Carding šŸ•µļøā€ā™‚ļø A CrdPro Exclusive: How To Bypass Modern AI Anti-Fraud Systems šŸ›”ļø



sack

Premium
Joined
20.07.24
Messages
30
Reaction score
3
Points
8
awesome guide mate
really appreciate what you do
 

dkpk117

ā‹†ļ½”ļ¾Ÿā˜ļøŽļ½”ā‹†ļ½” ļ¾Ÿā˜¾ ļ¾Ÿļ½”ā‹†
Supreme
Joined
04.03.22
Messages
159
Reaction score
140
Points
43
Thank you for a interesting topic.
 

ThatGuy42109

Carding Novice
Joined
21.08.24
Messages
3
Reaction score
1
Points
1

šŸ•µļøā€ā™‚ļø A CrdPro Exclusive: How To Bypass Modern AI Anti-Fraud Systems šŸ›”ļø


Ever wondered how you could have what is arguably the most flawless setup (high balance card, proper BIN, clean same city socks) imaginable on the cyberspace and still not get a good hit while carding something online? Ever wondered why Stripe keeps refusing your ā€˜high-balanceā€™ card even for a low amount? Or why even a cheap order on Shopify gets cancelled due to ā€˜unforeseen circumstancesā€™? šŸ¤”




šŸ›‘ The answer is quite simple: AI Anti-Fraud Systems. And today weā€™re tackling this concept that is foreign to noobs, but seasoned carders are all too familiar with. Understanding it essentially guarantees a shipment notification in your email, and not an order cancellation notice.

šŸ” What are modern anti-fraud systems?

Antifraud systems are essentially gates and hoops you have to bypass (besides the bank) in order for your order to get successfully processed. The systems decide whether to force you to go through 3DS, or not. The companies who run these include, but not limited to:

Stripe Radar
Signifyd
Riskified
Accertify
Forter
SEON




šŸ’” Who came up with this shit?


While large websites like Amazon, Walmart, etc roll their own, corporate assholes figured out that thereā€™s money to be made in stopping script kiddies from copy pasting free CCs from Telegram and getting their iPhone 15 Pro Maxes next day. Somehow they had the brilliant idea of offering fraud prevention as a service (SaaS). Their pitch to business owners was simple: You install our javascript on your website and we watch over everyone whoā€™s trying to make an order from your store, we get to decide whether an order is approved or not. All orders we process we take a % cut. If we approve an order and it turns out to be fraudulent and the cardholder charges back, we compensate you 100% for your loss.

This is probably one of the most profitable venture ever created, just a little bit below a casino. Think about it: Not only are there statistically a minuscule percentage of fraudulent orders compared to legitimate ones, an overwhelming majority of carders doing fraud areā€”lets admit itā€”noobs and are very easy to detect. If youā€™re one, then keep reading as this is perfect for you.


šŸ”’ But what makes them different?

Two words: data & AI. Modern antifraud systems became much more effective since they are equipped with more dataā€”since hundreds/thousands of businesses use them, they are effectively collecting order data from thousands of shopping websitesā€”and this in turn results in far more superior AI decision making. These systems asses your risk in a point-system where each hit or risky aspect of your purchase adds to your overall ā€˜risk scoreā€™. Their software are actually much easier to deploy, giving the business owner the peace of mind that there will be minimal chargebacks on their shopping site, and if ever there were, they are covered and compensated by the antifraudā€™s guarantee system.



šŸ˜Ž At the heart of this is the tradeoff between true positives and false positives. An antifraud system that is too strict will block MOST of the fraudulent orders while at the same time blocking a huge portion of false positives (legitimate purchases). This is bad for the shop-owner, as often times their loss from blocked legitimate purchases are higher than the actual possibility of loss from fraudulent purchases; not to mention it damages their reputation whenever a legitimate customer attempts to purchase and is suddenly blocked without doing anything wrong. The job of the fraud detection companies is to fine-tune their AI and balance true positives to false positives.

And they need to make it as seamless as possible. A shopping owner nowadays wouldnā€™t have to hassle themselves in deciding if they should ship a shiny new PS5 to Brandon from Portland; the AI had already decided to reject the transaction because it has data that someone from the same delivery address charged-back a dildo purchase from six months ago. And if youā€™re shipping to a freight forwarder, good luck, because there are probably countless dildos already fraudulently purchased to that warehouseā€™s address. šŸ˜…

šŸ’» Ok I get it, Iā€™m fucked, how can I be not fucked?



Before you can start mowing down the shopping sites with your 517805s and 518698s you first need to understand what data during shopping is taken, how it is processed, and how huge of a factor each data plays in the AIā€™s decisions making process.


šŸŒ Common misconception regarding your IP address.



Back in the days you just needed choose a proxy in the same city/state as the billing of the card and youā€™re good to go. Go make a quick search on the forums for guides, and thatā€™s pretty much what everyone tells you: same IP city or state of the billing, and voila, your order goes from processing to preparing for shipment. That couldnā€™t bw further from truth nowadays. While proximity of your IP is a factor to the systemā€™s decision making, it isnā€™t the ONLY factor, nor is it the most important one.

The opposite is also true: if same city/state to cardholderā€™s billing is the most important deciding factor, why is it that your relatives, who orders online from anywhere else in the country still get their orders processed? Why is it that your Uncle, whoā€™s taking a vacation thousands of miles away from his billing address is still having no troubles getting his legitimate orders through?

šŸ“Š
IP quality > IP proximity. When deciding regarding your IP address, IP quality is a far more important factor than proximity. You could be using an IP on the same street as the billing details of your card, but if it was ran over a thousand times already by other cards your order will simply not push through.


Some websites that offer IP health checks include:

Scamalytics https://scamalytics.com/ip
Seon (this is good if youā€™re trying to hit a site that uses SEON to block fraud, as you get a picture of how the service looks at your IP) https://seon.io/resources/ip-fraud-score/
IPscore.IO https://ipscore.io/


These help with assessing your IPā€™s health, but it doesnā€™t paint the entire picture. Consider the recent IP address somebody used that scored extremely low on all these services. It passed through these tests with flying colors yet it failed Stripeā€™s Radar for mere $45 purchase:



šŸ”Why? Letā€™s take a look at Stripeā€™s AI decision-making:




Notice the ā€˜Previous disputes from IPā€™, ā€˜Authorization rateā€™, and ā€˜Number of cards previously associated withā€™?
While the IP health services sees the IP as clean, itā€™s obvious it has been ran over hundreds of times in the past hence the transaction failed.


šŸ’”But if I had no way of reliably knowing if the IP is clean or not, how can I pick which one?

You can increase your chance tremendously by combining the data you have: first the cleanliness of the IP on these tools, and the source youā€™re getting the IPs from. Making sure your IPs are actually squeaky clean is also a multi-step process:

1. First thing you need to make sure is that youā€™re getting either residential IPs, or 4G LTE IPs.
Some ISPs offer IP blocks to companies who host proxies on their own servers, while these proxies are FAST, they are considered ā€˜RISKYā€™ by fraud AIs as thereā€™s really a low chance an actual consumer will be using an IP from a company server. Steer clear of them and just use residential IP proxies.

2. Make sure the Socks/Proxy provider doesnā€™t primarily cater to carders/fraud audience
One extra tip is to go through each provider & know who they are primarily catering to. A company that is primarily offering its proxies to fraudsters give you a lower chance of success as its pool is most likely tainted by its own customers.

