Carder.life - FAQ: The art of digital reconnaissance for carders part 2 (2025)

<div id="post_message_793472">

Welcome back ambitious bastards. If <a href="https://2crd.cc/showthread.php?t=162281" target="_blank">part 1</a> was the starter, then get ready for the main event of carding recon. Were about to get into the technical stuff that separates the noobs from the pros. 
 
This part is all about Man in the Middle (MITM) tools like Caido and Burp Suite. These aren't just fancy names - they're the real deal for dissecting your targets defenses. 
 
Well break down how these tools work, teach you to spot AI antifraud systems and payment gateways, and show you the ins and outs of HTTP packet tampering. By the end you'll see websites in a whole new light. 
 
Warning: this isn't for noobs. If you're still trying to figure out how to use a VPN you might want to build up your skills first. But if you're ready to level up, this guide is your ticket to really understanding the websites you're trying to hit. 
 
So sit back and focus. Were about to get technical and class is in session. Advanced carding recon ahead. 
<blockquote>Disclaimer: The information provided in this write-up is intended for educational purposes only. It is a study of how fraud operates and is not intended to promote, endorse, or facilitate any illegal activities. I cannot be held liable for any actions taken based on this material. Please use this information responsibly and do not engage in any criminal activities.</blockquote><div align="center">What are MITM Tools?</div> 
Burp Suite and Caido aren't just fancy toys - they're the scalpels you'll use to dissect your targets. 
 
At their core, these tools work by inserting themselves between your browser and the target website. Every request you send and every response you receive passes through them first. Its like having a nosy bastard reading all your mail, except in this case, you're the nosy bastard. 
 
Here's the basic flow: 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/NgRH0yrw/image.png"/> <ul><li>You type a URL into your browser</li>
<li>Your browser sends the request to Burp/Caido</li>
<li>Burp/Caido forwards the request to the website</li>
<li>The website sends its response back to Burp/Caido</li>
<li>Burp/Caido passes the response to your browser</li>
</ul>But here's where it gets interesting for us carders. These tools don't just passively observe - they let you intercept, modify and even replay requests. Think of it as having a pause button for the internet. 
 
Say you're scoping out a big e-commerce site. With Burp or Caido, you can:<ul><li>See exactly what data is being sent when you add items to your cart</li>
<li>Identify what APIs are being called during checkout</li>
<li>Spot any hidden fields or tokens used for fraud prevention</li>
<li>Detect what kind of payment gateway they're using</li>
</ul>This intel is fucking gold for crafting your carding strategy. You can see precisely what info the site collects, how its formatted and where potential weak points might be. 
 
For example, you might notice the site sends a "riskScore" parameter during checkout. Bingo - you've just identified part of their fraud prevention system. Or maybe you spot calls to a Stripe API. Now you know to use cards that haven't been burned on Stripe-powered sites. 
 
The real power comes when you start modifying requests. Changing parameters, altering headers, even injecting your own code - its all possible. This lets you test the sites defenses without actually placing orders. You can probe for weaknesses, see how the site reacts to unusual data and fine-tune your approach before risking a single card. 
 
<div align="center">Setting Up Your Digital Scalpel: Burp Suite</div> 
Before we dive into the juicy stuff, you need to get your tools ready. Burp Suite is like the swiss army knife of web app hacking, and for us carders, its fucking essential. Here's how to set this beauty up:<ul><li>Download and Install: Head to <a href="https://portswigger.net/burp/communitydownload" target="_blank">PortSwiggers</a> website and grab the Community Edition. Its free and packs enough punch for what we need. Once downloaded, install that shit.</li>
<li>Configure Your Browser: Were using Firefox for this guide cause its less of a pain in the ass with certificates. Open Firefox, go to Settings > Network Settings and set your proxy to manual. Use these settings: 
HTTP Proxy: 127.0.0.1 Port: 8080 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/WW7qQxnB/image.png"/> 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/8gVKMGBV/image.png"/> 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/kgHCNVvD/image.png"/> </li>
<li>Install BurpsCertificate: This is crucial. Without it, you'll get more security warnings than a government whistleblower.<ul><li>Open Burp and go to <a href="http://burp" target="_blank">http://burp</a></li>
<li>Click "CA Certificate" in the top right</li>
</ul> 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/Z6MK6tb5/image.png"/> 
 
- In Firefox, go to Settings > Privacy & Security > Certificates > View Certificates 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/99pb8ZNN/image.png"/> 
 
- Import the downloaded certificate and trust it for websites 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/5WTRFdMW/image.png"/> </li>
<li>Adding a SOCKS Proxy(Optional): If you're using a residential proxy here's how to chain it:<ul><li>In Burp, go to User options > SOCKS Proxy</li>
<li>Enable SOCKS proxy</li>
<li>Enter your proxy details</li>
</ul></li>
</ul>Now Burp will MITM your traffic and route it all through your SOCKS proxy. Slick, right? 
 
