Hello all, Yellow at the machine! It's been a long time since I've had any good information, right?
We all use Spy-services, and we all want two things:
- To see the whole bundle we found in the spy services: to punch through the clo and check the proclu
- To make sure that our creo is not found in the spy services, and if it is found, that nobody can get through our clo and see the proclu
Don't you notice some contradiction here? Well, what the hell with it, let's see what we can do with these items one by one. All examples will be given using the most popular Facebook spy service in the CIS: AdHeart. But I'll also show you a little bit of the Facebook ad library.
Attack
People have written about searching for bundles in spy services and breaking through the clo more than once or twice, given talks at conferences, etc., so let's just briefly go over the points:
Searching for bundles
General points
To begin with, obviously, choose one or two or three GEOs that interest you. Put a 1 in the box to the right of the GEO selection, "Countries before:", since arbitrageurs rarely pour multiple GEOs into the same campaign at the same time.

The second point is to choose the type of Call to action buttons - arbitrageurs usually use only two: LEARN_MORE and SHOP_NOW.

If you want to see only fresh creos, you choose a date interval, but I usually screw that up:

How to see only good creatives? Set "Been running for" to two or three days or more:

It is unlikely that a webmaster who has been pouring a creo for more than three days is pouring it at a loss, right? Another thing is that AdHeart is not always accurate in determining this indicator, so use it at your own risk: you can accidentally cut off quite a large layer of normal creos.
Of course, remove ads with a lead form, who the hell needs them?

And you can remove Messenger and Audience Network from the placements:

That's ALL for the general settings, so now the actual search begins! The following options are possible here:
Search by words
The easiest and most unreliable way to search: write down in a notebook all the words that you assume arbitrageurs may use in the text or the title of the ad. The words are all joined with a vertical bar, such as: loss of weight loss|kilograms|diet
Then we translate our string with Google Translate into the language of your GEO, put it into the text search and see the results:

Well, speaking of text, you know very well that many people pour in without text at all, so immediately after you've searched for words, put this switch to "No text" and flip through the feed.

Search by domain zones
The next way is to search by domain zones. Here you can find, for example, everyone who pours from free Freenom domains:

It also includes searches for the cheap domain zones that arbitrageurs love to buy: .icu|.top|.cyou|.club|.work|.site|.ru.com|.website
Search by Constructors
Same approach: in the same link field we look for fans of pouring through JS integration:
mystrikingly|bookmark|myshopify|webflow|tumblr|ucraft|mozello|webnode|mybigcommerce|ucoz|weebly|squarespace|yolasite|bandzoogle|snappages|jumpseller|bitrix24|canva|convertri|hipolink|tilda.ws|turbo.site|creatium|hipolink|sites.google
Search by Tag
Here we spot all those who pass a pixel in the link under some recognizable abbreviation, as well as those who pull costs through FbTool or Dolphin. To do this, write in the same link field:
fb_pixel|pixid|fbpixel|pixel|fbpx|px||{{adset.id}}|{{ad.id}}
Further action
After you have found a suitable creative, don't rush off to punch through the clo; first look at all the ads that are pouring from the same FP (fan page):

Also use IP search: if the arbitrageur doesn't use CloudFlare or something similar, you'll see all his creatives as clearly as the palm of your hand:

Save collected IP addresses directly in AdHeart, so you can conveniently monitor trackers of other teams.

Cloaking Breakthrough
So you've found a creative that suits you, and now it would be nice to get the proclu, right? So what do we need for that?
- First and foremost, proxies for the right GEO. You can use paid ones, or you can use some kind of Proxy Grabber

- Next, you will need to emulate a mobile device in some way: for example, you can use the antidetect browser Indigo, which can create profiles for Android. If you don't have Indigo, get yourself the UserAgentSwitcher plugin and find the right user agent there. Note that the internal fb and insta browsers put their labels at the end of the user agent string, which can be used to configure clo filters! So add them to the end of the user agent string you substitute.

- Sometimes arbitrageurs use a referrer-based filter in the clo, i.e. they look at where their site was visited from. I do not recommend doing this, but it is nevertheless common. In any case, this filter is passed by adding the following construction to the beginning of the link from the spy service:
https://l.facebook.com/l.php?u=
Just encode your link first, before adding this initial part to it.
- Sometimes a filter checks for the presence of the fbclid parameter in the address, which fb automatically adds to each link. That's why it's worth adding something like this, just in case:
?fbclid=123412341234432143241
This way you'll get through about 70 percent of the clos you find. With the rest you will have to struggle, if not give up. Why? I'll explain in the corresponding section on protection.
Protection
Now let's figure out how we can keep our creatives and proclus safe. Let's start with the spy services.
Protection from spy services
For the most part, the advice given here will be the opposite of that given in the section on offense. I will give it as a list; it is not necessary (and practically impossible) to use all of it. So:
- We do narrow targeting, such as: age 30-32. Due to a not particularly wide reach, the likelihood of your creo "catching the eye" of the spy bot is greatly reduced. But how do you scale?
- We use unpopular GEOs. Everything is clear here. Few people can find good offers for, say, Africa. That's why no one will really need your link.
- We pour without text. Who needs it when you have it on your creative? And it gets harder to find you (but not for those using Facebook's ad library, as it does a great job searching by text on images and videos!)
- Don't pour on free/cheap domains. Use .com, .org, and .net! Either NameCheap or drops. Drops can't get through the Cloud, so fuck it!
- Don't pour through constructors or find one that is not particularly well known. In fact, why do you need it? Traffic is lost, pour it on the direct link.
- Pour through the cloud. If one of your creos gets burned, at least they won't see everything the whole team is pouring by IP address.
- MOST IMPORTANTLY: DON'T PUT THE TAGS IN THE LINK!!!
The last point requires clarification. What to do if you need to pass tags and pixel? Easy, use a special field for this when setting up your ad: "URL Parameters".


Why is this so? It's all because SPY SERVICES DO NOT PICK UP THE TEXT THAT IS IN THIS FIELD. Accordingly, they can't find you using words like fbpixel, {{adset.id}}, etc.
The great thing here is that even if we click through to the FP:

And from there we get into the ad library:


We select all countries and all ads, go to the search box, press Enter and see the original of our ad, and even there we will not see the URL parameters when we hover the mouse!
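A check for the "don't put the tags in the link" rule above, as an added example that is not part of the original article: it runs a destination link through the same markers the search sections use (cheap domain zones, constructor hosts, pixel-style parameter names, unexpanded {{...}} macros) and reports what a link search would match. The audit_link helper and the sample links are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Marker lists taken from the search strings in this article
# (BUILDERS is a subset of the constructor list).
CHEAP_ZONES = (".icu", ".top", ".cyou", ".club", ".work", ".site",
               ".ru.com", ".website")
BUILDERS = ("mystrikingly", "myshopify", "webflow", "tumblr", "weebly",
            "squarespace", "tilda.ws", "sites.google")
TAG_NAMES = ("fb_pixel", "pixid", "fbpixel", "pixel", "fbpx", "px")
MACRO = re.compile(r"\{\{[a-z_.]+\}\}")  # unexpanded {{adset.id}}-style macro


def audit_link(url):
    """Return the sorted markers a link search would match in `url`."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    host = (parts.hostname or "").lower().rstrip(".")
    findings = set()
    if host.endswith(CHEAP_ZONES):
        findings.add("cheap-zone")
    findings.update("builder:" + b for b in BUILDERS if b in host)
    # Parameter names are visible in the link even when values look random.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if any(tag in name.lower() for tag in TAG_NAMES):
            findings.add("tag-param:" + name)
    # Macros may be percent-encoded (%7B%7B...%7D%7D), so decode first.
    findings.update("macro:" + m for m in MACRO.findall(unquote(url)))
    return sorted(findings)


# Constructed sample links (hypothetical domains, not from the article).
SAMPLES = [
    "https://offer-example.top/lp?fbpixel=1234567890&adset={{adset.id}}",
    "shop.example.ru.com/",
    "https://mybrand.myshopify.com/products/x",
    "https://example.com/lp?cid=%7B%7Bad.id%7D%7D",
    "https://example.com/lp",  # tags moved to the "URL Parameters" field
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", audit_link(link) or "clean")
```

An empty result means none of the listed markers are visible in the link itself; it says nothing about what is passed through the "URL Parameters" field.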

That's enough about spy services, let's go protect our clo from being punched through!
Protecting the clo from being punched through
Again, in many ways this section will be the opposite of what is written in the offense, but not all, hehe) So:
- Obviously, we will use filters to weed out unnecessary GEOs
- Also, obviously, if you're only pouring on mobile devices, you need to screen out the desktop
- Use the proxy/VPN filter
This is the base, almost everyone has it. And now let's start by looking at how popular teams cloak. Of course, they protect themselves primarily from bots, but nevertheless.

Nothing unusual, except that the guys receive the fb placement in the sub_id_1 tag and for some reason they treat all traffic that comes from the right column (the Facebook_Right_Column placement) as bot traffic!

Another example from which we can deduce 3 things:
- occasionally you can cut all IPv6 traffic.
- you can check what language is set in the user's browser! Often those who want to break through your clo only set up a proxy and forget about the language ☝️
- Look at the UserAgent - this is when we check that the user came from fb/insta/messenger, because he has a corresponding string in the user agent
But still, it's quite easy for a particularly shrewd puncher to fake all of this. What should we do? Remember those URL Parameters I mentioned above? That's the trick. Since they are not exposed anywhere, let's filter users exactly by PARAMETERS. How should we do it? Let me tell you how.
Method 1
Let's nominally call it "by Keitaro sub-tag". We almost always pass a pixel from fb, right? And we pass it in URL parameters. We store it (taking the Keitaro tracker as an example) in some sub-tag; in the example it is sub_id_10. We name this sub_id_10 fbpxl.

It is enough to filter on the black stream by this tag and let traffic go to black ONLY if this tag is not empty.

If, in addition to the white and black streams, you add a third, closing stream, where you put some proclu from the PP, then the puncher will have the complete illusion that he broke through the clo and is seeing the real black!
Unfortunately, this method can be bypassed. I'll show you how.
Just add ALL of Keitaro's sub-tags to the link with an & and put any junk in as the values, like:
https://xxx.com?sub_id_1=1234&sub_id_2=4341&sub_id_3=wqrew
and so on. In total Keitaro has 16 sub-tags. The line will be long, but you will get through the clo.
Method 2
Let's call this method "bulletproof". It is enough to filter not by the Keitaro sub-tag but simply by the parameter! So, select the "Parameters" filter and put:

That's it! No one knows what your pixel parameter is called, but if you want, use any other one. You are probably pulling costs from fb and for this purpose you pass either the adset id or the ad id. You take the parameter that is responsible for this data and filter by it. Like: adsetid is empty? Fuck that. Into the closing stream, onto the proclu from the PP!
Conclusion
As you can see, in this battle of the shield and the sword, the shield wins! And the situation is unlikely to change until Facebook starts handing over information about URL parameters, which is highly unlikely. So I can say that, at the moment, it is realistic to protect your clo from being broken through 100%, so use it if it really matters to you, and get on the plus side!
P.S. This article uses materials from the "Approaches for every day"
UPD 08.06.2023: I'm a little surprised that this article has given many people a false sense of security, which I am simply obliged to dispel here. If it's not obvious to you that any protection can be broken, then I'll disappoint you - it can be broken. All you have to do is make an account that fits the targeting of your ads, and your bundle is in the palm of your hand. This point is explained in more detail in the video.
Hi!
Can you please tell me how to use this theme with the url parameters in the ad setup?
Read the Facebook fact sheet
Power!
I want to know if you can tell me another host to install yellow cloacker. Beget ru is in blacklist domain in 4 ip zones. Can you provide me with another hosting company which allows installing yellow cloacker? Thnx
almost any that have PHP 7.2 or higher and that can issue https certificates