Cloaking Signals & Risk Indicators
This reference guide outlines the specific Red Flags and Signals that risk analysts look for when investigating potential Payment Cloaking.
🚨 1. Technical Signals (The "Fingerprint")
These signals are derived from the HTTP headers, IP addresses, and server configurations.
| Signal | Description | Risk Level |
|---|---|---|
| Referrer Mismatch | Transaction `Referer` header does not match the merchant's registered URL. | 🔴 Critical |
| Missing Referrer | High volume of traffic with no referrer data (Direct/Dark). | 🟠 High |
| Offshore Hosting | "Local" business hosted on bulletproof offshore servers. | 🟠 High |
| Mismatched SSL | SSL Certificate Common Name (CN) doesn't match domain. | 🟡 Medium |
| X-Frame-Options Missing | Page can be framed (no `X-Frame-Options` header), common in "Iframe Injection" attacks. | 🟡 Medium |
| Open Proxy Detection | High % of traffic from known VPN/Proxy IP ranges. | 🟠 High |
📝 2. Content Signals (The "Look & Feel")
These signals are found by analyzing the website's visual and text content.
The "Zombie Site"
A site that looks alive but functions like a shell.
- Broken Social Links: Icons for FB/Twitter link to facebook.com (home) or return 404.
- Lorem Ipsum: Placeholder text left in "About Us" or "Terms" pages.
- Generic Assets: Stock photos of "Customer Support" people used on 1,000+ other sites.
- Empty Blog: A "News" section with one post titled "Hello World" from 3 years ago.
The "Impossible Business"
- Pricing Anomalies: Selling an iPhone 15 for $50 (likely counterfeit or phishing).
- Vague Products: Selling "Consulting Package A", "Service Tier 1" with no detail.
- Copy-Paste Terms: T&C page references a different company name (leftover from template).
💳 3. Transactional Signals (The "Flow")
Derived from the actual payment data passing through the gateway.
Descriptor Mismatch
- Observation: Website says "Bob's Burgers".
- Statement Descriptor: MKT-SVS-LTD-CYPRUS.
- Why: High-risk merchants often use generic shell company names to obscure the purchase on the cardholder's statement.
Clean Invoice Obfuscation
- Observation: Customer buys "Premium IPTV Package".
- Level 3 Data: Invoice sends "Network Support Hours - Qty 1".
- Why: To prevent the Issuer (Bank) from flagging the MCC as "Digital Goods" or "Streaming".
Velocity Spikes
- Observation: A dormant merchant suddenly processes $50k in one hour.
- Why: "Busting out" a card testing run or a massive laundering dump before the account is banned.
🎭 4. Behavioral Signals (The "User")
Derived from how users interact with the checkout.
The "0-Second Shopper"
- Behavior: User lands on the homepage and completes checkout in < 5 seconds.
- Reality: Impossible for a human. Indicates programmatic traffic (bots) or a direct link from a hidden site (the user already shopped on the shadow site and was just redirected to pay).
Geo-IP Conflicts
- Claim: Merchant is US-based, shipping to US.
- Data: 90% of cardholders have BINs (Bank Identification Numbers) from Russia or China.
- Reality: The merchant is servicing a high-risk geography prohibited by their acquirer.
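As an added example (not part of the original guide), here is a small Python scorer that applies several of the signals above to a constructed batch of transactions: referrer mismatch and missing referrer (section 1), velocity spikes (section 3), and the 0-second shopper and Geo-IP conflict (section 4). The merchant profile, transaction fields, sample values and thresholds are all assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Constructed merchant profile (assumed fields; values are illustrative only).
MERCHANT = {
    "registered_url": "https://bobsburgers.example",
    "claimed_country": "US",
    "baseline_hourly_usd": 500.0,   # typical hourly volume for this merchant
}

# Constructed one-hour transaction batch. bin_country is the issuing
# country derived from the card BIN; session_seconds is landing-to-checkout time.
TXNS = [
    {"referer": "https://bobsburgers.example/menu", "bin_country": "US", "session_seconds": 95, "amount": 24.50},
    {"referer": "https://shadow-shop.example/pay", "bin_country": "RU", "session_seconds": 3, "amount": 1900.00},
    {"referer": "", "bin_country": "CN", "session_seconds": 2, "amount": 1900.00},
    {"referer": "", "bin_country": "RU", "session_seconds": 4, "amount": 1900.00},
    {"referer": "https://bobsburgers.example/", "bin_country": "US", "session_seconds": 60, "amount": 12.00},
]

def host_of(url):
    return urlsplit(url).hostname or ""

def per_txn_signals(merchant, txn):
    """Signals that can be judged on a single transaction."""
    flags = []
    if not txn["referer"]:
        flags.append("missing_referrer")
    elif host_of(txn["referer"]) != host_of(merchant["registered_url"]):
        flags.append("referrer_mismatch")          # Critical in the table above
    if txn["session_seconds"] < 5:                  # the "0-Second Shopper"
        flags.append("zero_second_shopper")
    return flags

def batch_signals(merchant, txns):
    """Signals that only appear across a batch: ratios and velocity.
    Thresholds (50% ratios, 10x baseline) are assumed, not from the guide."""
    flags, n = [], len(txns)
    missing = sum(1 for t in txns if not t["referer"])
    if n and missing / n >= 0.5:
        flags.append("high_missing_referrer_rate")
    foreign = sum(1 for t in txns if t["bin_country"] != merchant["claimed_country"])
    if n and foreign / n >= 0.5:                    # Geo-IP / BIN conflict
        flags.append("geo_ip_conflict")
    if sum(t["amount"] for t in txns) > 10 * merchant["baseline_hourly_usd"]:
        flags.append("velocity_spike")              # dormant merchant suddenly spiking
    return flags

def review(merchant, txns):
    """Return per-transaction flags plus batch-level flags for an analyst."""
    return {"per_txn": [per_txn_signals(merchant, t) for t in txns],
            "batch": batch_signals(merchant, txns)}
```

Run `review(MERCHANT, TXNS)` to see which transactions carry the critical referrer mismatch and which batch-level signals fire; in practice the ratios and the velocity multiplier should be tuned per merchant segment.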
