[cb22] Understanding the Chinese underground card shop ecosystem and becoming a phishing master by Strawberry Donut
- 2. Speaker: Strawberry Donut. Data Scientist focused on Fraud Detection; CAMS (Certified Anti-Money Laundering Specialist) Member.
- 3. Agenda
Background & Scope
How I Started This Journey
Card Shop Ecosystem
Conclusion & Next Steps
- 4. Disclaimer: Our research is 100% compliant with the law. We did not conduct any criminal activity.
- 6. Credit Card Fraud in Japan (chart, in hundred million yen, 2014-2021; series: forged card, card number theft, total; source: 日本クレジット協会, the Japan Consumer Credit Association)
In Japan, credit card fraud in 2021 reached 33 billion yen, the highest amount ever. Card number theft accounts for 94% of the total.
- 7. Japan is one of the main targets of credit card fraud
Japan is a fairly "ideal" market for card fraudsters:
3DSecure uses a static password
High credit lines
Lots of card fraud marketplaces in the dark web (IRC/Forum → QQ/WeChat → TG)
Goal: to understand the value chain of Chinese carding fraud
Scope: the Chinese card shop ecosystem targeting Japan
- 11. Entrance: One of the biggest credit card fraud communities targeting Japan
The community is a structured organization providing training and resources for beginners to start card-not-present fraud.
Subscribers: > 96,000 users
Over 500 active paid students in the first half of 2022
- 12. More stories about the community leader
Located in the GMT+8 time zone
Cannot speak Japanese at all; uses Google Translate a lot
Had a revenue of 56 BTC in 3 years up to June 2022 (received 56 BTC, approx. 160 million Japanese yen)
Got his account taken over in June by clicking on a malware-laden porn file
- 13. Initial Setup: An unattributable research environment
Persona: a new phone number to create a new Telegram account; a new Telegram account
Device: a newly reformatted laptop
Internet: rental VPS / RDP server, VPN, proxy
- 14. Training Program as an entrance
Tuition: 3000 RMB paid in BTC
Training Courses: environment setup; phishing mail lure sending; phishing techniques; credit card limit evaluation; cash out demo
Resources Provided: basic knowledge and guidelines; environment setup resources; e-mail database; phishing kits; anti-bot pool; cash out websites and buyers
- 15. Training Program as an entrance (continued): monitoring > 300 Chinese card shop marketplaces
- 17. Actor's Value Chain
0 Initial Setup: VPS / RDP setup; residential proxy; check IP not in blacklist; change MAC or hardware ID; clean cookies / DNS / cache
1 Phishing Setup: e-mail database; phishing kit setup; phishing e-mail lure setup; e-mail address domain preparation / SMTP setup
2 Start Phishing: harvesting
3 Card Using Setup: select monetization method; credit limit evaluation; OTP authentication disablement
4 Use Card: card testing
5 Monetization
- 18. Actor's Value Chain (same diagram as slide 17)
- 19. Initial Setup 0: Initial setup to avoid triggering security rules
Change MAC or hardware ID: set a dynamic device ID to avoid the device hardware being tracked
IP setup: set the IP near the targeted country / prefecture; check that the IP is not in a blacklist, since major payment & e-commerce services have already blocked public proxies
Time zone / language: set the VPS time zone and language to be the same as the targeted location
Clean cookies / DNS / cache: keep the browser environment as clean as possible; a virtual browser can be an alternative option
- 20. Initial Setup 0: Residential proxy covers the actor's identity and fakes the card holder's location
Flow: Actor → Residential Proxy Provider → Residential IP Address Pool → Targeted Destination
Major residential proxies used by fraudsters: 911 (China), oxylabs (Lithuania), BrightData (Israel)
- 21. Initial Setup 0: 911 used by Chinese fraudsters - 1/2
Residential proxy IPs available at city granularity
- 24. Actor's Value Chain (same diagram as slide 17)
- 26. Phishing Setup 1: Ways to set up a phishing kit
1. Using a compromised server. Pro: higher website reputation. Con: higher risk of being taken down.
2. Using a rental server (VPS): set up an Apache/Nginx server and upload a phishing kit. Bullet-proof hosting providers from Russia, etc. Microsoft Azure needs months to take down phishing sites it hosts; AWS has extremely strict security rules.
Chat excerpt: "Got banned after login with AWS" / "Alert really soon right?" / "Go for Azure"
- 30. Phishing Setup 1: Phishing Kit Component - 2/6: Block all non-human visitors (kit impersonating amazon.co.jp)
Resolve the visitor's IP address to a domain name and block famous security organizations
- 31. Phishing Setup 1: Phishing Kit Component - 3/6: Filter visitors (kit impersonating amazon.co.jp)
If a user's IP is not in China or Japan, return an error
If a victim is using a proxy, try to get the real IP
- 32. Phishing Setup 1: Phishing Kit Component - 4/6: Validate inputted information (kit impersonating amazon.co.jp)
Check whether the card BIN entered is valid with an open-source API
If the entered password is shorter than 4 characters, return an error
- 33. Phishing Setup 1: Phishing Kit Component - 5/6: Return phished information (kit impersonating amazon.co.jp)
Send the phished info, in a fixed return format, to the actor's e-mail address; redirect the victim to the real Amazon website
- 35. Phishing Setup 1: Tricks to bypass e-mail spam filtering rules
Mindset: always try to improve the contents / environments to bypass e-mail spam filtering rules
Environment: change IP continuously to keep your IP as clean as possible
Phishing kit domain server: avoid registering a domain name similar to famous websites (big companies have automatic systems detecting domains similar to their brands); register multiple domain names at the same time to disperse the risk of being fully blocked at once; do not add SSL, since adding SSL will attract Google's web crawler ("Google police") and disclose your info
Phishing URL: use redirect tools to generate a "seemingly more normal URL" to bypass spam filtering rules
- 37. Phishing Setup 1: Benefits of using URL redirect
URL redirect tools make a URL look more "normal":
Starts with "HTTPS", more trustworthy
Less suspicious domain name: the domain name becomes the domain of the redirection tool
Ends with less suspicious strings: the part after the domain name can be customized
When blocked by an e-mail spam filter mechanism or when the phishing site's domain is blocked, a URL redirect tool helps a fraudster restart the phishing cycle faster.
- 38. Actor's Value Chain (same diagram as slide 17)
- 39. Start Phishing 2: Harvesting – info acquired
Essential: card number + CVV; card holder name; expiration date; billing address; date of birth; device footprint & browser info; user IP
Optional: phone number; 3D ID & password; website / card membership / account name & password
- 40. Card Using Setup 3: Monetization approaches (1-2)
1. Cryptocurrency / gift card websites that allow credit cards (card → website)
2. E-commerce products delivered to domestic receivers to convert into money (card → e-commerce product → local receivers)
- 41. Card Using Setup 3: Monetization approaches (3-4)
3. Donate to malicious TikTok influencers to turn the money into legitimate earnings (TikTok → TikTok coin → malicious TikTok influencer)
4. Money laundering through intangible goods such as NFTs & e-books (platform → malicious NFT / e-book seller)
- 42. Card Using Setup 3: Credit card limit estimation
Context: for fraudsters, a credit card stands for a real person with an unknown credit limit. A fraudster's goal is to steal as much as possible.
Expected usable amount: ~30% of the total credit limit
3 ways to estimate a credit card's value: evaluate from card info; social engineering; confirm in the card website
- 43. Card Using Setup 3: Estimating the credit limit from card info
4 factors to evaluate a card's credit limit:
Card BIN: to know the card level
Age: birth years 1950-1970 usually have the highest amount
Mobile phone number: compared to IP phone numbers starting with 03, 04, 090, 050, phone numbers starting with 070, 080 mean that the card has been used for a while
Card expiration date: a more recent expiration date means the card is older; older cards tend to have a higher credit limit
- 44. Card Using Setup 3: Get into the card website to confirm the credit limit – examples
EPOS Card: account login
SAISON Card: new account registration
- 45. Card Using Setup 3: Disable OTP authentication: social engineering
Steps and details:
Call the card company: phone call
Pass authentication: prepare for questions such as age
Make change: make an excuse to change the billing address and phone number
Wait: use the card after 4-5 days to bypass security rules
Use card online
- 46. Card Using Setup 3: Disable OTP authentication: removing mobile phone numbers on the card membership website
Example: a Japanese credit card membership website
Tasks (as laid out on the slide): change registered e-mail address; reset account password; forgot account ID & password; login; disable mobile phone number
Inputs and outputs shown: phished info; account ID; temp e-mail address; new account password
Now the authentication method becomes the account password we set!
- 47. Card Using Setup 3: Disable OTP authentication – example
Select "no mobile phone": the authentication method changes to the account password
- 48. Actor's Value Chain (same diagram as slide 17)
- 49. Use Card 4: Cards are used to buy goods that can be easily resold
Popular goods: electric appliances; brand bags; tickets & gift cards; brand cosmetics; liquor; watches; Nike shoes
- 50. Use Card 4: Cards are used to buy goods that can be easily resold (continued)
You can actually get a cheaper Tokyo Disneyland ticket on Taobao! Disney – 8,400 yen; Taobao – 6,708 yen
- 51. Use Card 4: Receiver addresses – example
Dealers usually hand out a list of addresses located dispersedly across Japan to match a card victim's location
- 52. Use Card 4
To bypass the AVS (Address Verification System) check, fraudsters change the delivery address after an order is accepted, via the delivery company's webpage
- 53. Use Card 4: Change addresses after an order is accepted – example
Chat excerpt: "Any JP delivery addresses can be changed?" / "Kuroneko is common" / "These are the addresses changed" / "Other delivery companies allow you to change within several kilometers, and with Kuroneko you can change to several thousand kilometers, but half of them got held up"
- 56. Summary - Actor's Monetization Funnel
Stages: successful e-mail delivery → victim mail awareness → victim mail click → victim card info input → correct card info input → successful authentication → successful cash-out
Success rates shown on the funnel: 0.01% ~ 0.1%; 40% ~ 90%; > 80%
Overall: ~0.001 – 0.01%
- 58. Roles are broken down across the value chain to avoid legal sanctions: Phisher, Card User, Monetization Dealer (value chain diagram as on slide 17)
- 59. Summary – Key success factors for each role
Phisher: firsthand e-mail databases for sending phishing mails; legit phishing kits and anti-bot mechanisms to bypass security rules; adequate e-mail contents to increase the ratio of successful delivery
Card User: an honest card info supplier; patience and a solid environment setup to fake user behavior
Monetization Dealer: recruit enough domestic package receivers; abundant cashflow; cross-border money laundering techniques
- 60. Relevant stakeholders shall collaborate to defend effectively: the parts we can defend (value chain diagram as on slide 17)
- 61. First Step: Protect your customers with SMS OTP & 3DSecure
Trigger SMS OTP / 3DSecure whenever any of the following changes:
Device fingerprint
Time zone
Browser language
User agent
Delivery address
Receiver name
Reducing > 60% of card-not-present fraud
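The trigger list on this slide, as an added Python example (not from the talk or any issuer's product): a per-card profile of attribute values seen on previously verified checkouts, and a decision function that demands SMS OTP / 3-D Secure whenever any listed attribute is unseen. The field names, the in-memory profile store and the sample checkouts are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Attributes whose change the slide lists as a step-up trigger.
STEP_UP_FIELDS = ("device_fingerprint", "time_zone", "browser_language",
                  "user_agent", "delivery_address", "receiver_name")

@dataclass
class CardholderProfile:
    """Attribute values already seen on verified checkouts for one card."""
    known: Dict[str, Set[str]] = field(
        default_factory=lambda: {f: set() for f in STEP_UP_FIELDS})

    def learn(self, checkout: Dict[str, str]) -> None:
        """Record a checkout's attributes once the customer has been verified."""
        for f in STEP_UP_FIELDS:
            self.known[f].add(checkout[f])

def step_up_reasons(profile: CardholderProfile, checkout: Dict[str, str]) -> List[str]:
    """Attributes of this checkout never seen before for the card.
    Empty: frictionless approval. Non-empty: require SMS OTP / 3-D Secure.
    A brand-new card (empty profile) triggers on every field by design."""
    return [f for f in STEP_UP_FIELDS if checkout[f] not in profile.known[f]]

def decide(profile: CardholderProfile, checkout: Dict[str, str],
           step_up_passed: bool = False) -> Tuple[str, List[str]]:
    """Return ("approve" | "step_up", reasons). The profile learns only from
    verified checkouts, so a failed challenge cannot teach it a new device."""
    reasons = step_up_reasons(profile, checkout)
    if not reasons or step_up_passed:
        profile.learn(checkout)
        return "approve", reasons
    return "step_up", reasons

# Constructed sample: the cardholder's verified first order, a repeat order from
# the same environment, and an order matching the playbook above (new device,
# GMT+8 time zone, Chinese browser locale, different receiver and address).
LEGIT = {"device_fingerprint": "fp-aaaa1111", "time_zone": "Asia/Tokyo",
         "browser_language": "ja-JP", "user_agent": "Mozilla/5.0 (iPhone)",
         "delivery_address": "Tokyo, Minato-ku 1-1-1", "receiver_name": "Sato Hanako"}
SUSPECT = {**LEGIT, "device_fingerprint": "fp-ffff9999", "time_zone": "Asia/Shanghai",
           "browser_language": "zh-CN", "delivery_address": "Osaka, Naniwa-ku 2-2-2",
           "receiver_name": "Tanaka Taro"}

def demo() -> List[Tuple[str, List[str]]]:
    profile = CardholderProfile()
    first = decide(profile, LEGIT, step_up_passed=True)  # enrolment, OTP passed
    return [first, decide(profile, LEGIT), decide(profile, SUSPECT)]
```

The suspect order is challenged on five of the six attributes while the unchanged user agent is not reported, which is the per-attribute signal an analyst needs to tune which changes should always force a challenge.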
- 62. All stakeholders shall collaborate together to defend effectively and speedily.
Source: Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations
Payment ecosystem diagram entities: User; Merchant (POS, e-commerce); Payment Gateway (Stripe / Square); Acquirer Bank; Acquirer POS; Payment Network (Visa / Mastercard / Amex); Issuer Bank; Delivery