thanh toán, giờ đây bạn đã có các công cụ để phá vỡ mục tiêu của mình một cách chuyên nghiệp.

Hãy nhớ rằng bạn càng hiểu rõ về hệ thống phòng thủ của một địa điểm thì bạn càng có thể điều chỉnh đòn tấn công của mình tốt hơn. Đừng chỉ ném bài vào tường và hy vọng có thứ gì đó dính vào. Hãy sử dụng những kỹ thuật này để xây dựng một chiến lược tối đa hóa cơ hội thành công của bạn.
Nhưng chúng ta vẫn chưa xong đâu. Trong hướng dẫn tiếp theo, chúng tôi sẽ đi sâu vào việc trinh sát di động. Chúng tôi sẽ chỉ cho bạn cách áp dụng những nguyên tắc này vào các ứng dụng di động, một sân chơi hoàn toàn mới cho việc đánh bạc.

Và chúng ta sẽ cùng nhau bắt tay vào thực hiện với công cụ Burps Tamper. Bạn sẽ học cách sửa đổi yêu cầu ngay lập tức, giảm điểm gian lận bằng cách chỉnh sửa các giá trị được gửi đến hệ thống chống gian lận và vượt qua những con "chó" AI đó .

Hẹn gặp lại lần sau, hãy giữ vững OPSEC và rèn luyện kỹ năng của mình. Hãy luôn bình tĩnh.

Lớp học kết thúc. d0ctrine ra ngoài.

thbro

 

[yu5231]

thnaks

 

[newtools]

ty bro

 

[kikoriko2023]

This is amazing