Carding 05 DECLINED: Device fingerprinting, machine learning, heuristic early warning, and the future of CNP carding PART 1

crisiswhatcrisis

Director of Pussy Control
VIP Member
Joined
16.01.21
Messages
16
Reaction score
27
Points
13


So you thought your shit was swass af, with your regional or target-local RDP and your paid VPN connection and SOCKS5 proxies (rarely) configured correctly, or if you're a maverick because you went to DEFCON once or twice you're using Tor. Safe, right? Smooth sailing like every time, browse a little while on a site, change your user agent, browse some more, add some stupid petty shit to the cart once or twice, and you're getting ready for the victory lap to the checkout line. Everything looks good, and it looks like this mark's about to meet your hot-off-the-marketplace CVV for a little CNP with a side of bifurcated billing/shipping sauce on top.

.... A little bit of copypasta here, some JQueryUI datepicker there... Everything looks good... Check the billing and the shipping addresses aren't too far apart... Yeah, the CVV you bought has the phone number.. Sweet. Slap that sucker into the box, cross your fingers and hold onto your nuts cuz we're gonna CLICK... THAT... .BUY BUTTON! *click*

05 DECLINED
"We're sorry, please contact your bank for more information. Otherwise, please choose another form of payment."

Shit. What did I miss? Quick re-check shows nothing out of place on the form... You didn't use the marketplace checker when you bought it, so the issuer shouldn't be tripping out about the random USD $1.00 pre-authorization and immediate release from some weird Ukraine or Latvia-based webstore whose merchant account got hacked... Hm. Answer hazy, try again !

Fresh CVV, same locale, drop line A into box B... Double check, yup... yup... Click the Accept Terms checkbox... Finally, let's CLICK... THAT... BUTTON! !! *click*


05 DECLINED
"We're sorry, please contact your bank for more information. Otherwise, please choose another form of payment."

SHIT! WHAT THE FUCK IS GOING ON? How many CVVs will you burn through, each new fresh CVV gets burned the same way. What the fuck is happening? Change browsers, clear cookies, re-route your VPN shit via the Moon and slingshot it out and back from Mars... Re-try another CVV, same thing. DECLINED.

Well bro, chances are a few things may be true about your operation and environment in which you've been conducting yourself. Enter the world of "device fingerprinting", which is just as strange as it sounds. Just like some of us have been gifted a surprise makeover complete with new jewlery, clothes, and even our own glamour photo shoot, your workstation has just been made VISA-famous! In fact, you might as well call the Internet 'Cheers', cause everyone out there will know your name! Not literally, yet - but if the honchos in charge get their way some day it might be so.


Just like the fingerprints on our hands are unique to each individual, a digital device fingerprint is unique to the machine it was generated for, and is most commonly derived by client-side JavaScript running on a payment gateway checkout page. Once it has been generated by the hashing of sub-millisecond audio samples, a varied mixture of environmental variables visible to the DOM, including viewport and window size, texel/sprite display generation timing, and other silly bitwise metrics. I have seen implementations that have a Flash script hook that allows it to jump through the Flash player's viewspace and greedily lick at the unprivileged variable stack that Flash uses to control itself in properly behaved ways and grab the CPUID or other physical machine metrics used in derivation of the fingerprint data.

Back in the old days, when payment gateways were great lawless glory holes in the walls of Heaven, it didn't matter what you were browsing and buying with. Hell, remember the short-lived technorati fetish-box the MSN Companion, or other set-top 'WebTV' machines? Yep. Smooth as silk - not even any chips yet to fuck us up right? Ahh... Those were some heady days of youth. Every month new pairs of Jordans hit my feet, maybe the same with you, but not anymore. Every click you take, they'll be watching you.

Since the fingerprinting algorithm uses physical properties of the environment, meaning it can query the DOM and the operation of the JS engine/vm reliably and reproduce the same hash repeateedly. This means that nothing you can do, except radically change hardware (think CPU, sound card, graphics card - a major overhaul) and it would please the powers that be nothing more than to have us rotate through hardware like they tip wine glasses, essentially waging a war of attrition.

TL;DR: What does all of that shit have to do with the Carding Army? Everyfuckingthing, sweetheart. Those of you that have a single operating environment on a machine, those of you who use burner phones and burner SIM cards, and anybody that just doesn't give a fuck and want free pizza delivery, you already have been or will be at some point facing this technique as an adversary in pursuit of that new pair of AF1's at the expense of some old lady in Idaho. VISA, Mastercard, and American Express have all rolled out device fingerprinting around the same time as 3D Secure systems came online. These methodologies have the endorsement of the major merchant processors like Authorize.net, National, Square, et cetera, and the majority of those not only use it on their side of the transaction to prevent further loss (as in early warning systems that provide data to the merchant requesting the authorization) or incorporate it into their development APIs and hook into JS routines on the payment date page that deliver the needed analysis data as a blob in the POST data - OR - several turnkey shopping carts have plugins that hook the needed data.


Coming up in Part II: 3D Secure (VBV/AC/SK), Merchant-side fingerprinting vs. Gateway/Interchange fingerprinting, and how AI/ML-derived heuristics data is used in early warning - STAY TUNED!
 

AIDSBurger1337

Regular
Joined
25.08.21
Messages
3
Reaction score
0
Points
1
so...it doesn't matter if I keep rotating rdp's? since you said it's hardware based?
 

crisiswhatcrisis

Director of Pussy Control
VIP Member
Joined
16.01.21
Messages
16
Reaction score
27
Points
13
so...it doesn't matter if I keep rotating rdp's? since you said it's hardware based?

