06-11-2023, 03:28 PM
Listen up children, this is a punch lesson from yours truely, Omien. This is completely copy and pasted from Funshine god rest his soul whatever he is doing right now.
Alright let's talk about phishing for Credit Cards (CC) so you don't need to rely on purchasing that type of data from various marketplaces, vendors, or other places. Plus, when you purchase CCs you then need to figure out if the CCs you purchased are valid, expired, or even useful. It gets annoying trying to source that type of data from others without knowing if the CCs are already burned.
When it comes to obtaining bank accounts at our cybercriminal level is to target bank accounts you're familiar with or at minimum you have an account with them so you can obtain all the needed information for evilginx2 to function. Pretty simple right? You just log into your bank account, copy the cookie information, and feed it into your custom evilginx2 phishlet so you're able to phish XYZ bank accounts and off you go on your phishing adventures. Sounds so simple right? Everything can be trial and error with many variables at play which makes it more complicated than you think. How do you know the people you are phishing even have an account at XYZ bank? Right?
I'm not going into any depth with bank accounts since there will be a full course on compromising bank accounts in the future but I'm sure some people reading this will have an idea of how to obtain bank accounts and begin to test them out on their own with the knowledge taught here especially now that you know evilginx2. It's best to wait until the banking and account take over course are released so until then have some (more) patience.
When it comes to phishing credit card information through email this can be a little tricky since you have somehow entice the target(s) to enter their CC information which will rely heavily on how well you crafted your phishing email and the target you're pursing (are they educated, retarded, oblivious, etc.).
Personally, I never really sent random emails to people trying to phish for their CC information since I was already struggling with keeping my other phishing operations online and I found it annoying when you have to constantly re-setup and move your operations. Laziness really. Instead, I targeted specific people and places, never sending my phishing emails out to the masses and kept under the radar. You don't need 1000s of CCs. You just need handfuls of the rights ones at the right time. Unless of course you plan on capturing CCs and selling them to others. Many options.
If you're on Wi-Fi network then try to re-direct everyone to your phishing landing page which consists of a "Pay for Internet usage" type of landing page. Once the target(s) are on your page they'll either consider purchasing Internet usage so they can have Internet (good in cafe's and airport lounges) and enter their CC details for you or they won't. Either way it's a good technique to obtain CCs in your current area and cut out other middle men that you rely on.
When I first started out, I had to rely on others for malware, CCs, and everything needed to be a successful cybercriminal. I relied heavily on others to keep my operations going and when a resource dried up or that vendor/website began to scam their customers I was at their mercy. I'm sure like many of you reading this are too. What I realized was the amount of money I was spending on dead CCs and bullshit accounts was eating into my profits and affecting my confidence. I needed to cut that shit out.
My first attempt at phishing for CCs was pretty basic but it was successful and that's all that mattered to me. I'll share it with you in hopes it sparks some wicked ideas in your head how you can do the same.
What I would do is perform some reconnaissance in the city I was currently staying in at the time and look for locations where people would be using their laptops or computers that were easily accessible. The locations I targeted were almost always libraires, cafe's, hostels, hotels, and co-working spaces for the most part since this suited me personally and I was comfortable in those locations. I would be around those types of locations frequently since I was travelling and constantly on the move so I targeted those types of people because, in my mind, they were the type of people that would be accustomed to paying for Internet or be familiar with that type of request so nothing seems too out of place.
I'd launch a DoS attack against the business/personal Wi-Fi router taking it offline and created an open Wi-Fi network with a similar name with a basic website landing page requesting payment for a one-time fee for (3) weeks unlimited Internet usage for $0.50. I kept the amount really small, so people were more inclined to pay such a small amount then complain or leave that location. What's $0.50 to someone right? You see what I'm doing yes?
My website landing splash page was a basic HTML webpage with a POST function to a database so I could capture all the information they entered and a re-direct page to a webpage with an error after they clicked "Submit". The error webpage would consist of something about being unable to process the transaction please try again later type shit. That's it. I wasn't sending custom malware to capture their information or spending a 1000 years coding my own malware to get any of it. I was simply doing basic HTML shit and deploying an open Wi-Fi network. I would sit there for a few hours doing my thing which usually consisted of maintaining my other cybercriminal operations aiming to capture at least (1) CC per day. If you're sitting at the cafe launching your attacks and maintaining your devious cybercriminal operations you mind as well be collecting CCs on the side. Be efficient.
