

Notes from the Underground: How to steal $100k from the world's biggest brands
Backchannel relays how a fraudster got away with hundreds of thousands of dollars, in their own words.
Backchannel’s “Notes from the Underground” series aims to provide a spotlight on the cybercriminal underground by featuring interesting research curated from the most interesting underground threat actors. The contents of this post are the words and intentions of the threat actor, not Backchannel.
“How I exploited this corporation for $100k in 7 days”
Jul 17, 2021
This article covers real ecommerce targets I exploited and how I bypassed their developers' patches multiple times to continue my project.
I apologize in advance for anyone having problems with English. I normally use a translator for private/business communications but since English is permitted here and there are some details in this article that I do not trust to be translated correctly I will provide this in English. My attempt to translate would only insult the language.
Please understand I am self taught in everything that I do and every field I pursue. I learn from Russian/German/English/Chinese forums and videos which I translate as needed. I usually end up using a combination of everything that works for me, borrowing from many cultures and many techniques. I do not claim that my way is the best or most efficient way and there are always ways to do things more efficiently. What I can show you is what I know and can prove actually works and what I still actively do that works right now today and is not some outdated repost somebody stole. If you have advice on something you see and how to improve then consider openly discussing your opinion in an adult manner with respect rather than make fake claims or live on assumptions because your world is so small.
Today I would like to share a project I developed at the end of last year with you. Anyone can follow along and I am happy to answer questions.
There are a lot of legitimate blogs, forums, and different websites I monitor daily to get inspired and find potential targets. One of these blogs is
🅳🅾🅲🆃🅾🆁🅾🅵🅲🆁🅴🅳🅸🆃.🅲🅾🅼
This post from that blog caught my eye last year.
The reason it got my attention is because in the past I have worked with 🅺🅼🅰🆁🆃 and 🆂🅴🅰🆁🆂 points balances and I know the company very well. Many people know that 🅺🅼🅰🆁🆃 and 🆂🅴🅰🆁🆂 are both owned by the same company transformco, and that if you register at one website you can use the same credentials at the other and they work. But still many people did not know that those login credentials will also work at a third website owned by transformco which is a rewards portal called 🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈.
🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈 itself has never been impressive, and 🅺🅼🅰🆁🆃/🆂🅴🅰🆁🆂 cashout options using points had gotten worse and worse until eventually you could only use the balances for crap nobody wanted. But that post above was telling everyone that 🆁🅰🅸🆂🅴.🅲🅾🅼 would be partnering with 🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈.🅲🅾🅼 and that soon people would be able to cashout their points for e-gift cards to hundreds of retailers. One user posted that they were currently running a pilot (trial) program and only certain targeted users would get an email to come try it and report back any issues they experienced. Since I had worked with 🅺🅼🅰🆁🆃/🆂🅴🅰🆁🆂 accounts before I had many thousands of old, spent accounts so I opened their emails and started searching to see if any of them got a trial invite from 🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈 to try the new giftcard exchange and I did!
I followed the link to 🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈.🅲🅾🅼/🅶🅸🅵🆃🅲🅰🆁🅳🆂, logged in and saw the promotional $10 credit. I chose a gift card and checked out where it let me choose to send to my own email or input someone else's to send the egift as a present. After checking out I instantly had the egift in my email.
At this point in the story I could have never guessed where this would lead. So let's analyze where my head is at during this point.
There is a program being tested that a very small amount of people are invited to try and you are only allowed to convert the promo $10 balance they put in your account.
Even though one of my accounts got an invite and the system works there is never a guarantee it even goes live, or even if it does nobody knows when it will.
I always have multiple projects going and I'm more concerned with what is paying now.
I decide this project is not exciting to me at the moment but that I would still gather accounts with balances for another time. I used Openbullet 1.2.2 and also a python standalone to crack accounts.
This is outdated now and will no longer work but it might help someone to get an idea. These would email:pass combos and save accounts with $20+ balances into hits.txt. First is the OB config loli script, second is the standalone python and req's.
I collect many many accounts automatically for quite a while until I store them and forget about them.... Until one day I notice an update on the blog above I mentioned. Someone had posted to inform others that the giftcard exchange program had gone live and now all 🆂🅷🅾🅿🆈🅾🆄🆁🆆🅰🆈 customers could exchange their point balances for gift cards.
I immediately broke out my stashed accounts and started cashing them out one by one and since they allowed you to input another email at the checkout page if you wanted to send it as a gift so I chose that since I didn't have email access to these accounts and wouldn't be able to retrieve the gift cards if they were sent only to there. Unfortunately this didn't last before they had to make some changes. One day I tried to begin cashing out again and found they had patched the checkout page so that you did not have the ability to send as a gift or alter the email address field. I tried going to the profile page on the account to change the email address there but they had already closed that possibility. Then I remembered these credentials work on 🅺🅼🅰🆁🆃 and 🆂🅴🅰🆁🆂 too so first I tried 🆂🅴🅰🆁🆂 but they had disabled it, and then I tried 🅺🅼🅰🆁🆃 which they had not fixed!
So I set about my project again cashing out but also adding an extra step now =( This lasted 1 day before they fixed that also. I was thinking of moving on until I decided to try and intercept the traffic at checkout, modify the email address being posted in the request and forward it to see if it would allow it. And it did!
At this point they had also introduced a new feature during checkout. Not only could you use your points to get giftcards but they now put in a payment processor so you could use your credit card to pay for your gift card if the total was more than your point balance. After some quick testing I quickly realized balances on the accounts would no longer be necessary......
At this point I understood the payment processor had little to no fraud security, I didn't even need to use different accounts. I could just use one account and keep purchasing egift cards, intercepting the traffic with Burp and changing email to any email, and it would be delivered there. Then when cvv being used was empty I could simply use the next one on the same account and keep pushing out e gift cards to any email from one single account over and over.
I got tens of thousands of dollars $100k+ in Sephora, Walmart, Razer, Saks 5th Avenue, Autozone, Nike, and so many more instantly delivered. What was a little side project to cashout some accounts with balances turned into me essentially being able to issue unlimited e gifts from 100s of different retailers from one portal.
I instantly converted them all to bitcoin through Paxful with the Chinese who are very happy to find reliable bulk supplier and pay 80%+
I've never written anything like this so hope it's acceptable and hope someone gets an idea that helps them with their projects.
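The patch-and-bypass sequence in the account above comes down to two missing server-side controls: the checkout endpoint kept trusting the recipient email in the request after the form field was locked, and nothing limited how many different cards one account could try. The following is an added defensive sketch, not part of the original post or any retailer's code; the account store, request field names and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Assumed policy values, chosen only for this example.
MAX_CARDS_PER_WINDOW = 2
WINDOW_SECONDS = 24 * 3600

# Constructed account store standing in for the real user database.
ACCOUNTS = {"acct-1001": {"email": "owner@example.com"}}

# account_id -> deque of (timestamp, card_fingerprint), oldest first
_card_history = defaultdict(deque)


def resolve_recipient(account_id, posted_email):
    """Return (delivery_email, tampered). Delivery always uses the email on file;
    a differing value in the request is treated as a tampering signal."""
    on_file = ACCOUNTS[account_id]["email"]
    tampered = (posted_email is not None
                and posted_email.strip().lower() != on_file.lower())
    return on_file, tampered


def card_velocity_exceeded(account_id, card_fingerprint, now):
    """Record the attempt and report whether the account has used more than
    MAX_CARDS_PER_WINDOW distinct cards inside the sliding window."""
    history = _card_history[account_id]
    while history and now - history[0][0] > WINDOW_SECONDS:
        history.popleft()
    history.append((now, card_fingerprint))
    return len({fp for _, fp in history}) > MAX_CARDS_PER_WINDOW


def process_checkout(request, now):
    """Server-side gate: hiding the email field in the form is not a control,
    so every request is checked again here before a gift card is issued."""
    account_id = request["account_id"]
    email, tampered = resolve_recipient(account_id, request.get("email"))
    too_many_cards = card_velocity_exceeded(account_id, request["card_fp"], now)
    reasons = []
    if tampered:
        reasons.append("recipient_mismatch")
    if too_many_cards:
        reasons.append("card_velocity")
    if reasons:
        return {"status": "held_for_review", "deliver_to": None, "reasons": reasons}
    return {"status": "approved", "deliver_to": email, "reasons": []}
```

Held orders still count toward the card history, so repeated attempts with new cards keep the account flagged until the window expires.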