For example: while combing through CardProā€™s Proxy Section and picking a part each company offering their services, I can confidently say that ALL of them primarily cater to marketers, so their IPs pools are most likely CLEAN than random services online who source their IPs with malware-infected hosts.


3. The bigger the provider pool, the better
A proxy platform that offers a huge pool, sometimes upwards of millions, tend to increase your chances of success simply because any IP yo get will have a lower chance of having been used in the past by another fraudster. This effectively bypasses the pitfalls that happened to the Stripe transaction above.



Best Residential Proxy Right Now: https://www.922proxy.com/

šŸ”„MY EXTRA SECRET SAUCE REGARDING IPs FOR FREEšŸ”„
If you want the best of the best, cleanest IP address you can find, then get an Apple device and use their iCloud Private Relay VPN:





Not only does it help you with privacy, Antifraud checker systems are forced to give a low fraud rating to IPs in Appleā€™s pool, simply because they are shared by all Apple users who uses Safari, and punishing any IP inside the pool will cause legitimate Apple device customers who uses the services to get hit too, causing legitimate purchases to get cancelled. Abuse this while Apple is forcing these privacy-breaking companiesā€™ hands.

https://news.ycombinator.com/item?id=27760391



šŸ•µļøā€ā™‚ļø Now, shifting gears from picking the right IPs, let's talk about another crucial detail : your browser fingerprint. It's like your browser's unique ID card on the internet and it's as vital as choosing the right IP.
Picture this: you've nailed the IP game, but forget about your browser fingerprint, and you might as well be wearing a neon ā€˜fraudsterā€™ sign online.
Surprisingly, a lot of newcomers in the carding scene fumble on this step, and that's where things can go south real quick.



šŸ”What is a browser fingerprint?

Your browser fingerprint is like your browser's secret recipe ā€“ a unique mix that makes it stand out online. When you visit a website, your browser spills the beans, sharing info like its version, type, operating system, screen resolution, plugins, fonts, time zone, language preferences ā€“ the works. And thanks to JavaScript, websites can even unearth more details about your browser's capabilities and device features. So, as you move through the internet, your browser unwittingly reveals its detailsā€”even your fucking battery percentage!ā€”basically broadcasting your digital identity to the websitesā€™ servers and antifraud mechanisms.




Companies collect millions of these fingerprints, as left by their users. By piecing together these fingerprints, they create a coherent picture of visitors without them even realizing it. It's like assembling a puzzle of online habits, preferences, and activities to get to know users on a more detailed level. By analyzing patterns and details, these systems can effectively assess whether a person has engaged in fraud in the past, linking their current browser & sessions with previous order sessions. Inversely, they can piece together that your current session does not fall in line with the cardholderā€™s sessions, ultimately resulting in declined/cancelled orders.





So, here's the deal with browser fingerprints: some folks think they should be like the James Bond of the internet ā€“ all unique and untraceable. But here's the twist ā€“ that's not the right move with fingerprints. Unlike IP addresses where you're after the squeakiest clean, with browser fingerprints, you're aiming for the dirtiest, most common fingerprint possible, as this allows you to blend in the crowd like any normal person would!

šŸŒAntidetect Browsers

Enter antidetect browsers ā€“ these are like your secret weapon. They're special browsers designed to make you blend in even more and throw off those pesky JavaScript trackers by antifraud systems. They let you tweak things like your user agent, disable browser plugins, and mess with cookie settings. The goal? To make your online fingerprint look so generic that it's hard to pick you out from the crowd. Plus, they help prevent trackers from linking your different online sessions on the same device. Some of these include:

CheBrowser
Linken Sphere
Multilogin

Kameleo
GoLogin

Incogniton

These browsers are primarily used by internet marketers and botters who snag the next Nike release, and for a monthly price they pretty much do all the heavy lifting in making sure each session is different from the other, while at the same time maintaining a ā€˜genericnessā€™ to it that makes you mix perfectly with the crowd.

Each browsers have their strengths and weaknesses, so try as many as you can and decide which works perfectly for your workflow. Just make sure you remember what I said: your goal with these browsers is to be as ā€˜non-uniqueā€™ as possible!


šŸ”„MY EXTRA SECRET SAUCE REGARDING Anti-detect/Browser FingerprintsšŸ”„
Hereā€™s another free sauce that will surely help your workflow. Did you know most Safari browsers on iOS have similar fingerprints? And here's the kicker ā€“ even iOS apps can't track your device 'hardware id' between resets.
So reset your iPhone, install the Surge App on the App Store, connect to your proxy and change your timezone: bam! you have the most perfect piece of anti detect software there is. Thereā€™s a reason why expert carders showing off their orders being shipped all take screenshots with their iPhones: it is simply the best tool to get the job done.

šŸ›’Browsing Patterns


Another huge part of the order flow that raises a red flag and increases your ā€˜risk scoreā€™ to the eyes of AI systems is your browsing pattern. Think about it: what kind of animal of a person would go to a shopping site, pick an expensive item within a span of a couple of seconds, checkout by pasting their credit card info, and keep refreshing the order status page every couple of minutes? Thatā€™s right, a CARDER.

Humans are creatures of habit, and these antifraud companies know this: thatā€™s why their systems are geared towards statistically comparing patterns of legitimate buyers to fraudsters, and using the recognized pattern to make decisions whether to approve orders or not. This is all done through the magic of modern Javascript, where all your cursor movements, clicks, scrolls, keystrokes, pastes, etc are recorded to perfection. Seriously check out the console for how many data goes to Stripe upon loading the page:





These data (117 requests) were gathered within a couple of seconds of loading the page. A single click creates a request to Stripeā€™s Radar servers letting them know that you clicked here and there. Now imagine this sort of thing being embedded in ALL of the pages in the shopping website. Yes, clicking the first expensive thing you see and going through the checkout page like a madman with a bunch of cards will surely get your session fucked.


šŸ”„ So how do I bypass this? Pretend like an 80-year old lady from Arkansas?

Perhaps you could, most antifraud pattern matching systemsā€”except Amazon, because Amazon is retardedā€”in my experience gives enough leeway for a purchaser even if the activity patterns donā€™t really match. Spend a couple of minutes here and there, pretend youā€™re having second-thoughts about your purchase, be finicky, scroll and check other products, just wander around a bit before going for the kill.

Again, always think about the diagram I showed you earlier: these systems want to be strict and catch noob carders, but they DONT WANT TO BE TOO STRICT and block legitimate purchases and hurt their clientā€™s bottomline.


šŸ”„MY EXTRA SECRET SAUCE REGARDING Shopping PatternsšŸ”„
(Donā€™t worry, this doesnā€™t require Apple devices anymore.) šŸ˜…
One extra-spicy method that weā€™ve been using all these years in order to bypass fraud checks, and this is especially effective for digital items is split in three steps:

1. Make sure the website accepts signup/checkout with ANY email without any form of email verification. If youā€™re purchasing a gift card, make sure that the gift card gets sent to an email of your choosing, or stored in the order history page that is completely accessible to you without OTP being sent to the person who ordered.

2. Checkout using the cardholderā€™s own email. Weird right? Well when you use the cardholderā€™s email, which the cardholder has most likely have a positive history of legitimate orders from, youā€™re pretty much guaranteeing the order will go through!

