Pssst, wanna steal some credit cards online..

Apologies for the absence, busy with my other business NipperGrip – A Kids Ski Harness. Always takes a week or so to get it out of its summer slumber and into shape for the winter months.

Google Hacking which as wikkipedia says.. “involves using advanced operators in the Google search engine to locate specific strings of text within search results”.

There is a long history of using Google Hacking in Penetration tests this presentation from as long ago as 2005. This raw form of hacking is also used with the social engineering approach against users of sites likeLinkedIn and Facebook.

However raw Google Hacking is still worth the effort. An interesting blog post here. If you ignore the snappy title the article is about sites that leave credit card information on the internet.

The crux of the article is that when the issue of Googling for Credit Card Numbers became general knowledge they put in a quick and dirty solution.  The quick and dirty was a pre-filter to the search engines that recognized if you were trying to search for something bad.  If it did it prevented you and told you off a bit.  However filters (think firewalls as well) can be bypassed.  The best way to open a locked door is to go around it right!
So if you can get around the Google bad boy credit card filter then you can search for credit card details as before.  From the blog .. 

“You can usually trigger this type of behavior by providing your input in various encodings. For example: instead of using decimal numbers (0-9), how about converting them to hexadecimal or octal or binary? Well, guess what…

Search for this and Google will tell you that you’re a bad person: “4060000000000000..4060999999999999”

Search for this and Google will be happy to oblige: “0xe6c8c69c9c000..0xe6d753e6ecfff”.

The only thing you need to do is to convert from decimal to hexadecimal. That’s it.”

If you want to try this out, you can find encoders with a simple Google search e.g. here and then you’re good to go.

Criminals need to cash out stolen credit card details once they have them though, which actually isn’t as difficult as you may have assumed.

Probably best to stick with PayPal for online payments then!

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.