Why is it relevant to carding from mobile devices?
For the simple reason that classic carding is slowly becoming obsolete. More and more mobile traffic in shops, an increasing percentage of fraud in purchases from a PC, and, accordingly, a decreasing ratio of fraud in purchases from mobile devices. In other words, there are more honest purchases from mobile devices, less attention.
More carding with pc - more attention to them, and more checks. [And therefore, you need to catch the wave, after all, 2019 is the year, and you need to be in trend and card from mobile devices. So that's it. You do not need to use your own phones for carding, and working with PayPal. And there is no need to buy the left. There are emulators for this, such as
Nox and
Genymotion.
Let's take a closer look at these two emulators:
The first emulator -
Nox
Pros: Fast, free, convenient.
Disadvantages: Only one device is available.
After each drive, it is recommended to reinstall.
The second emulator -
Genymotion.
Pluses: the sea of devices. You can make at least a Samsung Galaxy 7, at least an htc desire, at least a tablet, in general, any device. Fast, you can make one phone, and copy it, then launching it through virtual boxing. Comfortable. Disadvantages: to get it for free, you need to work hard. You need to download previous versions from third-party resources, then update them, register on the site of this genimoushen. In general, everything is pretty quick. Everything is quite simple in fact, but for a beginner, it is awkward.
If you are into trouble with emulators, you can, in principle, use any mobile phone
bought on the radio market . It is already a matter of personal taste for everyone. The presented software will allow you to do this. But in this case, I cannot be responsible for the result. By the way, it's better to use it without a SIM card.
Whatever emulator we have, it still needs to be prepared. That is, put the software on it! Mobile software means (apk files), well, just tweak the system.
Let's take a look at everything point by point:
Point 1. First of all, go to the settings, and set the language and time zone of our phone for the country that you are working on. Remember this as our father. This is the foundation.
Point 2. Making a browser. Download firefox from the playmarket (or trashbox) (just write "firefox trashbox" in Google and download apk to our emulator). Install. We open. Then we write "
about: config" in the address bar (without quotes, of course). The settings have opened to us. There is a search field. We enter "
media.peerconnection.enabled" there (also without quotes). We are exposed to this garbage, and we turn on the "
false" mode. What it is? This is disabling WebRtc. In short, so that our real IP address is not fired via webrts.
Point 3. We write in Google "
SSH Tunnel trashbox" (kpn tunnel is also good). We switch from the issue to the trashbox, and download this software from there. This software is for enabling tunnels to be turned on specifically on the phone.
Point 4. We write "
Phone id changer trashbox" in Google. It will allow us to change the phone data that are hardwired into the firmware (the presence of root rights is required). It is relevant if you use nox, and you will need to reinstall it. But I suppose I do not 100% believe in these data changes, as for me -It will be safer to reinstall the emulator. And you already do whatever you want.
Point 5. We write in Google "
Fake GPS trashbox". Also download the software from the trashbox. It will allow us to transfer fake gps data. That is, we roughly * fuck the shop with fake gps coordinates. Like we are with a show-off where we are.
Point 6. We write again in Google "
ProxyDroid trashbox" This garbage will allow us to pull the socks on our emulator. Of course it would be easier to pull on the computer right away, but here it is more convenient for someone. I’ll say I pull it on the computer, through the proxy. But there it can float, and therefore it’s better on the mobile right away In general, as anyone.
Point 7. Disable Google services. All that we can disable . So that they do not exist at all, not a single one. Recently, it has been good for eBay through a bunch of android + tunnel correctly built with dns + and application eBay minimal salary.
I warn you right away that in order to drive through Android, we will need at least some knowledge and basics in the field of carding.
So, in addition to carding using a PC, we can drive using an Android device.
The main advantages of driving through Android, relative to a PC, are:
- The ability to score fewer anti-fraud points;
- Fast and convenient
There are many varieties and descriptions of Android system settings, but I will describe the personally tested method. For this we need:
- Device on Android
- Get root rights to the device. It is very easy. To do this, we need to download the apk application to the device itself from the browser, and then install it.
Here is a list of the top programs we can download to get root rights:
Baidu Root; Framaroot; SuperSU; z4root; Superuser
Important: not all devices can be rooted, and not with the help of every program. I had 2 tablets of a little-known manufacturer with the current version of Android and average technical characteristics, installed many applications on them to obtain root rights, to no avail. Then I purchased a Sony Xperia Z smartphone and successfully rooted, so google rooted compatibility with your device.
In applications for obtaining root rights, everything is intuitive, anyone can figure it out, and if not, then I advise you to watch the video on YouTube on using the application you have chosen.
Got root rights? Moving on!
We need two programs to connect to SSH tunnels:
- ConnectBot - you can download it from Playmarket. It serves directly for connecting to tunnels.
- ProxyDroid SSH traffic sharing.
Configure SSH connection using ConnectBot:
- On the left side of the screen, select the "SSH" connection type, on the right, enter the SSH data in this form: [email protected] : 22, where 111.222.333.444 is the IP of the tunnel, and 22 is the standard port. And press enter on the keyboard. Next, a window will open. to enter the SSH password.