3. Use email spam services and spam the email right after the purchase was done. This guarantees the email from the shopping website doesnā€™t get read by the account holder, or the gift cards/digital goodies you purchased gets to him. There are plenty of email spam services out there.







šŸ”„Another Spicy Sauce is using Ad Blockers like uBlock OriginšŸ”„
Remember the concept of blending in the crowd? This also applies to shopping patterns: AdBlockers block scripts that track a users movement in the site, effectively making the AI blind to any of your actions; while you may think this will make the AI suspicious and outright block you it will surely wonā€™t because millions of people use ad-blocks, and by using one youā€™re effectively blending in with millions of people whoā€™s activity inside the shop the AI cannot track. This works so good on some site I used to actually charge people to help them order stuff while using this. And now Iā€™m giving it to you for free.



šŸ Address


Now, let's talk about the last leg of our journey ā€“ the delivery address. Honestly, it's a critical part of the whole order thing and can either make it or break it. Some big-shot shopping sites like Amazon and Walmart might cut you some slack when it comes to the delivery address, but others, like Forter, Signifyd, Riskified, play hardball and shut down transactions to addresses with a history of fraudulent orders.

Now, you could try these residential drop services floating around the forums and Telegram, but they're a bit like playing roulette ā€“ unpredictable and often risky. They might even rat you out, and worst-case scenario, your stuff could get swiped. Another option is hopping on services like Reship, Shipito, etc., but let's be real ā€“ those addresses have been raped by molested by carders since time immemorial, not to mention they tend to suddenly require complicated KYC processes once they catch a whiff of carded items. So how do we reliably deal with this? Enter my free sauce for you miscreants:


šŸ”„Free Sauce, Address JiggingšŸ”„
Address jigging, primarily used by sneaker botters, is in my experience, an effective way of bypassing address checks by AI system. Remember weā€™re bypassing AI systems, they might be smart but theyā€™re not infallible, and one prominent weakness of these AI systems is they have no imagination, and this is the part we exploit to get our orders through. šŸŽÆ
Address jigging involves intentionally changing your delivery address just enough for it to be different, but not too much for your items to not get delivered.

1. 4 Letter Jig: Add four random letters in front of your address. The AI might see it differently, but your UPS driver won't notice. Profit.

2. Abbreviation Game: Swap street or road with abbreviations. It may not fool strict sites, but it works from time to time.
3. Apartment/Floor Twist: If you're not in an apartment, throw in "APT" to signal a change to the antifraud system. The courier won't care. Gold.
4. On/At Jig: Stick "on" or "at" to your street number. Messes with the AI systems, and you're good to go.




šŸ“šUnderstand your enemy

Congratulations, youā€™ve gotten this far, I wish youā€™ve taken all Iā€™ve laid out here to heart, but thereā€™s a crucial missing piece of the puzzle you must understand that should premise all your carding sessions: you must understand your enemy. Each website is different, they have different checkout flows, different antifraud systems, and different rigidity in how they employ their antifraud. Itā€™s not just about success; itā€™s about consistent successā€”and knowing your enemy fully-well guarantees this.

šŸŒ One way you can go about this is by checking the HTTP console and looking for clues as to what fraud system the website employs:
For example, Farfetch uses Riskified:




šŸ”—You can find the guide on how fraud score is calculated by Riskified here:
https://www.riskified.com/learning/fraud/guide-fraud-score-scoring-models/
https://support.riskified.com/hc/en-us/articles/360012160393-API-Integration-Guide-

šŸ”—You can also sign-up to these services, and test your fingerprint, one good example of this is SEON which allows non-KYC sign ups, though this is only effective if the site youā€™re trying to hit uses SEON:
https://seon.io/try-for-free/


šŸ” Another one is Stripe, which you can sign up and use their Radar service, get a couple orders through and look at how they assess your sessions:



Once youā€™ve signed up for these sites you can use your API keys to approve ā€˜pretend ordersā€™ as 3DS validated making sure the system trusts you enough so that when you go for the kill you get away with it flawlessly.

šŸ¤Understood. Iā€™ve increased my fraud IQ, but why are you giving these away for free?
I think we should all work together for the improvement of the industry as a whole and not look at each other as competitors in the space.
The more we share knowledge with each other, the better we all get, the better money there is to be made for each of us. This is a three part series exclusive to CrdPro, and I will be posting the next installation (cashing out) perhaps next week. See you then! šŸš€

USEFUL LINKS:
Best Residential Proxy Right Now: https://www.922proxy.com/
Best Checker That Doesn't Kill Cards (4Check):
https://shorturl.at/FG456
Seon Fraud Score Check:
https://seon.io/fraud-detection-services/ip-lookup-service-api/

Email Flooder:
t.me/devil_flood_bot


Great piece you shared with us her. Greatly appreciated. I learned a lot. Thank you very much.
 

legado

Carding Novice
Joined
06.08.24
Messages
1
Reaction score
0
Points
1
I believe that the more transparency a marketplace and its sellers provide to buyers, the better the results will be. A marketplace can quickly lose its reputation if sellers offer poor-quality products. However, this dynamic shifts when buyers are allowed to leave reviews or ratings. This system encourages repeat customers and pushes sellers to consistently deliver higher-quality products, building loyalty not only to the seller but also to the marketplace itself.

Finding trustworthy sellers in these markets can be difficult, but concepts like Saint Partick and BidenCash offer great examples of how to create a reliable and transparent environment for both buyers and sellers.

Iā€™m not endorsing these sites, but simply commenting on the favorable concept they represent, for us all.
 

rapidin1

Active Carder
Joined
30.10.24
Messages
35
Reaction score
1
Points
8

šŸ•µļøā€ā™‚ļø A CrdPro Exclusive: How To Bypass Modern AI Anti-Fraud Systems šŸ›”ļø


Ever wondered how you could have what is arguably the most flawless setup (high balance card, proper BIN, clean same city socks) imaginable on the cyberspace and still not get a good hit while carding something online? Ever wondered why Stripe keeps refusing your ā€˜high-balanceā€™ card even for a low amount? Or why even a cheap order on Shopify gets cancelled due to ā€˜unforeseen circumstancesā€™? šŸ¤”




šŸ›‘ The answer is quite simple: AI Anti-Fraud Systems. And today weā€™re tackling this concept that is foreign to noobs, but seasoned carders are all too familiar with. Understanding it essentially guarantees a shipment notification in your email, and not an order cancellation notice.

šŸ” What are modern anti-fraud systems?

Antifraud systems are essentially gates and hoops you have to bypass (besides the bank) in order for your order to get successfully processed. The systems decide whether to force you to go through 3DS, or not. The companies who run these include, but not limited to:

Stripe Radar
Signifyd
Riskified
Accertify
Forter
SEON




šŸ’” Who came up with this shit?


While large websites like Amazon, Walmart, etc roll their own, corporate assholes figured out that thereā€™s money to be made in stopping script kiddies from copy pasting free CCs from Telegram and getting their iPhone 15 Pro Maxes next day. Somehow they had the brilliant idea of offering fraud prevention as a service (SaaS). Their pitch to business owners was simple: You install our javascript on your website and we watch over everyone whoā€™s trying to make an order from your store, we get to decide whether an order is approved or not. All orders we process we take a % cut. If we approve an order and it turns out to be fraudulent and the cardholder charges back, we compensate you 100% for your loss.

