View Single Post
  #1 Old 03-07-2019, 10:12 PM
Cartographer
 
Cartographer's Avatar
 
Join Date: Aug 2013
Posts: 511
Cartographer is on a distinguished road
Default Main Carding Tutorial for newbies

Carding Tutorial FULL {for beginners and pros}

Its always good to share and help others. So im doing my bit. Below is a carding guide written by myself - perfect for those noobs starting off. Dont no one have a go at me for anything, there may be spelling mistakes, there may be certain aspects that others wont agree with. If you have something to add which is helpful then great. Otherwise keep it to yourself - no one can complain about free info, especially something like this which others are charging for.

Good look to those who use this, show a little appreciation by liking the post, only if you found it helpful .

Lets start making some money, Please also share tips, any new sites you find cardable and what you encountered throughout the process i.e did they call, what amount you carded for, bill/ship or bill=ship etc.

PS - there may be certain (minor) aspects which are outdated, i wrote this a short while back, its all valid, but things may have improved in certain aspects.

================ W H A T W E N E E D ==========================
-Laptop
I would say get a separate machine, as in donít use your personal laptop or PC for any fraudulent work. Just go to ebay and get a laptop for cheap. It doesnít have to be anything spectacular, Iíd say stick to something with at least a dual core processor and 4gb RAM. Everything else doesnít matter. Donít keep this machine around the house, easily found. Find a place that you can hide it. Ima person that says itís easier to be safe then sorry.

-USB stick
We need this as we will be running our software of this. Donít buy a crappy quality stick. Get a well-known brand, I personally use SanDisk. Size doesnít really matter, theyíre dirt cheap these days. You can get a 128GB stick for about £20. Good thing with USB stick if the need arises, you can get rid of it much easily then a laptop. Go for a 128GB stick.

-Burner phone and SIM
I go to Argos and buy a cheap £10 Nokia phone. Nothing special but it does the job. I recommend using LycaMobile SIM cards. Reason being, is they donít need to be activated or anything. They are just straight plug íní play. Make sure your phone is either unlocked or if not it can accept O2 cards as Lyca is basically an O2 SIM card. Get a new SIM for every new time you use it for a full you have bought. Get a new phone every 10 hits.

-Socks
Now for those who donít know what socks are, for carding we need to get an IP that is as close to the card holders address as possible in terms of location, also we need to make sure the IP isnít black listed. Now you might be thinking a VPN, but I guarantee theyíll be blacklisted. You need clean SOCKs for this. You will most likely be seeing people talk about VIP72, I started of using them but use them less. I use Luxsocks.ru more often. I usually go for Luxsocks but when I am really struggling to find a clean SOCK that is located a good range from the card holders address Iíll go for another provider. When using Luxsocks, always go for the ones that have the DNS column ticked. Also I try to go for larger ISP providers if possible, so if I can get a SOCK with BT, Virgin, etc Iíll go for them more than your smaller providers.

-VPN
Everyone knows what this is or else you wouldnít be snooping on the DW. You need 2 providers, I personally use IPVanish and NordVPN. Youíll understand why we need 2 providers later. You donít have to use the ones I use go for what makes you comfortable. You can also go to Deepdotweb to check their comparison of VPN providers to help you make an informed decision

-Virtual Machine
This great piece of software allows you the have a virtual computer in your actual windows. I recommend VMware. I personally use VMware Workstation 12 if memory serves me correct. Donít go and buy it, just search it up on a torrents provider and download it from there. Get a copy of windows for your virtual machine as well. Whatever youíre comfortable with, however, keep it above windows vista. I use windows 7, as itís easy to use and still part of windows update. Again, just use a torrent file to obtain this.

-Fullz
Most important thing is fullz . I usually buy from AB (alphabay). Iíll be talking about them more on the next page.

======================== F U L L Z =======================
All cards have a BIN (Bank Identification Number), this is basically the first 6 digits of the card. What this info will tell you is the bank the card corresponds too and also what type of card it is e.g. visa platinum etc. Now there isnít really a list of good BINs in my view. Thatís always evolving and youíll build a list yourself of good BINs over time that have worked for you.

I personally always look for credit BINs first, and also providers that arenít large banks, so companies like Vanquis, MBNA, Capital One, Luma, etc.

The good thing with the smaller credit card providers is you usually can check the balance of the card via simple call to their automated line that usually asks for simple info like card number and DOB. This is also a good way to confirm the info you have is valid and the DOB is correct. Also If I remember correctly you can do this with Santander as well Ė they also just require the card number and DOB if memory serves me correct.

