1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

ADVANCED Black Hat Public Proxy Technique

Discussion in 'Black Hat SEO' started by bartosimpsonio, Jan 4, 2015.

  1. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,476
    Likes Received:
    11,180
    Occupation:
    CHEAP
    Location:
    DATASETS
    Home Page:
    With this technique you can get infinite social signals and basically add javascript code so client browsers using your proxy do anything you want. This is probably as black hat as it gets and it's 100% legal since the proxy is being used for free.


    The idea is pretty simple:



    1. [Server] Install Squid on a linux server
    2. [Payload] Modify the server so all transmitted javascript files will get one extra piece of code that does things like send all data entered in forms to your server
    3. [Cache] Set the caching time of the modified .js files as high as possible

    Source : https://blog.haschek.at/post/fd9bc


    What can you do with this?

    Set up free proxies on VPS's and then post the proxies to black hat forums. People start using your proxies. Every javascript file that passes through the proxy, you program de proxy to add code to them, code like
    Code:
    function add_some_likes()
    or
    Code:
    function substitute_ads_for_my_ads
    or maybe
    Code:
    function popunder_traffic_send()
    .

    Be creative!

    Since the "client" is using your proxy, paid with your money, from your resources, there is nothing illegal in this. The "extra" javascript is simply the toll fee.

    Enjoy the best walk you ever had laughing your way to the bank ;)
     
    • Thanks Thanks x 9
    Last edited: Jan 4, 2015
  2. tony_d

    tony_d Elite Member

    Joined:
    Jun 22, 2013
    Messages:
    2,583
    Likes Received:
    3,179
    Location:
    1600 Amphitheatre Parkway, Mountain View CA
    Good share bartosimpsonio! I'm sure some will have a field day with this...
     
    • Thanks Thanks x 1
  3. TheSnowman

    TheSnowman Newbie

    Joined:
    Jun 10, 2014
    Messages:
    14
    Likes Received:
    1
    That's basically man-in-the middle attack... I'm not sure if this is really completely legal.
     
  4. qrazy

    qrazy Senior Member

    Joined:
    Mar 19, 2012
    Messages:
    1,115
    Likes Received:
    1,725
    Location:
    Banana Republic
    It's more like a basic botnet technique which has been used for years, I don't think it is legal..
     
  5. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,476
    Likes Received:
    11,180
    Occupation:
    CHEAP
    Location:
    DATASETS
    Home Page:
    The proxy belongs to you and is paid by you...the person is using your proxy for free....if they don't wish to have that code, then they should pay for their proxies.

    This is completely different from hacking and installing malware on random people's computers. This is more like seeing ads in exchange for using a service.
     
    • Thanks Thanks x 3
  6. StaceyJ

    StaceyJ Registered Member

    Joined:
    Dec 30, 2014
    Messages:
    81
    Likes Received:
    5
    Well using this kind of technique is not worth. So i would also don't say it as legal.
     
  7. tony_d

    tony_d Elite Member

    Joined:
    Jun 22, 2013
    Messages:
    2,583
    Likes Received:
    3,179
    Location:
    1600 Amphitheatre Parkway, Mountain View CA
    Indeed - and a simple TOS page that reserves your right to 'modify content before retransmitting to the user' would mean the user aquiesces and therefore (tacitly at least) gives permission.
     
    • Thanks Thanks x 1
  8. laowai

    laowai Power Member

    Joined:
    Feb 27, 2011
    Messages:
    522
    Likes Received:
    185
    I guess that legality would also depend on what the injected script would do.

    What comes to monetizing this method maybe I cannot think enough outside of the box, but wouldn't every like/ad click/whatever has always same IP, your proxy IP, so it wouldn't fly too long.
     
  9. ficfroc

    ficfroc Regular Member

    Joined:
    Feb 14, 2010
    Messages:
    476
    Likes Received:
    268
    Location:
    Sous Les Etoiles
    Lol barto, I just read this on reddit and was alredy thiking about the same technique.
    Notz that some online free proxies are already exploiting this legally to serve some adsense ads .
     
  10. CyHead

    CyHead Regular Member

    Joined:
    Apr 6, 2009
    Messages:
    235
    Likes Received:
    67
    Gender:
    Female
    Occupation:
    Student
    Location:
    Fiji
    The legality is questionable, but not in the way most are bringing up.

    The OP has a point that he's running a service and as part of the terms of usage, you agree that your information might be logged and that it might modify the data. All of that is pretty legal (assumes that users have seen a privacy policy disclosure or terms of service - that could be done by injecting in a header on to the page).

    The part where it gets legally grey is between the service and websites - many big sites have a disclaimer or terms of use that forbids bots or third-party services from accessing them or modifying the site's code. I'm pretty sure FB would have something like this saying "you can't scrape or edit or republish or modify the publication of our site/code" - basically means you can display the site or 'proxy' it , but not modify the output they push out to users.

    Still it's a blackhat method and I'm sure this would really work - lots of users around the world, and best of all these would be legit users - so real followers and friends.

    Biggest con to me is that you're basically running a proxy and people can misuse it for spam and malware and just about anything else, so you have to balance that out.
     
  11. fistor

    fistor Regular Member

    Joined:
    Feb 29, 2012
    Messages:
    256
    Likes Received:
    315
    Location:
    A mind needs books as a sword needs a whetstone, i
    This is illegal. Just because you own something does not mean you can infest people without their knowledge.
    If you own a website, do you really think you can inject people with a bank keylogger, and that's fine, because "they should just not have used your website"?

    The second point being the proxy you are providing. You have the VPS, the IP in question is under your control. Everything that passes the proxy is under your responsibility. And don't you even start to think it would only be spam. You'll be happy for spam, people use fast public proxies for worse stuff, far worse.
     
  12. accelerator_dd

    accelerator_dd Jr. VIP Jr. VIP

    Joined:
    May 14, 2010
    Messages:
    2,448
    Likes Received:
    1,010
    Occupation:
    SEO
    Location:
    IM Wonderland
    While that may be true, if you have a website where you give away the proxy for free, and put a disclaimer saying that you will be injecting that Javascript, you are not doing anything illegal or even unethical. Now, if someone scraping sites via google finds your proxy and uses it, it's their fault, not yours. If someone posts it on a forum and other people use it, same applies.

    What I would assume to be an issue is 100s of FB/Twitter/whatever accounts liking the same thing or even logging in from the same IP.
     
  13. snarky

    snarky Junior Member

    Joined:
    Nov 21, 2009
    Messages:
    104
    Likes Received:
    58
  14. playerb

    playerb Junior Member

    Joined:
    Aug 25, 2010
    Messages:
    116
    Likes Received:
    54
    some of you seem to be missing the point; when you set the cache of the js at some random date in the future, when the user disconnects from your proxy, and goes back to their normal internet connection, they still have that cached version of the js. so whenever they visit the site it's from, their browser loads the cached version ( including your code injection ) and it comes from their IP

    old method
     
    • Thanks Thanks x 1
  15. Nitros

    Nitros Power Member

    Joined:
    Jan 30, 2009
    Messages:
    580
    Likes Received:
    298
    Exactly my thoughts. The point of this method is to use their browser cache to load your js.
     
  16. bartosimpsonio

    bartosimpsonio Jr. VIP Jr. VIP Premium Member

    Joined:
    Mar 21, 2013
    Messages:
    12,476
    Likes Received:
    11,180
    Occupation:
    CHEAP
    Location:
    DATASETS
    Home Page:
    Of course if you damage the client PC then yes it probably is illegal but that would be illegal without a proxy as well.

    There's nothing illegal in this method if you use it for harmless marketing purposes.
     
  17. mrblackjack

    mrblackjack Jr. VIP Jr. VIP Premium Member

    Joined:
    Dec 6, 2011
    Messages:
    964
    Likes Received:
    560
    Occupation:
    I live alone, I work alone, I make money alone
    Location:
    G00gle LaNd
    Come one guys, dont act like pussies. Using a clickjacking script to hijack users' likes is even more "illegal" than this, and yet all of us do it. So, take it or leave it.
     
    • Thanks Thanks x 3