The web giants have silently deployed the creepiest deception techniques we ever expected, in the name of protection...


#prologue

If you think you are smarter than the web giants and that you can mislead them or hide anything from them, please DO NOT READ THIS ARTICLE! Thanks!

Spamming, scamming and fraud attempts are permanent problems, not just in email services but across social media services too. The platforms want to protect their users, and that is perfectly fine. Nowadays not only messages can be classified as fraudulent or suspicious, but also user interactions and entire users. In that case, the allegedly fraudulent messages, posts and users will not appear in other users' timelines. An example that everybody can easily understand: if a strange follower on LinkedIn, Instagram, etc. posts a comment with a malicious URL, the service will filter it out with a sophisticated method. No, the platform will not delete or completely hide the comment with the URL; it will apply a more cruel but efficient technique: shadow-hiding. This is a deceptive but very efficient way of dealing with unwanted content. And in the worst case it is more than disruptive and dangerous.

Why? Because machines - just like humans - sometimes make mistakes. This fact also heavily impacts our offline lives.

What is shadow-hiding? It is similar to shadow-banning.

(1) The user who left the comment will see his/her comment, but he/she will not be informed that the comment simply doesn't appear for others.

(2) Yes, it is weird, but the social media services sometimes must silently deceive some users to protect the community.

If you see an unwanted comment under your post, it is much more effective to shadow-ban the annoying user than to block him or her. Why? If you completely block a freak user, the comment still stays among the other comments, and an insane freak user might create a brand new account, and with a brand new device the suspect can continue the fraudulent behavior or bullying. Why do the most abusive users use a new device? In the most serious cases the social web services deny registration based on the device fingerprint, unique identifiers and the user's behavior pattern.


See also [again]: device fingerprint, browser fingerprint, and the user behavior pattern as our unique fingerprint, for example the typical pattern of keystrokes on the keyboard, mouse scrolling and clicking. On mobile devices, where users navigate on a touchscreen, the logic is the same.

User behavior is really fully unique and almost impossible to fake: the well-known social media services and the third-party anti-fraud providers collect our every touch and analyze it with statistical methods: time series, different statistical distributions, coefficients, etc.

The behavioral, psychological approach, just briefly: classic blocking is positive feedback to dangerous criminals who harass others.

Therefore I have been telling everybody for many years: never block other users, with some rare exceptions! If you just restrict a user manually, they will believe that their annoying message was delivered on your side and that the comment is visible under the attacked user's post, but you and others will not see it. Another example: you can explicitly deny tagging, but it is more effective if you allow it and restrict a given user: he or she can still tag you in the future, but it will not affect you; only the abusive user will see it.

In this scenario - just briefly and based on my best psychological knowledge - the attacker will give up the bullying, harassment and defamation because he or she will not get positive feedback. It's called habituation or similar in behavioral science.

#By the way: did you know that Google and Bing allocated an extreme amount of resources to HIDE a huge amount of content which is not necessarily technically dangerous in the way phishing sites are: they hide results related to information warfare. Okay, I will write about it later.

The old-fashioned spam/scam filtering techniques were based on Bayesian networks and became more complex in the fight against classic email spam. But the most notable open-source filtering techniques, tactics and implementations are accessible to scammers AND to sysadmins, which means the cybercriminals can learn how to bypass the improved protection techniques. Notable example: the open-source SpamAssassin.

The Postini email solution chose a completely different way from 1999: it never disclosed the details of how its protection-as-a-service works. Does the Postini name not sound familiar to you? Okay, the current name is Gmail :) Google acquired Postini in several steps, and the tailored email protection has been continuously developed by Google since Gmail was born in 2004. Allegedly Google simply didn't know how successful and popular Gmail would be. Hotmail had cca. 50% of the global market share of free email services until the mid-2000s. Then Google Mail was developed as a solution for everything from small organizations to governments, as part of G Suite.

It doesn't matter whether you use the free Gmail or the paid version: the filters in the background almost never make mistakes, and the number of false positive and false negative results is minimal. Okay, Microsoft Exchange can also be very effective at spam filtering, but the fine tuning is not too easy. I also taught MS Exchange.

IMHO, just summarized:

SpamAssassin and similar free, open-source filtering logics are valued parts of internet history - classic email is older than the web - and are somehow still alive. [Email as a protocol can work without the web, but the web made email popular.] Google and Microsoft learnt from classic spam filtering, but the logic behind the filtering is among the most highly classified secrets nowadays. The proprietary solutions won this game against the free and open-source solutions.

Back to social media! Every platform wants its users to spend more time on its service, and messaging is implemented everywhere - which is very annoying for me, but nobody cares :)

If somebody sends a message to another user on Instagram, LinkedIn, Facebook, WhatsApp or X, the destiny of the message is similar to that of traditional email messages. In the background, machine learning evaluates at least a hundred factors and decides about the message:

(1) Perhaps the filter silently puts it in quarantine.

(2) The message will be delivered to the recipient's Message requests/Hidden requests/Spam folder in Instagram and Facebook Messenger, depending on the invisible risk score of the message and the individual privacy settings. These are similar to the quarantine and spam folders in email mailboxes: an average user will never read these messages.

(3) The recipient will be notified about the message request, or the message will be delivered directly.

I mentioned at least a hundred factors, but we don't know; perhaps a thousand factors evaluate and classify the messages behind the scenes.

Just imagine this scenario: a user with a recently created Instagram account sends me a message from New Zealand, while I live and use Instagram in the middle of Europe. The user has never contacted me before, and we don't have any common followers, followed users, group conversations or broadcast channels. We feel the same as the machine: the message is unwanted with very high probability. LinkedIn and Facebook check the common attributes among the users, common group memberships, and a wide range of common OR similar interactions. If the machine doesn't find any relation between the sender and the recipient, the verdict is the same: the message is unwanted with very high probability. The content of the message is irrelevant.

I remember that many, many years ago Facebook tested a beta feature: everybody could send a message directly to anyone else without restrictions, for example to a celebrity. The sender and the recipient didn't need to know each other personally; Facebook offered a price for delivery. I could have sent a message directly to Shakira, but only after paying more than 100 EUR for it. Facebook removed this feature - my thought-provoking question to readers: guess why? Write to me in a comment!

Another case which you might never have thought of. Imagine that my friend begins to use a social web service, adds me as a contact and follows me; I accept the connection request, follow him back, and we chat day by day. If a web giant identifies the sender's account as a hijacked, hacked or compromised account, his messages will not be delivered to my inbox.
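The three delivery outcomes and the compromised-account case described above, as an added Python example that is not code from this article or from any platform. The factor names, weights and thresholds are assumptions constructed for illustration; note that the scoring function never receives the message text.

```python
from dataclasses import dataclass, field

# Factors, weights and thresholds are constructed for illustration only;
# the platforms do not publish theirs.
QUARANTINE_AT = 95   # at or above: silently quarantined
REQUESTS_AT = 50     # at or above: Message requests / Hidden requests folder


@dataclass
class Account:
    handle: str
    age_days: int
    region: str
    follows: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    flagged_compromised: bool = False


def risk_score(sender, recipient, prior_chats=0):
    """Score 0..100 from the sender/recipient relationship; no message text."""
    if sender.flagged_compromised:
        return 100  # even a long-standing contact is blocked once flagged
    score = 0
    if sender.age_days < 30:                       # recently created account
        score += 25
    if sender.region != recipient.region:          # geographically distant
        score += 10
    if not (sender.follows & recipient.follows):   # no commonly followed users
        score += 25
    if not (sender.groups & recipient.groups):     # no common groups
        score += 10
    if prior_chats == 0:                           # never contacted before
        score += 20
    # An accepted, mutual connection lowers the risk.
    if recipient.handle in sender.follows and sender.handle in recipient.follows:
        score -= 30
    return max(0, min(100, score))


def route(score):
    """Map a risk score to one of the three outcomes listed in the article."""
    if score >= QUARANTINE_AT:
        return "quarantine"
    if score >= REQUESTS_AT:
        return "message_requests"
    return "inbox"


def triage(sender, recipient, prior_chats=0):
    return route(risk_score(sender, recipient, prior_chats))


# Constructed sample accounts.
ME = Account("me", 3000, "EU", {"friend", "carol"}, {"infosec"})
STRANGER = Account("new_nz_user", 3, "NZ")
FRIEND = Account("friend", 400, "EU", {"me", "carol"}, {"infosec"})

if __name__ == "__main__":
    print("stranger:", risk_score(STRANGER, ME), triage(STRANGER, ME))
    print("friend:  ", risk_score(FRIEND, ME, 40), triage(FRIEND, ME, 40))
```
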

The web giants work with third-party anti-fraud data processors, and they sometimes exchange their data warehouses with each other, at least partially. In addition, they often improve the solution with crowdsourced methods.

Therefore it is more difficult to fake an instant message or email and send it successfully than it was a decade ago, but never impossible.

The tech giants know everything about us, but not just for personalized, targeted marketing purposes.

It is not just about users and messages, it is also about user interactions.

Lately I have used Instagram more frequently than before, and I accidentally noticed an awkward thing. I posted a story in the morning and checked the viewers in the evening. Instagram informed me which users viewed the story, liked it or commented on it. And it informed me that some visitors were simply hidden, but I can check all of the visitors manually.

In the list of hidden users were users whom I know personally, but whom Meta detected as suspicious, a false positive result. The incorrectly classified interaction was based on multiple factors: some users had just recently registered on Instagram, or had closed their previous account and created a new one - the really fraudulent users do the same frequently. Or simply the visitor lives far from me and, based on his/her profile, was never interested in cybersecurity and privacy-related topics before, while my story contains a privacy-related picture, link and hashtag, AND there is the correlation among these pieces of information and the associated metadata. Probability and math again: users don't check content if they are not interested in the topic.

In this case it is suspicious, for example, if a 50-year-old woman who works on a farm in the Latin American region checks my story.

But why MIGHT this be suspicious? I mean a user interaction.

To summarize it is almost impossible, but I will try. If I check a complete stranger's profile for a moment, that will also appear as an interaction under the hood. The machine learning remembers this interaction and modifies the scoring; if I check the same user's profile multiple times, perhaps the ML will more likely assume that the 50-year-old woman far from me is a remote acquaintance or similar. If the user likes or comments on one of my pictures, this might be an early warning, a red flag - false positive or not. More interactions might result in a re-classification of the relationship between the strange user and me. If the 50-year-old woman from the Latin American region - who is a real person or a Midjourney AI-generated, realistic fake character - sends me a comment with a malicious URL, or a message with a URL which points to a phishing site, and I click on the link, this may cause something very, very unwanted... Exploitation of the device based on a zero-day vulnerability, undetectable malware, or a site which is part of global information warfare, depending on the website content behind the URL.

Okay, I almost never click on unfamiliar URLs, but most users do in a similar case.

Keep in mind: if you want to raise the chance of successful message delivery, send an email or InMail, and try to reach the recipient on other channels if it is really important and for some reason urgent. ONE MORE TIME: WhatsApp, Instagram and Facebook Messenger are not designed for messaging, and no matter what lies they tell about privacy-focused communication, please never send me any piece of evidence, for example pictures of a physical injury, seized weapons or similar sensitive information. In addition, if you send video footage or a photo of harm or of someone's abusive behavior, Meta and others reserve the right to restrict or terminate the sender's or the recipient's account.

Back to the technical background

I have multiple smart devices, but I don't really like them. I almost always use Instagram in the browser, I am continuously connected to a VPN, etc. I usually read and click faster than others on a mobile device. Recently I accidentally liked an Instagram creator's posts and pics too fast, one by one. Instagram had learned about me that I'm not an average user, therefore Insta didn't detect me as a robot. But it silently deleted a lot of the likes. Yes! After I liked the posts, Instagram silently eliminated the likes I had given.

Just imagine: I found a creator on Instagram who has 20 K followers and 150 posts containing nonfigurative images, and I liked 20 images within 15 seconds. For some reason Insta eliminated 18 of the 20 likes. And the service either identified my activity as automated or semi-automated activity, or it didn't.

The second one: allegedly the millennial generation uses the recent fancy services more smartly than the older generation. It's partially true. Many years ago I commented something funny under an acquaintance's FB post. He didn't find it funny and blocked me, LOL. The result: everybody laughed at my comment, which was still visible, except the guy who blocked me instead of deleting my comment. Nothing special, he blocked the whole world. What does it mean? We want to believe that we have control over our web activity and partially over others' activity; in fact, the best we can do is to think, learn and understand more than just the fundamentals of the recent services.

Do you like this era or not? It doesn't matter!

Try to keep your knowledge about the proper tools continuously up to date; it's definitely crucial. I read an article about a professional photographer who took a lot of photos in schools and kindergartens as part of his business in the United States. Not surprisingly, he took photos of school classes and groups with teachers and children. He stored all of the photos in a well-known cloud storage service. The ML in the background classified some photos as child pornography or similar; a not highly educated human moderator checked the photos, followed the internal playbook, and then escalated the case to a higher level. The result: the cloud storage company terminated the entire account and forwarded the information to local law enforcement. The photographer became the victim of a swatting attack a bit later.

If someone wants to store and preserve evidence for further investigation, that might itself be a crime in a given country according to the law; therefore, for example, a journalist or OSINT investigator must choose a proper cloud storage provider which is independently audited and which really cannot scan the uploaded content.

The social media platforms seem easy to use - in fact, the behavior of social media services is more chaotic and unpredictable now than ever before. I have talked about the importance of the verification checkmark; some privacy amateurs say they will never request verification. I don't care about the idiocy, I'm just sayin': cca. 2-3 years and verification will somehow be mandatory in every usable social web service. Web3 is a different topic, but if you take a look at the history of the internet, every place sooner or later required some type of information linked to the user. Every system collapses without controls and regulations; just briefly, these are essential parts of communities: trustworthiness and predictability.

The verification checkmark also protects you: it enhances your credibility and reduces the risk of identity theft.

Just imagine an average user who uses the same devices for personal purposes, without isolated browser containers, virtual machines or a heavily hardened environment. If you use a WhatsApp account with a disposable number, and an Instagram account with default privacy settings on another machine, but in the same building, Meta knows that both are tied to your identity. And not just the Meta services. Across Europe you can partially prohibit the PII exchange, but it has a smaller impact than you think. For example, you simply cannot control the many, many unique pieces of information which are needed to use the application for compliance purposes and legal regulations, and which are declared in the application's terms and conditions and community standards. This mandatory information reduces different kinds of risks and threats and tries to protect the community. And it tries to protect the user who might use an infected device which may be a tool for criminals. In addition, it is impossible or not recommended to deny anything which is related to you. In 2018, the telcos, Facebook and Google, among others, informed me about a sophisticated government-backed attack; they immediately locked my accounts, forced me to change my login credentials and made me take a security checkup.

Anyone can use different adblockers and privacy-enhancing tools for self-protection; the result will be fewer relevant advertisements and more irrelevant information.

Everyone should try to fine-tune his/her privacy settings regarding online and offline activity. The OPSEC methods used during research are a completely different matter. Just imagine an actress who plays Ophelia in Hamlet in a theater from 19:00 to 22:00. The actress is not Ophelia herself! Operational security during a social engineering project or an open-source investigation is fully similar: the researcher is not the same as the fictive character, if needed.

Your identity is NOT a user, your identity is a PERSON. It's not just about tracking cookies. I will explain in the next article what exactly this means: I intentionally used my personal LinkedIn, Instagram and OnlyFans in the same browser; it doesn't really matter whether these services are linked manually or not. As I expected, I have some new followers on Instagram from the adult film industry, and the web 2 services suggest that I connect with them as friends.

If your identity represents a PERSON and not just a USER across the web - which is an important part of our real life and impacts your offline life - it's time to rethink almost everything that we thought about ICT.

Stay tuned, I will continue with another article.

Excuse me for the poor grammar; the language stylizer confused the entire article, therefore I rewrote the entire text.

Marcos Souza

Executive Assistant | C-Level Executive Support | Strategic Management

9 months

Akos, your cybersecurity expertise and online protection skills are truly commendable. Your in-depth analysis sheds light on the complex strategies employed by web giants to safeguard users in the ever-evolving digital landscape. You encourage me to reconsider my approaches to online interactions and emphasize the importance of staying informed about emerging threats. Thank you for sharing your knowledge with us and keep enlightening us!
