A complete breakdown of spyware: offense and defense.

Hello all, Yellow at the machine! It's been a long time since I've had any good information, right?

We all use Spy-services, and we all want two things:

1. To see the whole bundle we found in the sleepers: punch in clo and check the procla
2. Make sure that our creo is not found in the sleepersand if they did, they couldn't penetrate ours. clo and see the procla

Вы не замечаете тут некоторого противоречия?? Ну да и бог бы с ним, давайте посмотрим, что можно сделать с этими пунктами по очереди. Все примеры будут приведены с использованием популярного в СНГ Spy-Facebook service: AdHeart. But I'll also show you a little bit of the Facebook ad library.

Attack

Regarding the search for bundles in sleepers and the penetration clo It has been written in the Internet more than once and more than twice, reports have been made at conferences, etc., so let's just briefly go through the points:

Searching for bundles

General points

To begin with, obviously, choose one or two or three GEOs that interest you. Put a 1 in the box to the right of the GEO selection - "Countries before:", arbitrageurs rarely pour multiple GEOs into the same campaign at the same time.

The second point is to choose the type of Call to action buttons - arbitrageurs usually use only two: LEARN_MORE and SHOP_NOW.

If you want to see only fresh creos, you choose a date interval, but I usually screw that up:

How to watch only good creatives? Set the "Been running for two or three days or more:

It is unlikely that the web, which pours the creo for more than three days, pours it in the minus, right? Another thing is that AdHeart is not always accurate in determining this indicator, so use at your own risk - you can accidentally cut quite a large layer of normal creos.

Of course, remove ads with a lead form, who the hell needs them?

And you can remove Messenger and Audience Network from the playlist:

С общими настройками ВСЁ, далее начинаем, собственно, поиск! Здесь возможны следующие варианты:

Search by words

The easiest and most unreliable way to search: write down in a notebook all the words that you assume arbitrageurs may use in the text or the title of the ad. Words are all combined with a vertical line, such as:
loss of weight loss|kilograms|diet
Then we translate our string with Google Translate in the language of your GEO, put it into a text search and see the results:

Well, speaking of text, you know very well that many people pour in without text at all, so immediately after you've searched for words, put this switch to "No text" and flip through the feed.

Search by domain zones

Следующий способ — поиск по доменным зонам. Тут можно найти всех тех, например, кто лил с бесплатных доменов Freenom-a (RIP):

Также сюда относится поиск по дешёвым доменнам зонам, которые обожают закупать арибтражники: .xyz|.icu|.top|.cyou|.club|.work|.site|.space|.fun|.ru.com|.website

Search by Designers

All the same - looking in the same field on the link amateurs pouring through JS-integration:

mystrikingly|bookmark|myshopify|webflow|tumblr|ucraft|mozello|webnode|mybigcommerce|ucoz|weebly|squarespace|yolasite|bandzoogle|snappages|jumpseller|bitrix24|canva|convertri|hipolink|tilda.ws|turbo.site|creatium|hipolink|sites.google|wixsite

Search by Tag

Здесь мы палим всех тех, кто передаёт в ссылке пиксель и называет его каким-то понятным сокращением, а также тех, кто подтягивает расходы через FbTool или Dolphin. Для этого всё в том же поле со ссылкой пишем:

fb_pixel|pixid|fbpixel|pixel|fbpx|px|pix|fbpix{{adset.id}}|{{ad.id}}

Further action

After you have found a suitable creativedon't be in a hurry to run out and try to punch it. clo, for starters, look at all the ads that are pouring in from the same fp:

Also use IP search: if the arbitrator doesn't use CloudFlare or something similar, you'll see all his creatives as clear as the palm of your hand:

Save collected IP addresses directly in AdHeart, so you can conveniently monitor trackers of other teams.

Cloaking Breakthrough

So you've found one that's good for you. creative and now it would be nice to get a gasket, right? So what do we need for that?

• First and foremost, these are. proxy the right geo. You can use the tollsor you can use Some kind of Proxy Grabber
  

• Next, you will need to emulate the mobile device in some way: you can use this for example, antidetect-браузер Indigo — у него есть возможность создавать профили под Android. Если же Indigo у вас нет, то возьмите себе плагин UserAgentSwitcher и подберите там подходящий юзерагент. Учтите, что внутренние браузеры фб и инсты ставят в конец строки юзерагента свои метки, по которым вполне можно настроить фильтры clo! So we add them to the end of the substituted useragent string.
  

• Sometimes arbitrageurs use in clo strainer clo by referer: i.e. they look at where the link to their site came from. I do not recommend you to do this, but it nevertheless occurs. In any case, this filter is passed by adding the following construction to the beginning of the link from the spay: https://l.facebook.com/l.php?u=
  So. encode your link here firstbefore adding this initial part to her.
• Sometimes the filter is used by the presence of the parameter fbclid in the address, which fb automatically sets to each link. That's why it's worth adding a type just in case: ?fbclid=123412341234432143241

That way you'll hit 70 percent clo of the ones we found. The rest of them will be a pain, if not a total waste. Why? I will explain in the corresponding section on defense.

Protection

Now let's figure out how we can keep our creatives and procles safe. Let's start with the spays.

