Spying on Messenger Users

Carding Forum

1. Segmentation of messenger traffic and mirroring into separate data storages

Using DPI (Deep Packet Inspection) and filters (for example, on server address), providers can detect the user's traffic to the target messenger and apply special mirroring rules to it.

2. Linking a user account to a pool of devices and user IP addresses

With the help of bots, including functional ones such as anti-spam or statistics bots that many administrators add to channels, or of modified messenger clients, the owners of these services can receive and log in real time the messages, user actions and technical information (for example, user_id and online status) of users in the target pool (for example, selected by country).

Then, using packet signatures and timestamps adjusted by a message delivery time coefficient, it is quite easy to correlate the activity in the traffic segmented for the messenger with the user's pool of devices and IP addresses.

In a similar way, the user can be linked through other activity in group chats and messenger channels (reactions under messages, comments, viewing messages).

For users who do not use group chats and messenger channels, the following method can be used:

Selecting a pool of users (for example, by phone number, username databases, or bio parsing by keywords or language), and then, using a modified client, a mailing bot or even a live person, sending personal messages to the user and, as in the example above, linking their pool of devices and IP addresses to an account in the messenger (by a reply to a message, reading, deleting the dialogue, blocking the interlocutor, etc.).

Additional signatures can be obtained by tracking user activity in the messenger, for example changes in public online status, or changes in avatar or metadata such as the bio.

3. Linking user conversations or calls

After messenger users have been identified with a pool of their devices and IP addresses, it is enough to analyze the segmented traffic using message signatures, filtering only the events associated with the payload: p2p connections, messages, calls.

After this, selections are possible both by the activity of specific users and devices in messengers (by location of the associated devices, by full names of specific users and the IP addresses associated with them at providers, etc.) and by categorization on other parameters, for example common contacts, or contacts identified as foreign users or as users of a specific country or region.

Possible solutions to counter illegal surveillance

Solutions from messengers:
  1. Generating a large amount of additional “junk” traffic disguised as useful traffic at random times.
  2. Changing the server architecture to eliminate the end-to-end user identifier for chats, dialogues and other messenger options, by proxying the user_id or using derived user_ids, for example generated on the same principle as hierarchical ECDSA key derivation.
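The two messenger-side measures above, as an added illustration that is not code from the original post or from any real messenger: per-chat derived identifiers (HMAC-SHA256 over a path of labels, the same hierarchical idea as HD key derivation, used here instead of ECDSA to keep the example short) and fixed-slot cover traffic with size padding, which is one way to make the "junk" traffic of item 1 indistinguishable from real messages. All function names, the slot and bucket sizes, and the sample timestamps are assumptions.

```python
import hmac
import hashlib
import secrets

# --- Item 2: derived per-context identifiers ---------------------------------
# Hypothetical scheme: the server keeps one root secret per account and hands
# out a different identifier for every chat or channel. Traffic for two chats
# then carries two unrelated IDs, so a bot that logs user_ids in one channel
# cannot match them against what it sees in another. Each label in the path
# is mixed in with HMAC, so the root never appears on the wire and a child ID
# cannot be walked back to the root or to its siblings.
def derive_context_id(root_secret: bytes, path: list) -> str:
    node = root_secret
    for label in path:
        node = hmac.new(node, str(label).encode(), hashlib.sha256).digest()
    return node[:16].hex()          # 128-bit opaque identifier


# --- Item 1: cover traffic that looks like real traffic ----------------------
# Two properties are needed for junk traffic to hide real messages from an
# on-path observer: every frame has the same size class, and frames leave at
# times that do not depend on when the user actually typed.

def pad_to_bucket(payload: bytes, bucket: int = 256) -> bytes:
    """Frame `payload` with a 2-byte length and pad with random bytes up to a
    multiple of `bucket`, so observed sizes no longer reveal message length."""
    if len(payload) >= 65536:
        raise ValueError("payload too large for 2-byte length prefix")
    framed = len(payload).to_bytes(2, "big") + payload
    padded_len = -(-len(framed) // bucket) * bucket   # round up
    return framed + secrets.token_bytes(padded_len - len(framed))


def unpad(frame: bytes) -> bytes:
    """Receiver side: strip the padding added by pad_to_bucket."""
    n = int.from_bytes(frame[:2], "big")
    return frame[2:2 + n]


def schedule_slots(real_send_times_ms, slot_ms, horizon_ms):
    """Simulate what an on-path observer sees when the client sends exactly
    one padded frame per slot: a real message waits for the next slot
    boundary, and a slot with nothing queued carries a dummy frame.

    Returns a list of (wire_time_ms, kind); `kind` is only for the
    simulation, the observer sees identical frames either way."""
    pending = sorted(real_send_times_ms)
    observed = []
    t = slot_ms
    while t <= horizon_ms:
        if pending and pending[0] <= t:
            pending.pop(0)                     # FIFO: one real frame per slot
            observed.append((t, "real"))
        else:
            observed.append((t, "dummy"))
        t += slot_ms
    return observed


def wire_timeline(observed):
    """The observer-visible part of the schedule: timestamps only."""
    return [t for t, _ in observed]


if __name__ == "__main__":
    root = secrets.token_bytes(32)                     # constructed sample
    print(derive_context_id(root, ["chat", 42]), derive_context_id(root, ["chat", 43]))
    busy = schedule_slots([120, 130, 900], slot_ms=500, horizon_ms=2000)   # constructed sample
    idle = schedule_slots([], slot_ms=500, horizon_ms=2000)
    print(wire_timeline(busy) == wire_timeline(idle))  # True: timing leaks nothing
```

The cost of the slot scheme is visible in the simulation: a message can wait up to one full slot, and the channel carries constant bandwidth whether or not the user is active. Random-time junk traffic without the fixed size class, as item 1 describes, weakens the correlation in section 2 but does not remove it, because real frames still differ in size or burst pattern from the padding.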

User solutions:
  1. Registering a new account (changing the authorization parameters of an existing account leaves its user_id unchanged).
  2. Not using a mobile phone number for authorization in messengers, especially if the SIM card was purchased with the owner's identity documents.
  3. When using an email address, using a new one that has not been used anywhere before.
  4. Using a private VPN on a personal server, with additional traffic keeping the channel loaded.