How I Hacked Debit and Credit Card Details of a Fraud Job Website – Case Study

Last year, in December 2018, I created an account on Shine.com to find a job. After creating the account, I applied for jobs with many recruiters.

After 2 days, I received a call from a recruiter. She told me the job details and the 49₹ deposit amount that I had to pay by credit card.

I know these types of frauds, so I told her that I was out of town at the moment and asked whether she could send the website details to my number. She said yes, and after 2 minutes she sent the website to my number.

First of all, I opened the website and checked its functionality. While checking, I found that the website is static and that none of the social media accounts given on the Contact Us page are linked.

After that, I looked up the website in the WHOIS database. There I found that the domain was created just a month before. I searched for other details and found that the information given by the domain owner is fake, because the registrant's name, email, and phone number are all different.

After that, I created a fake account on that website. The last step was to pay 49₹ by credit/debit card. When I clicked the pay button, the payment page opened. You know what? The payment page is also created on the website itself, like http://www.xyz.com/payment.php. I checked the URL, and it is not secure, meaning not HTTPS. So I knew that the website is a fraud. I entered wrong credit card details and a wrong card owner's name. I was redirected to another page of the website, like http://www.xyz.com/otp.php. On this page, I had to enter an OTP that I received on my number. I entered a wrong OTP and clicked submit. I was then redirected to another page, http://www.xyz.com/paymentfail.php. This page says that your payment has failed and asks you to make the payment again.

So I tried to understand the detailed functionality of the website. I found that they are just collecting credit/debit card numbers. Once they have the card numbers in their database, they make a huge number of transactions on other websites. They also take the OTP that the user entered from the database and enter it.
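The checks described above (domain age from WHOIS, a payment flow served without HTTPS, and card and OTP forms hosted on the site's own host) written as a small triage script. This is an added example, not part of the original post; the WHOIS record, the 180-day threshold and the path keywords are constructed assumptions, and xyz.com is the placeholder name the post itself uses.

```python
import re
from datetime import date, datetime
from urllib.parse import urlsplit

# Constructed WHOIS excerpt (field values are made up for the example).
SAMPLE_WHOIS = """\
Domain Name: XYZ.COM
Creation Date: 2018-11-05T09:12:44Z
Registrant Name: A Kumar
Registrant Email: sales@example.net
"""

# Page flow as described in the post.
SAMPLE_FLOW = [
    "http://www.xyz.com/payment.php",
    "http://www.xyz.com/otp.php",
    "http://www.xyz.com/paymentfail.php",
]

def whois_creation_date(text):
    """Return the Creation Date of a WHOIS record as a date, or None."""
    m = re.search(r"^Creation Date:\s*(\d{4}-\d{2}-\d{2})", text, re.M | re.I)
    return datetime.strptime(m.group(1), "%Y-%m-%d").date() if m else None

def triage(whois_text, flow_urls, site_host, today, min_age_days=180):
    """Collect warning signs; min_age_days is an assumed threshold."""
    findings = []
    created = whois_creation_date(whois_text)
    if created is None:
        findings.append("whois: no creation date found")
    elif (today - created).days < min_age_days:
        findings.append(f"whois: domain is only {(today - created).days} days old")
    for url in flow_urls:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"transport: {parts.path} is served without HTTPS")
        # A card issuer's OTP step normally runs on the bank's or gateway's
        # own host, so card/OTP pages on the job site itself are a warning sign.
        if parts.hostname == site_host and re.search(r"pay|otp|card", parts.path, re.I):
            findings.append(f"hosting: {parts.path} collects payment data on the site's own host")
    return findings

if __name__ == "__main__":
    for line in triage(SAMPLE_WHOIS, SAMPLE_FLOW, "www.xyz.com", date(2018, 12, 10)):
        print(line)
```

None of these signals is proof on its own; together they match the pattern the post describes.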

After that, I tried to find the admin panel of the website and succeeded. The admin panel URL is like http://www.xyz.com/adminpanel.php. I tried many username and password combinations, like admin-admin and admin-password, but they didn't work. Then I entered an SQL injection parameter combination and it worked.

When I got into the admin panel, I found a bunch of user data: debit/credit card numbers, net-banking usernames and passwords, and OTPs.

After 2 days, the site was down and the account was suspended 😉

This is the story of my first hack. I hope you liked it, and sorry for my English.
