2022/10/16
Understanding the Chinese underground card shop ecosystem and becoming a phishing master
Strawberry Donut
 Data Scientist focused on Fraud Detection
 CAMS (Certified Anti-Money Laundering Specialist) Member
Agenda
 Background & Scope
 How I Started This Journey
 Card Shop Ecosystem
 Conclusion & Next Steps
Disclaimer
Our research is 100% compliant with the law. We did not conduct any criminal activity.
Background & Scope
[Chart: Credit Card Fraud in Japan, 2014–2021, in hundred million yen; series: Forged card, Card number theft, Total. Source: 日本クレジット協会]
In Japan, credit card fraud in 2021 reached 33 billion yen, the highest amount ever. Card number theft accounts for 94% of the total.
Japan is one of the main targets of credit card fraud
 Japan is a fairly “ideal” market for card fraudsters
 3DSecure is a static password
 High credit lines
 Lots of card fraud marketplaces in the dark web (IRC/Forum → QQ/WeChat → TG)
Goal: to understand the value chain of Chinese carding fraud
Scope: The Chinese card shop ecosystem targeting Japan
Methods to acquire credit card info
 Phishing
 JavaScript Injection
 Trojan
 Malware
Scope: Phishing is the major method to acquire credit card info
How I started this journey..
Entrance: One of the biggest credit card fraud communities targeting Japan
 The community is a structured organization providing training and resources for beginners to start card-not-present fraud
 Subscribers > 96,000 users
 Over 500+ active paid students in the first half of 2022
More stories about the community leader..
 The community leader is located in the GMT+8 time zone
 Cannot speak Japanese at all. Uses Google Translate a lot.
 Had a revenue of 56 BTC in 3 years till June 2022 (received 56 BTC, about 160 million Japanese yen)
 Got account takeover in June by clicking some malware porn file
Initial Setup: An unattributable research environment
Persona
 A new phone number to create a new telegram account
 A new telegram account
Device
 A newly reformatted laptop
Internet
 Rental VPS / RDP server
 VPN
 Proxy
Training Program as an entrance
Tuition 3000 RMB paid in BTC
Training Courses
 Environment setup
 Phishing mail lure sending
 Phishing techniques
 Credit card limit evaluation
 Cash out demo
Resources Provided
 Basic knowledge and guidelines
 Environment setup resources
 E-mail database
 Phishing kits
 Anti bot pool
 Cash out websites and buyers
Monitoring > 300 Chinese Card Shop Marketplaces
Card Shop Ecosystem
Actor’s Value Chain
0 Initial Setup
 VPS / RDP setup
 Residential Proxy
 Check IP not in blacklist
 Change MAC or hardware ID
 Clean cookies / DNS / cache
1 Phishing Setup
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain preparation / SMTP setup
2 Start Phishing
 Harvesting
 Card testing
3 Card Using Setup
 Select monetization method
 Credit limit evaluation
 OTP authentication disablement
4 Use Card
5 Monetization
Initial Setup 0
Initial Setup to avoid triggering security rules
Change MAC or hardware ID
 Set a dynamic device ID to avoid the device hardware being tracked
IP Setup
 Set IP near the targeted country / prefecture
Check IP not in blacklist
 Major payment & e-commerce services have already blocked public proxies → Check that your IP is not in the blacklist
Time Zone / Language
 Set the VPS time zone and language to be the same as the targeted location
Clean Cookies / DNS / cache
 Keep the browser environment as clean as possible
 A virtual browser can be an alternative option
Initial Setup 0
Residential proxy covers actor identity and fakes card holder location
Actor → Residential Proxy Provider → Residential IP Address Pool → Targeted Destination
Major residential proxies used by fraudsters: 911 (China), oxylabs (Lithuania), BrightData (Israel)
Initial Setup 0
911 used by Chinese fraudsters – 1/2: Residential proxy IP available at city granularity
911 used by Chinese fraudsters – 2/2: User-Agents available
911 closed in July 2022
Phishing Setup 1
Acquiring the targeted E-mail lists through web hacking
Ways to set up a Phishing Kit
1. Using a compromised server
 Pro: Higher website reputation
 Con: Higher risk of being taken down
2. Using a rental server (VPS)
 Set up an Apache/Nginx server and upload a Phishing kit
 Bullet-proof hosting providers from Russia, etc.
 Microsoft Azure needs months to take down phishing sites hosted there
Phishing Setup 1
“AWS has extremely strict security rules” / “Alert really soon right?” / “Go for Azure” / “Got banned after login with AWS”
Phishing Setup 1
Phishing Kit Template Examples – 1/2: SMBC card, MUFJ card, Amazon, American Express, au pay, Corona Vaccine
Phishing Kit Template Examples – 2/2: Eki-Net, EPOS Card, DMM Card, AEON Card, Docomo Account, Rakuma
Phishing Setup 1
Phishing Kit Components (amazon.co.jp kit)
1/6 Block all non-human visitors: block all bots; block specific IP ranges
2/6 Block all non-human visitors: resolve the IP address to a domain name and block famous security organizations
3/6 Filter visitors: if a user’s IP is not in China or Japan, return an error; if a victim is using a proxy, try to get the real IP
4/6 Validate inputted information: check whether the inputted card BIN is valid with an open-source API; if the inputted password is shorter than 4 characters, return an error
5/6 Return phished information: send the phished info in the returned format to the actor’s e-mail address; redirect the victim to the real Amazon website
6/6 Harvesting: fresh fished data (魚料) in the mailbox at NetEase, a free e-mail provider
Phishing Setup 1
Tricks to bypass email spam filtering rules
Environment
 Change IP continuously: keep your IP as clean as possible
Phishing kit domain server
 Avoid registering a domain name similar to famous websites: big companies have automatic systems detecting domains similar to their brands
 Register multiple domain names at the same time: to disperse the risk of being fully blocked at once
 Do not add SSL: adding SSL will attract the Google police web crawler and disclose your info
Phishing URL
 URL redirect: use redirect tools to generate a “seemingly more normal URL” to bypass spam filtering rules
Mindset
Always try to improve the contents / environments to bypass e-mail spam filtering rules
Phishing Setup 1
URL redirect tool – example: Destination URL → New URL
Benefits of using URL redirect
URL redirect tools make a URL look more “normal”:
 Starts with “HTTPS”, more trustworthy
 Less suspicious domain name: the domain name becomes the domain of the redirection tool
 Ends with less suspicious strings: the path after the domain name can be customized
When blocked by an e-mail spam filter mechanism or when the phishing site domain is blocked, a URL redirect tool helps a fraudster restart the phishing cycle faster.
Start Phishing 2
Harvesting – Info acquired
Essential
 Card number + CVV
 Card holder name
 Expiration Date
 Billing Address
 Date of Birth
 Device Footprint & Browser Info
 User IP
Optional
 Phone number
 3D ID & password
 Website / Card Membership / Account name & Password
Card Using Setup 3
Monetization approaches
1. Cryptocurrency / gift card websites that allow credit cards (card → website)
2. Deliver to domestic receivers to convert into money (card → e-commerce product → local receivers)
3. Donate to malicious TikTok influencers to turn the money into legitimate earnings (card → TikTok coin → malicious TikTok influencer)
4. Money laundering through intangible goods such as NFTs & e-books etc. (card → platform → malicious NFT / e-book seller)
Card Using Setup 3
Credit card limit estimation
Context
 For fraudsters, a credit card stands for a real person with an unknown credit limit.
 A fraudster’s goal is to steal as much as possible.
Expected usable amount: ~30% of the total credit limit
3 Ways to estimate a credit card value: evaluate from card info; social engineering; confirm in the card website
Card Using Setup 3
Estimate the credit card limit with card info
4 Factors to evaluate a card’s credit limit
 Card BIN: to know the card level
 Age: birth years 1950–1970 usually have the highest amount
 Mobile phone number: compared to IP phone numbers starting with 03, 04, 090, 050, phone numbers starting with 070, 080 mean that the card has been used for a while
 Card expiration date: a more recent expiration date means the card is older. Older cards tend to have a higher credit limit
Card Using Setup 3
Get into the card website to confirm the credit limit – examples: EPOS Card (account login), SAISON Card (new account registration)
Card Using Setup 3
Disable OTP authentication: social engineering
Steps (phone call) → Details
1. Call the card company
2. Pass authentication → prepare questions such as ages
3. Make change → make an excuse to change billing address and phone number
4. Wait
5. Use card online → use the card after 4-5 days to bypass security rules
Card Using Setup 3
Disable OTP authentication: removing mobile phone numbers on the card membership website
Example – A Japanese Credit Card Membership Website (Input → Task → Output)
1. Phished info → Forgot account ID & password → Account ID
2. Temp e-mail address → Change registered e-mail address
3. Reset account password → New account password
4. New account password → Login
5. Disable mobile phone number → Now the authentication method becomes the account password we set!
Card Using Setup 3
Disable OTP authentication – example: select “no mobile phone”; the authentication method changes to the account password
Use Card 4
Cards are used to buy goods that can be easily resold
Popular Goods:
 Electric Appliance
 Brand Bag
 Ticket & Gift Card
 Brand Cosmetics
 Liquor
 Watch
 Nike Shoes
You can actually get a cheaper Tokyo Disneyland ticket on Taobao! Disney – 8,400 yen; Taobao – 6,708 yen
Use Card 4
Receiver Addresses – example
Dealers usually hand out a list of addresses located dispersedly in Japan to match a card victim’s location
Use Card 4
To bypass the AVS (Address Verification System) check, fraudsters change the delivery address after an order is accepted via the delivery company’s webpage
Use Card 4
Change addresses after an order is accepted – example
“Any JP delivery addresses can be changed?”
“Kuroneko is common. These are the addresses changed. Other delivery companies allow you to change within several kilometers, and with Kuroneko you can change to several thousand kilometers, but half of them got held up.”
Use Card 4
Bigger monetization dealers have their own delivery management system
Monetization 5
Monetization dealers demonstrate their accountability by showing the goods received
Summary – Actor’s Monetization Funnel
Stages: Successful e-mail delivery → Victim – mail awareness → Victim – mail click → Victim – card info input → Correct card info input → Successful authentication → Successful cash-out
Success rates shown on the slide: 0.01% ~ 0.1%, 40% ~ 90%, > 80%; overall ~ 0.001% – 0.01%
Conclusion & Next Steps
Roles broke down to avoid legal sanctions: Phisher, Card User, Monetization Dealer (each role covers a segment of the value chain above)
Summary – Key success factors for each role
Phisher
 Firsthand e-mail databases for sending phishing mails
 Legit phishing kits and anti-bot mechanisms to bypass security rules
 Adequate e-mail contents to increase the ratio of successful delivery
Card User
 Honest card info supplier
 Patience and solid environment setup to fake user behavior
Monetization Dealer
 Recruit enough domestic package receivers
 Abundant cashflow
 Cross-border money laundering techniques
Relevant stakeholders shall collaborate to defend effectively
The parts we can defend
First Step: Protect your customers with SMS OTP & 3DSecure
Trigger SMS OTP / 3DSecure whenever any of the following changed:
 Device Fingerprint
 Time Zone
 Browser Language
 User Agent
 Delivery Address
 Receiver Name
Reducing > 60% of card-not-present fraud
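The trigger list above, together with the consistency checks implied by the "Initial Setup" slide (the actor aligns IP, time zone and language with the victim), as an added example that is not code from the talk: a small step-up authentication rule for card-not-present checkout. Field names, the country tables and the sample sessions are constructed for illustration.

```python
"""Step-up authentication rules for card-not-present checkout.

Added example, not code from the talk. It encodes the closing recommendation
("trigger SMS OTP / 3DSecure whenever any of the following changed") and the
consistency checks suggested by the "Initial Setup" slide, where the actor
aligns IP, time zone and language with the victim. Field names, the country
tables and the sample sessions are all constructed for illustration.
"""
from dataclasses import dataclass, field

# Attributes the talk lists as step-up triggers when they differ from the
# customer's stored profile.
TRIGGER_FIELDS = (
    "device_fingerprint",
    "time_zone",
    "browser_language",
    "user_agent",
    "delivery_address",
    "receiver_name",
)

# Minimal consistency tables (assumption: a real deployment feeds these from
# a geolocation / locale source rather than a hard-coded dict).
COUNTRY_TIME_ZONES = {"JP": {"Asia/Tokyo"}, "CN": {"Asia/Shanghai"}}
COUNTRY_LANGUAGES = {"JP": {"ja"}, "CN": {"zh"}}


@dataclass
class Session:
    """Attributes seen at checkout; the same shape is used for the stored profile."""
    device_fingerprint: str
    time_zone: str
    browser_language: str        # Accept-Language header, e.g. "ja-JP,ja;q=0.9"
    user_agent: str
    delivery_address: str
    receiver_name: str
    ip_country: str              # from IP geolocation
    ip_is_proxy: bool = False    # from an IP reputation feed (assumption)


@dataclass
class Decision:
    action: str                  # "allow" or "step_up"
    reasons: list[str] = field(default_factory=list)


def primary_language(accept_language: str) -> str:
    """'ja-JP,ja;q=0.9,en;q=0.8' -> 'ja' (first tag, language part only)."""
    first = accept_language.split(",")[0].split(";")[0].strip()
    return first.split("-")[0].lower()


def changed_fields(profile: Session, current: Session) -> list[str]:
    """Trigger attributes whose value differs from the stored profile."""
    return [f for f in TRIGGER_FIELDS if getattr(profile, f) != getattr(current, f)]


def consistency_findings(current: Session) -> list[str]:
    """Signs that the environment was assembled to match the victim rather than organic."""
    findings = []
    zones = COUNTRY_TIME_ZONES.get(current.ip_country)
    if zones is not None and current.time_zone not in zones:
        findings.append("time_zone_ip_mismatch")
    langs = COUNTRY_LANGUAGES.get(current.ip_country)
    if langs is not None and primary_language(current.browser_language) not in langs:
        findings.append("language_ip_mismatch")
    if current.ip_is_proxy:  # residential proxies hide here; a reputation feed is the only signal
        findings.append("proxy_ip")
    return findings


def decide(profile: Session, current: Session) -> Decision:
    """Allow silently only when nothing changed and the environment is consistent;
    otherwise require SMS OTP / 3DSecure and record why."""
    reasons = [f"changed:{f}" for f in changed_fields(profile, current)]
    reasons += consistency_findings(current)
    return Decision("step_up" if reasons else "allow", reasons)


# Constructed sample data: the customer's stored profile and two checkouts.
PROFILE = Session(
    device_fingerprint="fp-7c1e", time_zone="Asia/Tokyo",
    browser_language="ja-JP,ja;q=0.9", user_agent="Mozilla/5.0 (iPhone) Safari/605.1",
    delivery_address="Tokyo, Shibuya 1-2-3", receiver_name="Yamada Taro",
    ip_country="JP",
)
# Same device, locale and address as the profile: no challenge needed.
RETURNING_CUSTOMER = Session(**vars(PROFILE))
# New device, zh-CN browser, JP residential-proxy exit, new receiver: challenge.
SUSPICIOUS = Session(
    device_fingerprint="fp-0a9d", time_zone="Asia/Tokyo",
    browser_language="zh-CN,zh;q=0.9", user_agent="Mozilla/5.0 (Windows NT 10.0) Chrome/105",
    delivery_address="Osaka, Kita 4-5-6", receiver_name="Suzuki Ken",
    ip_country="JP", ip_is_proxy=True,
)

if __name__ == "__main__":
    for name, session in (("returning", RETURNING_CUSTOMER), ("suspicious", SUSPICIOUS)):
        verdict = decide(PROFILE, session)
        print(f"{name}: {verdict.action} {verdict.reasons}")
```

The exact user-agent comparison fires on every browser update, so a production rule would compare the browser family rather than the full string.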
All stakeholders shall collaborate together to defend effectively and speedily.
Stakeholders: User; Merchant (POS / e-commerce); Delivery; Payment Gateway (Stripe / Square); Acquirer Bank / Acquirer POS; Payment Network (Visa / Mastercard / Amex); Issuer Bank
Source: Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations
Thank you
Contact | donut.strawberry@outlook.com