This seems silly I know but the amount of time you're probably spending on sourcing valid CCs is annoying and you're probably losing money to burned cards along the way. I mean fuck! the last audit I did on the CC resources at the Armory I had more burned CCs than I did working which is why you should focus on obtaining your own. Sure it'll require some time and commitment but welcome to the world my friends! Strive to be self-sufficient.
For every (1) CC I was able to obtain with that technique I was almost guaranteed to be able to card with it since the carding method I had at the time was working well and I was obtaining CCs from the local area. I want HackTown members to begin to think outside the box when it comes to obtaining the information you're after because it really doesn't have to be overly complicated.
Another method I used to capture Credit Card data was something more automated because, I'm sure like many reading this, I didn't want to spend too much of my time sitting around in coffee shops and bullshit places. I'd rather have it automated for me as I sit in my penthouse hotel room getting high all day not stressing about the time I needed to spend getting that shit and taking away from my own time. I know right? Princess shit but why sit around when you can automate some operations and let the items you're after come to you?
What I did was I created a fake website that was selling all sorts of high-end electronic products at discounted prices shipped anywhere in the world. Of course, once they entered their CC information to make a purchase the data was captured and the victims re-directed to an error website. Wow I'm so elite right?
There really wasn't anything sophisticated to what I was doing when you think about it but creativity is important with any type of cybercrime.
I actually stole this technique from a person I used to run with who was selling PayPal accounts like a fucking maniac at the time. I wanted to know how they were obtaining all these accounts so easily because I thought this individual was some sort of master email phisher or some shit capable of grabbing all these accounts at will. I was wrong.
All they were doing was running a fake store online selling high-end electronic equipment at discounted prices siphoning all CC data along with offering an option to pay with PayPal, which of course was a PayPal phishing page on their site. This person spent money on online advertising trying to get their fake online store higher up in the Google search results using some search engine optimization (SEO) techniques and just let the world come to their website. The crazy part was since there was no actual charge to the victim's credit cards it was even more difficult for the financial institutions to trace it back to the fake online store as the point of compromise. Genius. No random phishing emails needed or any of that shit right?! Super simple but effective.
I want you to begin to think like this too as one of my goals of HackTown is to make you think differently and outside of the box so you can begin to formulate a working method on your own that you're capable of being successful with. Whatever that may be. There are many ways at accomplishing the task at hand with most people being able to replicate the attacks and techniques taught here.
Alright so let's go over a super simple example of how to do this all shall we.
Download and Install Ubuntu in a VM on your computer. You should feel comfortable at doing this by now I would assume. We're going to use Ubuntu because it's easy to use and most VPS providers allow Ubuntu OS to be installed.
Important!
When using a Ubuntu VM go to the "Settings" then to "Network" to make sure it's Attached to the "Bridged Adapter" and not "NAT". It's best to change it to Bridged Adapter and then restart your Ubuntu VM before continuing.
Once you have the Ubuntu VM up and running open up Terminal then type the following:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.4 -y
sudo apt-get install net-tools nginx php7.4-fpm vim gedit -y
sudo service apache2 stop
sudo service nginx stop
sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
sudo rm /etc/nginx/nginx.conf
sudo gedit /etc/nginx/sites-available/default
Copy and paste the text in purple below.
server {
keepalive_timeout 5 5;
send_timeout 10;
listen 80 default_server;
root /var/www/html;
index index.html login.php;
server_name _;
location ~ \.php$ {
try_files $uri @missing;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
}
location @missing {
rewrite ^ /error/404 break;
}
}
Save and close the file.
sudo gedit /etc/nginx/nginx.conf
Copy and paste the text in purple below.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_name_in_redirect off;
server_tokens off;
port_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Save and close the file.
sudo ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
Next you need to download CCPhish.zip from the link below to your Ubuntu VM then move it into the /var/www/html directory where all your web files are located. Use a fresh Ubuntu VM so we're on the same page.
Click to download - CC Phishing Template files- PM ME ZADDY OMIEN IF U ACTUALLY CARE FOR THIS mwah
In Terminal go to where you downloaded CCPhish.zip and type the following:
sudo mv CCPhish.zip /var/www/html
cd /var/www/html
sudo unzip CCPhish.zip
sudo rm CCPhish.zip
sudo touch /var/www/html/log.txt
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R 755 /var/www/html
sudo service nginx start
sudo ifconfig
Take note of the IP address of your Ubuntu VM.
Enter your Ubuntu VM IP address into the URL bar of your web browser followed by /index.html.