In terms of the best vendors, I donít really think there is one. You just have vendors with good stock at a certain point and that always changes. I always just follow the forum and other peoples reviews to ascertain the quality of the stock and sometimes you just have to take the dive and buy from a vendor and test his stock for yourself.

Below is an example of a full youíll purchase. All vendors generally have the same info and layout as below. The first part will be the email address and a password, in my experience that password isnít usually the same for that email account, however, on rare occasions youíll find the password is indeed for that account. If it is, then thatís a bonus as you can use the account to snoop around to confirm the info you have is correct like DOB etc, and also sometimes you can find ID scans that can come in handy.

Next section is self-explanatory, itís the personal information of the victim, usually it is correct but sometimes it can be incorrect, you could try doing an electoral roll search for people at the address as a way to try see if they are registered at the address. You can also use a new service that has been launched on the darkweb to check your details. Its called TORdata, im not affiliated with these guys im just providing a recommendation to help you guys out. The address is e2rxkwtaljhizkrw.onion/

Next section is the card details. This full, which is from Courvoisier has the credit score included, which is helpful once you start exploring other avenues beyond basic carding. You also have the motherís maiden name, which is the usual security question for banks. Lastly you have the VBV password. But good thing is if that password is invalid for whatever reason, you have all the info t reset the password like account number, sort code, etc. Different banks ask for different information to reset the password but I have found all the info to be included in the full.

Lastly you have the user agent and IP information. I recall when I first started off I had no idea what this could do, and I burnt through a lot of fullz without utilising this crucial information. When you go to a site and place an order they can see what type of devise your using and what browser you are using etc. Banks use this information to dictate the fraud score. Now letís say you always use your iPhone to place orders and one day randomly you place an order with a windows laptop your fraud score will increase as it doesnít really if your usual profile. So we want to emulate the user agent that is the victims usual string.

Fullz format:
+ ------------------------------------------+
| Known e-mail(s) : m3ga_d3f@hotmail.co.uk
| Known password(s) : oliverdani
+ ------------------------------------------+
+ Personal Information
| Full name : Oliver owens
| Date of birth : 30 / 09 / 1987
| Address : 39 Cutlers Green
| Address 2 : Cutlers Green, Luton, Luton LU2 8UN, UK
| Phone : 07455598298
| Credit Score: 544
+ ------------------------------------------+
+ Billing Information
| Card BIN : 450875
| Card Bank : COOPERATIVE
| Card Type : VISA DEBIT
| Cardholders Name : MR OLIVER OWENS
| Card Number : 4508750047341168
| Luhn Verified : YES
| Expiration date : 04 / 2018
| CVV : 850
| Account Number : 07240740
| Sortcode : 08-92-49
| MMN: HARE (69.48% likely)
| VBV/MC: oliverdani
+ ------------------------------------------+
+ Victim Information
| IP Address : 109.154.244.215 (host109-154-244-215.range109-154.btcentralplus.com)
| Location : , , United Kingdom
| UserAgent : Mozilla/5.0 (Linux; Android 5.1.1; SM-N910F Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/48.0.2564.95 Mobile Safari/537.36
| Browser : Chrome
| Platform : Android
+ ------------------------------------------+

=========================== S E T U P ================================
Now Iíll talk you through your setup. You have your host machine which is your actual laptop. Now on this machine you need to install one of your 2 VPN providersí software. Once its installed, we need to install the VMware software, along with that installation you need to install your copy of windows in VMware. However, we are not going to install it on to the laptop. Plug your USB stick in and when choosing the installation location, choose the USB stick. Once VMware is all setup and ready to go just login to your account on your VM (Virtual Machine). Always open up your host machine and then run its VPN and then your VMwareís VPN after that and always choose UK servers.

Now we need to go ahead and install the VPN software from your second provider on this VM. Now we need to install a few pieces of software to help us card. Install the following on your VM.

-Technitium MAC address changer
What this does is change your MAC address which sites use to identify you. If you card of the same MAC address, then chances are eventually they will just flag that address. technitium.com/tmac/

-CCleaner
Just download the free version, what this does is clean any cookies and other files.

-Bleachbit
This is pretty much similar to CCleaner, this is just used to ensure that CCleaner hasnít left anything behind, and if so, then Bleachbit can clean it.

-Proxifier
What this does is help channel all your network traffic through the SOCK. Some people just setup the SOCK to be used within Firefox, so only traffic through the browser is behind the SOCK but I prefer to keep all traffic behind the SOCK.

-Firefox
This one is easy. Just google the link.
Once you installed the above on your VM, were almost close to being able to card. We need to install a few add-ons for Firefox. These add-ons will allow us to use the user agent string from our fullz. However, donít do this for your Admin account on your VM, youíll understand why later. Iím just going to run through what we need to install with Firefox in this section and later on in the guide youíll understand when you need to follow this step.

We need to install 2 add-ons:
-Canvas fingerprint blocker
Once you have installed this add-on, open Firefox, go to settings (the 3 stripe button in the top right), then click add-ons. Then in the screen that pops up select Extension on the column towards the left and find ďcanvas blockerĒ. Click options and then a new page will pop up. Just find the field ďblock modeĒ and make sure it says fake readout API. This should be the default value but itís better to always make sure

-User agent switcher
This will allow us to emulate a user string to match that of your victims. Now sometimes if you canít find the string you need from the already pre-set values, you can add your own in. You can do this by clicking the logo on the top right of Firefox.

Then click preferences from the drop down menu, a window will pop up. Just scroll to the bottom and copy your user string from your full and just paste it at the bottom. Click OK once youíre done and then your new value will be visible from the drop down menu.

addons.mozilla.org/en-GB/firefox/addon/user-agent-overrider/?src=search

You need to install these 2 add-ons for every new user account you create as it isnít passed on.

====================== P R O X I F I E R ===============================
Iím going to run though how to use this software quickly. Itís very easy and just looks complicated once you open it up. Iím going to assume you have got your SOCK from Luxsocks or another provider that gives you the IP address and port number. It will usually be in this format 85.452.25.63:5579. The first set of numbers is the IP address of your SOCK server and the number separated by the colon ) is the port number.

Open up proxifier application and then go to profiles and then select proxy servers. This should result in a window popping up, titled proxy servers. You need to click the Add button.

This should result in a new window popping up. You need to fill in the IP of the SOCKs server and also the port. Then just below you need to select the protocol your SOCK is, this will SOCKs 5. Go ahead and select that then we need check our setup is all working. So just click the Check button and then a new pop up window should come up which will test your settings, if all goes well youíll get the green light, if not then either you have not typed the IP or port number correctly or the server is down. Then you can click OK.

Once you click OK, it will pop up another window asking if you want this to be the default proxy to use. Click Ok.

Now go ahead and minimise the application, it will run in the background and channel all internet traffic through the SOCK. When you use the internet and at times when the SOCK server drops youíll start to see red lines in the log of the proxifier, I generally say when you red logs, then you have an offline server, or sometimes your VPN connection has dropped.
Verified by visa or Non verified by visa

If you have done some reading then youíll know a lot of carder talking about this, and complaining about it. Youíll have some say they are looking for non-VBV BINs or sites that donít use VBV system. If Iím honest, I wouldnít bother trying to search for a few cards that youíll find that donít use VBV, itíll be like looking for a needle in a haystack these days.
There are sites though, that donít use VBV, but this isnít by any means a sign of weakness, they incorporate other security measures to counter fraudulent transactions usually. So my advice is just deal with the VBV system, with fullz these days, you have enough information to change the password anyway.

If you come across sites that donít use VBV, then go for them, but donít shy away from sites that do incorporate this security feature

=========================== C A R D I N G ==================================
Now were onto the juicy bit lol. To begin with we need to set up a new user account for the full you have. So for each full, we will setup an individual user account on our VM. Donít worry, once youíre done with each car profile, you can delete the account to keep your sign in page clean. So letís say your victims name is Joe Bloggs, you need to create a new user account with the username Joe Bloggs or even Joe. Make it an admin account.

Also if your using Luxsocks or another provider that gives you a simple server IP and port number, I suggest you purchase your SOCK. Using Luxsocks, I can say they help check if the IP is blacklisted before you purchase. So go ahead and find the SOCK you need and click buy. Then a window will pop up with further information. Youíll see t has a proxy score and above that 4 DNS servers with either a yes or no value. Yes, obviously being it is blacklisted and no being it isnít. Sometimes it will say yes (low risk). When this comes up, and you can find another SOCK because the next one is too far away and you have checked another provider and you canít find a viable SOCK then go for it. Always buy out. I canít tell you if other providers offer a similar service of checking and IP if it is blacklisted but I know VIP72 allows you to right click the IP your looking to buy from the SOCK client and then select BL check. If you get all green indicators, then your good to go. Now go ahead and take note of the server IP and port on a piece of paper.

Now log out of your main account on your VM and go ahead and sign into the newly created account. On all the new accounts you create, youíll find CCleaner, MAC address, Proxifier and Bleachbit are already available. With Bleachbit it might not be easily found via start menu. To get around this you can go directly into program files and create a desktop shortcut for the application. So you would navigate to My computer > Local disk (C > Program files > Bleachbit > bleachbit.exe, right click and send to desktop.

The only thing we need to always repeat at this stage is the installation of the Firefox add-ons above. So go ahead and scroll up to refresh your memory. Also remember to select your user agent in the Firefox add-on to correspond to that of your fullz data. Once you have setup Firefox, close it down.
Now you need to disconnect the internet access to your VM. To do this on the bottom right corner on VMware youíll see an icon of 2 computers next to a few other icons. Right click it and click disconnect.

We need to make sure our users locale is set to the United Kingdom. To do this go to Start > Control panel > Clock, language and region > Region and language. This should result a new window popping up. Go through all the tabs and make sure everything corresponds to the United Kingdom. Also remember to change the keyboard language to the UK. Then on the last tab titles administrative, click on copy settings and then a window should pop up. Check the 2 boxes at the bottom and click Ok. This will result in all future accounts being changed to UK locale, but always check on each new account to confirm.

Now go back and open up your proxifier and set it up with the server information you wrote down earlier. You canít check if it works because the internet connection is disabled. Now close the application down, make sure it is actually closed and running in the background.

Next we need to open up our MAC address changer. Towards the bottom make sure the field ďuse Ď02í as first octet of MAC addressĒ is checked. Then click the random MAC address button just above that. Once that generates a new address, just click change now. After a few seconds a window should pop up telling you the change has been successful. Go ahead and close the application down.

Then open up CCleaner and check all the boxes under the windows and application tabs in the section marked cleaner. Click analyse and then once its doe that click run cleaner and wait for it to finish up. Then do the same for the registry section. Once you have done that, just close it down.

Now open up Bleachbit, make sure all the boxes are checked, just click OK on all the warning boxes. Then hit the preview button towards the top, once thatís scanned everything hit the clean button. Let that finish up.
Now we should basically have our locale set to the UK, proxifier setup, our machine wiped, and our MAC address changed. We should also have Firefox set up in terms of having those 2 add-ons installed and also having the user agent to match our profile already pre-selected.

Go ahead and re enable the internet connection. As soon as you do this open your VPN software on your VM, and get it up and running, select a UK server. Your host machines VPN should already be up and running from before. Now open up the proxifier application and test your SOCK. Things should all be green. If you have an issue with your SOCK, then try diagnose the issue, if it comes down to the fact that the server is offline then you can wait for a bit of get a new SOCK, but if you do this then you will need to repeat the whole wiping of the account using CCleaner and Bleachbit etc. If you find that you didnít set the SOCK up correctly, with a mistyped number or whatever, then once you have fixed the issue, disconnect the internet connect and repeat the process from wiping your system with CCleaner and Bleachbit.

Open up Firefox and head over to this site check2ip.com. When your on their page, it should tell you that the IP is not blacklisted to begin with. Then confirm the locale is indeed correct and the date and time corresponds to the UK. Next is the IP geolocation, now sometimes SOCKs providers can give you an incorrect location of the IP, so confirm it using this site. Finally, towards the bottom it will show you that your internal IP is visible, just click their link that quickly shows you to stop this from happening.

Now we are all setup to start carding.

--------------Setting up Email account and checking card is valid------------------------
We need to set up an email account for our mark. I use Yahoo as I have read on a fellow carders experiment postings on AB that Yahoo tends to result in a lower fraud score. When choosing what to call the email account, make it as close as possible to the victimís name. So for Joe Bloggs, try to get Joe.Bloggs@yahoo.co.uk or close as possible by adding a few numbers.
Now when you get your info from your vendors, youíll find not all the time the info is valid. Thatís just part of the game so please donít complain. But a good way to check is using the details to try sign up for a trial to a website. Netflix is an example, but you can be creative in who you use. These donít charge the card but check to see if they are valid.

====================== C A R D I N G Y O U R S I T E =================================
I see a lot of people saying some sites are cardable and some arenít. I agree with this statement to a certain degree. Now if you can buy something of a site using your legit details then in theory that site should be cardable, correct? But that said, some websites havenít invested as much into online security and hence they are cardable.

