With the recent hacking of the TalkTalk customers database in the UK, it left me feeling somewhat inspired to see just how easy it is for “wannabe” criminals to get access to the information and start their own fraudulent activities using this information.
Everyone these days has heard of Tor and the Deep-Web, most likely since the seizure of SilkRoad, which was an underground marketplace where you could buy anything from; weed, credit card info, weapons, all the way to contract hitmen.
Since the closure of the site by the FBI and the subsequent arrest of Ross Ulbricht who is now serving a life sentence, this has done little to stop new marketplaces appearing all over the deep-web trying to get a slice of what is a sizeably profitable pie, at the time of his arrest it was reported that Ross Ulbricht was holding onto $28.5 million worth of the crypto-currency Bitcoin, which is the currency of choice for any aspiring criminal today due to it anonymity.
The take-down of Silk Road seems to have done the opposite in tackling online underground illegalities, as ironically it has turned out to be the greatest piece of marketing ever, as more and more marketplaces are opening up, meaning that finding a gram of 90% uncut cocaine from Colombia or a glock pistol has never been easier, the most popular marketplaces on the Deep-Web now are; AlphaBay, Nucleus and DreamMarket, a quick browse of these sites is really eye-opening a to what is freely available to buy on the Deep-Web
So just how easy is it to get your hands on a fresh, LIVE credit card these days? Well, quite easy actually, the difficult bit is being able to use that information to actually make a purchase online or in-store which is an ever increasingly popular choice due to the increasingly sophisticated online fraud detection system being put in place by the banks and payment gateways.
My plan was never to actually use a card should I find one, but to simply find out how the process worked and discover just how easy it is to take over someones online identity and “make some money”.
The best way of protecting yourself is by, “layering up your protection”, an example of this would be;
Going to an internet cafe and installing software that will allow you to connect to the computer remotely, you can then also covertly install your VPN (virtual private network) onto that computer ready for use. Once this is done, you would need to install another VPN on your own computer and connect that computer via RDP (Remote Desktop Protocol) to the bait computer, and off you go.
Depending on the VPN service you use, and providing they don’t record “logs” of the history of connection, you are basically completely anonymous and impossible to track, Sounds confusing? It needs to be…
So you are set-up and ready to go, now all you need is to find some LIVE credit card details and the information about the “victim”, that will ensure you pass through the online verification system. This is actually the easiest part, which I will explain shortly.
My search in the Deep Web, took less that 5 minutes before I came across a forum that was discussing various new “carding” tutorials, as it is called underground. Everything from; Hacked Paypal Accounts to a Western Union service that would send you “double your money” was available, for a price. The problem with these forums, is that as you are dealing in criminal activity, ultimately you are also dealing with criminals, who do not think twice about taking your money and vanishing back into the DeepWeb, opening up a new name and repeating the same with the next mug desperate for some “easy money”.
There is no such thing as trust in these forums, and it only takes a quick google search of “carding rippers”, to show pages of pages of poor potential criminals, ranting about how they have sent $500 in Bitcoins to someone they have never met, and have not received the login to the hacked PayPal account that was holding onto “their” $5000. You really cannot make it up…
After some searching to find a legitimate website selling valid cards, I was directed to a clear-net website that can be found easily on google called www.rescator.cm which has received some “good reviews” from carders online. The majority of credit card fraud websites you will find online these days are based in Russia, the birthplace of major credit card fraud. The reason why Russian is now top of the list is the fact that the Russia government do not consider credit card fraud (providing the fraud takes place outside of Russia) to be that much of a crime, and as it is so widespread, effectively the carding gangs are immune from prosecution, despite the proceeds of the crime taking millions of pounds every year.
*Disclaimer – This information is for educational purposes only, we do not recommend you get involved in credit card fraud, as well basically, it’s illegal…
Just like all websites, payment for the card details on Rescactor.cm is made via BitCoin, and just like an online shop, you can search the database of cards through a number of filters, such as; BIN (first 6 digits of the card), location, social security number, phone number, Amex etc, making it very easy to find a specific card that suits your needs.
As I was not in need of anything specific, I decided I would pick a card at random within the UK and purchased my first “card”…
Most of the information of the card and the cardholder was revealed after purchasing, which included the phone number registered to the account, but most importantly was missing the D.O.B which is generally the only piece of information you need to source outside of the site, in order to pass most of the Verified by Visa” checks that most websites now use for online purchases, so now it was up to me to find this out before i’m ready to use the card…
Having the name of the “victim” and home address, the first port of call was Facebook and within 5 minutes of searching the site using Facebooks own filters to narrow down the results, I managed to find the cardholder, and amazingly in the persons own Facebook bio, it revealed their D.O.B which was the final piece of the puzzle. It was really that simple.
If you cannot find out on Facebook, then you have the address and the name of the person and all you have to do is contact the address’s local council’s electoral role library where the information is freely available for free.
Once you have all these details there is still a bit more to do before you can start shopping on Amazon as all public VPN’s, tend to be shared and therefore most of the I.P’s that they use are blacklisted by the payment processors and will automatically block the card if irregularities are found, so you now need to finish your “layer” of protection using something called a “SOCKS5” proxy, which although will offer no additional security, it will change your IP address, fooling the websites into thinking that you are actually logging on from “Mr Smith’s” computer at home.
There are many private SOCKS 5 proxies online, each with their own location and ISP’s, so what you need to do is find a proxy that is located in the area of your victim (remember you have their address). For example, if the victim lives in Putney, London – you simply find a proxy in Putney and your good to go. It really is very simple once you understand how to protect yourself and work anonymously. Worryingly, sites like Rescator.cm receive fresh CC info every week, usually from hacked POS systems in retailers making there an endless supply of credit cards for criminal to use at will.
As mentioned, we do not condone or recommend you get involved in any form of illegal activity, as you will end up getting caught and for the sake of a new TV is it really worth it? The point really of this is to emphasise the fact that you really need to be careful of your privacy and personal information online and offline…