- Enter the SSH password in the connection window.
- Clamp the connection and select "Edit Redirection"
We set values for such parameters:
- Alias: 127.0.0.1
- Forwarding type: Dynamic (SOCKS)
- From port: 56001
- We press to change.
- ConnectBox settings complete!
Configuring traffic sharing in ProxyDroid:
Set the values:
- Address: 127.0.0.1
- Port: 56001
- Proxy type: SOCKS5
- We put a tick on "For applications (global mode)"
- DNS Proxy - check the box to use the dns of our tunnel.
- If it doesn't work, just remove it.
- ProxyDroid setup complete!
To work on Android, I advise you to download Mozilla, where you must disable WebRTC.
For driving in, SSH itself, in principle, must be absolutely clean in terms of blackouts, have a proxy closer to 0, no more than 2.
Before driving in, we go from Mozilla to whoer.net and look at the following indicators: IP purity by blackouts and whether IP matches IP our SSH. DNS must be under the SSH country, or not visible. The browser's time zone is the same as the IP zone. Languages in all meanings of eng. Also, check with ip-score.com. If something is wrong, then you have made some kind of error in the setup.
That's all. I described the setup and preparation of the Android system for driving.
Carding from the phone
This option is quite suitable for driving into large shops. Certainly not for eBay or amazon. For shops just below the rank.
For many, it is no secret that every year more and more orders of large online retailers are processed through mobile versions and through applications. Carders don't have this analogy. The lion's share of the staffers hits from XP virtual machines or sevens with disabled webrts and / or flash, which immediately comes under close scrutiny from the shop.
Our goal is to be like an ordinary holder (card holder), without special knowledge in the IT sphere, trying to buy socks, fotiki or anything else for himself or a friend.
Knowing the maximum that how to download an application from the market, climb in social networks, make a call.
What is needed for this?
A. Phone / tablet with root rights.
B. Straight arms.
C. Valid CC, socks, vpn.
The first thing we need to do is prepare the phone. If there is or once was a SIM card, be sure to pull it out. Reset to factory settings. The phone of the brand that people know about in Yus is not a Chinese brand name.
Next, you need the required minimum package of applications, everything is on the market.
Namely ccleaner, xposed installer, fake my gps, rootcloak, morelangs, proxydroid, root checker.
In general, let's start setting up.
1. Install the morelangs application and select the en_US setting in it. Requires root. This application will completely bring the language and regional settings to the one we need.
2. We translate the clock format to 1:00 pm. This lies in the android settings, usually the general tab.
3. We put the xposed installer application. More details about the xposed framework module can be found here w3bsit3-dns.com/forum/index.php?showtopic=425052
4. Install the xprivacy module, then upgrade the version to xprivacy pro. How to do it is described here w3bsit3-dns.com/forum/index.php?showtopic=483684 Briefly. This application helps to completely replace all kinds of phone data. Which is exactly what we need.
5. Install the rootcloak application. From the name it is clear that the application hides the root rights for certain applications. It is the only one that works fine, of all the tests. Checking the application. First, install the rootchecker, check the rights. There should be a green check mark that the rights are available. After opening the rootcloak, add the rootchecker to the rootcloak list (add / remove apps-button "+" on the top right - look for rootchecker in the list). If everything is done correctly, then after checking the rights, a red cross should appear, that there are no rights. This action helps to hide the root of the rights from the application into which we will drive.
6. Next, install the fake my gps application. I did not find a topic about him on w3bsit3-dns.com. Here is a link to the off site xposed
http://repo.xposed.info/module/com.fakemygps.android This application is good because it replaces location data without using the "Allow mock location" function, which is also fired by shops (myth or truth - xs). Checking the application. We turn on the gps on the bucket, select a random location in the application, then launch google maps. Should show the new location. If so, everything is good. Let's continue.
7. Proxydroid. Well this app is for socks use. Everything is clear here. I take socks on the suites. The quality seems to be quite good. Perhaps someone is using ssh. I still haven't figured out how to do it on a bucket. Who will tell - I will be grateful.
8. Any vpn application. If someone thinks that they will put you on the federal wanted list for a drop / mid-list, you can use paid vpn. Openvpn application is also present on the market. In fact, the machine is ready for carding. Someone may want to be more sophisticated (like me) and proxy the router so that it can immediately issue ip / dns USA or Eu - please.
Another minus N is the number of fraud points, which is important.
One VERY important point. Do not surf on android ip. It is noticed that Google, when searching from ip, transfers the domain. And it allows you to download applications focused on Russia. Which is not very good for us. And of course, I forgot to say only English keyboard. No ru.
Further. Now what to do with all this. It's simple. First, we clean the google market, chrome using force stop (standard procedure, google).
Then we start up ccleaner. We also clean everything.
There is one more subtlety. There is such a thing as adverting ID from Google. She's firing too. It also needs to be changed - we are changing. Then we start up the sock + vpn under the billing address. the closer the better. Get under the zip-finally beauty. Rebuild e-mail on Gmail. Here you need to pay attention.
