
Carding Debunking a Huge Myth: “Carding is dead”

Imzu2

Banned
Joined
04.09.24
Messages
23
Reaction score
2
Points
8
And btw I really like this cc shop called *******.io, great delivery out there!
 

tutu12

Carding Novice
Joined
23.09.25
Messages
6
Reaction score
0
Points
1
I remember back in 2020, a lot of carders who on a Sunday afternoon after 6 beers grabbed a free cvv giveaway on a thread with 1 billion reads were saying:
Carding is dead! It was easier back in 2019... now with otp and the new vbv system it's useless, so they just sit on the couch talking nonsense and carding with a giveaway cvv. One failed attempt and he gets to explain why carding is dead.

The Sunday afternoon hacker would complain: yeah, now they don't even store the cards in the SQL database, what's the point of hacking?

This bad mindset has always been the biggest stumbling block for beginners. The best way to succeed is to keep learning, keep trying, and find your own unique way of carding or hacking.

In 2021 the same people said the same thing, 2022 same story, 2023 same story, 2024 same story.
Now it is already 2025 and some lazy people are still looking for reasons not to try again with more experience from past failures.

There are 365 days in a year and 24 hours in a day.

If you have enough of the right knowledge, preparing, executing and profiting from a carding operation takes only 1 hour.

While these people were complaining, some people had already gotten iPhones and sold them, so every summer people carded hotels and penthouses for months on end while the Sunday afternoon carders were still complaining.

Like any other job, carding is not easy; it has a certain level of difficulty, but the relatively large financial rewards make up for it.

For those who can read between the lines, here is a recent story:
Between January 14 and 24, 2025, a top watch brand's e-shop was hacked to include malicious scripts that stole credit card and customer information.

Any customer who shopped during that period may have had their personal information and credit card data stolen by hackers.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler says the attack exploited Magento vulnerabilities and also hit 17 other websites. The names of the other companies are being withheld for now because the researchers are working with the affected sites to clean up the infections.
Skimmer payload source code:
*** Hidden text: cannot be quoted. ***

Operation details

From a technical point of view, the attack used a simple first-stage skimmer planted on the website, which dynamically fetched the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated with custom encoding and XOR-based string hiding to evade detection.

Once the victim adds items to their virtual cart, the skimmer loads a fake checkout form instead of directing the victim to the actual checkout page, as most skimmers do.
Fake checkout form (3 steps)

The form's design did not match the site's overall theme, and it is not triggered by clicking "Buy now", which shows the attack is not very sophisticated.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, cardholder name, credit card number, credit card expiration date and credit card CVV code.

After entering all details, the victim is shown a fake error and then redirected to the site's legitimate checkout page to complete the order as usual.

The stolen data is AES-256-CBC encrypted and exfiltrated to the attacker's server, which in all observed cases was an X IP address.

(Decrypted) sample of the exfiltrated data

JSCrambler comments that Casio had Content Security Policy (CSP) protection in place, which should limit malicious script execution on the site, but the configuration was too loose.

"The site had a Content Security Policy (CSP), but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report any violations (no report-uri or report-to directives)."

"As a result, CSP violations were only logged in the browser console rather than actively blocking the attack."
Thanks
 

poopop

Carding Novice
Joined
03.04.26
Messages
20
Reaction score
0
Points
1
I remember back in 2020 a lot of carders of the Sunday afternoon after 6 beers, and then grabbing a free cvv giveaway on a thread with 1 billion reads were saying:
Carding is dead! It was easier back in 2019… Now with the otp and new vbv system it’s blah blah blah and just sitting on the couch yappin and cappin after trying to card with a giveaway cvv. 1 hit failure and he gets to explain why carding is dead.

A hacker of the Sunday afternoon would complain: Yeah now they don’t even store the cards in the SQL db, what is the point of hacking?

This poor mental attitude has always been the biggest brake for beginners. The best way to succeed is by learning then trial and error and finding your unique way of carding or hacking.

In 2021, the same thing was being said by the same people, 2022 same story, 2023 same story, 2024 same story.
Now we are in 2025 and some lazy people are still finding reasons to not try again with more experience from past failures.

In a year we have 365 days and there are 24 hours in a day.

It takes 1 hour to prepare, execute and profit from a carding operation if you have the right amount of right knowledge.

While these people were complaining, some people got iPhones delivered and sold them, so people carded hotels and penthouses for months each summer while the Sunday afternoon carders were still complaining.

Like any other line of work, carding is not easy and comes with a fair amount of difficulty compensated by the relatively big financial rewards.

For those who can read between the lines here is a recent story for you:
A top Watch site e-shop was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.

Any customers who made purchases between those dates may have had their personal details and credit card data stolen by hackers.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler says the attack leveraged Magento vulnerabilities and also targeted 17 other websites. The other companies' names are being withheld as the researchers work with the affected sites to remove the infections.
Skimmer Payload Source Code:
*** Hidden text: cannot be quoted. ***

Operation details

From a technical perspective, the attack uses a simple first-stage skimmer planted on the website, which dynamically fetches the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated using custom encoding and XOR-based string concealing to evade detection.

Once the victim added items to their virtual cart, the skimmer loaded a fake checkout form instead of directing them to the actual checkout page, as most skimmers do.
Fake checkout form (3 steps)

The form wasn't designed to match the site's overall website theme, and it won't trigger if "buy now" is clicked, indicating a lack of sophistication in the attack.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, credit card holder's name, credit card number, credit card expiration date, and credit card CVV code.

After entering all details, the victim is presented with a bogus error and then redirected to the site’s legitimate checkout page to complete their order as usual.

The stolen data is AES-256-CBC encrypted and exfiltrated to the attacker's server, which, in all of the observed cases, was an X IP address.

(Decrypted) sample of the exfiltrated data

JSCrambler comments that Casio had Content Security Policy (CSP) protections in place, which should restrict malicious script execution on the website, but it was configured too loosely.

"The site had a Content Security Policy (CSP) in place, but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report back any violations (no report-uri or report-to directives),"

"As a result, CSP violations were only logged in the browser console rather than actively preventing the attack."
Wow...nice job
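Two defender-side checks that follow from the CSP and loader details in the write-up quoted above, as an added example (not code from the post or from JSCrambler's report): a linter that flags a Content-Security-Policy that is report-only, has no reporting endpoint, or allows overly broad script sources, and a page scan that lists script tags loading from hosts outside an allowlist, which is where a first-stage loader pulling a second stage from an external host would show up. The header values, hostnames and HTML snippet are constructed samples, not artefacts from the incident.

```python
"""Two page-integrity checks prompted by the skimmer write-up above.

Added example, not code from the forum post or from JSCrambler's report.
All header values, hostnames and HTML below are constructed samples.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

REPORT_DIRECTIVES = {"report-uri", "report-to"}
# Source expressions that let an injected or externally hosted script run.
BROAD_SCRIPT_SOURCES = {"*", "'unsafe-inline'", "'unsafe-eval'", "http:", "https:", "data:"}


def parse_csp(value):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def lint_csp(header_name, header_value):
    """Return findings for one CSP header; an empty list means nothing to flag.

    Mirrors the misconfiguration described in the post: a report-only policy
    with no reporting endpoint neither blocks nor reports a violation.
    """
    findings = []
    policy = parse_csp(header_value)
    if header_name.lower() == "content-security-policy-report-only":
        findings.append("report-only mode: violations are logged, never blocked")
    if not (REPORT_DIRECTIVES & policy.keys()):
        findings.append("no report-uri/report-to: violations only reach the browser console")
    script_src = policy.get("script-src", policy.get("default-src"))
    if script_src is None:
        findings.append("no script-src or default-src: script loading is unrestricted")
    else:
        for src in script_src:
            if src.lower() in BROAD_SCRIPT_SOURCES:
                findings.append(f"script-src allows {src}: an injected loader would still execute")
    return findings


class _ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_untrusted_scripts(html, allowed_hosts):
    """Return script URLs whose host is outside allowed_hosts.

    Relative URLs have no host and are treated as same-origin. A first-stage
    loader that fetches a second stage from an unknown host shows up here.
    """
    collector = _ScriptCollector()
    collector.feed(html)
    allowed = {h.lower() for h in allowed_hosts}
    untrusted = []
    for src in collector.sources:
        host = urlsplit(src).hostname  # None for relative (same-origin) URLs
        if host is not None and host not in allowed:
            untrusted.append(src)
    return untrusted


# Constructed samples (hypothetical headers and hosts, not from the incident).
WEAK_HEADER = ("Content-Security-Policy-Report-Only",
               "default-src 'self'; script-src 'self' 'unsafe-inline' https:")
STRONG_HEADER = ("Content-Security-Policy",
                 "default-src 'self'; script-src 'self' https://cdn.shop.example; "
                 "report-to csp-endpoint; report-uri /csp-report")
SAMPLE_HTML = """
<html><head>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/app.js"></script>
<script src="//stage2.example.invalid/loader.js"></script>
<script>document.body.dataset.loaded = 1;</script>
</head><body></body></html>
"""
ALLOWED_HOSTS = {"cdn.shop.example"}

if __name__ == "__main__":
    for name, value in (WEAK_HEADER, STRONG_HEADER):
        print(name, "->", lint_csp(name, value) or ["ok"])
    print("untrusted scripts:", find_untrusted_scripts(SAMPLE_HTML, ALLOWED_HOSTS))
```

The weak header reproduces the quoted failure mode: it is report-only, it names no reporting endpoint, and its script sources would still let an inline or externally hosted loader run. The strong header is enforcing, pins script sources to the origin plus one named CDN host, and sends violation reports to an endpoint so that an unexpected script load becomes an alert rather than a console message nobody reads.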
 

kimk100

Carding Novice
Joined
02.08.25
Messages
19
Reaction score
1
Points
3
I remember back in 2020 a lot of carders of the Sunday afternoon after 6 beers, and then grabbing a free cvv giveaway on a thread with 1 billion reads were saying:
Carding is dead! It was easier back in 2019… Now with the otp and new vbv system it’s blah blah blah and just sitting on the couch yappin and cappin after trying to card with a giveaway cvv. 1 hit failure and he gets to explain why carding is dead.

A hacker of the Sunday afternoon would complain: Yeah now they don’t even store the cards in the SQL db, what is the point of hacking?

This poor mental attitude has always been the biggest brake for beginners. The best way to succeed is by learning then trial and error and finding your unique way of carding or hacking.

In 2021, the same thing was being said by the same people, 2022 same story, 2023 same story, 2024 same story.
Now we are in 2025 and some lazy people are still finding reasons to not try again with more experience from past failures.

In a year we have 365 days and there are 24 hours in a day.

It takes 1 hour to prepare, execute and profit from a carding operation if you have the right amount of right knowledge.

While these people were complaining, some people got iPhones delivered and sold them, so people carded hotels and penthouses for months each summer while the Sunday afternoon carders were still complaining.

Like any other line of work, carding is not easy and comes with a fair amount of difficulty compensated by the relatively big financial rewards.

For those who can read between the lines here is a recent story for you:
A top Watch site e-shop was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.

Any customers who made purchases between those dates may have had their personal details and credit card data stolen by hackers.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler says the attack leveraged Magento vulnerabilities and also targeted 17 other websites. The other companies' names are being withheld as the researchers work with the affected sites to remove the infections.
Skimmer Payload Source Code:
*** Hidden text: cannot be quoted. ***

Operation details

From a technical perspective, the attack uses a simple first-stage skimmer planted on the website, which dynamically fetches the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated using custom encoding and XOR-based string concealing to evade detection.

Once the victim added items to their virtual cart, the skimmer loaded a fake checkout form instead of directing them to the actual checkout page, as most skimmers do.
Fake checkout form (3 steps)

The form wasn't designed to match the site's overall website theme, and it won't trigger if "buy now" is clicked, indicating a lack of sophistication in the attack.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, credit card holder's name, credit card number, credit card expiration date, and credit card CVV code.

After entering all details, the victim is presented with a bogus error and then redirected to the site’s legitimate checkout page to complete their order as usual.

The stolen data is AES-256-CBC encrypted and exfiltrated to the attacker's server, which, in all of the observed cases, was an X IP address.

(Decrypted) sample of the exfiltrated data

JSCrambler comments that Casio had Content Security Policy (CSP) protections in place, which should restrict malicious script execution on the website, but it was configured too loosely.

"The site had a Content Security Policy (CSP) in place, but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report back any violations (no report-uri or report-to directives),"

"As a result, CSP violations were only logged in the browser console rather than actively preventing the attack."
thanks
 

Nasar

Active Carder
Joined
19.04.25
Messages
54
Reaction score
1
Points
8
I remember in 2020 that a lot of carders were spending Sunday afternoon after six beers, then grabbing a free card verification code (CVV) in a thread that had a billion reads, and they were saying:
The era of credit card fraud is over! It was easier in 2019... Now with the one-time password system and the new verification system it is all just empty talk, and they sit on the couch yapping and lying after trying to card with the free CVV. One failed attempt, and they explain why the era of credit card fraud is over.

A Sunday afternoon hacker would say: yeah, now they don't even store the cards in an SQL database, what is the point of hacking?

This negative thinking has always been the biggest obstacle for beginners. The best way to succeed is to learn, then trial and error, and discover your own way of carding or hacking.

In 2021 the same talk was said by the same people, in 2022 the same story, in 2023 the same story, and in 2024 the same.
And now we are in 2025, and some lazy people still find reasons not to try again after gaining more experience from past failures.

In a year we have 365 days, and in a day 24 hours.

It takes one hour to prepare, execute and profit from an online fraud operation if you have the right amount of correct knowledge.

While those people were complaining, some people got iPhones delivered and sold them on their behalf, so people carded hotels and luxury apartments for months every summer while the Sunday afternoon carders were still complaining.

Like any other line of work, credit card fraud is not easy and comes with a considerable amount of difficulty that is compensated by the relatively large financial rewards.

For those who can read between the lines, here is a recent story:
A well-known watch e-store was hacked, with malicious scripts embedded that stole credit card and customer information between January 14 and 24, 2025.

Any customer who made purchases between those dates may have had their personal data and credit card data stolen by the intruders.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler reported that the attack exploited security vulnerabilities in the Magento platform and also targeted 17 other websites. The names of the other companies have been withheld while the researchers work with the affected sites to remove the malware.
Skimmer payload source code:
*** Hidden text: cannot be quoted. ***

Operation details

From a technical standpoint, the attack uses a simple first-stage skimmer planted on the website, which dynamically fetches the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated using custom encoding and XOR-based string concealment to avoid detection.

As soon as the victim adds items to their virtual shopping cart, the skimmer loads a fake payment form instead of directing them to the actual payment page, as most skimmers do.
Fake payment form (3 steps)

The form was not designed to match the overall look of the website, and it is not triggered if "Buy now" is clicked, which indicates a lack of sophistication in the attack.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, cardholder name, credit card number, credit card expiry date and the card verification code (CVV).

After entering all the details, a fake error is shown to the victim, who is then redirected to the site's legitimate payment page to complete the order as usual.

The stolen data is encrypted with AES-256-CBC and sent out to the attacker's server, which in all observed cases was an X-type IP address.

(Decrypted) sample of the leaked data

JSCrambler comments that Casio had Content Security Policy (CSP) protection in place, which was supposed to restrict the execution of malicious scripts on the website, but it was configured far too loosely.

"The site had a Content Security Policy (CSP), but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report any violations (no report-uri or report-to directives)."

"As a result, CSP violations were only logged in the browser console instead of actively preventing the attack."
900
 

XavvyLives4ever

Carding Novice
Joined
11.04.26
Messages
4
Reaction score
0
Points
1
ty
I remember back in 2020 a lot of carders of the Sunday afternoon after 6 beers, and then grabbing a free cvv giveaway on a thread with 1 billion reads were saying:
Carding is dead! It was easier back in 2019… Now with the otp and new vbv system it’s blah blah blah and just sitting on the couch yappin and cappin after trying to card with a giveaway cvv. 1 hit failure and he gets to explain why carding is dead.

A hacker of the Sunday afternoon would complain: Yeah now they don’t even store the cards in the SQL db, what is the point of hacking?

This poor mental attitude has always been the biggest brake for beginners. The best way to succeed is by learning then trial and error and finding your unique way of carding or hacking.

In 2021, the same thing was being said by the same people, 2022 same story, 2023 same story, 2024 same story.
Now we are in 2025 and some lazy people are still finding reasons to not try again with more experience from past failures.

In a year we have 365 days and there are 24 hours in a day.

It takes 1 hour to prepare, execute and profit from a carding operation if you have the right amount of right knowledge.

While these people were complaining, some people got iPhones delivered and sold them, so people carded hotels and penthouses for months each summer while the Sunday afternoon carders were still complaining.

Like any other line of work, carding is not easy and comes with a fair amount of difficulty compensated by the relatively big financial rewards.

For those who can read between the lines here is a recent story for you:
A top Watch site e-shop was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.

Any customers who made purchases between those dates may have had their personal details and credit card data stolen by hackers.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler says the attack leveraged Magento vulnerabilities and also targeted 17 other websites. The other companies' names are being withheld as the researchers work with the affected sites to remove the infections.
Skimmer Payload Source Code:
*** Hidden text: cannot be quoted. ***

Operation details

From a technical perspective, the attack uses a simple first-stage skimmer planted on the website, which dynamically fetches the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated using custom encoding and XOR-based string concealing to evade detection.

Once the victim added items to their virtual cart, the skimmer loaded a fake checkout form instead of directing them to the actual checkout page, as most skimmers do.
Fake checkout form (3 steps)

The form wasn't designed to match the site's overall website theme, and it won't trigger if "buy now" is clicked, indicating a lack of sophistication in the attack.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, credit card holder's name, credit card number, credit card expiration date, and credit card CVV code.

After entering all details, the victim is presented with a bogus error and then redirected to the site’s legitimate checkout page to complete their order as usual.

The stolen data is AES-256-CBC encrypted and exfiltrated to the attacker's server, which, in all of the observed cases, was an X IP address.

(Decrypted) sample of the exfiltrated data

JSCrambler comments that Casio had Content Security Policy (CSP) protections in place, which should restrict malicious script execution on the website, but it was configured too loosely.

"The site had a Content Security Policy (CSP) in place, but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report back any violations (no report-uri or report-to directives),"

"As a result, CSP violations were only logged in the browser console rather than actively preventing the attack."