Carding

Sripathi Srinivasan
Nov 5 · 5 min read

“1.3 million Indians’ bank card details put on the dark web”

I’m sure many of us have come across this news recently. The practice of fraudulently trafficking stolen card details is referred to as Carding. The information could have been stolen through physical means such as skimmers, through cyberspace using techniques like Phishing, or through the phone network using Vishing (Voice Phishing) and SMiShing (SMS Phishing).

Conventionally, card information was mostly stolen by affixing a detachable physical device to a Point-of-Sale (PoS) terminal or an ATM which skims data from the card’s magnetic stripe and/or the keypad. Sometimes small cameras are affixed as well to capture keystrokes (the PIN).

A typical skimmer could look like either of the following:

It is often very difficult for a layman to spot the presence of skimmers on ATM machines and Point-of-Sale terminals.

Ever since people started going digital with payments, Phishing, Smishing and Vishing have become the more prominent techniques for harvesting card information. As I mentioned in my previous article on “Email Scams”, attackers use a variety of social engineering techniques to harvest sensitive information from their targets. In most cases, email, SMS and phone calls are merely the mediums that deliver the bait; the real problem starts when you follow it. The scam I investigated recently, described below, is a typical Smishing-based scam.

A typical real-world SMiShing scam

I recently came across a scam which starts with a spam SMS containing a shortened link. The recipient was asked to visit this link, as shown below, to redeem some “reward”. For a brief idea of what shortened links are and why they hide the real destination, please refer to my previous article on email scams.

Clicking this link will land you on a web page shown below.

If you look carefully, you’ll see a padlock symbol 🔒 in the address bar (because the site is served over HTTPS, i.e. it has a valid SSL/TLS certificate). This only means that your communication with that site is encrypted in transit, so a third party on the network cannot read it. It DOES NOT say anything about the authenticity of the site or the services it offers; scammers obtain certificates just as easily as anyone else.

Then clicking on the “GET A TRANSFER >>” button will show you the following options:

Choosing any of the above mentioned options will take you to the following page:

Proceeding further from this page by entering valid details would definitely compromise your card information, and might also lead to direct financial loss.

Another thing to note is that the shortened link originally sent to the SMS recipients doesn’t redirect you directly to the scam site. It bounces off a third-party site before landing on the scam page. This is very hard to notice because it happens in a fraction of a second. By debugging the redirection I was able to get hold of the intermediate link, which belongs to a legitimate site that the attackers appear to have compromised. A likely reason for this setup is that it lets the scammers switch the landing page’s domain frequently without changing the original link that was sent to the targets.

To get the links of all the hops in a chain of redirections, open the browser’s developer console by pressing the F12 key, then enter the shortened link in the address bar and press Enter. Now look for entries in the console window that start with “Navigated to”; each one is a hop. (In Chrome, enable “Preserve log” in the console settings first, otherwise the console is cleared on every navigation and only the last hop remains visible.)
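The same hop-by-hop trace can be scripted, which is handy when investigating a batch of reported links. The following is an added example (not code from the original post): `trace_redirects` takes a pluggable `fetch` so the constructed chain below runs offline, while `live_fetch` performs real requests with the standard library; all hostnames in the sample are placeholders, not the real scam.

```python
from urllib.parse import urljoin
import urllib.error
import urllib.request

REDIRECT_CODES = {301, 302, 303, 307, 308}

def trace_redirects(url, fetch, max_hops=10):
    """Return every URL visited, starting with `url`. `fetch(url)` makes ONE
    request and returns (status, Location header) without following redirects."""
    chain, seen = [url], {url}
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            return chain  # landing page reached (or a non-redirect error)
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return chain  # redirect loop: stop instead of spinning
        seen.add(nxt)
    return chain  # hop limit hit; chain is incomplete

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface 3xx responses instead of silently following them."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def live_fetch(url, timeout=10):
    """One real HTTP(S) GET with redirects disabled (stdlib urllib only)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # urllib raises on an unfollowed 3xx
        return err.code, err.headers.get("Location")

# Constructed offline sample (placeholder hosts): shortener -> compromised
# legitimate site (relative redirect) -> scam landing page.
SAMPLE_CHAIN = {
    "https://short.example/abc": (301, "https://legit-blog.example/old-post"),
    "https://legit-blog.example/old-post": (302, "/go?to=reward"),
    "https://legit-blog.example/go?to=reward": (302, "https://reward-claim.example/transfer"),
    "https://reward-claim.example/transfer": (200, None),
}

def sample_fetch(url):
    return SAMPLE_CHAIN.get(url, (404, None))

if __name__ == "__main__":
    for i, hop in enumerate(trace_redirects("https://short.example/abc", sample_fetch)):
        print(f"hop {i}: {hop}")
```

For a real shortened link, call `trace_redirects(link, live_fetch)`; the middle entries of the returned list are the bounce sites that a browser hides.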

Safeguarding measures

  • Ignore any SMS or email from strangers which claims to offer a reward in exchange for an advance payment or sensitive information.
  • Do not enter your card information on untrusted sites.
  • Never make it a habit to store your card information, even on trusted/legitimate sites. If your user account is compromised, so is your card information. You need not be personally targeted by a scammer for this to happen: if a website’s security is weak enough for attackers to get their hands on its database, your account details (including any stored card information) are compromised along with everyone else’s.
  • Do not give out sensitive information like credit/debit card details to anyone who claims to represent the bank where you hold an account.
  • If you receive any email of suspicious nature, always mark it as spam, so that future emails of similar nature will be marked as spam automatically and never get to your inbox.
  • Do not make financial transactions or exchange sensitive information through public/untrusted networks.
  • Do not make financial transactions or exchange sensitive information with sites/services that do not implement SSL/TLS, i.e. HTTPS (the padlock symbol 🔒 discussed earlier in this article).
  • It’s preferable to use a trusted VPN service while carrying out financial transactions on networks you do not control, so that your traffic gets an added layer of encryption between your device and the VPN server, which shields it from eavesdroppers on the local network.
  • If you have strong reason to believe that your card details have already been compromised, hotlist/block your card by calling the customer care service of the respective bank.

Kindly note that harvesting card information is not restricted to the techniques mentioned in this article. Scammers constantly refine their social engineering techniques to follow the latest trends, and it is not practically possible for us to stop them. But we can always stay alert and safeguard ourselves.

OCySAP

Open Cyber Safety Awareness Program (OCySAP) is an initiative to educate people about Data Privacy and Internet Safety so that they can defend themselves against online scams and cyber harassment. It is NOT a certification program.

Written by Sripathi Srinivasan

Sripathi is a Certified Cyber Crime Investigator, Hacker, tech enthusiast, and an Independent data privacy & cyber safety researcher.
