How Hackers Hack Debit and Credit Cards Details of Fraud Job Website - Case Study

Last year in December 2018, I created an account on Shine.com for the job. After creating an account I applied for the jobs to many recruiters.

After 2 Days I received a call from a recruiter. She tells me the job details and the 49₹  deposit amount that I have to pay by credit card.

I know these types of frauds so I tell her that recently I am out of town So can you please send the website details on my number. She said yes and after 2 minutes she sends the website on my number.

First of all, I opened that website and checked the functionality of the website. During checking, I know that the website is static and there are no Social media accounts linked that are given in contact us page.

After that, I searched for the website in the whois database. In the whois database, I found that the domain is created just before a month. I search other details and I found that the information given by the domain owner is fake because the name of registrant name, email and phone number all are different.

After that, I created a fake account on that website. The last step is to pay 49₹ by credit/debit card. When I clicked on the pay button the payment page is opened. You know what the payment page is also created in the website like www.xyz.com/payment.php. I checked the URL and the URL is not secure means, not HTTPS. So I know that the website is fraud. I entered wrong credit card details and Credit card owner name. I redirect me to another page of a website like www.xyz.com/otp.php. On this page, I have to enter an OTP that I received on my number. I enter the wrong OTP and click submit. Now I am redirected to another page called www.xyz.com/paymentfail.php. On this page, it shows your payment is failed and do the payment again.

So I tried to understand the detailed functionality of a website. Then I found that they are just collecting credit/debit card numbers. When they get credit/debit card number in their database, they do the huge amount of transactions on other websites. And also get and enter OTP from the database that entered by the user.

After that, I tried to find the admin panel of a website and succeeded to find it. Admin panel URL is like www.xyz.com/adminpanel.php. I tried so many username and password combinations like admin-admin, admin-password but it didn't work. Then I entered the SQL injection parameters combination and it worked.

When I entered into admin panel I found the bunch of users data, debit/credit numbers, netbanking usernames and passwords, and OTP.

After 2 Days, the site is down and the account is suspended 😉

This is the story of my first hacking. Hope you liked it and sorry for my English.