Pro Tip: For initial recon, I usually just use a VPN set to the same country as the card I'm planning to use. Its cleaner and less likely to raise flags. When its time to actually hit the site, that's when I switch to a full antidetect setup. 
 
Mobile Recon: Yeah, you can do this shit on mobile too. Its a bit more involved and were not covering it today. Just know its possible and can be useful for sites with mobile-specific checks. 
 
Now that you're locked and loaded, lets dive into the real shit. Time to start poking around those juicy targets. 
 
<div align="center">Detecting AI Antifraud Analytics</div> 
Now that you've got Burp Suite locked and loaded, its time to put that shit to use. Before we dive in, make sure your Intercept is turned off in the Proxy tab. If its on, Burp will stop every request waiting for your input, and were not here to play 20 Questions with HTTP packets. 
 
With Intercept off, Burp will silently record all traffic in the HTTP History tab. This is where the magic happens. As you browse your target site, you'll see a flood of requests pile up here. Don't worry, well teach you how to make sense of this digital vomit. 
 
Now, lets talk about the sneaky fuckers you're really after: AI-powered antifraud systems. These digital bloodhounds are all over modern e-commerce sites, sniffing out any hint of suspicious activity. 
 
Modern e-commerce sites are filled with AI-powered antifraud systems. These fuckers work by injecting JavaScript into the page and monitoring everything from your mouse movements to your typing patterns. 
 
As you go through Burps HTTP History, keep an eye out for these JavaScript files loading on the page. They're the calling cards of different antifraud systems:<ul><li>Sift Science: "<a href="https://cdn.sift.com/s.js" target="_blank">https://cdn.sift.com/s.js</a>"</li>
<li>Signifyd: "<a href="https://cdn-scripts.signifyd.com/signifyd.js" target="_blank">https://cdn-scripts.signifyd.com/signifyd.js</a>"</li>
<li>Riskified: "<a href="https://beacon.riskified.com?shop=example.com" target="_blank">https://beacon.riskified.com?shop=example.com</a>"</li>
<li>Forter: The exact URL can vary, but it often looks like "<a href="https://scripts.forter.com/forter.js" target="_blank">https://scripts.forter.com/forter.js</a>" or "<a href="https://cdn.ftr-cdn.com/ftr/YOUR_SITE_ID.js" target="_blank">https://cdn.ftr-cdn.com/ftr/YOUR_SITE_ID.js</a>"</li>
<li>SEON: "<a href="https://cdn.seondf.com/js/v6/agent.js" target="_blank">https://cdn.seondf.com/js/v6/agent.js</a>"</li>
<li>Kount: "<a href="https://b.kount.net/collect/sdk" target="_blank">https://b.kount.net/collect/sdk</a>"</li>
<li>Ravelin: "<a href="https://cdn.ravelin.net/core/ravelin.js" target="_blank">https://cdn.ravelin.net/core/ravelin.js</a>"</li>
<li>ClearSale: "<a href="https://integration.clearsale.com.br/fp/check.js" target="_blank">https://integration.clearsale.com.br/fp/check.js</a>"</li>
<li>Bolt: "<a href="https://connect.bolt.com/connect.js" target="_blank">https://connect.bolt.com/connect.js</a>"</li>
<li>Accertify: "<a href="https://h.online-metrix.net/fp/tags.js" target="_blank">https://h.online-metrix.net/fp/tags.js</a>"</li>
<li>PerimeterX: "<a href="https://client.perimeterx.net/PX_CLIENT_ID/main.min.js" target="_blank">https://client.perimeterx.net/PX_CLIENT_ID/main.min.js</a>"</li>
<li>Feedzai: "<a href="https://cdn.feedzai.com/v1/feedzai-fingerprint.js" target="_blank">https://cdn.feedzai.com/v1/feedzai-fingerprint.js</a>"</li>
<li>Shape Security: "<a href="https://ds.shapesecurity.com/ds/client.js" target="_blank">https://ds.shapesecurity.com/ds/client.js</a>"</li>
</ul>Finding those JS files is like finding a needle in a haystack especially on sites with a million scripts. A better idea is to keep an eye out for POST requests. That's where the magic happens. 
 