Once you know which site you want to card, you should go and browse a few pages of that site. The art of carding is making a website believe you are the card holder. So when you decide to buy something, usually youíre going to browse around the site to find the product you want, maybe youíll look at a few other items that may fit your requirements and then youíll find the product you want in the end. Youíre not going to go online and search a specific product add it to your basket and try buy it straight away. So once you have added the item you want to your basket go ahead and complete transaction.

Now when it comes to inputting all the information, donít just be lazy and copy and paste it. Would you do that if you were placing a legit transaction? No, you would look at your card and input it like that. So do the same. Remember we need to fool the site into thinking you are the cardholder.

Now if you are carding a site that uses the VBV system, then youíre going to most likely be hit with the password page. If your full data came with the password, then try that password. If it turns out to be incorrect then click forgotten password and input the information, it is asking for so that you can change the password.

At this stage, you can also run into issues as you can sometimes get an error to call the bank or the bank is going to call you. Then the card is most likely not going to work on other VBV sites. Thatís just the luck you have and part of this game.
If, however you are successful in bypassing the VBV system then thatís great and if the mark does have the funds available then your order should go through. Donít get too excited as even if the order goes through, some sites can cancel a few hours later or they might ask for scans.

=================== W H E N T O C A R D ======================
Donít be trying to card at 1am in the morning. Not many people do that, so stick to a normal time, usually working hours. Also I tend to card on weekdays only an also to enable my items to be delivered the very next day to limit the time for the order being cancelled if the cardholder realises in time.

Also, I tend to card during the first 2 weeks of the month, especially if it is a debit card, as most people will have a job, and pay day comes at the beginning of the month, so thatís the most likely time theyíll have funds available.
Next tip is always card one thing at a time on the same card and wait for the item to be delivered before you do the next one. If you try going for many transactions in a short period, then the bank will most likely block any further transactions to be safe.

==================== W H A T T O C A R D ==========================
We want to go for things they wonít expect a carder to hit. So things like kitchenware, kitchen appliances, toys etc. Its things like this you wouldnít really expect someone to card. You would also be surprised at the price you can sell these for.
How much should I go for?

When it comes to thinking about how much to card in a transaction, i always keep the first transaction at £250 - £300. Now you spent about £50 getting all setup, you want to at least make your money back. So you buy an item for £300 and with the right platform to sell it on, you can sell it for about £200. Thatís a profit of £150. You need to stop yourself from getting greedy. I wanted to always go for big money, but after losing a lot of money I began to coach myself to keep transactions small, but enough to keep me happy.

Once you have made a bit of money you can start to experiment with different BINs, different sites and then also with varying amounts.

Also, once you receive an order from a certain website, you can try go for them again, as you know your setup worked the first time you just have to repeat and if the card is live with a good balance then itís easy picking.

================ D R O P S ============================
There isnít really a magic way of getting these. There are people who have their way of getting drops and they are selling how to get them, feel free to buy their guide. You just have to be a bit creative. I have estate agent buddies and so I gave them like £20-£30 a parcel delivered to an address they gave. You can also try using your neighbourís house. I once ordered something to my neighbourís house and said I mistyped the door number and I have a parcel coming here so can you let me know when it has arrived.

Another thing you can do is use Collect+. Great thing is they donít need photographic ID, a bill is more the adequate but I have found that your usual corner shops wonít ask for any ID, just the package barcode. But if they do ask for ID you can make a bill easily or if you donít know how to then use a vendor on the market that can help with scans. Donít get the item delivered to your home town, go out a bit and get it sent to a shop somewhere far from you.

===================================CONTINUED BELOW=====================================

====================== T I P S ===========================
Youíll have some cards that will just get blocked after the first transaction. You just have to take the hit and move on to the next full. You wonít have a 100% success rate nor a 100% fullz validity rate.
Sometimes, if you place multiple transactions in the same day then the card will get blocked, and youíll usually only do this when they are not going through and most likely chance is the mark doesnít have the money available, sometimes it can be because the card was already dead, but good luck trying to ask a vendor for a refund. Youíre better off just not complaining and making your relationship with that vendor sour up, just try them again a few times and if you still not getting success then donít use that vendor again.

Donít go around asking everyone whatís a good BIN list, you need to build your own as youíll find some people have good success with a BIN and some wont on the same one. So build your own list, this also applies to sites you find card able. But you can find a lot people sharing this information.

A good site to check BINs out is bins.pro. itís nice and simple to use.
__________________
Advertising Policies
Cartographer is offline   Reply With Quote