This is probably one of the most profitable venture ever created, just a little bit below a casino. Think about it: Not only are there statistically a minuscule percentage of fraudulent orders compared to legitimate ones, an overwhelming majority of carders doing fraud areā€”lets admit itā€”noobs and are very easy to detect. If youā€™re one, then keep reading as this is perfect for you.


šŸ”’ But what makes them different?

Two words: data & AI. Modern antifraud systems became much more effective since they are equipped with more dataā€”since hundreds/thousands of businesses use them, they are effectively collecting order data from thousands of shopping websitesā€”and this in turn results in far more superior AI decision making. These systems asses your risk in a point-system where each hit or risky aspect of your purchase adds to your overall ā€˜risk scoreā€™. Their software are actually much easier to deploy, giving the business owner the peace of mind that there will be minimal chargebacks on their shopping site, and if ever there were, they are covered and compensated by the antifraudā€™s guarantee system.



šŸ˜Ž At the heart of this is the tradeoff between true positives and false positives. An antifraud system that is too strict will block MOST of the fraudulent orders while at the same time blocking a huge portion of false positives (legitimate purchases). This is bad for the shop-owner, as often times their loss from blocked legitimate purchases are higher than the actual possibility of loss from fraudulent purchases; not to mention it damages their reputation whenever a legitimate customer attempts to purchase and is suddenly blocked without doing anything wrong. The job of the fraud detection companies is to fine-tune their AI and balance true positives to false positives.

And they need to make it as seamless as possible. A shopping owner nowadays wouldnā€™t have to hassle themselves in deciding if they should ship a shiny new PS5 to Brandon from Portland; the AI had already decided to reject the transaction because it has data that someone from the same delivery address charged-back a dildo purchase from six months ago. And if youā€™re shipping to a freight forwarder, good luck, because there are probably countless dildos already fraudulently purchased to that warehouseā€™s address. šŸ˜…

šŸ’» Ok I get it, Iā€™m fucked, how can I be not fucked?



Before you can start mowing down the shopping sites with your 517805s and 518698s you first need to understand what data during shopping is taken, how it is processed, and how huge of a factor each data plays in the AIā€™s decisions making process.


šŸŒ Common misconception regarding your IP address.



Back in the days you just needed choose a proxy in the same city/state as the billing of the card and youā€™re good to go. Go make a quick search on the forums for guides, and thatā€™s pretty much what everyone tells you: same IP city or state of the billing, and voila, your order goes from processing to preparing for shipment. That couldnā€™t bw further from truth nowadays. While proximity of your IP is a factor to the systemā€™s decision making, it isnā€™t the ONLY factor, nor is it the most important one.

The opposite is also true: if same city/state to cardholderā€™s billing is the most important deciding factor, why is it that your relatives, who orders online from anywhere else in the country still get their orders processed? Why is it that your Uncle, whoā€™s taking a vacation thousands of miles away from his billing address is still having no troubles getting his legitimate orders through?

šŸ“Š
IP quality > IP proximity. When deciding regarding your IP address, IP quality is a far more important factor than proximity. You could be using an IP on the same street as the billing details of your card, but if it was ran over a thousand times already by other cards your order will simply not push through.


Some websites that offer IP health checks include:

Scamalytics https://scamalytics.com/ip
Seon (this is good if youā€™re trying to hit a site that uses SEON to block fraud, as you get a picture of how the service looks at your IP) https://seon.io/resources/ip-fraud-score/
IPscore.IO https://ipscore.io/


These help with assessing your IPā€™s health, but it doesnā€™t paint the entire picture. Consider the recent IP address somebody used that scored extremely low on all these services. It passed through these tests with flying colors yet it failed Stripeā€™s Radar for mere $45 purchase:



šŸ”Why? Letā€™s take a look at Stripeā€™s AI decision-making:




Notice the ā€˜Previous disputes from IPā€™, ā€˜Authorization rateā€™, and ā€˜Number of cards previously associated withā€™?
While the IP health services sees the IP as clean, itā€™s obvious it has been ran over hundreds of times in the past hence the transaction failed.


šŸ’”But if I had no way of reliably knowing if the IP is clean or not, how can I pick which one?

You can increase your chance tremendously by combining the data you have: first the cleanliness of the IP on these tools, and the source youā€™re getting the IPs from. Making sure your IPs are actually squeaky clean is also a multi-step process:

1. First thing you need to make sure is that youā€™re getting either residential IPs, or 4G LTE IPs.
Some ISPs offer IP blocks to companies who host proxies on their own servers, while these proxies are FAST, they are considered ā€˜RISKYā€™ by fraud AIs as thereā€™s really a low chance an actual consumer will be using an IP from a company server. Steer clear of them and just use residential IP proxies.

2. Make sure the Socks/Proxy provider doesnā€™t primarily cater to carders/fraud audience
One extra tip is to go through each provider & know who they are primarily catering to. A company that is primarily offering its proxies to fraudsters give you a lower chance of success as its pool is most likely tainted by its own customers.

For example: while combing through CardProā€™s Proxy Section and picking a part each company offering their services, I can confidently say that ALL of them primarily cater to marketers, so their IPs pools are most likely CLEAN than random services online who source their IPs with malware-infected hosts.


3. The bigger the provider pool, the better
A proxy platform that offers a huge pool, sometimes upwards of millions, tend to increase your chances of success simply because any IP yo get will have a lower chance of having been used in the past by another fraudster. This effectively bypasses the pitfalls that happened to the Stripe transaction above.



Best Residential Proxy Right Now: https://www.922proxy.com/

šŸ”„MY EXTRA SECRET SAUCE REGARDING IPs FOR FREEšŸ”„
If you want the best of the best, cleanest IP address you can find, then get an Apple device and use their iCloud Private Relay VPN:





Not only does it help you with privacy, Antifraud checker systems are forced to give a low fraud rating to IPs in Appleā€™s pool, simply because they are shared by all Apple users who uses Safari, and punishing any IP inside the pool will cause legitimate Apple device customers who uses the services to get hit too, causing legitimate purchases to get cancelled. Abuse this while Apple is forcing these privacy-breaking companiesā€™ hands.

https://news.ycombinator.com/item?id=27760391



šŸ•µļøā€ā™‚ļø Now, shifting gears from picking the right IPs, let's talk about another crucial detail : your browser fingerprint. It's like your browser's unique ID card on the internet and it's as vital as choosing the right IP.
Picture this: you've nailed the IP game, but forget about your browser fingerprint, and you might as well be wearing a neon ā€˜fraudsterā€™ sign online.
Surprisingly, a lot of newcomers in the carding scene fumble on this step, and that's where things can go south real quick.



šŸ”What is a browser fingerprint?

Your browser fingerprint is like your browser's secret recipe ā€“ a unique mix that makes it stand out online. When you visit a website, your browser spills the beans, sharing info like its version, type, operating system, screen resolution, plugins, fonts, time zone, language preferences ā€“ the works. And thanks to JavaScript, websites can even unearth more details about your browser's capabilities and device features. So, as you move through the internet, your browser unwittingly reveals its detailsā€”even your fucking battery percentage!ā€”basically broadcasting your digital identity to the websitesā€™ servers and antifraud mechanisms.




