Good Carder
Professional
From a carder to carders. You bought perfect non-3DS cards, set up anti-detection and proxies. But the payment still fails with Fraudulent. Why? Because you chose the wrong target. Modern anti-fraud isn't just about checking the card and IP address. It's a comprehensive assessment of a store's entire digital footprint: its age, traffic, change history, and, most importantly, payment form vulnerabilities. In this article, I'll teach you how to analyze carding targets — from finding stores with low fraud conversion rates to automatically detecting forms without 3DS. You'll learn how to use SimilarWeb, Whoxy, and Wayback Machine, how to find WordPress stores with older versions of WooCommerce Stripe where 3DS is disabled, and how to parse checkouts using automated scripts.
Part 1. Traffic and Domain Analysis: First Steps
1.1 SimilarWeb: Traffic and Solvency Assessment
The first thing to assess is how "active" the store is. Stores with low traffic often have weak security, but their average order value is also lower. Stores with high traffic are more secure, but also more profitable.
How to use SimilarWeb in 2026:
- Estimate your monthly traffic (Monthly Visits). Targets of 10,000–50,000 visitors per month are the sweet spot. They have the money, but security is often subpar.
- Look at your traffic sources. If your store relies on direct traffic and referrals, rather than SEO or paid advertising, that's a good sign of a legitimate business.
- Evaluate the geography (Top Countries). The target must be from the same country as your cards (US Fullz → US website). A geolocation mismatch is a red flag.
- Analyze your audience's behavior (audience interests). If store visitors also visit cryptocurrency or gambling sites, this may indicate a "risky" audience, which banks more frequently screen.
According to SimilarWeb, the free version is sufficient for initial analysis. You get basic metrics: monthly traffic (around 5,000–50,000 for small stores), traffic sources (direct visits, referrals), top 5 countries, and engagement. A more in-depth analysis requires a paid subscription, but the free version is sufficient for carding.
1.2. Whoxy: Domain Age as a Trust Indicator
The older the domain, the more trustworthy it is with payment systems. Stores with domains less than six months old are often blocked at the gateway level.
Whoxy is a powerful WHOIS system that allows you to retrieve a domain's registration history, creation date, owner, and even previous owners. You can check the domain's age without creating an account, as well as historical records to determine if the owner has recently changed. If the domain has been resold, this may be a sign of a "fly-by-night" company that has already been used for carding. The Whoxy API is available on a pay-as-you-go basis, but free requests are sufficient for occasional checks.
The ideal target is a domain age of 3-10 years. Stores older than 10 years usually have good security, while those less than six months old are too risky.
1.3. Wayback Machine: Revision History
The Wayback Machine shows what a website looked like in the past. It archives millions of websites and allows you to view their historical copies. If a site hasn't been updated in the last two to three years, it's a sign of abandonment and possibly an outdated payment module. If there are drastic changes in the site's history (for example, a change in theme or payment gateway), it could be the result of a hack or change of ownership, which increases the risk.
Part 2: Finding Low-Converting Fraudulent Targets
The ideal target is a store that has money but no money for security.
2.1. Stores with high traffic but low security budgets
This category of stores earns enough to survive, but skimps on IT specialists and payment solutions. Their anti-fraud solutions are often limited to basic gateway settings.
How to search:
- Analyze niche stores (clothing, accessories, hobbies, gifts). They have high markups but little technical expertise.
- Look for stores that use cheap hosting (shared hosting on GoDaddy, Bluehost). This often correlates with a low security budget.
- Look for stores with outdated designs (2018–2020 themes). Owners who don't update their designs likely don't update their payment modules either.
2.2. Stores >3 years old
Stores over three years old have "survived" their crisis and usually have a loyal customer base. However, they often use outdated versions of the CMS and plugins because owners are afraid of updates that "something will break."
Here's how to check:
- Whoxy will show the domain registration date.
- Indirectly, by content: if the store’s blog hasn’t been updated for 2–3 years, this is a bad sign.
2.3. Stores with poor mobile adaptation
If a website looks bad on a mobile phone, it means the owner doesn't care about their customers. They likely don't care about security either.
Part 3. Technical Analysis of the Payment Form
The main question: does the store have 3DS? If so, your non-3DS cards may still not work. You need to find forms where 3DS is disabled or poorly configured.
3.1. Direct signs of the absence of a 3DS in the checkout
Open the payment page and look at:
- URL and iframe. If the card fields are in an iframe with the domain js.stripe.com or braintreegateway.com, it's Stripe or Braintree. 3DS is enabled by default for European cards, but may not be requested for US cards.
- Redirects. If entering a card results in a redirect to cardinalcommerce.com or mastercard.com/3ds, 3DS is required.
- Page behavior. If an incorrect CVV is entered and the page doesn't prompt for confirmation via SMS or in the bank app, 3DS may be disabled.
Manual verification technique: Take a Stripe test card 4000 0000 0000 0002. Try making a payment. If a 3DS window appears, 3DS is enabled. If the payment fails with "do_not_honor" and no window, 3DS is likely disabled.
3.2. Search for stores without 3DS using automatic parsing
Manually checking thousands of websites is unrealistic. Use automated scripts to parse checkouts and analyze for 3DS.
Algorithm:
- Collect a list of stores (from Google Dorks, databases, Google Maps).
- Write a Python script that visits the /checkout page and parses the HTML for:
  - iframes with Stripe, Braintree, or Adyen domains.
  - scripts 3ds.js, cardinal.js, adyen.encrypt.
  - the authentication_required error code.
- Mimic browser behavior using Playwright or Selenium to bypass simple bot protection.
Example of a simplified script:
Python:

```python
import requests
from bs4 import BeautifulSoup

def has_3ds(url):
    response = requests.get(url)
    soup = BeautifulSoup(response.text, 'html.parser')
    scripts = [script.get('src') for script in soup.find_all('script')]
    iframes = [iframe.get('src') for iframe in soup.find_all('iframe')]
    for src in iframes + scripts:
        if src and any(x in src for x in ['3ds', 'cardinal', 'adyen']):
            return True
    return False
```
However, this is a basic level. Modern payment forms often load 3DS scripts asynchronously, after card entry. Detection requires emulating the full payment cycle: card entry, form submission, and request interception. This requires a browser engine (Playwright) and network traffic analysis.
3.3. Examples: WordPress stores with the old WooCommerce Stripe plugin
The biggest source of vulnerable stores is WordPress running older versions of the WooCommerce Stripe plugin.
In older versions of the plugin (prior to 5.8.0), 3D Secure could be disabled if the "Force 3D Secure" option was selected. In some versions of the plugin, "Force 3D Secure" was enabled by default but didn't function correctly, and 3D Secure wouldn't be triggered. After updating the plugin, 3D Secure could start working again, leaving stores that hadn't updated in years with vulnerable security.
How to search:
- Google Dorks: inurl:/checkout "WooCommerce" "Version 3"
- Scanning websites for wp-content/plugins/woocommerce-gateway-stripe/readme.txt files, which indicate the plugin version.
- Using Wappalyzer to determine your WooCommerce version.
Why it works: In older versions of the Stripe plugin for WooCommerce, the 3DS setting was optional and often disabled by store owners. When updating the plugin to the latest version, 3DS is automatically enabled, but many stores running older versions remain vulnerable.
In version 5.8.0 (2021), the plugin already supported the new payment integration (UPE) with mandatory 3DS for European cards. However, for US cards, it might not be requested.
CVE-2024-43315 is a vulnerability in the Stripe Payments For WooCommerce plugin (from a third-party developer, Checkout), which allowed bypassing authorization and accessing the payment form.
Look for stores with plugin versions earlier than 6.0 — they are highly likely to have outdated 3DS settings.
Part 4. Search Automation and the Final Checklist
4.1. Tools and Resources
- Wappalyzer (browser extension) — detects CMS and plugin versions on a website.
- Burp Suite — for query analysis and parameter substitution.
- Python + Playwright — for automatic parsing of checkouts.
- Google Dorks — for searching stores on outdated CMS.
- Shodan — for searching open databases and RDP on store servers.
4.2. Pipeline analysis goals
- Collection. Parsing stores from Google Maps, Google Dorks, and local directories.
- Filtering. Weeding out uninteresting traffic: too much traffic (poor security is not a criterion), too little, not in the target country.
- Technical analysis. Checking domain age, CMS and plugin versions, and 3DS availability.
- Test transaction. A $1 purchase with a test card to check the transaction's performance.
- Adding to the database. Adding a target to a list with a priority rating (from 1 to 5).
4.3. Carder Checklist
- Estimate your store's traffic using SimilarWeb. Monthly traffic is 10,000–50,000, sourced from direct visits and referrals, and targeted by country.
- Check your domain age using Whoxy. Ideally, 3–10 years.
- View the revision history via the Wayback Machine. Drastic changes may result in resale.
- Analyze the payment form. Determine the gateway and the presence of 3DS (test with card 4000 0000 0000 0002).
- If you're using Shopify or WooCommerce, check your Stripe plugin version. If it's below 6.0, there's a high probability of a vulnerability.
- A test transaction of $1 on the target website. If it passes, the target is ready.
4.4. Typical mistakes
Mistake #1. Selecting targets based solely on the lowest price. This doesn't reduce the risk of card blocking.
Mistake #2. Ignoring the plugin version. Modern plugins almost always include 3DS.
Mistake #3. Not checking the domain age. New domains are often blocked even before a request to the bank.
Mistake #4. Trusting one tool. Use a combination of SimilarWeb, Whoxy, and Wayback Machine for cross-checking.
Summary
Choosing a target is no less important than preparing cards and proxies. Stores with low fraud conversion rates are WordPress sites with outdated plugins, low traffic, but domain ages greater than 3 years. Analyze traffic through SimilarWeb, domain age through Whoxy, and domain history through Wayback Machine. Look for targets with disabled 3DS through automatic checkout parsing using the Stripe test card 4000 0000 0000 0002. Always make a test transaction of $1 before committing to a large transaction hit. Good luck.
A quick one-line reminder:
"Choose a store with 10,000–50,000 traffic, a domain older than 3 years, but with an outdated Stripe plugin. SimilarWeb for traffic, Whoxy for domain age, Wayback Machine for history." "3DS, check with a test card 4000 0000 0000 0002. WordPress with WooCommerce Stripe versions below 6.0 is a gold mine. A $1 test transaction is your best friend."
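Seen from the merchant's side, the probing the post relies on (submitting the Stripe test card 4000 0000 0000 0002 to a live checkout, then a $1 "test transaction" shortly before a large order from the same client) is a recognisable pattern in checkout logs. The following detector is an added example, not code from the post; its log format, field order and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a merchant's checkout log (assumed format, not from the post).
# Fields: UTC timestamp, client IP, masked PAN (BIN + last 4), amount in USD, gateway result.
SAMPLE_LOG = """\
2026-01-10T12:00:05Z 203.0.113.7 400000******0002 1.00 do_not_honor
2026-01-10T12:03:40Z 203.0.113.7 411111******4242 1.00 approved
2026-01-10T12:09:12Z 203.0.113.7 411111******4242 489.00 approved
2026-01-10T12:15:00Z 198.51.100.9 520000******1234 35.50 approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<bin>\d{6})\*+(?P<last4>\d{4}) "
    r"(?P<amount>[\d.]+) (?P<result>\S+)$"
)
# Stripe's published test card, as quoted in the post: BIN 400000, last four 0002.
# It should never appear against a live gateway, so any hit is worth an alert.
TEST_CARD_BIN, TEST_CARD_LAST4 = "400000", "0002"

def parse_log(text):
    """Parse the constructed log format into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            d["amount"] = float(d["amount"])
            rows.append(d)
    return rows

def find_probing(rows, window=timedelta(minutes=30), probe_max=2.0, ratio=20):
    """Return (kind, ip, timestamp) alerts for test-card submissions and for an
    approved tiny 'probe' charge followed within `window` by a charge at least
    `ratio` times larger from the same IP."""
    alerts, by_ip = [], defaultdict(list)
    for r in rows:
        if r["bin"] == TEST_CARD_BIN and r["last4"] == TEST_CARD_LAST4:
            alerts.append(("test_card", r["ip"], r["ts"]))
        by_ip[r["ip"]].append(r)
    for ip, evs in by_ip.items():
        probes = [e for e in evs if e["amount"] <= probe_max and e["result"] == "approved"]
        for p in probes:
            for e in evs:
                if p["ts"] < e["ts"] <= p["ts"] + window and e["amount"] >= p["amount"] * ratio:
                    alerts.append(("probe_then_charge", ip, e["ts"]))
    return alerts
```

On the sample above the detector raises two alerts for 203.0.113.7: the test-card submission at 12:00:05 and the $489 order that follows the approved $1 charge six minutes later; the unrelated order from 198.51.100.9 is not flagged.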