Well, in a perfect world you would have to ensure you rotate actual hardware underlying the RDP session. This means you would have to ensure you are connecting to a wholly different system each time you open a session, but in practice this is mainly made difficult by the nature of RDP vendors - either they have one or two physical boxes that are used as TS servers, in which case you have the same physical hardware (and same fingerprint) even if sessions are different users, networks, et cetera - or, you are using RDP to connect to compromised desktops, which in this case may be better than the first option, for many reasons… But the latter scenario is getting to be rarer and rarer to find, outside of some specific scenarios.

Remember that the fingerprinting is based on the “noise” generated by the GPU as it renders the predetermined sequence of polygons - it’s elegant, if not brute.
 

yangchao

Regular
Joined
16.01.22
Messages
11
Reaction score
3
Points
3


So you thought your shit was swass af, with your regional or target-local RDP and your paid VPN connection and SOCKS5 proxies (rarely) configured correctly, or if you're a maverick because you went to DEFCON once or twice you're using Tor. Safe, right? Smooth sailing like every time, browse a little while on a site, change your user agent, browse some more, add some stupid petty shit to the cart once or twice, and you're getting ready for the victory lap to the checkout line. Everything looks good, and it looks like this mark's about to meet your hot-off-the-marketplace CVV for a little CNP with a side of bifurcated billing/shipping sauce on top.

.... A little bit of copypasta here, some JQueryUI datepicker there... Everything looks good... Check the billing and the shipping addresses aren't too far apart... Yeah, the CVV you bought has the phone number.. Sweet. Slap that sucker into the box, cross your fingers and hold onto your nuts cuz we're gonna CLICK... THAT... .BUY BUTTON! *click*

05 DECLINED
"We're sorry, please contact your bank for more information. Otherwise, please choose another form of payment."

拉屎。我错过了什么?快速重新检查显示表格上没有任何异常...您购买时没有使用市场检查器,因此发行人不应该对随机的 1.00 美元预授权和某些人的立即释放感到不安奇怪的乌克兰或拉脱维亚网上商店的商家帐户被黑了......嗯。回答朦胧,再试一次!

新鲜的 CVV,相同的语言环境,将行 A 放入框 B...仔细检查,是的...是的...单击接受条款复选框...最后,让我们单击...那个...按钮!!!*点击*


05 拒绝
“很抱歉,请联系您的银行以获取更多信息。否则,请选择其他付款方式。”

拉屎! 他妈的是怎么回事? 你会烧掉多少个 CVV,每个新的 CVV 都会以同样的方式被烧掉。到底是怎么回事?更改浏览器,清除 cookie,通过月球重新路由您的 VPN 垃圾,然后将其从火星弹射回来......重新尝试另一个 CVV,同样的事情。拒绝。

好吧,兄弟,关于您的运营和您一直在其中的环境,有几件事可能是真实的。进入“设备指纹识别”的世界,这听起来很奇怪。就像我们中的一些人得到了惊喜改造,包括新的珠宝、衣服,甚至我们自己的魅力照片,您的工作站刚刚成为 VISA 的名人!事实上,您不妨将互联网称为“干杯”,因为那里的每个人都会知道您的名字!还不是字面意思——但如果负责的大佬有一天能如愿以偿,那可能就是这样。


就像我们手上的指纹对每个人来说都是独一无二的一样,数字设备指纹对于生成它的机器来说也是独一无二的,并且最常见的是通过在支付网关结账页面上运行的客户端 JavaScript 派生的。一旦它通过亚毫秒音频样本的散列生成,DOM 可见的各种环境变量的混合,包括视口和窗口大小、纹理/精灵显示生成时间以及其他愚蠢的按位指标。我见过有一个 Flash 脚本钩子的实现,它允许它跳过 Flash 播放器的视图空间并贪婪地舔非特权变量堆栈,Flash 用来以适当的行为方式控制自己并获取派生中使用的 CPUID 或其他物理机器指标的指纹数据。

回到过去,当支付网关是天堂墙壁上无法无天的荣耀洞时,您浏览和购买什么并不重要。该死,还记得 MSN Companion 或其他机顶盒“WebTV”机器的短暂技术迷信盒吗?是的。像丝绸一样光滑——甚至没有任何芯片可以把我们搞砸,对吧?啊……那是一些令人兴奋的青春岁月。每个月都有一双新的乔丹鞋打在我的脚下,也许你也一样,但现在不是了。你的每一次点击,他们都会看着你。

由于指纹算法使用环境的物理属性,这意味着它可以可靠地查询 DOM 和 JS 引擎/vm 的操作,并重复地重现相同的哈希。 这意味着除了从根本上改变硬件(想想 CPU、声卡、显卡 - 一次大修)之外,你无能为力,而且它只会让我们像倒酒杯一样在硬件中旋转,本质上是取悦权力发动消耗战。

TL;DR:所有这些狗屎与 Carding Army 有什么关系?他妈的,亲爱的。那些在机器上拥有单一操作环境的人,那些使用刻录机电话和刻录机 SIM 卡的人,以及任何不关心并希望免费提供比萨饼的人,你已经或将要参加一些以这种技术为对手,以牺牲爱达荷州的一些老妇人为代价追求那双新的 AF1。VISA、万事达卡和美国运通都在 3D Secure 系统上线的同时推出了设备指纹识别。这些方法得到了 Authorize.net、National、Square 等主要商家处理器的认可,


第二部分即将介绍:3D 安全 (VBV/AC/SK)、商家端指纹识别与网关/交换指纹识别,以及如何在预警中使用 AI/ML 衍生的启发式数据 - 敬请期待!
吨hank you
 
Top Bottom