Aquaboutic | Focus Security Research | Vulnerability Exploit | POC


An on-the-spot report of buying a credit card on the dark net

Posted by zura at 2020-02-29

The author is Zhenyu. The article was first published on the WeChat official account (ID: darkinsider), and Lei Feng network and its official account (letshome) have been authorized to reprint it. The original title of the article is "Record of buying a bank card on the dark net: no threshold for stealing and swiping".

The technology presented in this article is for the purpose of alerting readers and has no motive of instigating crimes, the home guest channel said.

Although it's almost the first month, I still want to tell you a story about my attempt to buy tickets home by stealing and swiping bank cards on the eve of Spring Festival. I hope that we can realize the importance of protecting the bank card information.

Cause: being forced into the dark net by bitches

"TMD, two product sluts are talking about my lack of money to go home.

Ha ha, I laugh. Who on earth has let the wind out! "

Just graduated from the operation of baby easy, haven't saved any money, it will be new year.

Tens of thousands of flowers for others to go home on New Year's day.

I'm so good. I don't go home. I have no money!

I had planned to celebrate the new year in the company myself, but I couldn't swallow this. Suddenly I thought that a hacker told me that there was everything in the dark net. I think it might help me.

At that time, there was a feeling of being forced to Liangshan

Before we get to the point, let me explain what the dark net is.

Invisible dark net

The encyclopedia definition is: the parts of the Internet that search engines cannot crawl form the dark net.

For example, the search service on the Internet is like a large web search on the surface of the earth's ocean. Although a large amount of surface web information can be found in this way, there are still quite a lot of information lost by the search engine due to hiding in the deep. The traditional search engine can't "see" or get the content that exists in the dark web.

So, for the public, the dark net is invisible.

The content of the dark network accounts for about 96% of the total amount of the Internet, while the content we usually get through search is only 4%. That is to say, the content of dark net is almost 4000 ~ 5000 times that of search engine!

The father of dark net has the background of "army"

In May 1996, the U.S. Naval Research and Experiment Institute proposed to build a [hidden path information] system, in which users will not disclose their identity to the server when connecting to the Internet.

To access the dark net, you must use Tor (onion routing). Because the encryption that protects the data is layered like an onion, the name onion routing is very vivid!

Later, the source code was leaked and became the main access to the dark net, so that my pure baby can also go to the dark net to wave


The design of the dark net is so precise that its creators cannot destroy it.

Unregistered anonymous servers, relay interference and bitcoin as currency make the dark network exist for a long time.

Why does the U.S. government build such a system?

No one knows why. But it's not hard to think that with it, the police can investigate illegal websites without disturbing them; the military and intelligence agencies can make secret contact

(onion browser successfully connected)

In the "dark net", it's like hanging up

It's not enough to connect the browser. The domain name of the dark net is encrypted. It's all domain names like http://xxxxx.onion.

First Baidu has a domain name of the hidden wiki navigation page. With this navigation station similar to hao123, there will be no trouble finding domain names.

This kind of wiki is all the old drivers in the dark net. In order to facilitate the future generations, they will add the website links found here and clean up some invalid links from time to time.

(in the screenshot, I recited "a good man's life is safe" ~)

Anyway, I didn't go there, so I opened a website. Alphabay market, by name, seems to be an e-commerce website.

I was shocked to see the classification of commodities.

It's totally an underground black market. As long as it's against the law, it's all here.

(rough translation, all criminal tools and contraband)

Here are some pictures for you.

(110 dollars = 500 milligrams of heroin)

(50 euros for $52)

See this AK47, can't help but brain fill two products bitch kneeling to sing the picture of conquest, hum!

After searching China, I found that the passports, bank cards and accounts of the Chinese government were all sold at a price.

(You can apply for a passport and ID card. It's OK even to find a job, because they will also provide "real" proof of education.)

I can't help wondering how much it costs to buy a Beijing hukou. After all, the Hukou of the whole universe center has always been my dream. As a result, the seller did not reply. As you can see from the picture, from June 2015 to now, I haven't sold one time. The business is too bad... I guess the seller has given up.... only a few people have dreams like me.

All right, tourists. So far as sightseeing is concerned, it's time to get down to business.

Since it's to solve the problem of money, it's the best way to get a bank card.

I chose a seller with high evaluation.

Yes, you heard me right. There is an evaluation system in dark net.

In the blue box is the seller's level 3, and in the red box is the credit level 4. Boys and girls, shopping or to find a reputable seller oh.

Here are the seller's message, all kinds of praise seller credit, fast delivery, praise a piece... Found in the feeling of Taobao

It seems that "Internet + black market" also has a set of standardized system.

The product description reads: "all accounts are newly registered within two days, and all are real name registration. Different cards have different balances and can be consumed or cashed out at will. "  

Roughly speaking, the price of the card is only about one fifth of the balance.

The selling price is so much lower than the balance. Isn't the seller in a loss making business? Where are these bank cards from? Aren't they safe?

I'll send a private letter to the seller to find out these problems first.

The seller's private letter will come soon.

In order to gain my trust, the seller revealed the source of the card

A lot of "unlucky people" didn't pay attention to their consumption. They were secretly swiped by the cashier on the copying machine. All the data in the card, including the password and the card master information, were copied. Then it is made into a copy card, which has exactly the same function as the original card.

And the copy cards are magnetic stripe cards, because the chip card can not be copied

False identity account opening refers to first stealing other's identity information, and then opening an account in the bank. The card owner did not know the existence of this bank card, let alone that someone was using it.

The intimate seller also gave me tips for safe use... So touched.

The enthusiastic seller told me that the safest way to use it is online shopping. I don't need to show up. I need to fill in a transfer station with the receiving address, and then take it myself. No one will trace it.

For cash withdrawal or offline consumption, try not to show your face. After all, ATMs are cameras.

And acting skills are good, just like the plot of a TV play, it must be natural, just like using your own card. Life is like a play, when to get the convenience depends on acting.

Inner OS: if you buy a card, you can give away the head cover or something.

Because these cards are the identity information of others, they can also be used for money laundering and bribery. Even if they are found, they are not easy to track down.

Why don't sellers keep them for their own use?

The reason why the seller sells the bank card at a low price but does not use it by himself is that the risk of selling the duplicate card on the dark net is very low, and it will hardly be caught.

However, the use of these bank cards for consumption and money laundering needs to bear greater risks, because the bank's capital whereabouts and consumption records are easier to trace. So in order to drive for ten thousand years, smart sellers are very careful and prefer to earn less.

The mode of transaction is like a scene from a movie.

The seller told me that if only the information on the card (CVV, name, address, etc.) is needed and not the physical card, then the transaction can be completed online (because online shopping only needs the information on the card).

If you want a card, you can use DHL express, or trade it offline. The offline transaction seller will put the card in a specific place, maybe a corner of an alley, or an abandoned mailbox, and then tell you the place. This way is undoubtedly the most exciting. If it is not far away from the ocean, I really want to experience it for myself.

Can't the owner of the card find out?

In order to reassure me, the seller also replied to my question.

Most of these bank cards are long-term idle bank cards, or accounts without SMS reminder. So when the card owner finds out, the money on the card will be used up.

If it is found, the cardholder will also go to the bank to rent the cards. These cards are basically overseas. For this money, they will not be caught across the country.

I also asked a friend who had been stolen and swiped. It is said that if the credit card does not have a password, and after being stolen and swiped, I quickly went to the ATM to operate, and the proof card is beside me, so the bank can only fill in this hole by itself.

Rest assured, this card is worth having.

Excitedly click "buy", and then a page that I have to use Google translation to understand appears.

It means that the dark net trades with bitcoin, asking me to recharge bitcoin, and the recharge account is the mysterious code... What's more, the address will fail in a few hours.

Hurry up and make up for the usage of bitcoin.

In short, it is a kind of global encrypted electronic currency. The account address is anonymous, and the address where bitcoin is stored will change constantly. An address disappears after a few hours, which is hard to trace. Therefore, black market transactions and money laundering are conducted with bitcoin.

Buy a bit of bitcoin and recharge it into this account. It's called "one point" because now 1 bitcoin costs 8000 yuan, and I only bought 0.02 to complete the transaction.

(waiting for delivery from the seller)

Sure enough, a few hours later, the goods arrived.

(all credit card information)

This is a MasterCard in China, including card number, CVC code, expiration time, card owner's name, address and phone number.

According to the information, the card owner is a Hangzhou person. He lives at XX Huzhou street. His phone number is 1861283xxx, and the card number is 52010xxx3373279.

The seller said the cards could be consumed online. It should refer to foreign e-commerce platforms.

As far as I know, when binding the bank card, the Chinese e-commerce platform needs to confirm with the bank and confirm the verification code sent to the bound mobile phone.

So I chose Amazon in America.

Correct information, credit card added successfully!

Now the card is ready to use.

Try to see if you can actually buy it.

The purchase was successful. Foreign e-commerce platforms have loose control over credit card payment. No wonder I have heard that theft often occurs in cross-border e-commerce.

Cancel the order immediately after the test.

Don't forget the first thought... Book a ticket quickly.

Screenshot invoice circle, let them see, is so willful, Spring Festival a plane directly home.

However, I cancelled before the ticket was issued, but benbao was too kind to steal others' money to go home.

Spring Festival is still in the company, wuwuwu.

The lack of cardholder's safety awareness is embarrassing

Since I know the information and phone number of the card owner, I still think I should inform the card owner.

When the card owner learned that the information had been leaked, his reaction was completely indifferent: in his view, as long as the password is not disclosed there is no risk, and the card number, validity period and CVC code on the card are not important.

You can feel a lot of hostility just by texting. Even the function of the information on the card is not clear, and it's hard to blame the rampant theft.
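
The purchase above went through on card number, validity period and CVC alone, with no code confirmed on the bound phone, and the seller described the cards as long idle or without SMS reminders. As an added illustration (not part of the original article), this Python example shows how a card issuer could score such a card-not-present authorization; the `Auth` schema, the 180-day threshold and the sample records are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

DORMANT_DAYS = 180  # assumed cut-off for a "long-term idle" card

@dataclass
class Auth:
    """One card-not-present authorization as an issuer might see it (constructed schema)."""
    card_id: str
    txn_date: date
    last_cardholder_use: date
    card_country: str
    merchant_country: str
    sms_alerts: bool         # cardholder gets a text for every charge
    otp_verified: bool       # code sent to the bound phone was confirmed
    ship_matches_bill: bool  # delivery address equals the address on file

def risk_signals(a: Auth) -> list:
    """Return the names of the risk signals present on this authorization."""
    checks = {
        "dormant_card": (a.txn_date - a.last_cardholder_use).days >= DORMANT_DAYS,
        "no_sms_alerts": not a.sms_alerts,
        "cross_border": a.merchant_country != a.card_country,
        "ship_to_mismatch": not a.ship_matches_bill,
    }
    return [name for name, hit in checks.items() if hit]

def decide(a: Auth) -> str:
    """Return allow, step_up (send a code to the bound phone) or decline."""
    if a.otp_verified:
        return "allow"  # possession of the bound phone was already proven
    count = len(risk_signals(a))
    if count >= 3:
        return "decline"
    return "step_up" if count else "allow"

# Constructed sample authorizations, not real data.
SAMPLES = [
    Auth("card-A", date(2020, 1, 20), date(2019, 3, 1), "CN", "US", False, False, False),
    Auth("card-B", date(2020, 1, 20), date(2020, 1, 18), "CN", "US", True, False, True),
    Auth("card-C", date(2020, 1, 20), date(2020, 1, 19), "CN", "CN", True, False, True),
    Auth("card-A", date(2020, 1, 20), date(2019, 3, 1), "CN", "US", False, True, False),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.card_id, risk_signals(s), decide(s))
```

The first record combines every signal the seller relied on and is declined; the same record is allowed once the code sent to the bound phone has been confirmed.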

How to deal with stealing and swiping bank card in China

In short, copying other people's bank card information, using other people's credit card and other acts may constitute the crime of credit card fraud. For different amounts and circumstances, different penalties will be imposed, from two years to more than ten years, as well as different amounts of fines.

From the past cases, in the final analysis, the bank's failure to guarantee the uniqueness and non replicability of the bank card due to technical loopholes will lead to the phenomenon of stealing and brushing. The bank has the obligation to take full responsibility for the loss suffered by the card owner, so "bank's full compensation" is the general rule at present.

Dark net let you know that American TV has no imagination

From drugs and guns to the $100000 registered permanent residence in China, criminals can easily change their identities when they think of watching American dramas before, thus hiding in the crowd and dealing with the police. All kinds of delicate details and easy to get forged documents make people enjoy themselves. I'm not aware that I admire the wonderful descriptions of various cyber crimes in American dramas. I always admire the imagination of directors and screenwriters, and I can design such novel and exciting plots.

(story of card house)

In the face of the real dark network, in the black market with the network, looking at the "crime" of being sold at a price, I realized that they didn't imagine anything, or even write it.

Cruel joy will bring about cruel results

The dark net is indeed unique, which makes me open my eyes, but too much ugliness and filth has exceeded the scope of curiosity hunting. If you want to taste something fresh and find something exciting, you don't have to spend a lot of time looking for the entrance of dark net. It is said that some people have a mental breakdown due to their long-term addiction to the Internet.

Although the dark net has enjoyed a high degree of concealment, with the rapid development of technology today, these dark industries lurking in the deep layer of the network are no longer safe. The sudden collapse of Silk Road, the so-called "drug eBay", is a good example.

Quoting Shakespeare's famous saying: "Cruel joy will bring a cruel ending."