Companies collect millions of these fingerprints, as left by their users. By piecing together these fingerprints, they create a coherent picture of visitors without them even realizing it. It's like assembling a puzzle of online habits, preferences, and activities to get to know users on a more detailed level. By analyzing patterns and details, these systems can effectively assess whether a person has engaged in fraud in the past, linking their current browser & sessions with previous order sessions. Inversely, they can piece together that your current session does not fall in line with the cardholderā€™s sessions, ultimately resulting in declined/cancelled orders.





So, here's the deal with browser fingerprints: some folks think they should be like the James Bond of the internet ā€“ all unique and untraceable. But here's the twist ā€“ that's not the right move with fingerprints. Unlike IP addresses where you're after the squeakiest clean, with browser fingerprints, you're aiming for the dirtiest, most common fingerprint possible, as this allows you to blend in the crowd like any normal person would!

šŸŒAntidetect Browsers

Enter antidetect browsers ā€“ these are like your secret weapon. They're special browsers designed to make you blend in even more and throw off those pesky JavaScript trackers by antifraud systems. They let you tweak things like your user agent, disable browser plugins, and mess with cookie settings. The goal? To make your online fingerprint look so generic that it's hard to pick you out from the crowd. Plus, they help prevent trackers from linking your different online sessions on the same device. Some of these include:

CheBrowser
Linken Sphere
Multilogin

Kameleo
GoLogin

Incogniton

These browsers are primarily used by internet marketers and botters who snag the next Nike release, and for a monthly price they pretty much do all the heavy lifting in making sure each session is different from the other, while at the same time maintaining a ā€˜genericnessā€™ to it that makes you mix perfectly with the crowd.

Each browsers have their strengths and weaknesses, so try as many as you can and decide which works perfectly for your workflow. Just make sure you remember what I said: your goal with these browsers is to be as ā€˜non-uniqueā€™ as possible!


šŸ”„MY EXTRA SECRET SAUCE REGARDING Anti-detect/Browser FingerprintsšŸ”„
Hereā€™s another free sauce that will surely help your workflow. Did you know most Safari browsers on iOS have similar fingerprints? And here's the kicker ā€“ even iOS apps can't track your device 'hardware id' between resets.
So reset your iPhone, install the Surge App on the App Store, connect to your proxy and change your timezone: bam! you have the most perfect piece of anti detect software there is. Thereā€™s a reason why expert carders showing off their orders being shipped all take screenshots with their iPhones: it is simply the best tool to get the job done.

šŸ›’Browsing Patterns


Another huge part of the order flow that raises a red flag and increases your ā€˜risk scoreā€™ to the eyes of AI systems is your browsing pattern. Think about it: what kind of animal of a person would go to a shopping site, pick an expensive item within a span of a couple of seconds, checkout by pasting their credit card info, and keep refreshing the order status page every couple of minutes? Thatā€™s right, a CARDER.

Humans are creatures of habit, and these antifraud companies know this: thatā€™s why their systems are geared towards statistically comparing patterns of legitimate buyers to fraudsters, and using the recognized pattern to make decisions whether to approve orders or not. This is all done through the magic of modern Javascript, where all your cursor movements, clicks, scrolls, keystrokes, pastes, etc are recorded to perfection. Seriously check out the console for how many data goes to Stripe upon loading the page:





These data (117 requests) were gathered within a couple of seconds of loading the page. A single click creates a request to Stripeā€™s Radar servers letting them know that you clicked here and there. Now imagine this sort of thing being embedded in ALL of the pages in the shopping website. Yes, clicking the first expensive thing you see and going through the checkout page like a madman with a bunch of cards will surely get your session fucked.


šŸ”„ So how do I bypass this? Pretend like an 80-year old lady from Arkansas?

Perhaps you could, most antifraud pattern matching systemsā€”except Amazon, because Amazon is retardedā€”in my experience gives enough leeway for a purchaser even if the activity patterns donā€™t really match. Spend a couple of minutes here and there, pretend youā€™re having second-thoughts about your purchase, be finicky, scroll and check other products, just wander around a bit before going for the kill.

Again, always think about the diagram I showed you earlier: these systems want to be strict and catch noob carders, but they DONT WANT TO BE TOO STRICT and block legitimate purchases and hurt their clientā€™s bottomline.


šŸ”„MY EXTRA SECRET SAUCE REGARDING Shopping PatternsšŸ”„
(Donā€™t worry, this doesnā€™t require Apple devices anymore.) šŸ˜…
One extra-spicy method that weā€™ve been using all these years in order to bypass fraud checks, and this is especially effective for digital items is split in three steps:

1. Make sure the website accepts signup/checkout with ANY email without any form of email verification. If youā€™re purchasing a gift card, make sure that the gift card gets sent to an email of your choosing, or stored in the order history page that is completely accessible to you without OTP being sent to the person who ordered.

2. Checkout using the cardholderā€™s own email. Weird right? Well when you use the cardholderā€™s email, which the cardholder has most likely have a positive history of legitimate orders from, youā€™re pretty much guaranteeing the order will go through!

3. Use email spam services and spam the email right after the purchase was done. This guarantees the email from the shopping website doesnā€™t get read by the account holder, or the gift cards/digital goodies you purchased gets to him. There are plenty of email spam services out there.







šŸ”„Another Spicy Sauce is using Ad Blockers like uBlock OriginšŸ”„
Remember the concept of blending in the crowd? This also applies to shopping patterns: AdBlockers block scripts that track a users movement in the site, effectively making the AI blind to any of your actions; while you may think this will make the AI suspicious and outright block you it will surely wonā€™t because millions of people use ad-blocks, and by using one youā€™re effectively blending in with millions of people whoā€™s activity inside the shop the AI cannot track. This works so good on some site I used to actually charge people to help them order stuff while using this. And now Iā€™m giving it to you for free.



šŸ Address


Now, let's talk about the last leg of our journey ā€“ the delivery address. Honestly, it's a critical part of the whole order thing and can either make it or break it. Some big-shot shopping sites like Amazon and Walmart might cut you some slack when it comes to the delivery address, but others, like Forter, Signifyd, Riskified, play hardball and shut down transactions to addresses with a history of fraudulent orders.

Now, you could try these residential drop services floating around the forums and Telegram, but they're a bit like playing roulette ā€“ unpredictable and often risky. They might even rat you out, and worst-case scenario, your stuff could get swiped. Another option is hopping on services like Reship, Shipito, etc., but let's be real ā€“ those addresses have been raped by molested by carders since time immemorial, not to mention they tend to suddenly require complicated KYC processes once they catch a whiff of carded items. So how do we reliably deal with this? Enter my free sauce for you miscreants:


šŸ”„Free Sauce, Address JiggingšŸ”„
Address jigging, primarily used by sneaker botters, is in my experience, an effective way of bypassing address checks by AI system. Remember weā€™re bypassing AI systems, they might be smart but theyā€™re not infallible, and one prominent weakness of these AI systems is they have no imagination, and this is the part we exploit to get our orders through. šŸŽÆ
Address jigging involves intentionally changing your delivery address just enough for it to be different, but not too much for your items to not get delivered.

1. 4 Letter Jig: Add four random letters in front of your address. The AI might see it differently, but your UPS driver won't notice. Profit.

2. Abbreviation Game: Swap street or road with abbreviations. It may not fool strict sites, but it works from time to time.
3. Apartment/Floor Twist: If you're not in an apartment, throw in "APT" to signal a change to the antifraud system. The courier won't care. Gold.
4. On/At Jig: Stick "on" or "at" to your street number. Messes with the AI systems, and you're good to go.