I register the soap under the name of the drop. And I enter the name of the drop. If you plan to spike the bill not = spike, the mail should be sent to the holder. Applications are scorching. We registered the mail, added it to the Google account on the bucket. We launched fake my gps under the billing address, launched the gps. We start downloading the app from the shop. Downloaded. We launch the rootcloak. We add this application to the list so as not to fire the root of the law. All is ready.
We launch the application. Windows begin to pop up. This xprivacy shows what the application is accessing and what information it wants to know about you.
At this stage, it is better to screen and parse each request (google, etc.) in order to correctly replace the data afterwards. Red requests are critical, without which the application will not be able to function normally. They are always
The rest are at your discretion. Therefore, it is better to initially specify deny for all of them, then change everything in xpricacy (give the info closest to the holder / billing), which will not give you away, and then give the application the right to read this data (by setting it in xprivacy, or by reinstalling the application).
Also, large applications request data from the Facebook application. Therefore, if your shop is interested in this (xprivacy will show it), then it is better to register a fb account in the name of the holder. One very important point. When an application requests the connected function, it can receive the ssid data of the rest of the Wi-Fi networks.
Why do we need android if there are emulators, for example
Nox or the same
sphera, which is excellent at work and increases the chance of successful driving several times over? Firstly, emulators are fired in serious shops and offices, and secondly, the fraud when driving from mobile devices is much lower. So let's get down to the setup itself!
First, we need an Android with a
MediaTek chip, because you can easily change the IMEI with regular software and you don't have to flash anything several times. We get root-rights, how to do it - you can find it on the Internet. We configure it for the country you need (time zone and language) and register a google account under the holder. After that, download
Chamelephon from the play store and
Device ID Changer, install software and generate device configs. We reboot it and proceed to the next step.
Raising Wi-Fi hotspot:
Here we either buy a ready-made Wi-Fi router with socks5 support or take our laptop and make a Wi-Fi hotspot out of it.
To raise your point, you need a laptop with two network cards and an ubuntu (both LAN, Wi-Fi and two Wi-Fi cards are suitable, there is no difference). We configure the point so that you can connect to it on your android device, detailed here ubuntuhandbook.org/index.php/2014/09/3-ways-create-wifi-hotspot-ubuntu/. Then we configure the socks or ssh tunnel - abidmujtaba.blogspot.com/2016/07/ubuntu-create-wifi-hotspot-access-point.html. In order to prevent WebRTC from firing on our android, we write the following code in ubuntu:
Code:
sudo iptables -t raw -I PREROUTING -p udp -m multiport --dports 3478,19302 -j DROP
To prevent DNS from burning, we put on the router (not on the virtual one, but on the hardware itself) the dns of the country with which we will work. At this point, the setup is ready - let's get down to the driving process!
Scheme of work:
We connect from our android device to the virtual SSID and check our IP on whoer.net or whatleaks.com (must match the ip of our socks / ssh tunnel), and also see that WebRTC is turned on, but ours is not lit real IP + check dns. If everything is in order, we fly into the play store and download the application with which we will work, be it amazon or PayPal, etc. We log in by login / password from logs or create a self-registration to our mail, it all depends on what you are working with.
You can also use
GPS Spoofing if necessary to change the geolocation under the holder / drop address.
If something interests write a comment, if you like the theme and was helpful for you then put Like and I soon will release the second part where more detail.
Nox is an android emulator that will allow us to install a shop / bank / office application and make a drive. Why bother with this and why beat from the emulator? In order to reduce the fraud shop, since from mobile applications + if you are logged in via Facebook or a Google account - fraud is much weaker than from a desktop browser.
First of all, download and install NOX on the virtual VirtualBox, then go to the settings.
Click on the gear and in the "main" tab set root rights and change the device language to the language of the country with which we will work. Then open the "advanced" tab and specify the number of cores and ram for Nox to work, as well as select the type of device and screen extension. Go to the "properties" tab and select the phone model (you can choose the default model or self-defined, where you yourself specify the information you need), IMEI, and also enter the KX or drop number, since applications burn this information.
After that, you need to select a launcher for the model of the device that we chose before, this is necessary, since the default is NOX and this is pale. After it has been installed, click on the "home" button. We select our launcher, which will be used as the main one. Now we need to download and install Titanium Backup. After starting, a window will pop up where we need to give root rights to this application. After that, we look for the NOX launcher from the list and delete it, since we do not need it. Then we search and delete the following google services that are burning our system. The output should look like this:
Check or you definitely demolished these services, as this is important! Also put your wallpaper on your desktop, as it burns too. Now we set up the system language, the time zone for the CH and be sure to turn off the geolocation.
Output:
It is possible and quite acceptable to do carding from an emulator, but not desirable, since some anti-fraud systems can detect it, and therefore the order can be canceled.
It is much better to buy a cheap regular phone, configure it correctly and work with it, without using an emulator for a computer. Much will depend on the anti-fraud settings of the system, but you can try.
I advise you to check out this topic for more details: