Personal Identifiable Information (PII) leaks have become more frequent in recent years, and losses from credit card fraud in 2021 have set records respectively in Taiwan and Japan. Where did this information get leaked and sold in the first place? The term "Dark web" refers to websites inaccessible without the use of Tor protocol, and given added privacy and anonymity while using Tor, and marketplaces in it are proven to be very attractive to criminals. An anonymous researcher will share experiences of dealing with vendors from card shops on marketplaces among dark web, focused on insights of shops selling Taiwanese and Japanese PIIs, and therefore, TTPs of hackers from these card shops. We hope to inspire audiences to rethink how to reduce credit card frauds.

1. 2022/10/16
Understanding the Chinese underground card shop
ecosystem and becoming a phishing master

2.  Data Scientist focused on Fraud
Detection
 CAMS（Certified Anti-Money
Laundering Specialist ) Member
Strawberry Donut

3. Agenda
 Background & Scope
 How I Started This Journey
 Card Shop Ecosystem
 Conclusion & Next Steps
Agenda

4. Our research is 100% compliant
with law. We did not conduct
any criminal activity.
Disclaimer

5. Background & Scope

6. 0
50
100
150
200
250
300
350
2014 2015 2016 2017 2018 2019 2020 2021
Credit Card Fraud
Forged card Card number theft Total
Hundred million yen
Source: 日本クレジット協会
In Japan, credit card fraud in 2021 reached 33 billion yen,
the highest amount ever. Card number theft accounts for
94% of the total
94%
Card Number Theft

7. Japan is one of the main targets of credit card fraud
 Japan is a fairly “ideal” market for the card
fraudsters
 3DSecure is static password
 High credit line
 Lots of card fraud marketplaces in the dark
web (IRC/Forum → QQ/WeChat → TG)
Goal: to understand the value chain of Chinese carding fraud
Scope: The Chinese card shop ecosystem targeting
Japan

8. Phishing JavaScript
Injection
Trojan
Malware
Methods to acquire credit card info

9. Phishing
Scope: Phishing is the major method to acquire credit
card info
JavaScript
Injection
Trojan
Malware

10. How I started this Journey..

11.  The community is a structured
organization providing training and
resources for beginners to start card-not-
present fraud
 Subscribers > 96,000 users
 Over 500+ active paid students in first
half year 2022
Entrance: One of the biggest credit card fraud
community targeting Japan

12.  The community leader is
located in GMT+8 time zone
 Cannot speak Japanese at all.
Using Google Translate a lot.
 Had a revenue of 56 BTC in 3
years till June 2022
 Got account takeover in June
by clicking some malware
porn file
More stories about the community leader..
Received 56 BTC
~ 1.6 億日本円

13.  A new phone number to
create a new telegram
account
 A new telegram account
 A newly reformatted
laptop
 Rental VPS / RDP server
 VPN
 Proxy
Persona Device Internet
Initial Setup: An unattributable research environment

14. 14
Tuition 3000 RMB paid in BTC
Training Courses  Environment setup
 Phishing mail lure sending
 Phishing techniques
 Credit card limit evaluation
 Cash out demo
Resources Provided  Basic knowledge and
guidelines
 Environment setup resources
 E-mail database
 Phishing kits
 Anti bot pool
 Cash out websites and buyers
Training Program as an entrance

15. 15
Tuition 3000 RMB paid in BTC
Training Courses  Environment setup
 Phishing mail lure sending
 Phishing techniques
 Credit card limit evaluation
 Cash out demo
Resources Provided  Basic knowledge and
guidelines
 Environment setup resources
 E-mail database
 Phishing kits
 Anti bot pool
 Cash out websites and buyers
Training Program as an entrance
Monitoring
> 300
Chinese Card Shop
Marketplaces

16. Card Shop Ecosystem

17. 17
Actor’s Value Chain
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

18. 18
Actor’s Value Chain
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

19.  Set dynamic device ID to avoid device hardware being tracked
IP Setup
Time Zone /
Language
Clean Cookies /
DNS / cache
Initial Setup 0
Initial Setup to avoid triggering security rules
Change MAC or
hardware ID
 Set IP near the targeted country / prefecture
Check IP not in
blacklist
 Major payment & e-commerce services blocked public proxy already
→ Check if your IP is not in the blacklist
 Set VPS time zone and language to be the same with the targeted location
 Keep the browser environment as clean as possible
 Virtual browser can be an alternative option

20. Initial Setup 0
Residential proxy covers actor identity and fakes card
holder location
Residential
Proxy Provider
Residential
IP Address Pool
Targeted
Destination
Actor
Major residential proxy used by fraudsters:
911 (China), oxylabs (Lithuania), BrightData (Israel)

21. 21
Initial Setup 0
911 used by Chinese fraudsters - 1/2
Residential proxy IP available
at city granularity

22. 22
Initial Setup 0
911 used by Chinese fraudsters – 2/2
User-Agents Available

23. 23
911 closed in July 2022
Initial Setup 0

24. 24
Actor’s Value Chain
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

25. 25
Phishing Setup 1
Acquiring the targeted E-mail lists through web hacking

26. Ways to set up a Phishing Kit
1. Using compromised server
 Pro: Higher website reputation
 Con: Higher risk of being taken down
2. Using rental server (VPS)
 Setup Apache/Nginx server and upload a Phishing kit
 Bullet-proof hosting providers from Russia, etc.
 Microsoft Azure needs months to take down phishing sites hosted
Phishing Setup 1
AWS has extremely strict security rules
Alert really soon right?
Go for Azure
Got banned after login with AWS

27. 27
Phishing Setup 1
Phishing Kit Template Examples – 1/2
SMBC card MUFJ card Amazon
American Express au pay Corona Vaccine

28. 28
Phishing Setup 1
Phishing Kit Template Examples – 2/2
Eki-Net EPOS Card DMM Card
AEON Card Docomo Account Rakuma

29. 29
Phishing Setup 1
Phishing Kit Component - 1/6 amazon.co.jp
Block all bots Block specific IP ranges
Block all non-human visitors

30. 30
Phishing Setup 1
Phishing Kit Component - 2/6
Resolve the IP address to domain name
and block famous security organizations
amazon.co.jp
Block all non-human visitors

31. 31
Phishing Setup 1
Phishing Kit Component - 3/6
If a user’s IP is not in China or
Japan, return error
If a victim is using Proxy,
try to get the real IP
amazon.co.jp
Filter visitors

32. 32
Phishing Setup 1
Phishing Kit Component - 4/6
Check if the card BIN inputted is valid
with an open-source API
If the length of inputted password is
shorter than 4, return error
amazon.co.jp
Validate inputted information

33. 33
Phishing Setup 1
Phishing Kit Component - 5/6
Returned format
Send the phished info to the actor’s
e-mail address; redirect the victim to
real Amazon website
amazon.co.jp
Return phished information

34. 34
Phishing Setup 1
Phishing Kit Component - 6/6 amazon.co.jp
Fresh fished data (魚料)
in mailbox
Harvesting
NetEase
Free
e-mail
provider

35.  Change IP continuously: keep your IP as clean as possible
 Avoid registering a domain name similar to famous websites:
big companies have automatic system detecting domains similar to
their brands
 Register multiple domain names at the same time: to disperse the
risk of being fully blocked at once
 Do not add SSL: adding SSL will attract Google police web crawler
and disclose your info
 URL redirect: use redirect tools to generate a “seemingly more
normal URL” to bypass spam filtering rules
Environment
Phishing kit
domain server
Phishing URL
Phishing Setup 1
Tricks to bypass email spam filtering rules
Mindset
Always try to improve the contents / environments to bypass e-mail spam filtering rules

36. 37
Phishing Setup 1
URL redirect tool - example
Destination URL
New URL

37. URL redirect tools make a URL looks more “normal”
 starts with “HTTPS”, more trustworthy
 Less suspicious domain names: domain name becomes the
domain of the redirection tool
 Ends with less suspicious strings: the name after the domain
name can be customized
Phishing Setup 1
Benefits of using URL redirect
When blocked by e-mail spam filter mechanism or
phishing site domain, a URL redirect tool helps a
fraudster restart the phishing cycle faster.

38. 39
Actor’s Value Chain
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

39. 40
Start Phishing 2
Essential
 Card number + CVV
 Card holder name
 Expiration Date
 Billing Address
 Date of Birth
 Device Footprint & Browser Info
 User IP
Optional
 Phone number
 3D ID & password
 Website / Card Membership / Account
name & Password
Harvesting – Info acquired

40. Cryptocurrency / gift
card websites that
allows credit card
Card Using Setup 3
Monetization approaches
Deliver to domestic
receivers to convert into
money
1
2
website
e-commerce
product
local
receivers

41. Card Using Setup 3
Monetization approaches
Donate to malicious
Tiktok influencers to
turn the money into
legitimate earnings
3
TikTok
TikTok
coin
Malicious
TikTok
influencer
Money laundering
through intangible
goods such as NFT & e-
books etc.
4
Platform
Malicious
NFT / e-book
seller

42. 43
Context
 For fraudsters, a credit card stands for a real person
with an unknown credit limit.
 A fraudster’s goal is to steal as much as possible.
Card Using Setup 3
Expected usable
amount ~30% of
the total credit
limit
Credit card limit estimation
Evaluate from card
info
Social
Engineering
Confirm in Card
Website
3 Ways to estimate a credit card value

43. To know the card level
Card Using Setup 3
Estimate credit card limit evaluation with card info
4 Factors to evaluate a card’s credit limit
Card Bin
Mobile
Phone Number
Age
Card
Expiration Date
1950-1970 usually have the highest amount
Compared to IP phone numbers started with 03, 04, 090,
050 , Phone numbers started with 070, 080 means that the
card has been used for awhile
A more recent expiration date means
the card is older. Older cards tend to
have a higher credit limit