Solder protection

For the most part, the advice given here will be the opposite of that given in the section on offense. I will give them as a list, it is not necessary (and practically impossible) to use them all. So:

• We do narrow targeting, such as: age 30-32. Due to a not particularly wide reach, the likelihood of your creo "catching the eye" of the spy bot is greatly reduced. But how do you scale?
• We use un-assembled GEOs. Everything is clear here. Few people can find good offers for, say, Africa. That's why no one will really need your link.
• We cast without text. Who needs it when you have it on your Creativity? А найти вас становится сложнее (но не для использующих библиотеку рекламы Facebook, поскольку она отлично ищет по тексту на изображениях и видео!)
• Не льём бесплатные/дешёвые домены. Используйте .com, .org и .net! Либо NameCheap, либо дропы. Дропы не прокинешь через клауд, да ну и хрен бы с ним!
• Don't pour through constructors or find one that is not particularly well known. In fact, why do you need it? Traffic is lost, pour it on the direct link.
• Do it through the cloud. If one of your creos gets burned, at least they won't see that the whole team is leaking by IP-address.
• MOST IMPORTANTLY: DON'T PUT THE TAGS IN THE LINK!!!

The last point requires clarification. What to do if you need to pass tags and pixel? Easy, use a special field for this when setting up your ad: "URL Parameters".

Почему так? Всё дело в том, что СПАИ НЕ ПАЛЯТ ТЕКСТ, КОТОРЫЙ ЕСТЬ В ЭТОМ ПОЛЕ. Соответственно, вас не смогут найти по словам типа fbpixel, {{adset.id}} и т.п.

The great thing here is that even if we click and move to fp:

And there we get into the library of advertising:

Select all countries, all ads, go to the search box and press Enter and see the original of our ads, then even there when you hover your mouse we will not see the URL parameters!

And enough about sleuthslet's go defend our punctures!

Puncture protection clo

Again, in many ways this section will be the opposite of what is written in the offense, but not all, hehe) So:

• Obviously, we will use filters to weed out unnecessary GEOs
• Also, obviously, if you're only pouring on mobile devices, you need to screen out the desktop
• Using the web filterproxy/VPN

This is the base, almost everyone has it. And now let's start by looking at how popular teams cloach. Of course, they protect themselves primarily from bots, but nevertheless.

Nothing unusual, except that the fb guys get a playset in the sub_id_1 tag and for some reason they consider all traffic that comes from the right column (Facebook_Right_Column playset) as bot traffic!

Another example from which we can deduce 3 things:

• occasionally (но ТОЛЬКО ИНОГДА) можно смело резать весь IPv6 траф
• it is possible to check what language is in the user's browser! Often those who want to penetrate your clo only put proxyand the language забывают☝️
• Look at the UserAgent - this is when we check that the user came from fb/insta/messenger, because he has a corresponding line in the usergent

But still, it's quite easy for a particularly shrewd piercer to tamper with all of this. What should we do? Remember those URL Parameters I mentioned above? That's the tricky part. Since they are not exposed anywhere, let's filter users exactly by PARAMETERS. How should we do it? Let me tell you how.

Method 1

Условно назовём его «по суб-метке Кейтаро». Мы же практически всегда передаём пиксель из фб, верно? И передаём его в URL parameters. We store it (as an example tracker Кейтаро) в какой-нибудь суб-метке, в примере это sub_id_10. Мы обозвали этот sub_id_10 как fbpxl.

It is enough to filter on the blackstream by this tag and let it go to black ONLY if this tag is not empty.

If you do this in addition to White and blacka third, closing the flow, where you insert some PP procla, then the puncher will have the full illusion that he has punched through clo and sees real black!

Unfortunately, this method can be bypassed. I show you how.

Достаточно добавить к ссылке ВСЕ сабы Кейтаро через & и вписать им в качестве значению любую фигню, типа:

https://xxx.com?sub_id_1=1234&sub_id_2=4341&sub_id_3=wqrew и так далее. Всего в Кейтаро 16 суб-меток. Строка будет длинной, но clo you'll get through.

Method 2

Назовём этот способ «практически пуленепробиваемый«. Достаточно фильтровать не по суб-метке Кейтаро, а просто по параметру! Итак, выбираем фильтр «Параметры» и ставим:

Всё! Никто не знает, как у вас называется параметр пикселя, но если хотите, используйте любой другой. Вы же, наверняка, подтягиваете расходы из фб и для этого тянете либо id адсета, либо id объявы. Берёте параметр, который отвечает у вас за эти данные и фильтруете по нему. Типа: adsetid пустой? Нахер. В замыкающий поток на проклу от ПП!

Conclusion

As you can see, in this battle of shield and sword, the shield wins! And the situation is unlikely to change until Facebook starts giving away information about URL parameters, which is highly unlikely. Therefore, I can say that at the moment to protect against penetration clo вполне реально, пользуйтесь, если вам это действительно важно, и лейте в плюс!

P.S. This article uses materials from the "Approaches for every day«

UPD 08.06.2023: Я немного удивлён, что многим данная статья дала ложное чувство защищённости, которое я просто обязан здесь развеять. Если вам не очевидно, что любую защиту можно сломать, то я вас разочарую — сломать можно. Достаточно сделать подходящий под таргетинг вашей рекламы аккаунт, настроить его, чтобы он показывал нужную нам рекламу, и ваша связка, как на ладони. This point is explained in more detail in the video.