Father
Professional
Today I would like to talk with you about modern anti-fraud systems and give an example from one of the major shops. The purpose of the article is not to pick out a way around a particular shop, so no shop is named. All information in the article is the author's opinion and his empirical experience; it does not claim to be the truth, is not a call to action, and is posted for informational purposes. The author skips an explanation of the basics, since he assumes the reader is familiar with the basic terminology of carding. At the end of the article I will also address the readers with information on system configuration and touch on the topic of antidetects in general.
Foreword:
A beginner or a close-minded person in the world of carding, namely the "clothing" kind (carding of physical goods), knows little about antifraud; I believe most consider a valid CC and the right socks a guarantee that the shop will ship the goods, but I do not think this is true. Naturally, without a valid CC all the other manipulations are performed in vain, and if the socks are too dirty the outcome is the same. Also, from well-known articles, I think everyone already knows about a certain "counter" that accrues points/penalties and, past a certain amount, leads to an unsatisfactory result for us.
SUBJECT OF THE ARTICLE: "Behavioral patterns"
1. "Good old GOOGLE"
At the moment, large shops can analyze large amounts of information received from a client. I will skip everything you might already know from the articles posted on the forums and get down to business. This information ranges from scanning your Google queries and morphologically parsing them to analyzing your behavior.
Let's move on to Google queries. The shop actually receives them from you, builds up the related queries it considers likely, and scans them to verify the results. This information is not so private, and the trend in modern technology is to exchange it; that is, the shop gets access to your browser history, though only for a certain period, by and large the recent part that somehow relates to the order, not the whole history.
Example: you are trying to buy a laptop. Before confirming your order, the shop sends a request to which Google returns a response; before that you had entered "MSI G63 review", for example. The shop receives data in the array "MSI G63 REVIEW"; "MSI G63 BUY"; "MSI G63 CHEAP BUY", i.e. in addition to your query it also takes similar queries for analysis. Based on this information and the analysis of visited pages, it builds its own theory as to whether you are a real buyer or not. I also want to note that the shop does not use such technologies directly but transfers this information to its "agents", where all this "magic" happens on their large-scale servers, and so we smoothly flow to the next section.
2. Pings and information exchange with third-party resources
Here the "manufacturers" of antidetects will understand me better, because we will mainly talk about browser settings and their influence on the shop's reaction. "Pings" here means the forced disabling of the site's ability to track user actions; in most cases this is punished with an unsatisfactory result for us.
The exchange of information with third-party resources is about how you send a request and all the "magic" (a sort of "chain of responsibility") from the first section happens, with the only difference that some scripts are already built into the shop and executed on the user's side; if you prohibit the exchange of information with anything besides the site you are on, in most cases you will get an unsatisfactory result. These or similar functions can also be sewn in after the fact.
3. Patterns of behavior
A shop or any website, according to its wishes and technical capabilities, can fully track your behavior on the website and on other resources. Therefore, hitting the link you need immediately after entering the site has a bad "rating", and such orders will be scanned or placed for additional verification; later in the article I will return to the review and description of additional checks.
The site can track:
1. the time the visitor spends on it;
2. use of search;
3. the number of pages the visitor viewed;
4. how the page is scrolled;
5. how long the cursor hovers over text;
6. whether the product photos were viewed or not;
7. how many similar goods were viewed;
8. whether you looked for this product cheaper and whether it is cheaper elsewhere on the Internet;
9. browser tab activity;
10. browser window activity;
11. the mouse cursor and its behavior;
12. copying / pasting text;
13. selecting text.
Most of this data is collected to "tick off" the exchange of information with third-party resources and compile the very templates the attacker will be matched against, but some of it completely blocks any further possibility of a positive result for the attacker.
Copying and pasting text is detected, and from personal experience I can say it is used in anti-fraud systems: when you use Ctrl+C / Ctrl+V to fill in the name, address and card fields, the AF sees all of this and already gives you points for such actions.
The amount of time spent on the site is also very important, and it is active use, when you look for a product, a similar product or accessories for a product (headphones for a phone, silicone cases, etc.), that emulates a real buyer. Too little time on the site is almost always punished with high scores in AF systems.
Browser window and tab activity: the site can tell when you are on it and when you peek at another site / notepad / browser, especially while you are entering a card, and can score points for this. The penalty is not as large as for copying or for time spent on the site, but it grows, say, if you enter 2-4 digits of the card and leave the tab, i.e. perform actions not typical of a real buyer.
The site easily determines whether you have viewed the product's photos and can score points for this; it does not play a decisive role either, but it is better to do it.
According to the general opinion, sites have a bad attitude towards cheaper analogs, i.e. the shop makes a request, checks whether a cheaper product appears in the first links and gives you points for taking a product at a higher price than it is available for. Yes, I know it sounds crazy, but I could not find another explanation for such requests to Google. But the number of these points is scanty and also does not affect the AF's final decision on the case in question.
Shops hide a large number of various hidden elements that can detect the cursor hovering over them, thereby analyzing your behavior: whether you read the texts, how much of the time on the site was active and how much inactive (if the cursor does not move, the time counts as inactive). The exception is a touchscreen, but in that case the browser transmits the value responsible for the presence of a touchscreen and the possible number of simultaneous touches; I am not sure such a function is emulated in antidetects, namely in the touch hardware configs, and there are no whoer methods that let you check this.
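What the point "counter" described in this section looks like on the server side, as an added example (not code from the post or from any real shop): a scorer that folds a browser-side event stream into session features and weights them in the order the post gives (paste into name/address/card and too little time on site heaviest, tab blur during card entry smaller but growing with digits typed, photos and direct-link minor). Event names, weights, the 50-point review threshold and both sample sessions are constructed for illustration.

```python
"""Behavioral risk scorer over a checkout session (constructed example)."""
from dataclasses import dataclass
from typing import Iterable

SENSITIVE_FIELDS = {"name", "address", "card_number"}
REVIEW_THRESHOLD = 50  # assumed; real systems tune this per shop


@dataclass
class Features:
    seconds_on_site: float
    pages_viewed: int
    used_search: bool
    photos_viewed: int
    pastes_into_sensitive: int
    card_digits_when_blurred: int  # digits typed when the tab was hidden; -1 = never
    direct_to_checkout: bool


def extract_features(events: Iterable[dict]) -> Features:
    """Fold a time-ordered event stream (ms timestamps) into session features."""
    events = list(events)
    if not events:
        return Features(0.0, 0, False, 0, 0, -1, False)
    t0, t1 = events[0]["t"], events[-1]["t"]
    pages = sum(e["type"] == "pageview" for e in events)
    used_search = any(e["type"] == "search" for e in events)
    photos = sum(e["type"] == "photo_view" for e in events)
    pastes = sum(e["type"] == "paste" and e.get("field") in SENSITIVE_FIELDS for e in events)
    digits, complete, blurred_at = 0, False, -1
    for e in events:  # tab hidden while the card field is partially filled
        if e["type"] == "card_input":
            digits = e["digits"]
        elif e["type"] == "card_complete":
            complete = True
        elif e["type"] == "visibility" and e["state"] == "hidden" and digits and not complete:
            blurred_at = max(blurred_at, digits)
    first_checkout = next((e["t"] for e in events if e["type"] == "checkout"), None)
    direct = first_checkout is not None and first_checkout - t0 < 30_000 and pages <= 2
    return Features((t1 - t0) / 1000, pages, used_search, photos, pastes, blurred_at, direct)


def score(f: Features) -> tuple[int, list[str]]:
    """Weighted point counter; relative weights follow the post's ordering."""
    points, reasons = 0, []
    if f.pastes_into_sensitive:
        points += 25 * min(f.pastes_into_sensitive, 3)
        reasons.append("paste into sensitive field")
    if f.seconds_on_site < 120:
        points += 30
        reasons.append("too little time on site")
    elif not f.used_search and f.pages_viewed < 3:
        points += 10
        reasons.append("no browsing before order")
    if f.card_digits_when_blurred > 0:
        points += 5 + f.card_digits_when_blurred  # grows with digits already typed
        reasons.append("tab left during card entry")
    if f.photos_viewed == 0:
        points += 5
        reasons.append("product photos not viewed")
    if f.direct_to_checkout:
        points += 10
        reasons.append("direct link to checkout")
    return points, reasons


def decide(events: Iterable[dict]) -> tuple[str, int, list[str]]:
    pts, why = score(extract_features(events))
    return ("review" if pts >= REVIEW_THRESHOLD else "accept"), pts, why


# Constructed sample sessions: a browsing buyer and a paste-and-go session.
GENUINE = [
    {"t": 0, "type": "pageview"}, {"t": 20_000, "type": "search"},
    {"t": 45_000, "type": "pageview"}, {"t": 70_000, "type": "photo_view"},
    {"t": 130_000, "type": "pageview"}, {"t": 200_000, "type": "card_input", "digits": 16},
    {"t": 205_000, "type": "card_complete"}, {"t": 210_000, "type": "checkout"},
]
SUSPICIOUS = [
    {"t": 0, "type": "pageview"}, {"t": 5_000, "type": "paste", "field": "name"},
    {"t": 7_000, "type": "paste", "field": "card_number"},
    {"t": 8_000, "type": "card_input", "digits": 4},
    {"t": 9_000, "type": "visibility", "state": "hidden"}, {"t": 15_000, "type": "checkout"},
]
```

`decide(GENUINE)` returns `("accept", 0, [])` and `decide(SUSPICIOUS)` returns `("review", 104, [...])`; the reasons list is what an analyst would see next to the order.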
4. Cookies, sessions, prints
Based on your data, the site server, using its own algorithm, can assign you a unique identifier, ranging from ordinary identifiers to more complex ones; deleting such an identifier (clearing cookies) and then receiving a new one from the same IP address does not add to your chances of a positive result. Your cookies are your fingerprint, because they are used to track actions on the site.
5. Using multiple IP addresses on one config / session of browsers
The fact is that most sites use the Google API to one degree or another, and if you come from one IP, say Germany, and then from a US IP, you will see ads in German, i.e. targeted at the German audience, because initially you initialized yourself as a visitor of that category; this is not always solved by simply deleting cookies, depending on which sites you visited. This can also play a role in shaping the AF's opinion.
Further, I want to look with you, as an example, at the small part of the parameters and metrics the shop reads at submit time; some parameters are clear, some can only be guessed at.
When ordering, the "profileId" parameter is passed, which constitutes the previously generated user snapshot; when you place an order, this data is checked against what already exists for the passed variable. Many other values are also passed; for example, if you order a pickup under a different name, the "isGifPurchase" variable becomes true. However, the "isHighRisk" variable keeps a negative value (false). But then you can observe the variable "isCsiEnabled" - true (which may mean "Crime Scene Investigation"). Based on this, I can assume that my order was not marked as high-risk, but an investigation was attached and somewhere I failed a check needed to obtain a positive status.
Afterword:
Undoubtedly, what we are so accustomed to plays an important role, but protection systems do not stand still and will only tighten the screws further as far as large shops are concerned. The carder's goal is to find an approach to a large shop, because you can extract much more from it than from others. Why are drives successful (or successful with a large percentage) when you hit with VNC or with bots? (Fortunately, the Genesis service appeared, thanks to which an ordinary mortal without a botnet can test his strength, but there are also disadvantages, such as the lack of a decent antidetect so that you can actually use it; that is, for now the project is raw and you buy only cookies and data, fingerprints are not included in most bots, and it is suitable for combined work with importing cookies into your antidetect browser.)
Because there is a history, a confirmation that the user is real. Antidetects at the moment emulate only some things but cannot emulate a behavioral pattern, because this data just has to be "stuffed": you can generate certain visits through JS, deceiving the site by inflating visits, and maybe it will work for a while, but the creators of antidetects will not bother with it, because they would have to "sew" a separate patch for each shop. And correct warming should use relevant links so as not to inflate visits to non-existent pages. Shops have enough different features in their arsenal: Super Cookie, which identifies the user after a change of configs or IP; WebGL, which generates 3D images based on your hardware, so to claim other hardware you need to physically have the required video card and processor, i.e. it is not enough just to write random values, these values must correspond to reality, and this is another stumbling block.
Audio Fingerprint - playing low-frequency sounds is very effective in identifying users; in principle you can emulate this method by hand using the usual sound settings in Windows, but the number of combinations is limited, which does not allow you to put emulation on stream, though it will work for the time being.
Fonts Fingerprint - reads the user's available fonts; at the moment the creators of antidetects assure that they are working on emulation, but I would not pay attention to this, because now most fonts are standard and few people install others, apart from designers and those who work with printing. Therefore, in my opinion, identifying the user and cancelling orders via Fonts Fingerprint looks unconvincing and unreasonable.
An explanation of the importance of a behavioral pattern can be derived from the following: we can divide fraud into two camps.
Everything that concerns goods: they rely on behavioral pattern identification to a greater extent, because shopping should be available to everyone, and by adopting the model of the second camp they would just die.
Everything that concerns payment systems: they focus on various kinds of verification due to the difficulty of putting together a behavioral pattern, which is why many payment systems have such complex verification and many confirmations (documents, reporting, SMS, video calls, authentication). Because they have no other possible identification methods, historically there was a high level of fraud and the only reasonable solution was to complicate verification.
Epilogue:
I hope the article will be useful for you, that you get something new from it and perhaps, after reading, your own thoughts on the matter. I was not an adherent of "open source" projects, but recently for some reason I wanted to share these considerations in order to sow thoughts on this topic, so that together we will come to the ready-made solutions our business needs.