Aluf

[Aluf] All About Credit Card Online Theft.. Revealed!!

Apr 9th, 2015
  1. Good evening friend,
  2.  
  3. Howdy? Hope everything is going on well there.
  4.  
  5. So, tonight I want to share special stuff of mine, that is credit card collections!! These are my credit card old collections which I dumped/injected (stole) from database shopping site, from 2013 – 2015. Some of them were given by my friend, and few of them distributed over underground community (but not public). I never collect/save credit card data which has been distributed publicly on the net, as thousands of people out there might has used it.
  6.  
  7. I’ve used these cards for carding, online shopping from various (cardable) webshops. I got TV, digital camera, books, VGA, medicine, cellular phone, etc. I was feeling greatly helped by using these cards, lolz!! Yes, at least I can use the stuff for myself or selling them and earn money from the sale, or I just give it to my relatives for gift.
  8.  
  9. How did I get the credit card data from the database?
  10.  
  11. Simple, as usual, web scanning with SQL injection technique. SQL injection attack has been widely used and known by many bad guys out there. Most of people are just familiar with GET method, but only few people use POST method. The key is here, when you get stuck on GET method, use other method like POST. It’s sometimes working and the injection point wasn’t realized before by most IT persons, even, we can inject the session, POST header data, etc. With SQLMap, we can easily set the injection to POST method. SQLMap tool is a powerful injection tool I think, we can also set the tamper used for the injection.
  12.  
  13. One thing I love from SQLMap is the tamper securesphere.py and between.py. Those 2 tampers work great when the injection type is based on TIME (T) and the target website is secured by somekind like WAF (Web Application Firewall). Most of secured websites just can not avoid Time-based injection!
  14.  
  15. But, isn’t now webshops apply for PCI-DSS Compliant agreement for online payment?
  16.  
  17. Yes, right. With PCI standard, every webshop is prohibited from saving the customer credit card data in the database. Or, if they want to save it (for future payment method used by the customer), they have to use encryption to encrypt the credit card number and other sensitive information.
  18.  
  19. For example, in Magento, as we can see, there already many built-in payment methods, like Authorize.net, Paypal, Saved CC, Cybersource SOAP, etc. In saving the payment transaction, the credit card data are being encrypted first then saved in the database. The format of the credit card number shown on the back-end is something like this:
  20.  
  21. Credit Card Type: MasterCard
  22. Credit Card Number: xxxx-1234
  23.  
  24. How to decrypt it? The data is encrypted deeply in the Magento core. Sorry, I’m not familiar enough with Magento, but I got information from online forum, that if the merchant wants to save the customer’s credit card data, expired date, and CVV, then he must edit several line of codes in the checkout payment file. The principal is:
  25.  
  26. CUSTOMER PAY ---> CREDIT DATA TRANSMITTED ---> (SAVE THE CREDIT CARD DATA) ---> ENCRYPT & PARSE THE PAYMENT INFO TO THE PAYMENT GATEWAY'S API
  27.  
  28. The key is here, (SAVE THE CREDIT CARD DATA). I’m sure most of you who have successfully hacked into Magento sites, and get root account, must be known on how to do it (as long as you understand OOP in PHP). This’s really silent method. Other silent method is using TCPDump, so that you (as root), can intercept the data being transmitted from the client to the server. You get clear/plain credit card data.
  29.  
  30. What file should be edited? Just googling around “how to save CC in magento“.
  31.  
  32. Alright, enough for the Magento sample. Other sample maybe same with Virtuemart on Joomla, or WordPress checkout.
  33.  
  34. Back to the topic about PCI payment standard.
  35.  
  36. Even though most websites use an encrypted standard for the transmitted payment data, a few of them are still lacking in data security. I once got one website which accepts online payment and it saved the credit card data in XML format. The XML data may be used for API communication between the merchant and the 3rd party payment gateway. In principle, the XML data should not be saved in the database, but the merchant did save it. Even if the payment has gone through, the XML data (containing sensitive credit card info) is still in the database.
  37.  
  38. For example (this is only for example, the credit card data being exposed here is a FAKE):
  39.  
  40. [a2:paymentDetails]
  41. [a3:amount]1500[/a3:amount]
  42. [a3:creditCard]
  43. [a3:cardNumber]376029564123482[/a3:cardNumber]
  44. [a3:expiryMonth]12[/a3:expiryMonth]
  45. [a3:expiryYear]2015[/a3:expiryYear][a3:validationCode]781[/a3:validationCode]
  46. [/a3:creditCard]
  47. [/a2:paymentDetails]
  48.  
  49. I found them in hundreds of records, and I don't understand why the developer would save the payment XML data in the database. It's really against the cyber law.
  50.  
  51. Well, recently the injection point of the vulnerable site has been fixed (…after about 2 years being vulnerable).
  52.  
  53. A positive lesson that I want to tell every web developer in the world: never ever save the customer's sensitive data (like plain credit card number, exp date, and CVV) in the database. If you really have to save it, encrypt it first before saving. And also, secure your server, always check it routinely, check the file permissions and the last accessed/edited date! Once the server gets rooted, all traffic to and from your website may be intercepted, and your online business is totally DOOMED!
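
For the developer-side lesson above, an added example (not part of the original paste): a Python filter that strips card data from a gateway payload before it is logged or written to a database. The element names follow the sample payload shown earlier; the function names, the `a3:note` field and the test card number 4111111111111111 are constructed for illustration.

```python
import re

# Element names follow the payload sample on this page; the namespace prefix may vary.
SENSITIVE = ("cardNumber", "validationCode")
# Matches <ns:tag>v</ns:tag> and the bracketed [ns:tag]v[/ns:tag] rendering.
TAG_RE = re.compile(
    r"([<\[])((?:\w+:)?(%s))([>\]])(.*?)([<\[])/\2([>\]])" % "|".join(SENSITIVE),
    re.S,
)
# 13-19 digits, optionally grouped with spaces or dashes (leaks in free-text fields).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: separates card numbers from order ids and timestamps."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask_pan(value):
    digits = re.sub(r"\D", "", value)
    return "x" * max(len(digits) - 4, 0) + digits[-4:]


def sanitize(payload):
    """Return (clean_payload, findings); findings lists what had to be removed."""
    findings = []

    def fix_tag(m):
        findings.append(m.group(3))
        # The CVV is dropped entirely; the card number is cut to its last four digits.
        new = mask_pan(m.group(5)) if m.group(3) == "cardNumber" else "REDACTED"
        return f"{m.group(1)}{m.group(2)}{m.group(4)}{new}{m.group(6)}/{m.group(2)}{m.group(7)}"

    def fix_text(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)
        findings.append("pan-in-text")
        return mask_pan(digits)

    return PAN_RE.sub(fix_text, TAG_RE.sub(fix_tag, payload)), findings


# Constructed sample in the page's bracketed format, using a public test card number.
SAMPLE = ("[a2:paymentDetails][a3:amount]1500[/a3:amount][a3:creditCard]"
          "[a3:cardNumber]4111111111111111[/a3:cardNumber]"
          "[a3:validationCode]123[/a3:validationCode][/a3:creditCard]"
          "[a3:note]phone order, card 4111 1111 1111 1111[/a3:note][/a2:paymentDetails]")
```

Running `sanitize` over rows already in a database and checking for a non-empty findings list is a quick audit for payloads that were stored before such a filter existed.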
  54.  
  55. # Check Credit Card Active or Not and Credit Balance
  56.  
  57. One more thing, sometimes I read on a blog or site/forum, I found some fool questions like “how to check CC balance?”, “buy full CVV”, “check credit card balance online”, etc. I was thinking about the person, does he/she really know that it’s impossible to check the credit card balance, without having complete bank account login of the legal cardholder. Technically, someone has to log in to their personal bank account by inputting account’s Username & Password, or maybe personal PIN (PIN number is different with the CVV), to be able to check the credit balance in his/her credit card account. And now, if someone wants to check the balance of stolen credit card, only by using credit card number, exp date, and CVV, how does he/she supposed to get the correct info?? No online service would be able to do this.
  58.  
  59. What the carder can do is only checking the credit card still active or not, and estimate the credit balance limit. To check the card, try to make an online purchase using the card, if the payment authorized successfully, it means the card is active and still have balance in it.
  60.  
  61. To check the exact balance, we can not! We can only estimate what’s the card balance, by referring to the information resulted from BIN check. Keep in mind that there are only 3 main card categories in the term of credit card, those are Classic, Gold, and Platinum card. Or we can add Black card. The other card types, are only inherited from the main categories, eg: Travel card, student card, pre-paid card, etc. Different banks may use other term of the credit card type, eg: Business card (same as Gold card). To know exactly the card types that the bank offered, go to the official bank issuer website. You gonna get lot info from there.
  62.  
  63. And, how to estimate the balance limit based on the card type? Actually, it depends on the bank policy itself. But, the minimum credit balance can be started from $500 (for Classic). Different bank maybe lift up the limit to more than $1000 (for Classic card). And the Gold card, has the limit more than $5000 or maybe more. While Platinum or Black card has limit start from $25000 or maybe more.
  64.  
  65. So, if you’re trying to purchase something on the net with Classic card, make sure, the invoice grand total is below $500, or the bank might cancel the authorization, due to lack of balance. Also, keep in mind, that the card you stolen from someone else, the credit balance might has been used by the original cardholder for his/her own purpose. Thats why, we can’t be sure how much balance still remain in the card. What we can do is just guessing, to make a successful order with Classic card, make the grand total below $300 or $200. Why should $300 or $200? This’s because someone (the original cardholder) would not intend to make an online purchase nearly the credit limit that is $500 (in just one day), for personal purpose. So, we can strongly guess that the remain credit is between $100 or $300. So, we must not purchase something more than $400? No, I’m not saying that, I’m just recommend that the total purchase should be below $300, for successful chance. But, if you purchase something more than $400 and successfully authorized by the bank, then you’re just in lucky time.
  66.  
  67. If you’re using Gold or Platinum card type, you shouldn’t be much worry about the credit balance. As the balance is so high, so that it wouldn’t affect the purchase value if it just around $300 – $500.
  68.  
  69. If you want to check the credit card, try to use it to purchase digital service on this site: punypng.com (charge only $2 — needs card number, exp date, and CVV).
  70.  
  71. To check card BIN (Bank Identification Number), you can check here: http://www.binlist.net
  72.  
  73. eg:
  74. http://www.binlist.net/json/414997
  75.  
  76. {"bin":"414997","brand":"VISA","sub_brand":"","country_code":"US","country_name":"United States","bank":"LIBERTY SAVINGS BANK, F.S.B.","card_type":"DEBIT","card_category":"CLASSIC","latitude":"38","longitude":"-97","query_time":"344.695µs"}
  77.  
  78. # How about cash out the credit card?
  79.  
  80. I dont know what it means by “cash out” the card. If you talk about cashing the credit balance into a money cash, then you might talking somekind like Western Union service(?) or attach the card in to your Paypal account so that you can withdrawal the money(?) or you got another secret techniques(?). Forget about cashing credit balance using WU or Paypal. It will result in fail. So far, what I know about cashing the credit balance is by using DUMP BIN TRACK of the card. With the track 1 or track 2 number (codes), there’s a possibility to duplicate it into physical magnetic stripe card. By using the duplicated card, you can easily cashing out the credit balance into real money cash through ATM machine box.
  81.  
  82. Okay back to the topic, so here I share my credit card old data collections. Sorry, I can only share about 46 credit cards. Some of the files contain the webshop list which I ever used the card for online shopping, along with the result label (SUCCESS, FAILED, DECLINED).