Example:
My Ubuntu VM IP is: 192.168.2.123
In the URL of my web browser I would enter:
http://192.168.2.123/index.html
Once you've done that you will see a simple basic CC capturing webpage. I've left it very basic so people can learn from it and re-do it to their liking when phishing for VISA, MasterCard, etc. and for others to easily audit the code to ensure there's no fuckery a foot. The reality is you want yours as professional and convincing as possible so make yours better! Put effort into your phishing operations.
As you can see in the screenshot below everything is pre-configured for phishing CCs and the information you're going to want when carding online.
You should have the same screen as the screenshot below if you followed the instructions properly and if you do not see the screen below than you fucked up somewhere.
Once they've entered their information into the form and clicked on "Submit" all their CC information will be saved into "log.txt" located in the /var/www/html directory for you to go bananas with later. Go ahead and enter fake information into the form and click Submit to see how this specific phishing page is setup.
Once you've entered the information into the CC collector page open up a new Terminal in your Ubuntu VM and type the following:
cat /var/www/html/log.txt
And voila! There you have all the information you're going to need to go ahead and commit online fraud with the CCs of your choice without relying on others. This is VERY basic but effective means at obtaining CCs on your own. You don't need to spam it to the masses but you can send a phishing link pointing to this page and customize it as you see fit which means you know a little about HTML.
I made this example SUPER easy to learn from and modify so if you want to learn check out the source code of index.html and post.php and go through it. It's all pretty self-explanatory if you know the very basics of HTML and even if you don't I designed it to be very readable so please don't feel overwhelmed when looking at the source code for those files.
I highly suggest learning HTML basics so you're able to modify files like the ones in CCPhish.zip to suit your own needs, make it look more professional, add logos or company banners, or attach the phishing payment pages to your own fake website.
You can either send out phishing emails to trick people into entering their CC information OR you can setup fake companies and create phishing pages this way.
There are many ways to get shit done my friends and none of it has to be overly difficult. If it works then it works and that's all we need.
Alright let's talk about phishing for Credit Cards (CC) so you don't need to rely on purchasing that type of data from various marketplaces, vendors, or other places. Plus, when you purchase CCs you then need to figure out if the CCs you purchased are valid, expired, or even useful. It gets annoying trying to source that type of data from others without knowing if the CCs are already burned.
When it comes to obtaining bank accounts at our cybercriminal level is to target bank accounts you're familiar with or at minimum you have an account with them so you can obtain all the needed information for evilginx2 to function. Pretty simple right? You just log into your bank account, copy the cookie information, and feed it into your custom evilginx2 phishlet so you're able to phish XYZ bank accounts and off you go on your phishing adventures. Sounds so simple right? Everything can be trial and error with many variables at play which makes it more complicated than you think. How do you know the people you are phishing even have an account at XYZ bank? Right?
I'm not going into any depth with bank accounts since there will be a full course on compromising bank accounts in the future but I'm sure some people reading this will have an idea of how to obtain bank accounts and begin to test them out on their own with the knowledge taught here especially now that you know evilginx2. It's best to wait until the banking and account take over course are released so until then have some (more) patience.
When it comes to phishing credit card information through email this can be a little tricky since you have somehow entice the target(s) to enter their CC information which will rely heavily on how well you crafted your phishing email and the target you're pursing (are they educated, retarded, oblivious, etc.).
Personally, I never really sent random emails to people trying to phish for their CC information since I was already struggling with keeping my other phishing operations online and I found it annoying when you have to constantly re-setup and move your operations. Laziness really. Instead, I targeted specific people and places, never sending my phishing emails out to the masses and kept under the radar. You don't need 1000s of CCs. You just need handfuls of the rights ones at the right time. Unless of course you plan on capturing CCs and selling them to others. Many options.
If you're on Wi-Fi network then try to re-direct everyone to your phishing landing page which consists of a "Pay for Internet usage" type of landing page. Once the target(s) are on your page they'll either consider purchasing Internet usage so they can have Internet (good in cafe's and airport lounges) and enter their CC details for you or they won't. Either way it's a good technique to obtain CCs in your current area and cut out other middle men that you rely on.
When I first started out, I had to rely on others for malware, CCs, and everything needed to be a successful cybercriminal. I relied heavily on others to keep my operations going and when a resource dried up or that vendor/website began to scam their customers I was at their mercy. I'm sure like many of you reading this are too. What I realized was the amount of money I was spending on dead CCs and bullshit accounts was eating into my profits and affecting my confidence. I needed to cut that shit out.
My first attempt at phishing for CCs was pretty basic but it was successful and that's all that mattered to me. I'll share it with you in hopes it sparks some wicked ideas in your head how you can do the same.
