Advanced Detection Methods
This section details the specific technical methodologies used by PSPs to uncover hidden high-risk merchants.
1. Web Crawling & Content Analysis
The first line of defense is automated inspection of the merchant's digital storefront.
HTML & DOM Analysis
Crawlers parse the `document.body` to find:
- Keyword Density: Analyzing the frequency of high-risk terms (e.g., "replica", "streaming", "bet", "odds").
- Link Graph: Checking outgoing links. Does a "Consulting" site link to an offshore gambling portal?
- Hidden Elements: Detecting content hidden via `display: none` or `visibility: hidden` that might contain the real product list served to specific users.
Image Recognition (OCR)
Cloakers often put prohibited text inside images to evade text-based crawlers.
- Technique: Risk engines use OCR (Optical Character Recognition) to read text embedded in banners and product images.
- Example: A banner image saying "100% Bonus on First Deposit" detected on a generic "Gaming Blog".
2. Traffic & Network Fingerprinting
When content is cloaked, the network traffic often reveals the truth.
Referrer Leaks
- Concept: When a user moves from Page A to Page B, the browser sends a `Referer` header.
- Detection: If the payment gateway sees `Referer: https://illegal-casino.com` for a merchant registered as `https://my-bakery.com`, it's a confirmed cloak.
- Counter-Measure: Cloakers use `rel="noreferrer"` or meta tags to strip this header. PSPs counter this by analyzing traffic patterns (missing referrers are suspicious in themselves).
Hosting & ASN Reputation
- Concept: Legitimate merchants use standard hosting (AWS, Shopify, GoDaddy).
- Detection: High-risk merchants often use "Bulletproof Hosting" or offshore ASNs (Autonomous System Numbers) known for ignoring abuse reports.
- Signal: A "Local Flower Shop" hosted on a known high-risk ASN in Seychelles is an anomaly.
DNS History
- Concept: Checking the historical records of a domain.
- Detection:
- Domain Age: A domain registered 2 days ago processing $100k volume is high risk.
- A-Record Swaps: Frequent changes in IP resolution can indicate "Fast Flux" techniques used to evade IP bans.
3. Payment Flow Simulation
Risk engines employ "Mystery Shopper" bots to validate the customer journey.
Redirect Chain Analysis
The bot traces every hop in the HTTP request chain.
```mermaid
flowchart TD
    Bot([Bot / Crawler]) -->|Request| SiteA[merchant.com]
    SiteA -->|301 Redirect| Tracker[tracker.com]
    Tracker -->|302 Redirect| LP[landing-page-B.com]
    LP -->|JS Redirect| Final[final-payment-page.com]
```
- Flag: Any redirect chain involving > 2 hops or domains not declared during onboarding is flagged for manual review.
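A minimal version of the tracing and flagging rule above, added here as an illustration rather than any PSP's actual risk-engine code. It assumes a constructed in-memory `FAKE_WEB` map standing in for real HTTP responses, and a deliberately simple regex for JavaScript `location` redirects; a production bot would use a real client and a headless browser.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed stand-in for the network: URL -> (status, headers, body).
# It reproduces the four-hop chain from the diagram so the example runs offline.
FAKE_WEB = {
    "https://merchant.com/": (301, {"Location": "https://tracker.com/go?id=1"}, ""),
    "https://tracker.com/go?id=1": (302, {"Location": "/"}, ""),  # relative Location is allowed
    "https://tracker.com/": (302, {"Location": "https://landing-page-b.com/"}, ""),
    "https://landing-page-b.com/": (200, {},
        '<script>window.location.href="https://final-payment-page.com/pay";</script>'),
    "https://final-payment-page.com/pay": (200, {}, "<form action='/checkout'></form>"),
}

# Simplified pattern for `location = "..."` / `window.location.href = "..."` assignments.
JS_REDIRECT = re.compile(r"""(?:window\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']""")


def fake_fetch(url):
    """Hypothetical fetcher: returns (status, headers, body) from the constructed map."""
    return FAKE_WEB.get(url, (404, {}, ""))


def trace_redirects(start_url, fetcher=fake_fetch, max_hops=10):
    """Follow 3xx Location headers and simple JS location assignments.
    Returns the ordered list of URLs visited, start URL first; stops on a loop or max_hops."""
    chain = [start_url]
    url = start_url
    while len(chain) <= max_hops:
        status, headers, body = fetcher(url)
        if 300 <= status < 400 and "Location" in headers:
            nxt = urljoin(url, headers["Location"])
        else:
            match = JS_REDIRECT.search(body)
            if not match:
                break
            nxt = urljoin(url, match.group(1))
        if nxt in chain:  # loop guard
            break
        chain.append(nxt)
        url = nxt
    return chain


def evaluate_chain(chain, declared_domains):
    """Apply the rule from the text: flag if > 2 hops or any host was not declared at onboarding."""
    hops = len(chain) - 1
    hosts = {urlsplit(u).hostname or "" for u in chain}
    undeclared = sorted(hosts - set(declared_domains))
    return {"hops": hops, "undeclared": undeclared, "flagged": hops > 2 or bool(undeclared)}
```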
Iframe & Form Hijacking
- Detection: The bot inspects the `<form>` action URL on the checkout page.
- Cloaking: Submitting data to `api.offshore-payment.com` instead of the PSP's direct API.
4. Behavioral Anomaly Scoring
Risk is often defined by what doesn't happen.
The "Zero-Traffic" Paradox
- Scenario: A merchant claims to process $1M/month.
- Detection: SimilarWeb/Alexa rank shows the domain has < 500 visitors/month.
- Conclusion: The traffic is not happening on the claimed domain. It is happening on a hidden "Shadow Site" and being tunneled through.
Inconsistent Cart Value
- Scenario: A merchant sells "E-Books" priced at $5.00.
- Data: Transactions are consistently for $100, $200, $500.
- Conclusion: The product being sold is not the E-Book. It is likely a "wallet top-up" for gambling or a high-ticket prohibited item.
