Untitled

H40yQheute um 01:53 Uhr
H40yQ's guide for the carding novice. 02/15/2020


INHERENT TRUTHS FOR BEGINNERS

You won't be able to card bitcoin within the next couple months, please don't try until you are very confident in your skills. You won't be able to card $500 giftcards or jewelry immediately after learning how to card, please don't try until you are very confident in your skills. You won't be able to card amazon or ebay for medium/high ticket items right after learning how to card.

Introduction

I am writing and releasing this guide solely for the members of this discord group. I share my knowledge for anyone who is ready to put in the work required to utilize it. All of the content in this guide is up-to-date and should be for a while.

If you want to ever card successfully, there is a certain mindset you MUST have. This is non-negotiable, people who don't have this mindset will never card to a worthwhile capacity.

The mindset of someone who will become a successful carder:

Carding is a SKILL, and it is a SKILL with a massive learning curve. You must regard money as a tool that will be used to help you perfect this skill. You must be willing to do large amounts of research in order to piece together a further understanding of the subject. You must be OK with burning money, and you MUST NOT treat carding as if it is something you want to get into, make a couple hundred, and leave. I emphasize again, it takes money to make money, if you are broke, carding is not for you, please trust me on this.

GUIDE:

READ THIS PASTEBIN for an explanation of terms being used in here and just some good information overall.

https://pastebin.com/h95cjbRt
Pastebin
Carding terms - Pastebin.com

Before going into what to do, I'm going to specify what sites currently do to attempt to flag fraudsters.

SYS TIME - PROXY TIME MISMATCH: Websites are able to see your computer's time as well as the timezone of your IP address. This means if your computer timezone is from Texas and your proxy and cardholder timezone is in California, you will appear very suspicious to the website.

RISK FACTORING - This is what most big name sites use to determine if someone is a fraudster or not, anything that you do that seems suspicious to them will add to your fraud score. If your fraud score is above a certain score, they will automatically deny your order.

SHIP != BILL - Sites are obviously going to notice when the ship != bill, this is a red flag and will increase your fraud score. Unless your doing ATO (May explain in a later guide) your drop address won't be the same as the billing address. A lot of people advocate to set the billing address to the shipping address, but most US sites use AVS and verify it. Now, just because this increases your fraud score doesn't mean that it's extremely hard to do, it means that you have to be doing everything else properly so you don't get flagged.

BILL NOT AVS VERIFIED - Most USA sites are able to check billing address associated with the card. If you set a different billing address, some sites will flat out deny your order and some other sites will just raise your fraud score by a lot.

ACCOUNT AGE - Age of an account matters a lot with sites that use risk factoring. The newer your account is, the higher your fraud score is. However, it is still possible to do fraud while on a brand new account, you just have to make sure you're doing nothing else to increase your fraud score.

PERSONAL EMAIL - Having an email address that is hosted by companies such as google is actually more suspicious than having a email hosted on a registered domain (i.e marry.smith@globetrotters.com).

IN-SITE PROTOCOLS - Every site has their own way to detect fraudsters, some sites might track mouse movement, how often a person tabs out (As some fraudsters need to tab out to check cc info), How quickly you type, etc. These things that they track will only increase your fraud score, so it's best to emulate an average customer to the absolute best of your ability.

BILLING PHONE NUMBER - Sites can check if the phone number set on the billing address is on file with the bank, if it is not they will increase your fraud score. Most sites don't call billing phone number to verify unless if something is off about the order.

-SPOOFABLE-

WEBGL - This shares with sites your geolocation if you allow them to. Some sites like BestBuy use WebGL to see if the browser's geolocation is the same as their IP Address's. If your geolocation matches your IP address geolocation, it lowers your fraud risk.

WEBRTC - This is a built in plugin that leaks the host IP address through proxies. Sites try to check this to see if the customer is using a proxy.

FAKEOS - If the hardware specs, font list, max screen res, etc dont correspond with your useragent's OS, sites will be able to immediately tell that and it will make you seem very suspicious to the site.

FAKE RESOLUTION - If your resolution doesn't conform to the resolution of the device being used, sites will be able to see it.