What I would do is perform some reconnaissance in the city I was currently staying in at the time and look for locations where people would be using their laptops or computers that were easily accessible. The locations I targeted were almost always libraires, cafe's, hostels, hotels, and co-working spaces for the most part since this suited me personally and I was comfortable in those locations. I would be around those types of locations frequently since I was travelling and constantly on the move so I targeted those types of people because, in my mind, they were the type of people that would be accustomed to paying for Internet or be familiar with that type of request so nothing seems too out of place.
I'd launch a DoS attack against the business/personal Wi-Fi router taking it offline and created an open Wi-Fi network with a similar name with a basic website landing page requesting payment for a one-time fee for (3) weeks unlimited Internet usage for $0.50. I kept the amount really small, so people were more inclined to pay such a small amount then complain or leave that location. What's $0.50 to someone right? You see what I'm doing yes?
My website landing splash page was a basic HTML webpage with a POST function to a database so I could capture all the information they entered and a re-direct page to a webpage with an error after they clicked "Submit". The error webpage would consist of something about being unable to process the transaction please try again later type shit. That's it. I wasn't sending custom malware to capture their information or spending a 1000 years coding my own malware to get any of it. I was simply doing basic HTML shit and deploying an open Wi-Fi network. I would sit there for a few hours doing my thing which usually consisted of maintaining my other cybercriminal operations aiming to capture at least (1) CC per day. If you're sitting at the cafe launching your attacks and maintaining your devious cybercriminal operations you mind as well be collecting CCs on the side. Be efficient.
This seems silly I know but the amount of time you're probably spending on sourcing valid CCs is annoying and you're probably losing money to burned cards along the way. I mean fuck! the last audit I did on the CC resources at the Armory I had more burned CCs than I did working which is why you should focus on obtaining your own. Sure it'll require some time and commitment but welcome to the world my friends! Strive to be self-sufficient.
For every (1) CC I was able to obtain with that technique I was almost guaranteed to be able to card with it since the carding method I had at the time was working well and I was obtaining CCs from the local area. I want HackTown members to begin to think outside the box when it comes to obtaining the information you're after because it really doesn't have to be overly complicated.
Another method I used to capture Credit Card data was something more automated because, I'm sure like many reading this, I didn't want to spend too much of my time sitting around in coffee shops and bullshit places. I'd rather have it automated for me as I sit in my penthouse hotel room getting high all day not stressing about the time I needed to spend getting that shit and taking away from my own time. I know right? Princess shit but why sit around when you can automate some operations and let the items you're after come to you?
What I did was I created a fake website that was selling all sorts of high-end electronic products at discounted prices shipped anywhere in the world. Of course, once they entered their CC information to make a purchase the data was captured and the victims re-directed to an error website. Wow I'm so elite right?
There really wasn't anything sophisticated to what I was doing when you think about it but creativity is important with any type of cybercrime.
I actually stole this technique from a person I used to run with who was selling PayPal accounts like a fucking maniac at the time. I wanted to know how they were obtaining all these accounts so easily because I thought this individual was some sort of master email phisher or some shit capable of grabbing all these accounts at will. I was wrong.
All they were doing was running a fake store online selling high-end electronic equipment at discounted prices siphoning all CC data along with offering an option to pay with PayPal, which of course was a PayPal phishing page on their site. This person spent money on online advertising trying to get their fake online store higher up in the Google search results using some search engine optimization (SEO) techniques and just let the world come to their website. The crazy part was since there was no actual charge to the victim's credit cards it was even more difficult for the financial institutions to trace it back to the fake online store as the point of compromise. Genius. No random phishing emails needed or any of that shit right?! Super simple but effective.
I want you to begin to think like this too as one of my goals of HackTown is to make you think differently and outside of the box so you can begin to formulate a working method on your own that you're capable of being successful with. Whatever that may be. There are many ways at accomplishing the task at hand with most people being able to replicate the attacks and techniques taught here.
Alright so let's go over a super simple example of how to do this all shall we.
Download and Install Ubuntu in a VM on your computer. You should feel comfortable at doing this by now I would assume. We're going to use Ubuntu because it's easy to use and most VPS providers allow Ubuntu OS to be installed.
Important!
When using a Ubuntu VM go to the "Settings" then to "Network" to make sure it's Attached to the "Bridged Adapter" and not "NAT". It's best to change it to Bridged Adapter and then restart your Ubuntu VM before continuing.
