Let's Talk: Device and IP Identities

Th3_MAD_HATTER

Changing your online identity back and forth is an important skill BHatters obtain through:
1) Trial and Error
2) Research
3) Mentorship and Peer Reviews

I wanted to create this thread so we can all share exactly what is detected, ways around it, and what we've all learned from trial and error.

So from my years of experience pertaining to the topic, I will provide my own 2 cents on it, my own method, and periodically update on the topic upon new discovery.

:My 2 Cents:

Although it is a much-needed skill, it is strongly dependent on which platform you are trying to bypass, as they have different security measures in place.

In this thread, I will be targeting PayPal as, from my own experience, they have proven to have one of the strongest if not THE strongest security measures.

The identifiers that PayPal looks at are way more detailed than those of platforms such as Google, Microsoft, and even some Banking Providers.

When it comes to IP, this in my opinion, is the easiest to evaluate and produce. To skip most of the intro to IP and its correlation to online identity, it is quite simple, just get a residential proxy (it does not need to always be static as IPs nowadays are dynamic as long as you're using residential proxies from the same city).

The more important part of IP is making sure it does not leak, as there are many leakable sources in your browser: Java, Flash, Canvas, WebRTC, even your browser's version. This can all be fixed with a few changes in your browser and plugins or add-ons.

PayPal uses all this to evaluate the risk, including cookied IP and DNS.


:My Method:

This method may not be usable for many because of the resources needed, but because PayPal looks at your HDD #, it becomes extremely difficult to maintain a sustainable account.

Which is why I create Windows 10 VMs that only connect to residential proxies of the city I need. This method is simple and allows bypass of Device Identifiers, IP Identifiers, and Browser Identifiers.

Another method is to get a new phone just to hold accounts and use your service provider, never connecting to wifi. Although this is foolproof, I would only recommend doing this if you have multiple accounts to manage, such as PayPal, Adwords, Ebay, etc.


:To be Continued:

My next update will hopefully be within this week or the next, as I will list all the Device Identifiers that I currently know of and how to bypass them all.

I hope this helps you and inspires you to contribute to the thread where I have lacked.
 
I'm surprised there isn't an interest here, maybe I should have created a better title that included [method] as I did provide one :(. Even so, I will continue this thread for my personal development and any future ongoers.

So currently I am testing a method that allows me to create my own static residential IP which is perfect for VM integration, but it is also perfect for many other things as well :devil:.

Gonna test it further to see if there is a way to scale it as cheap as possible, will post results hopefully soon as I have gotten swamped with other projects.
 
First of all, I like your username.

But I deal with a lot of browser fingerprinting and off the top of my head (to be fair I haven't had my morning coffee yet) I don't think the browser can see your hard drive ID. If it could there'd be easier ways to spoof the response with a plugin rather than bother with a virtual device.
 
Thanks, for PP I am 100% sure of it, after years of testing, I can guarantee it.

I am also starting to think Adwords can see it because after some testing (using same device + the usual, cc cleaner, manually cleaning dnses, different residential IP, MAC address spoofer, normal plugins on firefox, and aged gmails) it gets suspended on same devices,

BUT when I use a completely different device with same VCC provider, different IP, campaigns start under an hour.

I may be wrong on that, I am still doing testing on Adwords, although not my priority when it comes to method creation.

Also I would love love love to know what HDD spoofer works, I have always been told and research has always shown me that it's impossible, is this a new method?
 
Have you looked at the fingerprinting code on the PP site? I've picked through a couple of them from different libs and providers. The provider's ones are obfuscated messes but I've never seen anything fingerprinting a hard drive.

Swapping device just shows you've got a leak - it doesn't show that it's the hard drive. Correlation does not mean causation. You also don't need to bother with the MAC address - they can't see that either.

Avoiding a fingerprint is about changing the things they can see. You can look at libs like this to see what they're looking for and most of them tend to work the same way creating a hash of your browser before sending it back. They can see some hardware info but your HDD isn't one of them.

And I wasn't talking about spoofing the actual hardware. If a browser was able to see that information you could spoof the response with a plugin - which you can also do with a lot of the stuff this fingerprinting looks for.

For example, if you really wanted to pretend to be an iPad for a site which is really paying attention then just changing the UA won't do it. In fact, it's a big red flag that you're up to something. navigator.platform will still read as a Windows/Linux/Apple computer and you've no plausible deniability there. So you'd need something like:

Object.defineProperty(navigator, "platform", {
  get: function() {
    return "iOS";
  }
});
 
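The mismatch described in the post above, seen from the detecting side, as an added example that is not part of the original thread or any site's real fingerprinting code: a script can compare the User-Agent against `navigator.platform` and notice when `platform` has been redefined on the `navigator` object itself. The family table, signal names, `makeNavigator` stand-in and User-Agent strings are constructed assumptions.

```javascript
// Added example: consistency signals around navigator.platform.
// Coarse, assumed mapping from User-Agent family to plausible platform values.
const UA_FAMILIES = [
  [/iPad|iPhone/, /^(iPad|iPhone|MacIntel)$/], // first: iOS UAs also say "like Mac OS X"
  [/Android/, /^Linux/],
  [/Windows/, /^Win/],
  [/Mac OS X/, /^Mac/],
  [/Linux/, /^Linux/],
];

function platformSignals(nav) {
  const signals = [];
  // A genuine navigator exposes "platform" through an accessor on its
  // prototype; Object.defineProperty(navigator, ...) leaves an own property.
  if (Object.prototype.hasOwnProperty.call(nav, "platform")) {
    signals.push("platform-own-property");
  }
  // The claimed User-Agent family must agree with the reported platform.
  const family = UA_FAMILIES.find(([ua]) => ua.test(nav.userAgent));
  if (family && !family[1].test(nav.platform)) {
    signals.push("ua-platform-mismatch");
  }
  return signals;
}

// Constructed stand-in for a browser navigator (prototype accessors only),
// so the example also runs under Node.
function makeNavigator(userAgent, platform) {
  const proto = {
    get userAgent() { return userAgent; },
    get platform() { return platform; },
  };
  return Object.create(proto);
}

// Constructed sample User-Agent strings.
const WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0";
const IPAD_UA = "Mozilla/5.0 (iPad; CPU OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1";

const untouched = makeNavigator(WIN_UA, "Win32");
const uaOnly = makeNavigator(IPAD_UA, "Win32");        // only the UA was changed
const overridden = makeNavigator(IPAD_UA, "Win32");    // UA changed plus the post's override
Object.defineProperty(overridden, "platform", { get() { return "iOS"; } });

for (const nav of [untouched, uaOnly, overridden]) {
  console.log(nav.platform, platformSignals(nav));
}
```

In a browser the same function takes the real `navigator` object; the signals are inputs to a risk score, not proof on their own.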
I completely agree that correlation does not mean causation but hdd # tracking on PP is actually something that is almost well known in the dark web community.

But if my experience and an entire community's opinion is wrong, I am open to all fact-checked info/advice.

If PP does not track the HDD # but they still track something regarding hard drive then what is it?

Also aside from residential IPs what else would be considered a suitable replacement?

I myself cannot read code but have been slowly getting into it, my info is mostly from experience and widely agreed-upon “opinion” in certain communities.

Would LOVE to pick each other's brains to help each other, I’m sure we both have useful info that can assist in our future endeavors!
 
https://browserleaks.com/ shows what info your browser can leak. I am sure there is no such thing as looking up the HDD, as browsers don't provide an API for this. They can know about your CPU, cores, GPU, WebGL capability, OS, fonts, plugins and many more.
 
I completely agree that correlation does not mean causation but hdd # tracking on PP is actually something that is almost well known in the dark web community.

But if my experience and an entire community's opinion is wrong, I am open to all fact-checked info/advice.

I'm sorry but - yes. This is what I'm saying. Your experience doesn't mean much if you're not actually able to look at the fingerprinting and you're just jumping through virtual machines.

And as for the 'entire community'... I don't agree. Skirting PayPal detection isn't exactly underground and loads of people do it without virtual machines. Even if an entire community did think that - entire communities are wrong all the time. People just parrot shit they've read until it becomes 'common knowledge'.

See my previous post for fact-checking. I included the kind of things browser fingerprinting can look for. Every site from PayPal to social media networks deals with the same limitations.

Also aside from residential IPs what else would be considered a suitable replacement?

I myself cannot read code but have been slowly getting into it, my info is mostly from experience and widely agreed-upon “opinion” in certain communities.

Would LOVE to pick each other's brains to help each other, I’m sure we both have useful info that can assist in our future endeavors!

Not really into talking about skirting PayPal detection specifically, sorry. Some dodgy shit goes on there and that's not my game.
 