šŸ“šUnderstand your enemy

Congratulations, youā€™ve gotten this far, I wish youā€™ve taken all Iā€™ve laid out here to heart, but thereā€™s a crucial missing piece of the puzzle you must understand that should premise all your carding sessions: you must understand your enemy. Each website is different, they have different checkout flows, different antifraud systems, and different rigidity in how they employ their antifraud. Itā€™s not just about success; itā€™s about consistent successā€”and knowing your enemy fully-well guarantees this.

šŸŒ One way you can go about this is by checking the HTTP console and looking for clues as to what fraud system the website employs:
For example, Farfetch uses Riskified:




šŸ”—You can find the guide on how fraud score is calculated by Riskified here:
https://www.riskified.com/learning/fraud/guide-fraud-score-scoring-models/
https://support.riskified.com/hc/en-us/articles/360012160393-API-Integration-Guide-

šŸ”—You can also sign-up to these services, and test your fingerprint, one good example of this is SEON which allows non-KYC sign ups, though this is only effective if the site youā€™re trying to hit uses SEON:
https://seon.io/try-for-free/


šŸ” Another one is Stripe, which you can sign up and use their Radar service, get a couple orders through and look at how they assess your sessions:



Once youā€™ve signed up for these sites you can use your API keys to approve ā€˜pretend ordersā€™ as 3DS validated making sure the system trusts you enough so that when you go for the kill you get away with it flawlessly.

šŸ¤Understood. Iā€™ve increased my fraud IQ, but why are you giving these away for free?
I think we should all work together for the improvement of the industry as a whole and not look at each other as competitors in the space.
The more we share knowledge with each other, the better we all get, the better money there is to be made for each of us. This is a three part series exclusive to CrdPro, and I will be posting the next installation (cashing out) perhaps next week. See you then! šŸš€

USEFUL LINKS:
Best Residential Proxy Right Now: https://www.922proxy.com/
Best Checker That Doesn't Kill Cards (4Check):
https://shorturl.at/FG456
Seon Fraud Score Check:
https://seon.io/fraud-detection-services/ip-lookup-service-api/

Email Flooder:
t.me/devil_flood_bot

thank you so much
 

gstarrwa

Carding Novice
Joined
25.10.24
Messages
11
Reaction score
1
Points
1
Thank u for taking the time out your day to write these helpful guides for new carders. You're the fookin G.O.A.T šŸ Much appreciated d0c
 

calicoxhx

Elite
Joined
09.02.24
Messages
7
Reaction score
1
Points
3
šŸ¤Æ muy completo šŸ¤Æ impresionante muchas. dudas aclaradas muchas gracias!! sin miedo al exito!
 

giogebz

Carding Novice
Joined
13.11.24
Messages
8
Reaction score
0
Points
1
I have never seen anyone on any forum putting so much effort into sharing such quality knowledge. Truly a pro, Bravo!
 

guiyrtfrrshtgsr5h2234

Carding Novice
Joined
16.10.24
Messages
9
Reaction score
0
Points
1

šŸ•µļøā€ā™‚ļø A CrdPro Exclusive: How To Bypass Modern AI Anti-Fraud Systems šŸ›”ļø


Ever wondered how you could have what is arguably the most flawless setup (high balance card, proper BIN, clean same city socks) imaginable on the cyberspace and still not get a good hit while carding something online? Ever wondered why Stripe keeps refusing your ā€˜high-balanceā€™ card even for a low amount? Or why even a cheap order on Shopify gets cancelled due to ā€˜unforeseen circumstancesā€™? šŸ¤”




šŸ›‘ The answer is quite simple: AI Anti-Fraud Systems. And today weā€™re tackling this concept that is foreign to noobs, but seasoned carders are all too familiar with. Understanding it essentially guarantees a shipment notification in your email, and not an order cancellation notice.

šŸ” What are modern anti-fraud systems?

Antifraud systems are essentially gates and hoops you have to bypass (besides the bank) in order for your order to get successfully processed. The systems decide whether to force you to go through 3DS, or not. The companies who run these include, but not limited to:

Stripe Radar
Signifyd
Riskified
Accertify
Forter
SEON




šŸ’” Who came up with this shit?


While large websites like Amazon, Walmart, etc roll their own, corporate assholes figured out that thereā€™s money to be made in stopping script kiddies from copy pasting free CCs from Telegram and getting their iPhone 15 Pro Maxes next day. Somehow they had the brilliant idea of offering fraud prevention as a service (SaaS). Their pitch to business owners was simple: You install our javascript on your website and we watch over everyone whoā€™s trying to make an order from your store, we get to decide whether an order is approved or not. All orders we process we take a % cut. If we approve an order and it turns out to be fraudulent and the cardholder charges back, we compensate you 100% for your loss.

This is probably one of the most profitable venture ever created, just a little bit below a casino. Think about it: Not only are there statistically a minuscule percentage of fraudulent orders compared to legitimate ones, an overwhelming majority of carders doing fraud areā€”lets admit itā€”noobs and are very easy to detect. If youā€™re one, then keep reading as this is perfect for you.


šŸ”’ But what makes them different?

Two words: data & AI. Modern antifraud systems became much more effective since they are equipped with more dataā€”since hundreds/thousands of businesses use them, they are effectively collecting order data from thousands of shopping websitesā€”and this in turn results in far more superior AI decision making. These systems asses your risk in a point-system where each hit or risky aspect of your purchase adds to your overall ā€˜risk scoreā€™. Their software are actually much easier to deploy, giving the business owner the peace of mind that there will be minimal chargebacks on their shopping site, and if ever there were, they are covered and compensated by the antifraudā€™s guarantee system.



šŸ˜Ž At the heart of this is the tradeoff between true positives and false positives. An antifraud system that is too strict will block MOST of the fraudulent orders while at the same time blocking a huge portion of false positives (legitimate purchases). This is bad for the shop-owner, as often times their loss from blocked legitimate purchases are higher than the actual possibility of loss from fraudulent purchases; not to mention it damages their reputation whenever a legitimate customer attempts to purchase and is suddenly blocked without doing anything wrong. The job of the fraud detection companies is to fine-tune their AI and balance true positives to false positives.

And they need to make it as seamless as possible. A shopping owner nowadays wouldnā€™t have to hassle themselves in deciding if they should ship a shiny new PS5 to Brandon from Portland; the AI had already decided to reject the transaction because it has data that someone from the same delivery address charged-back a dildo purchase from six months ago. And if youā€™re shipping to a freight forwarder, good luck, because there are probably countless dildos already fraudulently purchased to that warehouseā€™s address. šŸ˜…

šŸ’» Ok I get it, Iā€™m fucked, how can I be not fucked?



Before you can start mowing down the shopping sites with your 517805s and 518698s you first need to understand what data during shopping is taken, how it is processed, and how huge of a factor each data plays in the AIā€™s decisions making process.


šŸŒ Common misconception regarding your IP address.



Back in the days you just needed choose a proxy in the same city/state as the billing of the card and youā€™re good to go. Go make a quick search on the forums for guides, and thatā€™s pretty much what everyone tells you: same IP city or state of the billing, and voila, your order goes from processing to preparing for shipment. That couldnā€™t bw further from truth nowadays. While proximity of your IP is a factor to the systemā€™s decision making, it isnā€™t the ONLY factor, nor is it the most important one.

