Sites such as www.doctor.com and www.yellowbook.com use their fingerprinting technology.
From their website:
"Only Distil leverages a bot detection methodology that incorporates over 40 bits of information when developing a fingerprint for each user connecting to your website. Delving far deeper than user agents and IP addresses, Distil looks into all connection properties from the first time a user engages your site. Our technology then inserts JavaScript into the connection stream to capture even more detailed characteristics of the user. Once a complete fingerprint is developed and a bot is detected, the bot has no way of escaping our detection ever again."
However, looking at their JavaScript, it's clear that they are no different than the others. Excerpt from de-obfuscated code:
var _0x146bxd = _0x146bx6();
var v_environment = {};
try {
    v_environment["appName"] = navigator["appName"];
} catch (e) {
    v_environment["appName"] = 0;
};
try {
    v_environment["platform"] = navigator["platform"];
} catch (e) {
    v_environment["platform"] = 0;
};
try {
    v_environment["cookies"] = (navigator["cookieEnabled"]) ? 1 : 0;
} catch (e) {
    v_environment["cookies"] = 0;
};
try {
    v_environment["syslang"] = (navigator["systemLanguage"]) ? navigator["systemLanguage"] : navigator["language"];
} catch (e) {
    v_environment["syslang"] = "";
};
try {
    v_environment["userlang"] = (navigator["userLanguage"]) ? navigator["userLanguage"] : navigator["language"];
} catch (e) {
    v_environment["userlang"] = "";
};
try {
    v_environment["cpu"] = (navigator["oscpu"]) ? navigator["oscpu"] : navigator["cpuClass"];
} catch (e) {
    v_environment["cpu"] = "";
};
try {
    v_environment["productSub"] = (navigator["productSub"]) ? navigator["productSub"] : 0;
} catch (e) {
    v_environment["productSub"] = 0;
};
-
As invasive tracking technologies go, this one's pretty darn evil. Think "DRM meets phishing attack," and this is their unholy offspring. Yeah, it's that twisted. Their business model revolves around preying upon the gullible. (OK, that part's not exactly novel.) The best response is to convince it you're a threat, and overwhelm them with false positives. ("I am Spartacus!") And if they try to trick you into giving up your e-mail address or other personal information, don't fall for it. ("It's a trap!")
Their "service" most often modifies HTML by (among other things) inserting <script> calls to /aaa.nnnnn...nnn.js?PID=UUID, where aaa is usually ga (but not always!), and nnnnn...nnn is typically 11-15 decimal digits. UUID tends to be fairly constant, although exceptions exist there as well. The most common naming convention was presumably chosen to provoke confusion with Google Analytics. The numeric value changes over time, and does not appear to have anything to do with the site it appears on.
If you compare snapshots of [the HTML source of] the same page on different occasions, it should be fairly obvious what else they're doing, although it isn't particularly interesting to Ghostery. (Hint: look for random crap with style="display: none;" and strange <OBJECT> tags that are toxic catnip for Internet Explorer — which every smart person knows to avoid, right?)
I have a suspicion we're going to end up playing cat-and-mouse with these jokers.
Distil Networks
Website: www.distilnetworks.com
Examples:
www.britishhorseracing.com
www.couponcabin.com
www.fiercewireless.com
www.gopenske.com
www.mesaazcorruptionreport.com
www.nearer.com
www.sellyourmac.com
www.wholesalesolar.com
Pattern: /\\/(ga|xhr)\\.[0-9]+\\.js/
(Classification 4)
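The URL convention described in this post (a `ga` or `xhr` prefix, a run of decimal digits, `.js`, optionally `?PID=`), applied to a saved HTML page, as an added example that is not part of the original posts or of Ghostery's code. It assumes the doubled backslashes in the posted pattern are string escaping; the function names, the sample HTML and the PID value are constructed.

```javascript
// Posted pattern with assumed string escaping removed, plus capture groups
// for the digit run and the optional ?PID= value described in the post.
const PATTERN = /\/(ga|xhr)\.([0-9]+)\.js(?:\?PID=([^&#]+))?/;

// Collect the src attribute of every <script> tag (regex scan of saved HTML;
// inline scripts without src are skipped because [^>]* cannot cross '>').
function scriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Return one record per script URL that follows the described naming scheme.
function findInjectedScripts(html) {
  const hits = [];
  for (const src of scriptSources(html)) {
    const m = PATTERN.exec(src);
    if (!m) continue;
    const digits = m[2];
    hits.push({
      src,
      prefix: m[1],
      digits,
      pid: m[3] || null,
      // The post says the digit run is typically 11-15 digits long.
      typicalLength: digits.length >= 11 && digits.length <= 15,
    });
  }
  return hits;
}

// Constructed sample page: the real Google Analytics loader has no digit run,
// so it is not confused with the look-alike /ga.<digits>.js name.
const SAMPLE_HTML = `
<html><head>
<script src="https://www.google-analytics.com/ga.js"></script>
<script type="text/javascript" src="/ga.123456789012.js?PID=00000000-0000-0000-0000-000000000000"></script>
<script src='/xhr.4815162342.js'></script>
<script>var inline = 1;</script>
<script src="/static/app.20140101.js"></script>
</head></html>`;

console.log(findInjectedScripts(SAMPLE_HTML));
```

Running it over snapshots of the same page taken at different times also shows whether the digit run or the PID value changed between visits.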
-
Pete, Distil should NOT be blocked, it is used by legitimate websites, like ours, to prevent screen scrapers from doing real damage by stealing website data. It is not an ad network or anything like that, and contrary to what Bob said, the only time you are presented with a form to get unblocked is if the "browser" you are using is a known bad screen scraping bot, otherwise you receive a simple CAPTCHA, and that's only if JavaScript is disabled (or blocked). Thanks.
-
We do research ourselves. I'll forward to our product and dev team for review.
-
Thank you Pete.