Virtual Carding 🕵️ The Art of Digital Reconnaissance: A Carder's Guide (Part 2) 🕵️


uhtric

🕵️The Art of Digital Reconnaissance: A Carder's Guide (Part 2)🕵️

Welcome back ambitious bastards. If Pt 1 was the starter, then get ready for the main event of carding recon. Were about to get into the technical stuff that separates the noobs from the pros.

This part is all about Man in the Middle (MITM) tools like Caido and Burp Suite. These arent just fancy names - theyre the real deal for dissecting your targets defenses.



Well break down how these tools work, teach you to spot AI antifraud systems and payment gateways, and show you the ins and outs of HTTP packet tampering. By the end youll see websites in a whole new light.

Warning: this isnt for noobs. If youre still trying to figure out how to use a VPN you might want to build up your skills first. But if youre ready to level up, this guide is your ticket to really understanding the websites youre trying to hit.

So sit back and focus. Were about to get technical and class is in session. Advanced carding recon ahead.



What are MITM Tools?

Burp Suite and Caido arent just fancy toys - theyre the scalpels youll use to dissect your targets.

At their core, these tools work by inserting themselves between your browser and the target website. Every request you send and every response you receive passes through them first. Its like having a nosy bastard reading all your mail, except in this case, youre the nosy bastard.

Heres the basic flow:


  • You type a URL into your browser
  • Your browser sends the request to Burp/Caido
  • Burp/Caido forwards the request to the website
  • The website sends its response back to Burp/Caido
  • Burp/Caido passes the response to your browser

But heres where it gets interesting for us carders. These tools dont just passively observe - they let you intercept, modify and even replay requests. Think of it as having a pause button for the internet.

Say youre scoping out a big e-commerce site. With Burp or Caido, you can:

  • See exactly what data is being sent when you add items to your cart
  • Identify what APIs are being called during checkout
  • Spot any hidden fields or tokens used for fraud prevention
  • Detect what kind of payment gateway theyre using

This intel is fucking gold for crafting your carding strategy. You can see precisely what info the site collects, how its formatted and where potential weak points might be.

For example, you might notice the site sends a "riskScore" parameter during checkout. Bingo - youve just identified part of their fraud prevention system. Or maybe you spot calls to a Stripe API. Now you know to use cards that havent been burned on Stripe-powered sites.

The real power comes when you start modifying requests. Changing parameters, altering headers, even injecting your own code - its all possible. This lets you test the sites defenses without actually placing orders. You can probe for weaknesses, see how the site reacts to unusual data and fine-tune your approach before risking a single card.

Setting Up Your Digital Scalpel: Burp Suite

Before we dive into the juicy stuff, you need to get your tools ready. Burp Suite is like the swiss army knife of web app hacking, and for us carders, its fucking essential. Heres how to set this beauty up:

  • Download and Install: Head to PortSwiggers website and grab the Community Edition. Its free and packs enough punch for what we need. Once downloaded, install that shit.
  • Configure Your Browser: Were using Firefox for this guide cause its less of a pain in the ass with certificates. Open Firefox, go to Settings > Network Settings and set your proxy to manual. Use these settings:
    HTTP Proxy: 127.0.0.1 Port: 8080
  • Install BurpsCertificate: This is crucial. Without it, youll get more security warnings than a government whistleblower.
    • Open Burp and go to http://burp
    • Click "CA Certificate" in the top right
    • In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates
    • Import the downloaded certificate and trust it for websites
  • Adding a SOCKS Proxy(Optional): If youre using a residential proxy heres how to chain it:
    • In Burp, go to User options > SOCKS Proxy
    • Enable SOCKS proxy
    • Enter your proxy details

Now Burp will MITM your traffic and route it all through your SOCKS proxy. Slick, right?

Pro Tip: For initial recon, I usually just use a VPN set to the same country as the card Im planning to use. Its cleaner and less likely to raise flags. When its time to actually hit the site, thats when I switch to a full antidetect setup.

Mobile Recon: Yeah, you can do this shit on mobile too. Its a bit more involved and were not covering it today. Just know its possible and can be useful for sites with mobile-specific checks.


Now that youre locked and loaded, lets dive into the real shit. Time to start poking around those juicy targets.


Detecting AI Antifraud Analytics

Now that youve got Burp Suite locked and loaded, its time to put that shit to use. Before we dive in, make sure your Intercept is turned off in the Proxy tab. If its on, Burp will stop every request waiting for your input, and were not here to play 20 Questions with HTTP packets.

With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, youll see a flood of requests pile up here. Dont worry, well teach you how to make sense of this digital vomit.

Now, lets talk about the sneaky fuckers youre really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity.

Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns.

As you go through Burps HTTP History, keep an eye out for these JavaScript files loading on the page. Theyre the calling cards of different antifraud systems:


Finding those JS files is like finding a needle in a haystack especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. Thats where the magic happens.

Remember this list isnt exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests especially those loading from 3rd party domains. If you see something that looks like antifraud but isnt on this list, dig deeper.

These scripts collect a fuckton of data about your session. Theyre tracking:

  • Device fingerprints
  • Mouse movements and clicks
  • Typing speed and patterns
  • Time spent on page
  • Browser plugins and settings

Browse through your target site, keep an eye on Burps HTTP History tab. Youll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" with all this data. Thats the antifraud system at work.

Here are a bunch of URLs for POST requests that monitor your sessions risk:


For example, if youre dealing with Sift Science, Burp will capture a request that looks something like this:

JSON:
{
  "event": {
    "$type": "$create_order",
    "$user_id": "user123",
    "$session_id": "abc123xyz",
    "$order_id": "ORDER-123456",
    "$amount": 10000,
    "$currency_code": "USD",
    "$billing_address": {
      "$name": "John Doe",
      "$address_1": "123 Main St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94111"
    },
    "$payment_methods": [
      {
        "$payment_type": "$credit_card",
        "$payment_gateway": "$stripe",
        "$card_bin": "424242",
        "$card_last4": "4242"
      }
    ],
    "$shipping_address": {
      "$name": "Jane Doe",
      "$address_1": "456 Oak St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94110"
    }
  }
}

This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections.

For some systems like Forter, the requests not show up until you initiate the payment. For cases like this you can look at requests to the main site and look for cookies like ForterToken, etc.


[Screenshot: Booking.com showing Riskified token]


Identifying Payment Gateways

Finding the payment gateway is key to finding the right cards and methods. Heres how to expose these bastards:

Always start with a test card. Some popular test cards are:
  • Stripe: 4242 4242 4242 4242
  • Braintree: 4111 1111 1111 1111
  • Adyen: 5555 4444 3333 1111
When you submit the test card, keep an eye on the network traffic. Youll see requests to the payment gateways domain. Look for:


Heres what a Braintree request might look like:

Code:
POST https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards
{
"credit_card": {
"number": "4111111111111111",
"expiration_month": "12",
"expiration_year": "2025",
"cvv": "123"
},
"share": true
}

And heres what a Stripe request looks like:

Code:
POST https://api.stripe.com/v1/payment_intents
{
"amount": 2000,
"currency": "usd",
"payment_method_types[]": "card",
"payment_method": "pm_card_visa"
}

Some sites process payments on their own domain first. If you dont see direct calls to a known payment gateway, look for requests to the sites own API endpoints like "/api/process-payment" or "/checkout/finalize".

In these cases youll need to dig deeper. Look for telltale signs in the request parameters:

  • "stripe_token" or "stripe_source" suggests Stripe
  • "braintree_nonce" points to Braintree
  • "adyen_encrypted_data" indicates Adyen
  • "cybersource_token" implies CyberSource
  • "authorize_transaction_key" hints at Authorize.Net
  • "worldpay_order_code" suggests WorldPay

Remember, some sites use multiple payment gateways or route through intermediary services. Keep an eye out for services like:
* Hidden text: cannot be quoted. *


Finding the payment gateway is just step one. Each gateway has its own quirks and potential vulnerabilities. Now you know which ones youre up against, you can fine-tune your approach and increase your chances of success.

Closing Thoughts

From setting up Burp Suite to spotting antifraud systems and unmasking payment gateways, you now have the tools to crack your targets like a pro.

Remember the more you know about a sites defenses the better you can tailor your attack. Dont just throw cards at a wall and hope something sticks. Use these techniques to craft a strategy that maximizes your chances of success.
But were not done yet. In our next guide well be diving into mobile recon. Well show you how to apply these same principles to mobile apps, a whole new playground for carding.

And well get our hands dirty with Burps Tamper tool. Youll learn how to modify requests on the fly, lower your fraud score by editing the values sent to the antifraud systems and slip past those AI dogs.

Until next time, keep your OPSEC tight and your skills sharp. Stay frosty.

Class dismissed. d0ctrine out.
the goat
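
Added example (not part of the quoted guide, and not any vendor's code): the test-card probing the guide describes is itself a signal a merchant can detect. This sketch scans checkout events shaped like the JSON above for the BIN/last4 pairs of the listed test numbers and escalates when a different card follows in the same session; the `$time` field, the session ids and the sample events are constructed assumptions.

```python
from collections import defaultdict

# (BIN, last4) fingerprints of the published test numbers listed in the guide.
# Only BIN and last4 are used, matching the "$card_bin"/"$card_last4" fields,
# so no full card number has to be logged.
TEST_CARD_FINGERPRINTS = {
    ("424242", "4242"): "Stripe test card",
    ("411111", "1111"): "Braintree test card",
    ("555544", "1111"): "Adyen test card",
}


def card_fingerprints(event):
    """Yield (bin, last4) pairs from one checkout event."""
    methods = event.get("event", {}).get("$payment_methods") or []
    for pm in methods:
        card_bin, last4 = pm.get("$card_bin"), pm.get("$card_last4")
        if card_bin and last4:
            yield (str(card_bin)[:6], str(last4))


def find_probe_sessions(events):
    """Return {session_id: {"probes": [...], "severity": ...}} for sessions
    that submitted a known test card to the production checkout.

    severity is "high" when a non-test card is attempted after the probe in
    the same session (probe, then a live attempt), otherwise "medium".
    """
    by_session = defaultdict(list)
    for ev in events:
        sid = ev.get("event", {}).get("$session_id")
        if sid is not None:          # events without a session cannot be correlated
            by_session[sid].append(ev)

    findings = {}
    for sid, session_events in by_session.items():
        # Logs rarely arrive in order; sort on the (assumed) "$time" field.
        session_events.sort(key=lambda e: e["event"].get("$time", 0))
        probes, followed_by_other_card = [], False
        for ev in session_events:
            for fp in card_fingerprints(ev):
                label = TEST_CARD_FINGERPRINTS.get(fp)
                if label:
                    if label not in probes:
                        probes.append(label)
                elif probes:
                    followed_by_other_card = True
        if probes:
            findings[sid] = {
                "probes": probes,
                "severity": "high" if followed_by_other_card else "medium",
            }
    return findings


def _event(sid, t, card_bin=None, last4=None):
    """Build a constructed sample event in the shape of the JSON above."""
    body = {"$type": "$create_order", "$time": t}
    if sid is not None:
        body["$session_id"] = sid
    if card_bin:
        body["$payment_methods"] = [{"$payment_type": "$credit_card",
                                     "$card_bin": card_bin,
                                     "$card_last4": last4}]
    return {"event": body}


# Constructed sample data, deliberately out of order.
SAMPLE_EVENTS = [
    _event("sess-a", 2, "412345", "6789"),   # other card after the probe
    _event("sess-a", 1, "424242", "4242"),   # test-card probe
    _event("sess-b", 1, "498765", "0001"),   # ordinary checkout
    _event("sess-b", 2),                     # event with no payment method
    _event("sess-c", 5, "411111", "1111"),   # probe only
    _event("sess-d", 1, "432100", "1234"),   # ordinary card first...
    _event("sess-d", 2, "555544", "1111"),   # ...then a test card
    _event(None, 3, "424242", "4242"),       # no session id: skipped
]

if __name__ == "__main__":
    for sid, finding in sorted(find_probe_sessions(SAMPLE_EVENTS).items()):
        print(sid, finding)
```

A BIN/last4 match is a heuristic, so treat a hit as a reason to raise the session's risk and review it, not as proof on its own.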
 

lielox

ty
 

Pero aún no hemos terminado. En nuestra próxima guía, nos adentraremos en el reconocimiento móvil. Te mostraremos cómo aplicar estos mismos principios a las aplicaciones móviles, un nuevo campo de juego para el reconocimiento de tarjetas.

Y nos pondremos manos a la obra con la herramienta Tamper de Burps . Aprenderá a modificar solicitudes sobre la marcha, a reducir su puntuación de fraude editando los valores enviados a los sistemas antifraude y a eludir a los perros de la inteligencia artificial .

Hasta la próxima, mantén tu seguridad operacional a raya y tus habilidades a punto. Mantente alerta.

Clase terminada. Doctrina fuera.
a
 

tilapia66

thanks
 
ahhh ahhhh sincerely
 

Toxicjesus

Essential
Joined
08.01.25
Messages
13
Reaction score
1
Points
3
asc-logo.png
🕵️The Art of Digital Reconnaissance: A Carder's Guide (Part 2)🕵️

Welcome back ambitious bastards. If Pt 1 was the starter, then get ready for the main event of carding recon. Were about to get into the technical stuff that separates the noobs from the pros.

This part is all about Man in the Middle (MITM) tools like Caido and Burp Suite. These arent just fancy names - theyre the real deal for dissecting your targets defenses.


View attachment 6048

Well break down how these tools work, teach you to spot AI antifraud systems and payment gateways, and show you the ins and outs of HTTP packet tampering. By the end youll see websites in a whole new light.

Warning: this isnt for noobs. If youre still trying to figure out how to use a VPN you might want to build up your skills first. But if youre ready to level up, this guide is your ticket to really understanding the websites youre trying to hit.

So sit back and focus. Were about to get technical and class is in session. Advanced carding recon ahead.



What are MITM Tools?

Burp Suite and Caido arent just fancy toys - theyre the scalpels youll use to dissect your targets.

At their core, these tools work by inserting themselves between your browser and the target website. Every request you send and every response you receive passes through them first. Its like having a nosy bastard reading all your mail, except in this case, youre the nosy bastard.

Heres the basic flow:


  • You type a URL into your browser
  • Your browser sends the request to Burp/Caido
  • Burp/Caido forwards the request to the website
  • The website sends its response back to Burp/Caido
  • Burp/Caido passes the response to your browser

But heres where it gets interesting for us carders. These tools dont just passively observe - they let you intercept, modify and even replay requests. Think of it as having a pause button for the internet.

Say youre scoping out a big e-commerce site. With Burp or Caido, you can:

  • See exactly what data is being sent when you add items to your cart
  • Identify what APIs are being called during checkout
  • Spot any hidden fields or tokens used for fraud prevention
  • Detect what kind of payment gateway theyre using

This intel is fucking gold for crafting your carding strategy. You can see precisely what info the site collects, how its formatted and where potential weak points might be.

For example, you might notice the site sends a "riskScore" parameter during checkout. Bingo - youve just identified part of their fraud prevention system. Or maybe you spot calls to a Stripe API. Now you know to use cards that havent been burned on Stripe-powered sites.

The real power comes when you start modifying requests. Changing parameters, altering headers, even injecting your own code - its all possible. This lets you test the sites defenses without actually placing orders. You can probe for weaknesses, see how the site reacts to unusual data and fine-tune your approach before risking a single card.

Setting Up Your Digital Scalpel: Burp Suite

Before we dive into the juicy stuff, you need to get your tools ready. Burp Suite is like the swiss army knife of web app hacking, and for us carders, its fucking essential. Heres how to set this beauty up:

  • Download and Install: Head to PortSwiggers website and grab the Community Edition. Its free and packs enough punch for what we need. Once downloaded, install that shit.
  • Configure Your Browser: Were using Firefox for this guide cause its less of a pain in the ass with certificates. Open Firefox, go to Settings > Network Settings and set your proxy to manual. Use these settings:
    HTTP Proxy: 127.0.0.1 Port: 8080View attachment 6050
    View attachment 6051
    View attachment 6052
  • Install BurpsCertificate: This is crucial. Without it, youll get more security warnings than a government whistleblower.
    • Open Burp and go to http://burp
    • Click "CA Certificate" in the top right
    View attachment 6053- In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates
    View attachment 6054- Import the downloaded certificate and trust it for websites
    View attachment 6055
  • Adding a SOCKS Proxy(Optional): If youre using a residential proxy heres how to chain it:
    • In Burp, go to User options > SOCKS Proxy
    • Enable SOCKS proxy
    • Enter your proxy details

Now Burp will MITM your traffic and route it all through your SOCKS proxy. Slick, right?

Pro Tip: For initial recon, I usually just use a VPN set to the same country as the card Im planning to use. Its cleaner and less likely to raise flags. When its time to actually hit the site, thats when I switch to a full antidetect setup.

Mobile Recon: Yeah, you can do this shit on mobile too. Its a bit more involved and were not covering it today. Just know its possible and can be useful for sites with mobile-specific checks.


Now that youre locked and loaded, lets dive into the real shit. Time to start poking around those juicy targets.


Detecting AI Antifraud Analytics

Now that youve got Burp Suite locked and loaded, its time to put that shit to use. Before we dive in, make sure your Intercept is turned off in the Proxy tab. If its on, Burp will stop every request waiting for your input, and were not here to play 20 Questions with HTTP packets.

With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, youll see a flood of requests pile up here. Dont worry, well teach you how to make sense of this digital vomit.

Now, lets talk about the sneaky fuckers youre really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity.

Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns.

As you go through Burp's HTTP History, keep an eye out for these JavaScript files loading on the page. They're the calling cards of different antifraud systems:


Finding those JS files is like finding a needle in a haystack, especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. That's where the magic happens.

Remember, this list isn't exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests, especially those loading from 3rd party domains. If you see something that looks like antifraud but isn't on this list, dig deeper.

These scripts collect a fuckton of data about your session. They're tracking:

  • Device fingerprints
  • Mouse movements and clicks
  • Typing speed and patterns
  • Time spent on page
  • Browser plugins and settings

Browse through your target site and keep an eye on Burp's HTTP History tab. You'll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" with all this data. That's the antifraud system at work.

Here are a bunch of URLs for POST requests that monitor your session's risk:


For example, if you're dealing with Sift Science, Burp will capture a request that looks something like this:

JSON:
{
  "event": {
    "$type": "$create_order",
    "$user_id": "user123",
    "$session_id": "abc123xyz",
    "$order_id": "ORDER-123456",
    "$amount": 10000,
    "$currency_code": "USD",
    "$billing_address": {
      "$name": "John Doe",
      "$address_1": "123 Main St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94111"
    },
    "$payment_methods": [
      {
        "$payment_type": "$credit_card",
        "$payment_gateway": "$stripe",
        "$card_bin": "424242",
        "$card_last4": "4242"
      }
    ],
    "$shipping_address": {
      "$name": "Jane Doe",
      "$address_1": "456 Oak St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94110"
    }
  }
}

This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections.

For some systems like Forter, the requests do not show up until you initiate the payment. For cases like this you can look at requests to the main site and look for cookies like ForterToken, etc.


Booking.com Showing Riskified Token:


Identifying Payment Gateways

Finding the payment gateway is key to finding the right cards and methods. Here's how to expose these bastards:

Always start with a test card. Some popular test cards are:
  • Stripe: 4242 4242 4242 4242
  • Braintree: 4111 1111 1111 1111
  • Adyen: 5555 4444 3333 1111
When you submit the test card, keep an eye on the network traffic. You'll see requests to the payment gateway's domain. Look for:


Here's what a Braintree request might look like:

Code:
POST https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards
{
  "credit_card": {
    "number": "4111111111111111",
    "expiration_month": "12",
    "expiration_year": "2025",
    "cvv": "123"
  },
  "share": true
}

And here's what a Stripe request looks like:

Code:
POST https://api.stripe.com/v1/payment_intents
{
  "amount": 2000,
  "currency": "usd",
  "payment_method_types[]": "card",
  "payment_method": "pm_card_visa"
}

Some sites process payments on their own domain first. If you don't see direct calls to a known payment gateway, look for requests to the site's own API endpoints like "/api/process-payment" or "/checkout/finalize".

In these cases you'll need to dig deeper. Look for telltale signs in the request parameters:

  • "stripe_token" or "stripe_source" suggests Stripe
  • "braintree_nonce" points to Braintree
  • "adyen_encrypted_data" indicates Adyen
  • "cybersource_token" implies CyberSource
  • "authorize_transaction_key" hints at Authorize.Net
  • "worldpay_order_code" suggests WorldPay

Remember, some sites use multiple payment gateways or route through intermediary services. Keep an eye out for services like:
* Hidden text: cannot be quoted. *


Finding the payment gateway is just step one. Each gateway has its own quirks and potential vulnerabilities. Now that you know which ones you're up against, you can fine-tune your approach and increase your chances of success.

Closing Thoughts

From setting up Burp Suite to spotting antifraud systems and unmasking payment gateways, you now have the tools to crack your targets like a pro.

Remember, the more you know about a site's defenses, the better you can tailor your attack. Don't just throw cards at a wall and hope something sticks. Use these techniques to craft a strategy that maximizes your chances of success.
But we're not done yet. In our next guide we'll be diving into mobile recon. We'll show you how to apply these same principles to mobile apps, a whole new playground for carding.

And we'll get our hands dirty with Burp's Tamper tool. You'll learn how to modify requests on the fly, lower your fraud score by editing the values sent to the antifraud systems and slip past those AI dogs.

Until next time, keep your OPSEC tight and your skills sharp. Stay frosty.

Class dismissed. d0ctrine out.
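
Seen from the merchant side, the test-card step in the post above is a detectable signal: a publicly documented gateway test number arriving at a production checkout. The following detection sketch is an added example, not part of the original post; the event field names, the 24-hour correlation window and the sample events are assumptions constructed for illustration.

```python
"""Flag production checkout sessions that submit documented gateway test cards."""
from datetime import datetime, timedelta

# Publicly documented test numbers named in the post, keyed by digits only.
TEST_PANS = {
    "4242424242424242": "Stripe",
    "4111111111111111": "Braintree",
    "5555444433331111": "Adyen",
}
CORRELATION_WINDOW = timedelta(hours=24)  # assumed value, tune per site

# Constructed sample events with hypothetical field names. The non-test number
# fails the Luhn check on purpose and is not a real card.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T10:00:05", "session": "s-100", "ip": "198.51.100.7", "pan": "4242 4242 4242 4242"},
    {"ts": "2025-03-01T10:02:40", "session": "s-100", "ip": "198.51.100.7", "pan": "4000 0012 3456 7890"},
    {"ts": "2025-03-01T10:05:00", "session": "s-200", "ip": "203.0.113.9", "pan": "4000 0012 3456 7890"},
    {"ts": "2025-03-01T11:00:00", "session": "s-300", "ip": "198.51.100.7", "pan": "5555-4444-3333-1111"},
    {"ts": "2025-03-01T11:30:00", "session": "s-500", "ip": "198.51.100.7", "pan": "4000001234567890"},
    {"ts": "2025-03-03T12:00:00", "session": "s-400", "ip": "198.51.100.7", "pan": "4000001234567890"},
]


def normalise_pan(raw):
    """Strip spaces, dashes and anything else that is not a digit."""
    return "".join(ch for ch in raw if ch.isdigit())


def mask_pan(pan):
    """Keep BIN and last four only, so alerts never carry a full card number."""
    return pan[:6] + "*" * max(len(pan) - 10, 0) + pan[-4:]


def detect_test_card_probing(events, window=CORRELATION_WINDOW):
    """Return alerts for test cards in production and for any other card
    submitted from the same session or IP within `window` of such a probe."""
    last_probe = {}  # ("session", id) or ("ip", addr) -> time of latest probe
    alerts = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        ts = datetime.fromisoformat(ev["ts"])
        pan = normalise_pan(ev["pan"])
        keys = [("session", ev["session"]), ("ip", ev["ip"])]
        base = {"ts": ev["ts"], "session": ev["session"], "ip": ev["ip"],
                "pan": mask_pan(pan)}

        documented_by = TEST_PANS.get(pan)
        if documented_by:
            # A test number has no business reason to reach a live checkout.
            for key in keys:
                last_probe[key] = ts
            alerts.append({**base, "kind": "test_card_in_production",
                           "documented_by": documented_by})
            continue

        # Not a test number: check whether this session or IP probed recently.
        for key in keys:
            probe_ts = last_probe.get(key)
            if probe_ts is not None and ts - probe_ts <= window:
                alerts.append({**base, "kind": "live_card_after_probe",
                               "matched_on": key[0],
                               "action": "step_up_review"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_test_card_probing(SAMPLE_EVENTS):
        print(alert)
```

In a PCI-scoped service this check belongs in memory at the point where the number is received, with only the masked form written to logs.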
 

chengmvip

Newbie
Joined
15.11.24
Messages
18
Reaction score
0
Points
1
6666666666
 

santos123

Newbie
Joined
18.03.25
Messages
1
Reaction score
0
Points
1
I'm already waiting for the next one.
 

Lupan

Newbie
Joined
10.03.25
Messages
11
Reaction score
0
Points
1


Detecting AI Antifraud Analytics

Now that youve got Burp Suite locked and loaded, its time to put that shit to use. Before we dive in, make sure your Intercept is turned off in the Proxy tab. If its on, Burp will stop every request waiting for your input, and were not here to play 20 Questions with HTTP packets.

With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, youll see a flood of requests pile up here. Dont worry, well teach you how to make sense of this digital vomit.

Now, lets talk about the sneaky fuckers youre really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity.

Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns.

As you go through Burps HTTP History, keep an eye out for these JavaScript files loading on the page. Theyre the calling cards of different antifraud systems:


Finding those JS files is like finding a needle in a haystack especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. Thats where the magic happens.

Remember this list isnt exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests especially those loading from 3rd party domains. If you see something that looks like antifraud but isnt on this list, dig deeper.

These scripts collect a fuckton of data about your session. Theyre tracking:

  • Device fingerprints
  • Mouse movements and clicks
  • Typing speed and patterns
  • Time spent on page
  • Browser plugins and settings

Browse through your target site, keep an eye on Burps HTTP History tab. Youll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" with all this data. Thats the antifraud system at work.

Here are a bunch of URLs for POST requests that monitor your sessions risk:


For example, if youre dealing with Sift Science, Burp will capture a request that looks something like this:

JSON:
{
  "event": {
    "$type": "$create_order",
    "$user_id": "user123",
    "$session_id": "abc123xyz",
    "$order_id": "ORDER-123456",
    "$amount": 10000,
    "$currency_code": "USD",
    "$billing_address": {
      "$name": "John Doe",
      "$address_1": "123 Main St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94111"
    },
    "$payment_methods": [
      {
        "$payment_type": "$credit_card",
        "$payment_gateway": "$stripe",
        "$card_bin": "424242",
        "$card_last4": "4242"
      }
    ],
    "$shipping_address": {
      "$name": "Jane Doe",
      "$address_1": "456 Oak St",
      "$city": "San Francisco",
      "$region": "CA",
      "$country": "US",
      "$zipcode": "94110"
    }
  }
}

This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections.

For some systems like Forter, the requests not show up until you initiate the payment. For cases like this you can look at requests to the main site and look for cookies like ForterToken, etc.
View attachment 6057


Booking.com Showing Riskified Token:
EwgWhLk.png


Identifying Payment Gateways

Finding the payment gateway is key to finding the right cards and methods. Heres how to expose these bastards:

Always start with a test card. Some popular test cards are:
  • Stripe: 4242 4242 4242 4242
  • Braintree: 4111 1111 1111 1111
  • Adyen: 5555 4444 3333 1111
When you submit the test card, keep an eye on the network traffic. Youll see requests to the payment gateways domain. Look for:


Heres what a Braintree request might look like:

Code:
POST [url=https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards]https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards[/url]
{
"credit_card": {
"number": "4111111111111111",
"expiration_month": "12",
"expiration_year": "2025",
"cvv": "123"
},
"share": true
}

And heres what a Stripe request looks like:

Code:
POST [url=https://api.stripe.com/v1/payment_intents]https://api.stripe.com/v1/payment_intents[/url]
{
"amount": 2000,
"currency": "usd",
"payment_method_types[]": "card",
"payment_method": "pm_card_visa"
}

Some sites process payments on their own domain first. If you dont see direct calls to a known payment gateway, look for requests to the sites own API endpoints like "/api/process-payment" or "/checkout/finalize".

In these cases youll need to dig deeper. Look for telltale signs in the request parameters:

  • "stripe_token" or "stripe_source" suggests Stripe
  • "braintree_nonce" points to Braintree
  • "adyen_encrypted_data" indicates Adyen
  • "cybersource_token" implies CyberSource
  • "authorize_transaction_key" hints at Authorize.Net
  • "worldpay_order_code" suggests WorldPay

Remember, some sites use multiple payment gateways or route through intermediary services. Keep an eye out for services like:
* Hidden text: cannot be quoted. *


Finding the payment gateway is just step one. Each gateway has its own quirks and potential vulnerabilities. Now you know which ones youre up against, you can fine-tune your approach and increase your chances of success.

Closing Thoughts

From setting up Burp Suite to spotting antifraud systems and unmasking payment gateways, you now have the tools to crack your targets like a pro.

Remember the more you know about a sites defenses the better you can tailor your attack. Dont just throw cards at a wall and hope something sticks. Use these techniques to craft a strategy that maximizes your chances of success.
But were not done yet. In our next guide well be diving into mobile recon. Well show you how to apply these same principles to mobile apps, a whole new playground for carding.

And well get our hands dirty with Burps Tamper tool. Youll learn how to modify requests on the fly, lower your fraud score by editing the values sent to the antifraud systems and slip past those AI dogs.

Until next time, keep your OPSEC tight and your skills sharp. Stay frosty.

Class dismissed. d0ctrine out.
Nice bro
 

luci123

Newbie
Joined
02.02.25
Messages
31
Reaction score
1
Points
8
 

clony

Newbie
Joined
15.03.25
Messages
2
Reaction score
0
Points
1
goat
 

astralfox

kkkkkkkkkkkkkkkkkkk
 

rapoobla

nice
 

facai8800

8