The opposite is also true: if same city/state to cardholderā€™s billing is the most important deciding factor, why is it that your relatives, who orders online from anywhere else in the country still get their orders processed? Why is it that your Uncle, whoā€™s taking a vacation thousands of miles away from his billing address is still having no troubles getting his legitimate orders through?

šŸ“Š
IP quality > IP proximity. When deciding regarding your IP address, IP quality is a far more important factor than proximity. You could be using an IP on the same street as the billing details of your card, but if it was ran over a thousand times already by other cards your order will simply not push through.


Some websites that offer IP health checks include:

Scamalytics https://scamalytics.com/ip
Seon (this is good if youā€™re trying to hit a site that uses SEON to block fraud, as you get a picture of how the service looks at your IP) https://seon.io/resources/ip-fraud-score/
IPscore.IO https://ipscore.io/


These help with assessing your IPā€™s health, but it doesnā€™t paint the entire picture. Consider the recent IP address somebody used that scored extremely low on all these services. It passed through these tests with flying colors yet it failed Stripeā€™s Radar for mere $45 purchase:



šŸ”Why? Letā€™s take a look at Stripeā€™s AI decision-making:




Notice the ā€˜Previous disputes from IPā€™, ā€˜Authorization rateā€™, and ā€˜Number of cards previously associated withā€™?
While the IP health services sees the IP as clean, itā€™s obvious it has been ran over hundreds of times in the past hence the transaction failed.


šŸ’”But if I had no way of reliably knowing if the IP is clean or not, how can I pick which one?

You can increase your chance tremendously by combining the data you have: first the cleanliness of the IP on these tools, and the source youā€™re getting the IPs from. Making sure your IPs are actually squeaky clean is also a multi-step process:

1. First thing you need to make sure is that youā€™re getting either residential IPs, or 4G LTE IPs.
Some ISPs offer IP blocks to companies who host proxies on their own servers, while these proxies are FAST, they are considered ā€˜RISKYā€™ by fraud AIs as thereā€™s really a low chance an actual consumer will be using an IP from a company server. Steer clear of them and just use residential IP proxies.

2. Make sure the Socks/Proxy provider doesnā€™t primarily cater to carders/fraud audience
One extra tip is to go through each provider & know who they are primarily catering to. A company that is primarily offering its proxies to fraudsters give you a lower chance of success as its pool is most likely tainted by its own customers.

For example: while combing through CardProā€™s Proxy Section and picking a part each company offering their services, I can confidently say that ALL of them primarily cater to marketers, so their IPs pools are most likely CLEAN than random services online who source their IPs with malware-infected hosts.


3. The bigger the provider pool, the better
A proxy platform that offers a huge pool, sometimes upwards of millions, tend to increase your chances of success simply because any IP yo get will have a lower chance of having been used in the past by another fraudster. This effectively bypasses the pitfalls that happened to the Stripe transaction above.



Best Residential Proxy Right Now: https://www.922proxy.com/

šŸ”„MY EXTRA SECRET SAUCE REGARDING IPs FOR FREEšŸ”„
If you want the best of the best, cleanest IP address you can find, then get an Apple device and use their iCloud Private Relay VPN:





Not only does it help you with privacy, Antifraud checker systems are forced to give a low fraud rating to IPs in Appleā€™s pool, simply because they are shared by all Apple users who uses Safari, and punishing any IP inside the pool will cause legitimate Apple device customers who uses the services to get hit too, causing legitimate purchases to get cancelled. Abuse this while Apple is forcing these privacy-breaking companiesā€™ hands.

https://news.ycombinator.com/item?id=27760391



šŸ•µļøā€ā™‚ļø Now, shifting gears from picking the right IPs, let's talk about another crucial detail : your browser fingerprint. It's like your browser's unique ID card on the internet and it's as vital as choosing the right IP.
Picture this: you've nailed the IP game, but forget about your browser fingerprint, and you might as well be wearing a neon ā€˜fraudsterā€™ sign online.
Surprisingly, a lot of newcomers in the carding scene fumble on this step, and that's where things can go south real quick.



šŸ”What is a browser fingerprint?

Your browser fingerprint is like your browser's secret recipe ā€“ a unique mix that makes it stand out online. When you visit a website, your browser spills the beans, sharing info like its version, type, operating system, screen resolution, plugins, fonts, time zone, language preferences ā€“ the works. And thanks to JavaScript, websites can even unearth more details about your browser's capabilities and device features. So, as you move through the internet, your browser unwittingly reveals its detailsā€”even your fucking battery percentage!ā€”basically broadcasting your digital identity to the websitesā€™ servers and antifraud mechanisms.




Companies collect millions of these fingerprints, as left by their users. By piecing together these fingerprints, they create a coherent picture of visitors without them even realizing it. It's like assembling a puzzle of online habits, preferences, and activities to get to know users on a more detailed level. By analyzing patterns and details, these systems can effectively assess whether a person has engaged in fraud in the past, linking their current browser & sessions with previous order sessions. Inversely, they can piece together that your current session does not fall in line with the cardholderā€™s sessions, ultimately resulting in declined/cancelled orders.





So, here's the deal with browser fingerprints: some folks think they should be like the James Bond of the internet ā€“ all unique and untraceable. But here's the twist ā€“ that's not the right move with fingerprints. Unlike IP addresses where you're after the squeakiest clean, with browser fingerprints, you're aiming for the dirtiest, most common fingerprint possible, as this allows you to blend in the crowd like any normal person would!

šŸŒAntidetect Browsers

Enter antidetect browsers ā€“ these are like your secret weapon. They're special browsers designed to make you blend in even more and throw off those pesky JavaScript trackers by antifraud systems. They let you tweak things like your user agent, disable browser plugins, and mess with cookie settings. The goal? To make your online fingerprint look so generic that it's hard to pick you out from the crowd. Plus, they help prevent trackers from linking your different online sessions on the same device. Some of these include:

CheBrowser
Linken Sphere
Multilogin

Kameleo
GoLogin

Incogniton

These browsers are primarily used by internet marketers and botters who snag the next Nike release, and for a monthly price they pretty much do all the heavy lifting in making sure each session is different from the other, while at the same time maintaining a ā€˜genericnessā€™ to it that makes you mix perfectly with the crowd.

Each browsers have their strengths and weaknesses, so try as many as you can and decide which works perfectly for your workflow. Just make sure you remember what I said: your goal with these browsers is to be as ā€˜non-uniqueā€™ as possible!


šŸ”„MY EXTRA SECRET SAUCE REGARDING Anti-detect/Browser FingerprintsšŸ”„
Hereā€™s another free sauce that will surely help your workflow. Did you know most Safari browsers on iOS have similar fingerprints? And here's the kicker ā€“ even iOS apps can't track your device 'hardware id' between resets.
So reset your iPhone, install the Surge App on the App Store, connect to your proxy and change your timezone: bam! you have the most perfect piece of anti detect software there is. Thereā€™s a reason why expert carders showing off their orders being shipped all take screenshots with their iPhones: it is simply the best tool to get the job done.