Remember this list isn't exhaustive. Antifraud tech moves faster than fashion trends. Always be on the lookout for suspicious JS files and network requests especially those loading from 3rd party domains. If you see something that looks like antifraud but isn't on this list, dig deeper. 
 
These scripts collect a fuckton of data about your session. They're tracking:<ul><li>Device fingerprints</li>
<li>Mouse movements and clicks</li>
<li>Typing speed and patterns</li>
<li>Time spent on page</li>
<li>Browser plugins and settings</li>
</ul>Browse through your target site, keep an eye on Burps HTTP History tab. You'll see POST requests to endpoints like "/api/risk/assess" or "/fraud/check" with all this data. That's the antifraud system at work. 
 
Here are a bunch of URLs for POST requests that monitor your sessions risk:<ul><li>Sift Science: "<a href="https://api.sift.com/v205/events" target="_blank">https://api.sift.com/v205/events</a>"</li>
<li>Signifyd: "<a href="https://api.signifyd.com/v2/cases" target="_blank">https://api.signifyd.com/v2/cases</a>"</li>
<li>Riskified: "<a href="https://beacon.riskified.com/api/v2/beacon/collect" target="_blank">https://beacon.riskified.com/api/v2/beacon/collect</a>"</li>
<li>Forter: "<a href="https://api.forter-secure.com/v2/decisions" target="_blank">https://api.forter-secure.com/v2/decisions</a>"</li>
<li>SEON: "<a href="https://api.seon.io/" target="_blank">https://api.seon.io/</a>"</li>
<li>Kount: "<a href="https://risk.kount.net/order.json" target="_blank">https://risk.kount.net/order.json</a>"</li>
<li>Ravelin: "<a href="https://live.ravelin.com/v2/sdk/event" target="_blank">https://live.ravelin.com/v2/sdk/event</a>"</li>
<li>ClearSale: "<a href="https://integration.clearsale.com.br/api/v2/order/create" target="_blank">https://integration.clearsale.com.br...2/order/create</a>"</li>
<li>Bolt: "<a href="https://api.bolt.com/v1/merchant/transactions" target="_blank">https://api.bolt.com/v1/merchant/transactions</a>"</li>
<li>Accertify: "<a href="https://secure.accertify.com/CM/AccertifyMAWeb/OrderProcess" target="_blank">https://secure.accertify.com/CM/Acce...b/OrderProcess</a>"</li>
<li>PerimeterX: "<a href="https://collector-PX_CLIENT_ID.perimeterx.net/api/v1/collector" target="_blank">https://collector-PX_CLIENT_ID.perim...i/v1/collector</a>"</li>
<li>Feedzai: "<a href="https://api.feedzai.com/v2/labels" target="_blank">https://api.feedzai.com/v2/labels</a>"</li>
</ul>For example, if you're dealing with Sift Science, Burp will capture a request that looks something like this: 
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 498px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">{
"event": {
"$type": "$create_order",
"$user_id": "user123",
"$session_id": "abc123xyz",
"$order_id": "ORDER-123456",
"$amount": 10000,
"$currency_code": "USD",
"$billing_address": {
"$name": "John Doe",
"$address_1": "123 Main St",
"$city": "San Francisco",
"$region": "CA",
"$country": "US",
"$zipcode": "94111"
},
"$payment_methods": [
{
"$payment_type": "$credit_card",
"$payment_gateway": "$stripe",
"$card_bin": "424242",
"$card_last4": "4242"
}
],
"$shipping_address": {
"$name": "Jane Doe",
"$address_1": "456 Oak St",
"$city": "San Francisco",
"$region": "CA",
"$country": "US",
"$zipcode": "94110"
}
}
}</pre>
</div>This data is used to build a risk profile for your session. High risk scores trigger additional verification or straight-up rejections. 
 
For some systems like Forter, the requests not show up until you initiate the payment. For cases like this you can look at requests to the main site and look for cookies like ForterToken, etc. 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/PSRD4hM/image.png"/> 
 
Booking.com Showing Riskified Token: 
 
<img alt="" border="0" class="bbCodeImage" src="https://i.ibb.co/0j8Q9JS9/image.png"/> 
 
<div align="center">Identifying Payment Gateways</div> 
Finding the payment gateway is key to finding the right cards and methods. Here's how to expose these bastards: 
 
