Affiliate marketing stream. AEZAKMI interview

AEZAKMI_EN
6 min readOct 20, 2020

--

Dear friends!

Recently we had a stream with NPPR TEAM (arbitration team with useful services) and dr.cash (maybe the best CPA network), about affiliate marketing.

In this article, you can find some interesting Q&A about working antidetect browser AEZAKMI.

You can see the recording of the stream here: www.youtube.com/watch?v=nqOSeXn-qFY.

Enjoy!

  1. How was it determined that FB checked a camera/sound speakers/microphone and speech synthesizers?

The research was conducted with the help of JS script injection, which redefined WebApi methods, due to which — when calling the corresponding methods — this call is logged — indicating the function which called the method and arguments passed to the method.

Therefore, in real time, while performing various actions on FB — I was able to track which methods and from where they are called to analyze the obfuscated code step by step.

The code for the fingerprint collection detector of installed speech synthesizers:

const original_speechSynthesis = speechSynthesis.getVoices;
speechSynthesis.getVoices = function getVoices() {
let detector = {};
detector.type = “speechSynthesis”;
detector.func = “getVoices”;
detector.arguments = Array.from(arguments);
console.table(detector);
return original_speechSynthesis.apply(this, arguments);
};

You can check what the function gives out on any tab in the console — speechSynthesis.getVoices();

Code for the fingerprint detection of existing cameras, speakers and microphones:

const original_enumerateDevices =
navigator.mediaDevices.enumerateDevices;
navigator.mediaDevices.enumerateDevices = function () {
let detector = {};
detector.type = “navigator”;
detector.func = “mediaDevices”;
detector.arguments = Array.from(arguments);
console.table(detector);
return original_enumerateDevices.apply(this, arguments);
};

You can check what the function gives on any tab in the console — navigator.mediaDevices();

2. What is the difference between browser plugins for Chrome and Chromium?

Chromium plugins:

Plugin {0: MimeType, application/x-google-chrome-pdf: MimeType, name: “Chromium PDF Plugin”, filename: “internal-pdf-viewer”, description: “Portable Document Format”, length: 1}Plugin {0: MimeType, application/pdf: MimeType, name: “Chromium PDF Viewer”, filename: “mhjfbmdgcfjbbpaeojofohoefgiehjai”, description: “”, length: 1}

Chrome plugins:

Plugin {0: MimeType, application/x-google-chrome-pdf: MimeType, name: “Chrome PDF Plugin”, filename: “internal-pdf-viewer”, description: “Portable Document Format”, length: 1}Plugin {0: MimeType, application/pdf: MimeType, name: “Chrome PDF Viewer”, filename: “mhjfbmdgcfjbbpaeojofohoefgiehjai”, description: “”, length: 1}Plugin {0: MimeType, 1: MimeType, application/x-nacl: MimeType, application/x-pnacl: MimeType, name: “Native Client”, filename: “internal-nacl-plugin”, description: “”, …}

You can check by typing in the console: navigator.plugins

3. Where is the information that FB uses Passive OS Fingerprint from? Proofs, pls.

There will be no proofs — because TCP packet analysis is done by listening to the network interface on the FB infrastructure side. This is the part of the AF system whose work will always be hidden from the eyes of researchers. The only possible proof is if the FB itself publicly announces it.

Taking into account the economics of these data and connecting deduction — the following conclusion is asked.

Any large system has some kind of DLP solution that listens to the interface and collects cap log files for further analysis.

As I’ve said — fingerprints cannot be obtained from a third-party database or from the user’s computing resources — are considered expensive and this method certainly applies to them.

To understand how it is most likely to happen — the system needs to turn to the search engine (fb uses elasticsearch) to get a pointer to the corresponding user cap file (they probably do not have them in the caps) and bang it for a string like “4:120+8:0:1452:65535,0:mss,nop,nop,sok:df,id+:0”.

If scoring is controversial and the AF system needs to make a decision — it makes a decision based on the commercial value of the user — to throw on selfies or request admission from the available data. On the fly such data to parry from the package and put in the database is certainly pointless and FB will never allow it. But there are no laws to collect this data because it is in the public domain inside every TCP packet.

If we compare this to the fact that FB uses more expensive methods of checking and that GDRP has significantly reduced their ability to collect data, it seems obvious that their antifraud will analyze this data if necessary.

4. How does FB sees that I have two monitors?

If the browser window is not extended on the leftmost screen, the Screen.availLeft value will show the width of the left screen in pixels.

If the screen is left-sided and there are no screens to the left — the value of this parameter will be zero.

It is the same with AvailTop if measured in the Y axis.

This is the surest and cheapest way to detect 2 monitors.

5. And most importantly: where does the FB have a base of Beeline plans with paid Internet distribution?

This data is available in Mobile Data Plan Sharing API from Google.

It can also be detected indirectly by analyzing the ttl and ip ranges. Having a set of historical data on clients of a certain operator it is easy to find out that mobile clients of beeline are much more than tele2.

These FB data are necessary first of all to estimate the solvency of the user.

6. Timur, send that Javascript, where you saw right in the frontend of the fb lists of keyboard and mouse models, please.

All methods to analyze the keyboard and mouse work with the EventListener.

On the BM creation page and on the advertising campaign settings page — you can put a debar on keydown and keyup events in the console. Or already after loading the page to collect them with the help of:
https://gist.github.com/chelovekula/73d82152cabe1724a5962e5d572ea227

Pointers to start functions will be like:

https://gist.github.com/chelovekula/ffdffd4faf1bbc0be77550dfa4a10e82

Next — you need to put a stop point on these functions and use the “Step over the next function call” to get through this hell. There will be obfuscated json which we are talking about.

But because of the large number of recursions in the obfuscated code — it’s not fast and last time it took me a few hours before I got to this point.

Next week I was planning to take the time and climb into that swamp again to get a closer look at everything and at the same time serd you this json.

7. Port Scanning

4 years ago FB could really cooperate with this company and scan ports with web sockets.

But later, the GDPR and subsequent leak proceedings forced FB to abandon this method.

Since the method is related to the use of web sockets — scanning can’t be done secretly — in the networks tab you will immediately see requests like wss://127.0.0.1:5900/.

Recently, a study of this office was conducted with which FB previously collaborated and a list of their current clients was identified with the help of CNAME analysis — https://docs.google.com/spreadsheets/d/1Nu4lpyZ5PQUIpiLJBddXnr67t5-1y0u40dzyzSYj1gc/edit#gid=0 — according to these data FB is no longer there. And I have never seen networks requests to localhost on FB.

As for the high cost of the method — I meant that FB can not afford it because of the reputation and legal costs in connection with GDPR.

I want to return to the first question once again.

On the strip, I announced that I use my own WebApi method call detector to investigate the antifraud of the FB system. In the near future I will release a special version of Aezakmi, which will have this tool, its code will be fully open and you will be able to independently monitor what and when FB collects — getting a report on the accounts.

Also — you will be able to join the voluntary program of collecting impersonal data, which will analyze all your actions on FB and log everything that the detector found.

Since their antifraud system is Dynamic, this approach will allow us to analyze the most accurate way possible the variable behavior of FB — showing us the regularities. All data will be available for analysis by any researcher who participates in the program.

NPPR has recently announced a popular cloak and I think that such cooperative solutions and self-organizations will improve our overall efficiency.

This initiative — if supported by the community, it could become a public watchdog for FB

--

--