YOUR FINGERPRINT VS NEARBY FINGERPRINTS - Some big sites keep track of the fingerprints of all their users, they have algorithms that compare your fingerprint to fingerprints near where the cardholder is located, if your fingerprint differs drastically then it might increase your fraud score, if your fingerprint is very similar, then it will lower your fraud score. Good ADs have developed to account for this.

AUDIO FINGERPRINT - Sites are able to generate a hash for your audio devices called the OscillatorNode method hash, as well as This helps them to fingerprint people even after they run CCleaner.

FONTS HASH - This is a hash generated by the amount of fonts your computer has, what fonts they are, and the order they are in. This helps them to fingerprint people even after they run CCleaner.

CANVAS FINGERPRINTING - This is a unique fingerprint that sites use to assist generating a browser fingerprint. What makes each canvas fingerprint unique is not the final image that we see, but how each computer renders hinting and anti-aliasing. Different computers carry out each process differently, and this fact allows for effective fingerprinting. This helps them to fingerprint people even after they run CCleaner.


Now, given all of these ways that sites can track you and flag your orders, using google chrome incognito and running CCleaner isn't going to work anymore. Any guide that tells you to use CCleaner is outdated to some extent. What you need is a good AD. Good antidetects are monthly subscriptions of commonly $100. Antidetects spoof /all/ of the things below where I marked -Spoofable-, good antidetects have browser configs that they match everything that they spoof with to ensure hardware consistency. They will also spoof the WebGeoLocation to the geolocation of the IP Address, and they will make WebRTC leak the IP address of the proxy, making it seem like a legitimate IP. You NEED an antidetect in 2020.

HOW DO I CARD?

First, you will need to have ready all that I list below:

Antidetect
CC
CVV
EXP DATE
Phone number of CC owner (facultative, if you don't have cc holder phone number, use a phone number from the same area code)
Full billing address
Socks5 within 25 miles of CC owner (same zip lowers fraud score)
fraud.cat ($25 mail elite)


With all of this and an understanding of how not to pointlessly raise your fraud score, you should be able to card 3rd party sites with low security, shopify stores work well.(Do not try to card big name 3rd party sites such as newegg, they will deny all bill != ship orders, and AVS verify bill.

Instructions


0. Go to truepeoplesearch.com and search up the cardholder. This should confirm their billing address and phone number. If their address is different on truepeoplesearch and the cc gets denied by the site, try that address as the billing.
1. On your AD, make a new profile for the cardholder, assign the proxy to it.
2. Ensure that the WebRTC, WebGL, and everything else is being properly spoofed.
3. Visit the website you intend to card.
4. In a new tab, visit fraud.cat and login.
5. In fraud cat go to Mail -> Check Mail, and look through the elite domains and pick one you like. (For example lutgun.com)
4. Make an account on the website you intend to card, register using the cardholder's name, and for the email put the first letter of the cardholder's name and after that their last name (msmith@lutgun.com)
5. Browse around briefly on the website, add <4 items to your cart, including the item you want to card, and remove them from your cart a couple minutes later.
6. Depending on the quality of your proxy provider and AD this may or may not be doable, save your browser profile and wait 18.5 hours before continuing to the next step.
7. Load your browser profile, it should put you back on the website with the same cookies and everything.
8. Remove the extra items from your cart, keeping the item you want to card.
9. Purchase the item. HAVE ALL OF THE DETAILS OPEN IN A SECOND SCREEN OR ON PAPER SO YOU DONT HAVE TO TAB OUT.
When you are filling in the details, make sure not to type very fast, make sure not to copy and paste, and do your best to act as if you are a normal customer in every way you can.
10. After you purchase the item, sometimes sites will tell you that the order is on it's way while it's still processing, go to fraud.cat, Mail -> Check Mail, then check the email you set for the account.
11. If after two hours there is no email letting you know that the verification failed, there's a good chance that the card worked.

If they email you saying that the card failed and to reenter payment details or try a different card, that means that the card is dead.
If they email you saying that they couldn't verify some stuff, that means that either the billing address was wrong or your fraud score was too high, more often than not it's the fraud score.

That's all for this guide, when I have more time I might write a follow up to this that goes into detail about ATO and carding larger sites.