Always start with a test card. Some popular test cards are:<ul><li>Stripe: 4242 4242 4242 4242</li>
<li>Braintree: 4111 1111 1111 1111</li>
<li>Adyen: 5555 4444 3333 1111</li>
</ul>When you submit the test card, keep an eye on the network traffic. You'll see requests to the payment gateways domain. Look for:<ul><li>Stripe: <a href="https://api.stripe.com/v1/payment_intents" target="_blank">https://api.stripe.com/v1/payment_intents</a></li>
<li>Braintree: <a href="https://api.braintreegateway.com/merchants/" target="_blank">https://api.braintreegateway.com/merchants/</a></li>
<li>Adyen: <a href="https://checkoutshopper-live.adyen.com/checkoutshopper/" target="_blank">https://checkoutshopper-live.adyen.com/checkoutshopper/</a></li>
<li>CyberSource: <a href="https://secureacceptance.cybersource.com" target="_blank">https://secureacceptance.cybersource.com</a></li>
<li>Authorize.Net: <a href="https://api.authorize.net/xml/v1/request.api" target="_blank">https://api.authorize.net/xml/v1/request.api</a></li>
<li>WorldPay: <a href="https://secure.worldpay.com/jsp/merchant/xml/paymentService.jsp" target="_blank">https://secure.worldpay.com/jsp/merc...entService.jsp</a></li>
</ul>Here's what a Braintree request might look like: 
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 178px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">POST <a href="https://api.braintreegateway.com/merchants/merchantid/client_api/v1/payment_methods/credit_cards" target="_blank">https://api.braintreegateway.com/mer...s/credit_cards</a>
{
"credit_card": {
"number": "4111111111111111",
"expiration_month": "12",
"expiration_year": "2025",
"cvv": "123"
},
"share": true
}</pre>
</div> And here's what a Stripe request looks like: 
<div style="margin:20px; margin-top:5px">
<div class="smallfont" style="margin-bottom:2px">Code:</div>
<pre class="alt2" dir="ltr" style="
margin: 0px;
padding: 6px;
border: 1px solid rgb(0, 0, 0);
width: 640px;
height: 130px;
text-align: left;
overflow: auto;
background: rgb(37, 37, 37) none repeat scroll 0% 0%;
border-radius: 5px;
font-size: 11px;
text-shadow: none;">POST <a href="https://api.stripe.com/v1/payment_intents" target="_blank">https://api.stripe.com/v1/payment_intents</a>
{
"amount": 2000,
"currency": "usd",
"payment_method_types[]": "card",
"payment_method": "pm_card_visa"
}</pre>
</div> Some sites process payments on their own domain first. If you don't see direct calls to a known payment gateway, look for requests to the sites own API endpoints like "/api/process-payment" or "/checkout/finalize". 
 
In these cases you'll need to dig deeper. Look for telltale signs in the request parameters:<ul><li>"stripe_token" or "stripe_source" suggests Stripe</li>
<li>"braintree_nonce" points to Braintree</li>
<li>"adyen_encrypted_data" indicates Adyen</li>
<li>"cybersource_token" implies CyberSource</li>
<li>"authorize_transaction_key" hints at Authorize.Net</li>
<li>"worldpay_order_code" suggests WorldPay</li>
</ul>Remember, some sites use multiple payment gateways or route through intermediary services. Keep an eye out for services like:<ul><li>Spreedly: <a href="https://core.spreedly.com/v1/payment_methods" target="_blank">https://core.spreedly.com/v1/payment_methods</a></li>
<li> Checkout.com: <a href="https://api.checkout.com/payments" target="_blank">https://api.checkout.com/payments</a></li>
<li> BlueSnap: <a href="https://ws.bluesnap.com/services/2/payment" target="_blank">https://ws.bluesnap.com/services/2/payment</a></li>
</ul>Finding the payment gateway is just step one. Each gateway has its own quirks and potential vulnerabilities. Now you know which ones you're up against, you can fine-tune your approach and increase your chances of success. 
 
<div align="center">Closing Thoughts</div> 
From setting up Burp Suite to spotting antifraud systems and unmasking payment gateways, you now have the tools to crack your targets like a pro. 
 
Remember the more you know about a sites defenses the better you can tailor your attack. Don't just throw cards at a wall and hope something sticks. Use these techniques to craft a strategy that maximizes your chances of success. 
But were not done yet. In our next guide well be diving into mobile recon. Well show you how to apply these same principles to mobile apps, a whole new playground for carding. 
 
And well get our hands dirty with Burps Tamper tool. You'll learn how to modify requests on the fly, lower your fraud score by editing the values sent to the antifraud systems and slip past those AI dogs. 
 
Until next time, keep your OPSEC tight and your skills sharp. Stay frosty.
</div>