šŸ›’Browsing Patterns


Another huge part of the order flow that raises a red flag and increases your ā€˜risk scoreā€™ to the eyes of AI systems is your browsing pattern. Think about it: what kind of animal of a person would go to a shopping site, pick an expensive item within a span of a couple of seconds, checkout by pasting their credit card info, and keep refreshing the order status page every couple of minutes? Thatā€™s right, a CARDER.

Humans are creatures of habit, and these antifraud companies know this: thatā€™s why their systems are geared towards statistically comparing patterns of legitimate buyers to fraudsters, and using the recognized pattern to make decisions whether to approve orders or not. This is all done through the magic of modern Javascript, where all your cursor movements, clicks, scrolls, keystrokes, pastes, etc are recorded to perfection. Seriously check out the console for how many data goes to Stripe upon loading the page:





These data (117 requests) were gathered within a couple of seconds of loading the page. A single click creates a request to Stripeā€™s Radar servers letting them know that you clicked here and there. Now imagine this sort of thing being embedded in ALL of the pages in the shopping website. Yes, clicking the first expensive thing you see and going through the checkout page like a madman with a bunch of cards will surely get your session fucked.


šŸ”„ So how do I bypass this? Pretend like an 80-year old lady from Arkansas?

Perhaps you could, most antifraud pattern matching systemsā€”except Amazon, because Amazon is retardedā€”in my experience gives enough leeway for a purchaser even if the activity patterns donā€™t really match. Spend a couple of minutes here and there, pretend youā€™re having second-thoughts about your purchase, be finicky, scroll and check other products, just wander around a bit before going for the kill.

Again, always think about the diagram I showed you earlier: these systems want to be strict and catch noob carders, but they DONT WANT TO BE TOO STRICT and block legitimate purchases and hurt their clientā€™s bottomline.


šŸ”„MY EXTRA SECRET SAUCE REGARDING Shopping PatternsšŸ”„
(Donā€™t worry, this doesnā€™t require Apple devices anymore.) šŸ˜…
One extra-spicy method that weā€™ve been using all these years in order to bypass fraud checks, and this is especially effective for digital items is split in three steps:

1. Make sure the website accepts signup/checkout with ANY email without any form of email verification. If youā€™re purchasing a gift card, make sure that the gift card gets sent to an email of your choosing, or stored in the order history page that is completely accessible to you without OTP being sent to the person who ordered.

2. Checkout using the cardholderā€™s own email. Weird right? Well when you use the cardholderā€™s email, which the cardholder has most likely have a positive history of legitimate orders from, youā€™re pretty much guaranteeing the order will go through!

3. Use email spam services and spam the email right after the purchase was done. This guarantees the email from the shopping website doesnā€™t get read by the account holder, or the gift cards/digital goodies you purchased gets to him. There are plenty of email spam services out there.







šŸ”„Another Spicy Sauce is using Ad Blockers like uBlock OriginšŸ”„
Remember the concept of blending in the crowd? This also applies to shopping patterns: AdBlockers block scripts that track a users movement in the site, effectively making the AI blind to any of your actions; while you may think this will make the AI suspicious and outright block you it will surely wonā€™t because millions of people use ad-blocks, and by using one youā€™re effectively blending in with millions of people whoā€™s activity inside the shop the AI cannot track. This works so good on some site I used to actually charge people to help them order stuff while using this. And now Iā€™m giving it to you for free.



šŸ Address


Now, let's talk about the last leg of our journey ā€“ the delivery address. Honestly, it's a critical part of the whole order thing and can either make it or break it. Some big-shot shopping sites like Amazon and Walmart might cut you some slack when it comes to the delivery address, but others, like Forter, Signifyd, Riskified, play hardball and shut down transactions to addresses with a history of fraudulent orders.

Now, you could try these residential drop services floating around the forums and Telegram, but they're a bit like playing roulette ā€“ unpredictable and often risky. They might even rat you out, and worst-case scenario, your stuff could get swiped. Another option is hopping on services like Reship, Shipito, etc., but let's be real ā€“ those addresses have been raped by molested by carders since time immemorial, not to mention they tend to suddenly require complicated KYC processes once they catch a whiff of carded items. So how do we reliably deal with this? Enter my free sauce for you miscreants:


šŸ”„Free Sauce, Address JiggingšŸ”„
Address jigging, primarily used by sneaker botters, is in my experience, an effective way of bypassing address checks by AI system. Remember weā€™re bypassing AI systems, they might be smart but theyā€™re not infallible, and one prominent weakness of these AI systems is they have no imagination, and this is the part we exploit to get our orders through. šŸŽÆ
Address jigging involves intentionally changing your delivery address just enough for it to be different, but not too much for your items to not get delivered.

1. 4 Letter Jig: Add four random letters in front of your address. The AI might see it differently, but your UPS driver won't notice. Profit.

2. Abbreviation Game: Swap street or road with abbreviations. It may not fool strict sites, but it works from time to time.
3. Apartment/Floor Twist: If you're not in an apartment, throw in "APT" to signal a change to the antifraud system. The courier won't care. Gold.
4. On/At Jig: Stick "on" or "at" to your street number. Messes with the AI systems, and you're good to go.




šŸ“šUnderstand your enemy

Congratulations, youā€™ve gotten this far, I wish youā€™ve taken all Iā€™ve laid out here to heart, but thereā€™s a crucial missing piece of the puzzle you must understand that should premise all your carding sessions: you must understand your enemy. Each website is different, they have different checkout flows, different antifraud systems, and different rigidity in how they employ their antifraud. Itā€™s not just about success; itā€™s about consistent successā€”and knowing your enemy fully-well guarantees this.

šŸŒ One way you can go about this is by checking the HTTP console and looking for clues as to what fraud system the website employs:
For example, Farfetch uses Riskified:




šŸ”—You can find the guide on how fraud score is calculated by Riskified here:
https://www.riskified.com/learning/fraud/guide-fraud-score-scoring-models/
https://support.riskified.com/hc/en-us/articles/360012160393-API-Integration-Guide-

šŸ”—You can also sign-up to these services, and test your fingerprint, one good example of this is SEON which allows non-KYC sign ups, though this is only effective if the site youā€™re trying to hit uses SEON:
https://seon.io/try-for-free/


šŸ” Another one is Stripe, which you can sign up and use their Radar service, get a couple orders through and look at how they assess your sessions:



Once youā€™ve signed up for these sites you can use your API keys to approve ā€˜pretend ordersā€™ as 3DS validated making sure the system trusts you enough so that when you go for the kill you get away with it flawlessly.

šŸ¤Understood. Iā€™ve increased my fraud IQ, but why are you giving these away for free?
I think we should all work together for the improvement of the industry as a whole and not look at each other as competitors in the space.
The more we share knowledge with each other, the better we all get, the better money there is to be made for each of us. This is a three part series exclusive to CrdPro, and I will be posting the next installation (cashing out) perhaps next week. See you then! šŸš€

USEFUL LINKS:
Best Residential Proxy Right Now: https://www.922proxy.com/
Best Checker That Doesn't Kill Cards (4Check):
https://shorturl.at/FG456
Seon Fraud Score Check:
https://seon.io/fraud-detection-services/ip-lookup-service-api/

Email Flooder:
t.me/devil_flood_bot

what do you think of the use of a macOS VM and the safari web-browser, when it comes to bypassing "Modern AI Fraud-Systems", would it decrease fraud-score, do websites trust macOS, and its system's more than other known OS, let me know what you think.
 
Top Bottom