Lesson 3 of 22

Spoofing

Zero Trace Support February 16, 2021

All these websites can read plenty of information from our fingerprint. The browser fingerprint will be used to identify us and may also be used as evidence against us (in case they have our real IP and other sensitive data).

And if they find something fishy, most likely they will put your fraudulent order on review or simply decline it.

The secret here is to look like the average guy and spoof as many of the victim's details as possible.

Remember that the greatest skill of a fraudster is to look as genuine as possible, if not more genuine than a legit customer.

If you go on whoer.net, you will see that it's able to read many things about you.

There are rumors that whoer.net belongs to LE. I say in response… Where is the evidence?

Contrary to widespread belief, having a 100% score on whoer is totally bad: that's an anonymity score, not a spoofing score, and generally speaking, when you want to be anonymous you have to hide stuff.

Another good one is browserleaks.com; when you check your spoofing setup, you have to check on both of them.

I'm going to give you an ideal fingerprint that has a high success rate for desktop-based carding:

Do Not Track (DNT): DNT is an HTTP header that allows the user to avoid having his or her actions tracked by third-party websites. When you work online, all your actions are saved in your browser cache: visited URLs, search queries, purchases you made in stores, etc. All this data can be read by websites and then used for marketing or analysis purposes.

For example, a user typed "buy a bike". This query is saved in his or her browser cache and is now available for third parties to view. From now on, this user will see bike ads all across the Internet.

Do not disable this like whoer recommends; no legit user deactivates DNT. CCleaner/BleachBit are enough to delete that fingerprint.

OS: You will want to spoof your OS as Win7. Why? Because Win7 is the most widespread one at the moment.

User Agent: I recommend spoofing Chrome, as it's the most widespread browser; always try to use the most recent version.

Source:
http://www.w3schools.com/browsers/browser_stats.asp

Screen Size: As for Screen resolution, the most widespread is 1366×768.

Source: http://www.w3schools.com/browsers/browser_display.asp

Canvas Fingerprinting: The HTML <canvas> element is used to draw graphics on the fly via scripting (usually JavaScript). The <canvas> element is only a container for graphics; you must use a script to actually draw them. Canvas has several methods for drawing paths, boxes, circles and text and for adding images.

Well-developed websites sometimes use this fingerprinting measure, called canvas fingerprinting, to recognize you every time you browse that site.

Firefox has an extension to randomize Canvas (Antidetect or something similar); the same goes for Fraudfox.

WebRTC: WebRTC (Web Real-Time Communication) is an API definition drafted by the World Wide Web Consortium (W3C) that supports browser-to-browser applications for voice calling, video calling and P2P file sharing without the need for either internal or external plugins. We might be vulnerable to WebRTC IP leaks: by default, WebRTC leaks your actual IP address from behind your VPN. Luckily Fraudfox can spoof WebRTC, and the latest Antidetect has a WebRTC changer too.

You can do a WebRTC leak test here: https://browserleaks.com/webrtc

Please don't disable WebRTC from about:config; it really doesn't look legit.

Plugins: Plugin detection: all the plugins that you have installed can leave a footprint; both AD and Fraudfox can help to avoid this.

Time zone and Clock: when you perform carding operations or impersonate the identities of people residing in different places with different time zones, you are in the position of having to change your time zone to align with the victim's.

You should match the time zone of the socks you are currently using. Fortunately, with Windows this operation is very simple: just go to the clock in the bottom right of Windows and click "Edit Time and Date Settings".

Font Detection: Font fingerprinting is about which fonts you have and how they are drawn. Based on measuring the dimensions of HTML elements filled with text, it is possible to build an identifier that can be used to track the same browser over time. Long story short, if we install new fonts, that would leave a fingerprint. This is really a minor factor from my experience, but we can still randomize and spoof that, so, no problem.

IP Spoofing: We will need to spoof the Cardholder location, we do that via SSH, RDP, Socks5, etc.

  1. The IP's country/state/city should match the cardholder's. The closer the better.
  2. The chosen IP should have immaculate blacklisting (you can check blacklists on: http://www.ip-score.com and click MORE BLS), but truth be told, sometimes it's hard to tell whether a site has really blacklisted a given IP or not, as most have an internal blacklist; for instance, PayPal might have its own internal blacklist. Checking blacklists is still a good indicator though. Also you might notice that your personal IP might be blacklisted, even if you never did spam/fraud with it, so take that into consideration; even my real IP is blacklisted for I don't know what reason.
  3. The chosen IP should have a low RiskScore; try to keep this RiskScore at less than 5. It's a metric from minFraud; you can read more here:
    https://www.maxmind.com/en/explanation-of-minfraud-riskscore.
    I use: http://mcs.sx for checking RiskScore. You can also check it on xdedic.biz
  4. Low proxy score: go to getipintel.net and test the IP; the proxy score should be 0.
  5. The IP has to be residential: you want to avoid datacenter IPs as they don't really look legitimate in the eyes of anti-fraud systems; business IPs also look good. If you are wondering whether the IP is residential or not, simply go to whoer.net, and at the top you will read the ISP. Generally, if the IP has an American ISP, then you are on the right track; simply google "list of American Internet service providers" to get a good list of American ISPs. Datacenter IPs have "data", "hosting", "cloud" and related words in the ISP name.
  6. The IP should be as close as possible to the fullz location, at least within 80 miles; I use distancebetweencities.com.

OK, I'd also like to discuss socks5, RDP and SSH.

Socks5 is a protocol that works with a proxy server, a popular choice amongst carders; I believe it's the most effective way of spoofing your IP. However, most fraudsters are carding through SSH nowadays, so I suggest SSH as your main way of IP spoofing.


I use proxifier or Foxyproxy to link socks to my machine.


Some proxy providers:
http://www.seproxysoft.com/en
luxsocks.ru(provider has closed registration but still worth mentioning )
Premsocks.com, truesocks.net, ironsocket.com, sockslist.net, isocks.biz
Vip72.com (overly blacklisted but they have plenty of locations worth mentioning)


For linking socks to machine I recommend you proxifier and Foxyproxy.

RDP stands for Remote Desktop Protocol: you are basically connecting to a remote computer. In fraud they are generally used to maintain bank drops and PayPal middleman accounts, but they are also used for carding.


You can get RDPs from the clearnet; just googling rdp will do.

The problem with non-hacked RDPs is that their IPs come from a range of database IPs that have some history with fraud. 

That's where hacked RDPs come in handy: they generally have a clean residential IP, and there are plenty of illegal autoshops selling them:


You can buy them from: xdedic.biz, http://uas-store.ru, pp24.ws, tunastock.ru, rdpterminals.tw.


Once you log in to the RDP, remember to change the password and create a hidden username, aka ghost user, so that the real owner will not notice; there is a tutorial on both xdedic and uas-store.ru for it.


Also, you can card from there; you don't have to think much about spoofing as they are an identity themselves and a real device.
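From the other side of the fence, the "ghost user" routine described above (a fresh account created and hidden from the logon screen during a remote session) is exactly the pattern a host owner's monitoring looks for. The script below is an added example written for this lesson, not code from the lesson or from any vendor: it correlates constructed Windows Security-log records (event IDs 4624, 4720, 4732 and 4657, trimmed to the fields the checks need) and flags account changes made within an hour of an external RDP logon by the same user. The sample events, the internal address ranges and the one-hour window are assumptions made for the illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Registry path under HKLM\SOFTWARE that hides an account from the logon screen.
HIDE_KEY = r"\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"

# Address ranges treated as "inside the network" (assumption); anything else is external.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]

# Constructed Security-log records, trimmed to the fields the checks need.
# 4624 = logon (type 10 = RemoteInteractive/RDP), 4720 = user account created,
# 4732 = member added to a local group, 4657 = registry value modified
# (4657 only appears if object-access auditing is enabled on that key).
SAMPLE_EVENTS: List[Dict] = [
    {"time": "2021-02-16T02:03:00", "id": 4624, "user": "jsmith",
     "logon_type": 10, "src_ip": "203.0.113.50"},
    {"time": "2021-02-16T02:09:00", "id": 4720, "subject": "jsmith",
     "target": "svc_backup$"},
    {"time": "2021-02-16T02:10:00", "id": 4732, "subject": "jsmith",
     "member": "svc_backup$", "group": "Administrators"},
    {"time": "2021-02-16T02:11:00", "id": 4657, "subject": "jsmith",
     "object": r"HKLM\SOFTWARE" + HIDE_KEY, "value": "svc_backup$"},
    {"time": "2021-02-16T09:30:00", "id": 4624, "user": "admin",
     "logon_type": 2, "src_ip": "-"},
    {"time": "2021-02-16T09:35:00", "id": 4720, "subject": "admin",
     "target": "intern01"},
]


def is_external(ip: str) -> bool:
    """True for an address outside the internal ranges; False for '-' or garbage."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def find_ghost_user_activity(events: List[Dict],
                             window: timedelta = timedelta(hours=1)) -> List[str]:
    """Flag account creation, Administrators-group adds and logon-screen hiding
    that happen within `window` after an external RDP logon by the same subject."""
    alerts: List[str] = []
    rdp_logons: Dict[str, List[datetime]] = {}   # subject -> external RDP logon times
    for e in sorted(events, key=lambda ev: ev["time"]):
        t = datetime.fromisoformat(e["time"])
        if e["id"] == 4624:
            if e.get("logon_type") == 10 and is_external(e.get("src_ip", "")):
                rdp_logons.setdefault(e["user"], []).append(t)
            continue
        subject = e.get("subject", "")
        recent = [lt for lt in rdp_logons.get(subject, [])
                  if timedelta(0) <= t - lt <= window]
        if not recent:
            continue   # change made by a local/console session: not this pattern
        tail = f"by {subject} during an external RDP session"
        if e["id"] == 4720:
            alerts.append(f"account {e['target']} created {tail}")
        elif e["id"] == 4732 and e.get("group") == "Administrators":
            alerts.append(f"{e['member']} added to Administrators {tail}")
        elif e["id"] == 4657 and HIDE_KEY.lower() in e.get("object", "").lower():
            alerts.append(f"account {e['value']} hidden from the logon screen {tail}")
    return alerts


if __name__ == "__main__":
    for line in find_ghost_user_activity(SAMPLE_EVENTS):
        print(line)
```

On the sample data the three changes made by `jsmith` inside the remote session are reported, while the owner's own account creation from the console at 09:35 is not. The same rule fires on a password change for the logged-in account if event 4724 is added to the list; the point is that the remote-session context, not the individual event, is what makes the activity suspicious.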


Socks5 vs RDP vs SSH


RDPs are more expensive, but they are an identity themselves: you can card from there, absolutely no spoofing needed, whereas socks are more cost effective but require a spoof setup. There's a rumor that in 2017 carding with socks is dead; I say it's bullshit, it's probably because these people have bad socks and/or a crappy spoof setup. I suggest starting with RDP carding and then moving on to socks once you are more confident. SSH is a middle way and should be the most used way of spoofing IP for intermediate carders; they cost slightly more than socks.

SSH Tunnel: Port forward via SSH (SSH Tunneling) creates a secure connection between a local computer and a remote machine through which services can be relayed. Because the connection is encrypted, SSH tunneling is useful for transmitting information that uses an encrypted protocol, such as IMAP, VNC or IRC.


Long story short, thanks to SSH you can connect to a remote machine and get its IP.
Now the thing about SSH tunnels is that we get the IP of another machine and we can use it on our machine; I generally make a new virtual machine, use an SSH tunnel, and there we go.

I buy SSH from: pp24.ws and tunastock.ru. In order to use SSH you need to:

  1. Download and install the Bitvise client from bitvise.com
  2. Launch the software and go to the SSH tab, click on all the blue links such as Key Exchange Algorithms and tick all the checkboxes; do that for all the links. Below is a screenshot:
  3. Go to the Services tab and tick the "enabled" box in the SOCKS/HTTP proxy forwarding part
  4. Now, in that part, the listen interface should be 127.0.0.1, listen port 5555
  5. You are done with Bitvise; you will need to click on the "Login" tab and put in the login data for the SSH.

Another step is to install Proxifier if you have not done it already; Proxifier allows you to tunnel the SSH IP to all your VM software.

  1. Open Proxifier and go to Profile -> Proxy Servers -> Add
  2. In "Server" put 127.0.0.1 and in Port put 555
  3. For Protocol, check SocksV5 Server
  4. Go to Profile -> Name Resolution -> uncheck "Detect DNS automatically" -> check "Resolve Hostnames Through Proxy"
  5. We are done with Proxifier; now all we have to do is go to tunastocks.ru or pp24.ws and get an SSH.

Accept-Language: together with the User-Agent HTTP header, this is another HTTP header; it identifies the language used by the system that is browsing.

Use an Accept-Language header that matches the language of the victim.
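Seen from the anti-fraud side, none of the signals listed in this lesson (OS, User-Agent, time zone, Accept-Language, WebRTC, ISP type) is judged alone; what gets an order sent to review is the signals disagreeing with each other. The script below is an added example written for this lesson, not code from the lesson, from whoer, browserleaks or any anti-fraud vendor: it scores a session by cross-checking those signals against one another. The IP lookup table, the per-country language table, the point weights and the two sample sessions are all constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed stand-in for an IP geolocation/ISP database (not real data).
IP_DB: Dict[str, dict] = {
    "203.0.113.7": {"country": "US", "utc_offset_min": -300,
                    "isp": "Example Cable Co", "hosting": False},
    "198.51.100.9": {"country": "US", "utc_offset_min": -480,
                     "isp": "Example Cloud Hosting", "hosting": True},
}

# Languages a browser in each country would plausibly send first (constructed).
EXPECTED_LANG = {"US": {"en"}, "RU": {"ru"}, "DE": {"de"}}


@dataclass
class Session:
    ip: str                     # address the HTTP connection arrived from
    accept_language: str        # raw Accept-Language header
    user_agent: str             # raw User-Agent header
    js_platform: str            # navigator.platform reported by the page's script
    js_utc_offset_min: int      # -new Date().getTimezoneOffset(), i.e. the UTC offset
    webrtc_public_ips: List[str] = field(default_factory=list)  # server-reflexive ICE candidates


def primary_language(header: str) -> str:
    """'en-US,en;q=0.9' -> 'en': first tag, region and q-value dropped."""
    first = header.split(",")[0].split(";")[0].strip()
    return first.split("-")[0].lower()


def ua_os(user_agent: str) -> str:
    """Coarse OS family claimed by the User-Agent string."""
    ua = user_agent.lower()
    if "windows nt" in ua:
        return "windows"
    if "mac os x" in ua:
        return "mac"
    if "linux" in ua or "x11" in ua:
        return "linux"
    return "other"


def platform_os(js_platform: str) -> str:
    """Coarse OS family from navigator.platform, a second, independent source."""
    p = js_platform.lower()
    if p.startswith("win"):
        return "windows"
    if p.startswith("mac"):
        return "mac"
    if "linux" in p:
        return "linux"
    return "other"


def score_session(s: Session) -> Tuple[int, List[str]]:
    """Return (risk points, reasons). Weights are illustrative, not a vendor's."""
    geo = IP_DB.get(s.ip)
    if geo is None:
        return 50, ["connection ip not in geolocation table"]
    points, reasons = 0, []
    if geo["hosting"]:
        points += 30
        reasons.append(f"connection ip belongs to a hosting isp ({geo['isp']})")
    if s.js_utc_offset_min != geo["utc_offset_min"]:
        points += 25
        reasons.append("browser timezone disagrees with ip geolocation")
    lang = primary_language(s.accept_language)
    if lang not in EXPECTED_LANG.get(geo["country"], set()):
        points += 15
        reasons.append(f"accept-language {lang!r} unusual for {geo['country']}")
    if ua_os(s.user_agent) != platform_os(s.js_platform):
        points += 25
        reasons.append("user-agent os disagrees with navigator.platform")
    leaked = [ip for ip in s.webrtc_public_ips if ip != s.ip]
    if leaked:
        points += 40
        reasons.append(f"webrtc reveals a different public ip: {leaked}")
    return points, reasons


# Constructed sample sessions: one self-consistent, one with every mismatch.
CHROME_WIN7 = "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 Chrome/88.0"
CONSISTENT = Session("203.0.113.7", "en-US,en;q=0.9", CHROME_WIN7, "Win32", -300)
SUSPICIOUS = Session("198.51.100.9", "ru-RU,ru;q=0.9,en;q=0.5", CHROME_WIN7,
                     "Linux x86_64", 180, webrtc_public_ips=["192.0.2.44"])

if __name__ == "__main__":
    for name, sess in (("consistent", CONSISTENT), ("suspicious", SUSPICIOUS)):
        pts, why = score_session(sess)
        print(f"{name}: {pts} points", *why, sep="\n  ")
```

The second session claims Windows 7 in its User-Agent while script reports a Linux platform, sends a Russian Accept-Language from a US hosting address, has a clock three hours ahead of UTC, and exposes a third address through WebRTC; each of those is cheap to check, and together they are what turns a "100% anonymous" session into a declined order.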

Flash version spoofing: Always spoof the latest Flash version.
Email Spoofing: We will need to use an e-mail that looks legit. This is not really discussed much on forums. According to Emailage, Square and Western Union are their clients.

So Emailage checks plenty of things:
1) It checks if the email has the name and surname of the customer.
2) It calculates the score of the email domain.
3) It calculates the age of a specific email; fraudsters are well known for creating e-mails quickly, and that's how they can spot us.

So depending on the score you get from them, they will either approve your attempt, put your order on review or simply decline it.

To make things worse, they have an internal blacklist of e-mails, so reusing emails with them isn't wise.

They also have all the other IP validation stuff that any other anti-fraud protection provider has.

So my best advice is: always put the name and surname of the victim when you make an email; date of birth is a bonus.

Use a good domain: gmail and private emails; the best ones are .edu emails, and you can buy them from fiverr.

For private emails, I suggest getting an anonymous email provider, one like Domain Cheap (they accept BTC), and getting WHOIS protection. Also, you will attach the domain to an anonymous hosting provider. You can make as many emails as you wish with the same domain from cPanel.

Emailage doesn't reveal all the info about their measures, but I think somehow they can also check the age of free emails; private emails are very easy, as you can check the domain age of a website.
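To make the three Emailage checks above concrete from the merchant's side, here is an added example of an address-risk routine of the same shape. It is not Emailage's code or the lesson's; the free-mail list, the domain and address first-seen dates, the blocklist and the approve/review/decline thresholds are all constructed stand-ins for the history a real vendor accumulates.

```python
import re
from datetime import date
from typing import Dict, List, Tuple

# Constructed reference data standing in for a vendor's domain and address history.
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
DOMAIN_FIRST_SEEN: Dict[str, date] = {
    "gmail.com": date(2004, 4, 1),
    "example-shop.com": date(2012, 5, 3),
    "fresh-mail-42.xyz": date(2021, 2, 10),   # registered days before the order
}
ADDRESS_FIRST_SEEN: Dict[str, date] = {"john.smith77@gmail.com": date(2015, 3, 9)}
BLOCKLIST = {"refund.claims@fresh-mail-42.xyz"}
TODAY = date(2021, 2, 16)   # constructed "now", matching the lesson's date


def name_match(email: str, first: str, last: str) -> bool:
    """Does the local part carry the surname plus the first name or its initial?"""
    if not first or not last:
        return False
    local = re.sub(r"[^a-z]", "", email.split("@")[0].lower())
    f, l = first.lower(), last.lower()
    return l in local and (f in local or (f[0] + l) in local)


def domain_class(domain: str) -> str:
    """Coarse domain bucket: 'edu', 'free' or 'private'."""
    if domain.endswith(".edu"):
        return "edu"
    return "free" if domain in FREE_MAIL else "private"


def assess_email(email: str, first: str, last: str,
                 today: date = TODAY) -> Tuple[str, List[str]]:
    """Return ('approve'|'review'|'decline', reasons) from name, domain and age."""
    email = email.lower()
    if email in BLOCKLIST:
        return "decline", ["address on internal blocklist"]
    domain = email.split("@")[1]
    reasons: List[str] = []
    if not name_match(email, first, last):
        reasons.append("local part does not contain the customer's name")
    registered = DOMAIN_FIRST_SEEN.get(domain)
    if registered is None:
        reasons.append(f"{domain_class(domain)} domain {domain} never seen")
    elif (today - registered).days < 90:
        reasons.append(f"domain {domain} first seen {(today - registered).days} days ago")
    seen = ADDRESS_FIRST_SEEN.get(email)
    if seen is None:
        reasons.append("address never seen before")
    elif (today - seen).days < 30:
        reasons.append(f"address first seen {(today - seen).days} days ago")
    if not reasons:
        return "approve", reasons
    return ("review" if len(reasons) == 1 else "decline"), reasons


if __name__ == "__main__":
    for addr in ("john.smith77@gmail.com", "jsmith@example-shop.com",
                 "jsmith@fresh-mail-42.xyz", "refund.claims@fresh-mail-42.xyz"):
        print(addr, *assess_email(addr, "John", "Smith"))
```

The address on an established free-mail domain with years of history is approved; a never-seen address on an old private domain goes to review; an address on a domain registered six days earlier collects two findings and is declined; a blocklisted address is declined outright regardless of how well its name matches.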


Now let's go to the actual spoofing software. I believe there are three main choices here: a configured portable browser, Antidetect and Firefox.