
Carding Debunking a Huge Myth: “Carding is dead”



Abraham_Lincoln

Senior Fraud Engineer
Elite
Premium
Joined
13.07.22
Messages
468
Reaction score
12,474
Points
93
I remember back in 2020 a lot of Sunday-afternoon carders, after 6 beers and after grabbing a free CVV giveaway on a thread with 1 billion reads, were saying:
"Carding is dead! It was easier back in 2019... Now with the OTP and the new VBV system it's blah blah blah," and just sitting on the couch yapping and capping after trying to card with a giveaway CVV. One hit failure and he gets to explain why carding is dead.

A Sunday-afternoon hacker would complain: "Yeah, now they don't even store the cards in the SQL DB, what is the point of hacking?"

This poor mental attitude has always been the biggest brake for beginners. The best way to succeed is by learning, then trial and error, and finding your unique way of carding or hacking.

In 2021 the same thing was being said by the same people; 2022, same story; 2023, same story; 2024, same story.
Now we are in 2025 and some lazy people are still finding reasons not to try again with more experience from past failures.

In a year we have 365 days and there are 24 hours in a day.

It takes 1 hour to prepare, execute and profit from a carding operation if you have the right amount of right knowledge.

While these people were complaining, some people got iPhones delivered and sold them, and others carded hotels and penthouses for months each summer, while the Sunday-afternoon carders were still complaining.

Like any other line of work, carding is not easy and comes with a fair amount of difficulty compensated by the relatively big financial rewards.

For those who can read between the lines here is a recent story for you:
A top watch e-shop was hacked to include malicious scripts that stole credit card and customer information between January 14 and 24, 2025.

Any customers who made purchases between those dates may have had their personal details and credit card data stolen by hackers.

The incident was discovered by JSCrambler, who notified the site on January 28. The malicious script was removed from the site within 24 hours.

JSCrambler says the attack leveraged Magento vulnerabilities and also targeted 17 other websites. The other companies' names are being withheld as the researchers work with the affected sites to remove the infections.
Skimmer Payload Source Code :

Operation details

From a technical perspective, the attack uses a simple first-stage skimmer planted on the website, which dynamically fetches the second-stage skimmer from a bulletproof hosting provider (ru-jsciot).

The second stage is obfuscated using custom encoding and XOR-based string concealing to evade detection.

Once the victim added items to their virtual cart, the skimmer loaded a fake checkout form instead of directing them to the actual checkout page, as most skimmers do.
Fake checkout form (3 steps)

The form wasn't designed to match the site's overall website theme, and it won't trigger if "buy now" is clicked, indicating a lack of sophistication in the attack.

The malicious form is designed to steal the customer's sensitive data, including billing address, email address, phone number, credit card holder's name, credit card number, credit card expiration date, and credit card CVV code.

After entering all details, the victim is presented with a bogus error and then redirected to the site’s legitimate checkout page to complete their order as usual.

The stolen data is AES-256-CBC encrypted and exfiltrated to the attacker's server, which, in all of the observed cases, was a X IP address.

(Decrypted) sample of the exfiltrated data

JSCrambler comments that Casio had Content Security Policy (CSP) protections in place, which should restrict malicious script execution on the website, but it was configured too loosely.

"The site had a Content Security Policy (CSP) in place, but it was set to report-only mode (Content-Security-Policy-Report-Only) and was not configured to report back any violations (no report-uri or report-to directives),"

"As a result, CSP violations were only logged in the browser console rather than actively preventing the attack."
 
Last edited:
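Reading between the lines of the CSP quote in the post above, the defender-side check is three questions: is the policy enforced or report-only, does a report-only policy actually send violations anywhere, and would the script-src allow-list have stopped the second-stage loader fetched from an outside host? The following is an added example, not code from the original post or from Jscrambler. The shop, collector and loader hostnames are made up, and the host matching is a deliberate subset of the CSP spec (no scheme, port or path matching, no nonce, hash or 'strict-dynamic' handling).

```python
"""Assess whether a response's CSP headers would have stopped an external loader.

Added example; hostnames and headers below are constructed for illustration.
"""
from urllib.parse import urlparse


def parse_csp(header_value: str) -> dict[str, list[str]]:
    """Parse 'name src src; name2 src' into {name: [sources]}.
    Directive names are case-insensitive and, as in browsers, the first
    occurrence of a duplicated directive wins."""
    policy: dict[str, list[str]] = {}
    for part in header_value.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def reporting_configured(policy: dict[str, list[str]]) -> bool:
    """True if violations go anywhere besides the browser devtools console."""
    return "report-uri" in policy or "report-to" in policy


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host-source matching, reduced to exact host and '*.example'
    wildcard; scheme, port and path matching are deliberately omitted."""
    pattern = pattern.lower()
    if "://" in pattern:
        pattern = urlparse(pattern).hostname or ""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def script_allowed(policy: dict[str, list[str]], script_url: str, page_origin: str) -> bool:
    """Would <script src=script_url> load under this policy's script-src?
    Falls back to default-src; no directive at all means no restriction.
    Keyword sources other than 'self'/'none' (nonces, hashes, 'unsafe-inline',
    'strict-dynamic') grant no host and are skipped here."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True
    host = (urlparse(script_url).hostname or "").lower()
    page_host = (urlparse(page_origin).hostname or "").lower()
    for src in sources:
        s = src.lower()
        if s == "'none'":
            return False
        if s == "*" or (s == "'self'" and host == page_host):
            return True
        if s.startswith("'"):
            continue
        if _host_matches(s, host):
            return True
    return False


def assess(headers: dict[str, str], loader_url: str, page_origin: str) -> dict[str, bool]:
    """Summarise what a response's CSP headers do about an external loader."""
    enforced = headers.get("Content-Security-Policy")
    report_only = headers.get("Content-Security-Policy-Report-Only")
    out = {
        "enforced": enforced is not None,
        "report_only": report_only is not None,
        "reports_sent": False,              # violations reach a collector
        "loader_blocked": False,            # browser refuses to load it
        "would_block_if_enforced": False,   # report-only policy that would have worked
    }
    for value in (enforced, report_only):
        if value is not None and reporting_configured(parse_csp(value)):
            out["reports_sent"] = True
    if enforced is not None:
        out["loader_blocked"] = not script_allowed(parse_csp(enforced), loader_url, page_origin)
    if report_only is not None:
        out["would_block_if_enforced"] = not script_allowed(parse_csp(report_only), loader_url, page_origin)
    return out


# Constructed sample values; the real shop, collector and loader hosts are not on the page.
SHOP = "https://shop.example"
LOADER = "https://cdn.attacker.example/stage2.js"   # hypothetical second-stage host

# The misconfiguration the write-up describes: report-only, no reporting endpoint.
WEAK = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; script-src 'self' https://payments.example",
}

# Same allow-list, but enforced and wired to a collector.
HARDENED = {
    "Content-Security-Policy":
        "default-src 'self'; script-src 'self' https://payments.example; "
        "report-uri https://csp.shop.example/report",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, assess(hdrs, LOADER, SHOP))
```

The weak header comes back with would_block_if_enforced set and both reports_sent and loader_blocked clear, which is exactly the situation the quote describes: the allow-list was fine, it just was never enforced and nobody was told. If you use report-to instead of report-uri, current browsers also need a matching Reporting-Endpoints response header, which is why many sites ship both directives.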

Abraham_Lincoln

Senior Fraud Engineer
Elite
Premium
Joined
13.07.22
Messages
468
Reaction score
12,474
Points
93
If you do such a skimmer, you can get the results in many ways:
- Telegram group chat notifications by using the Telegram HTTP API,
- Email (don't use Outlook or Gmail, they can notice CVV stuff and suspend your mailbox for a KYC verification that they will not approve; go for inbox.lv or a private SMTP),
- Save in a server-side text file (best way to share your results with more hackers and be accused by many shops of double selling).
 

babapiro69

Active Carder
Joined
23.09.24
Messages
32
Reaction score
4
Points
8
thx
 

zacurrypstein

Carding Novice
Joined
07.11.24
Messages
15
Reaction score
0
Points
1
Thanks for the motivation. needed it.
 

dkpk117

⋆。゚☁︎。⋆。 ゚☾ ゚。⋆
Supreme
Joined
04.03.22
Messages
192
Reaction score
219
Points
43

blokae11

Carding Novice
Joined
23.02.23
Messages
16
Reaction score
3
Points
3
thx
 

mt_23

Carding Novice
Joined
15.07.24
Messages
11
Reaction score
0
Points
1
Reading this later... thank you for the game
 