44. 45
Card Using Setup 3
account login
Get into card website to confirm credit limit - examples
EPOS Card
new account
registration
SAISON Card

45. Card Using Setup 3
Disable OTP authentication: social engineering
Make change
Pass
authentication
Call the card
company
Wait
Use card
online
Prepare questions
such as ages
Make an excuse to
change billing address
and phone number
Use the card after
4-5 days to bypass
security rules
Phone call
Steps
Details

46. Card Using Setup 3
Disable OTP authentication: removing mobile phone
numbers on the card membership website
Change
registered
e-mail address
Reset
account
password
Forgot
account ID &
password
Login
Disable mobile
phone number
Temp e-mail
address
New account
password
Phished
info
Input
Task
Account ID
Output
Now authentication
method becomes the
account password we set!
New account
password
Example - A Japanese Credit Card
Membership Website

47. 48
Card Using Setup 3
Disable OTP authentication – example
Select “no mobile phone” Authentication method
changed to account
password

48. 49
Actor’s Value Chain
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

49. Use Card 4
Cards are used to buy goods that can be easily resold
Popular Goods:
 Electric Appliance
 Brand Bag
 Ticket & Gift Card
 Brand Cosmetics
 Liquor
 Watch
 Nike Shoes

50. Use Card 4
Cards are used to buy goods that can be easily resold
You can actually get a cheaper Tokyo
Disneyland ticket on Taobao!
Disney – 8,400 yen Taobao – 6,708 yen
Popular Goods:
 Electric Appliance
 Brand Bag
 Ticket & Gift Card
 Brand Cosmetics
 Liquor
 Watch
 Nike Shoes

51. 52
Receiver Addresses – example
Use Card 4
Dealers usually hand out a list
of addresses located
dispersedly in Japan to
match a card victim’s
location

52. 53
Use Card 4
To bypass AVS (Address
Verification System) check,
fraudsters change the
delivery address after
an order is accepted
via the delivery company’s
webpage

53. 54
Use Card 4
Any JP delivery addresses can be changed?
Change Addresses after an order is accepted – example
Kuroneko is common
These are the addresses changed
Other delivery companies allow you to
change in several kilometers, and Kuroneko
you can change to several thousands
Kilometer, but half of them got hold up

54. 55
Bigger monetization dealers
have their own
delivery management
system
Use Card 4

55. 56
Monetization 5
Monetization dealers demonstrate their accountability
by showing the goods received

56. Successful e-mail delivery
Victim – mail awareness
Victim – mail click
Victim – card info input
Correct card info input
Successful authentication
Successful cash-out
Summary - Actor’s Monetization Funnel
Success Rate
0.01% ~ 0.1%
40% ~ 90%
> 80%
~ 0.001 – 0.01%
Overall

57. Conclusion & Next Steps

58. 59
Phisher
Card User
Monetization
Dealer
Roles broke down to avoid legal sanctions
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing

59. 60
 Firsthand e-mail
databases for sending
phishing mails
 Legit phishing kits and
anti-bot mechanisms to
bypass security rules
 Adequate e-mail
contents to increase the
ratio of successful
delivery
Phisher Card User Monetization Dealer
 Honest card info supplier
 Patience and solid
environment setup to
fake user behavior
 Recruit enough domestic
package receivers
 Abundant cashflow
 Cross-border money
laundering techniques
Summary – Key success factors for each role

60. 61
Relevant stakeholders shall collaborate to defend effectively
 VPS / RDP setup
 Residential Proxy
 Check IP not in
blacklist
 Change MAC or
hardware ID
 Clean cookies / DNS
/ cache
 Select monetization method
 Credit limit evaluation
 OTP authentication
disablement
Initial Setup
0 Phishing Setup
1 Start Phishing
2
Card Using Setup Use Card
4
3 Monetization
5
 e-mail database
 Phishing kit setup
 Phishing e-mail lure setup
 Email address domain
preparation / SMTP setup
 Harvesting
 Card testing
The parts we can defend

61. 62
First Step: Protect your customers
with SMS OTP & 3DSecure
Trigger SMS OTP / 3DSecure whenever any
of the following changed:
 Device Fingerprint
 Time Zone
 Browser Language
 User Agent
 Delivery Address
 Receiver Name
Reducing
> 60%
card-not-
present fraud

62. 63
All stakeholders shall collaborate together to defend
effectively and speedily.
Source: Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations
Source: Security Certification in Payment Card Industry: Testbeds, Measurements, and Recommendations
Issuer Bank
User
Payment Network
Merchant POS
e-commerce
Visa / Mastercard / Amex
Delivery
Acquirer Bank
Payment Gateway
Stripe / Square
Merchant
Acquirer POS

63. Thank you
Contact | donut.strawberry@outlook.com