Once you have the Ubuntu VM up and running open up Terminal then type the following:
sudo apt-get update && sudo apt-get dist-upgrade -y
sudo add-apt-repository ppa:ondrej/php
sudo apt-get update
sudo apt-get install php7.4 -y
sudo apt-get install net-tools nginx php7.4-fpm vim gedit -y
sudo service apache2 stop
sudo service nginx stop
sudo rm /etc/nginx/sites-available/default
sudo rm /etc/nginx/sites-enabled/default
sudo rm /etc/nginx/nginx.conf
sudo gedit /etc/nginx/sites-available/default
Copy and paste the text in purple below.
server {
keepalive_timeout 5 5;
send_timeout 10;
listen 80 default_server;
root /var/www/html;
index index.html login.php;
server_name _;
location ~ \.php$ {
try_files $uri @missing;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
fastcgi_pass unix:/run/php/php7.4-fpm.sock;
include fastcgi_params;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param DOCUMENT_ROOT $realpath_root;
}
location @missing {
rewrite ^ /error/404 break;
}
}
Save and close the file.
sudo gedit /etc/nginx/nginx.conf
Copy and paste the text in purple below.
user www-data;
worker_processes auto;
pid /run/nginx.pid;
events {
worker_connections 1024;
}
http {
sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
server_name_in_redirect off;
server_tokens off;
port_in_redirect off;
include /etc/nginx/mime.types;
default_type application/octet-stream;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
gzip on;
gzip_disable "msie6";
include /etc/nginx/conf.d/*.conf;
include /etc/nginx/sites-enabled/*;
}
Save and close the file.
sudo ln -s /etc/nginx/sites-available/default /etc/nginx/sites-enabled/
Next you need to download CCPhish.zip from the link below to your Ubuntu VM then move it into the /var/www/html directory where all your web files are located. Use a fresh Ubuntu VM so we're on the same page.
Click to download - CC Phishing Template files- PM ME ZADDY OMIEN IF U ACTUALLY CARE FOR THIS mwah
In Terminal go to where you downloaded CCPhish.zip and type the following:
sudo mv CCPhish.zip /var/www/html
cd /var/www/html
sudo unzip CCPhish.zip
sudo rm CCPhish.zip
sudo touch /var/www/html/log.txt
sudo chown -R www-data:www-data /var/www/html
sudo chmod -R 755 /var/www/html
sudo service nginx start
sudo ifconfig
Take note of the IP address of your Ubuntu VM.
Enter your Ubuntu VM IP address into the URL bar of your web browser followed by /index.html.
Example:
My Ubuntu VM IP is: 192.168.2.123
In the URL of my web browser I would enter:
http://192.168.2.123/index.html
Once you've done that you will see a simple basic CC capturing webpage. I've left it very basic so people can learn from it and re-do it to their liking when phishing for VISA, MasterCard, etc. and for others to easily audit the code to ensure there's no fuckery a foot. The reality is you want yours as professional and convincing as possible so make yours better! Put effort into your phishing operations.
As you can see in the screenshot below everything is pre-configured for phishing CCs and the information you're going to want when carding online.
You should have the same screen as the screenshot below if you followed the instructions properly and if you do not see the screen below than you fucked up somewhere.
Once they've entered their information into the form and clicked on "Submit" all their CC information will be saved into "log.txt" located in the /var/www/html directory for you to go bananas with later. Go ahead and enter fake information into the form and click Submit to see how this specific phishing page is setup.
Once you've entered the information into the CC collector page open up a new Terminal in your Ubuntu VM and type the following:
cat /var/www/html/log.txt
And voila! There you have all the information you're going to need to go ahead and commit online fraud with the CCs of your choice without relying on others. This is VERY basic but effective means at obtaining CCs on your own. You don't need to spam it to the masses but you can send a phishing link pointing to this page and customize it as you see fit which means you know a little about HTML.
I made this example SUPER easy to learn from and modify so if you want to learn check out the source code of index.html and post.php and go through it. It's all pretty self-explanatory if you know the very basics of HTML and even if you don't I designed it to be very readable so please don't feel overwhelmed when looking at the source code for those files.
I highly suggest learning HTML basics so you're able to modify files like the ones in CCPhish.zip to suit your own needs, make it look more professional, add logos or company banners, or attach the phishing payment pages to your own fake website.
You can either send out phishing emails to trick people into entering their CC information OR you can setup fake companies and create phishing pages this way.
There are many ways to get shit done my friends and none of it has to be overly difficult. If it works then it works and that's all we need.