Traffic Analysis & Forensics

Traffic Analysis is the process of examining the metadata of web traffic—rather than just the content—to identify anomalies that suggest cloaking or aggregation.


🚦 Flow Disguising Patterns

High-risk merchants often try to "clean" their traffic before it hits the payment page.

1. The "Traffic Wash" (Referrer Scrubbing)

Merchants route visitors through intermediate pages (a meta refresh or a double redirect) that strip the Referer header, so the PSP cannot see where the traffic originated.

```mermaid
flowchart TD
    Origin[Illegal Gambling Site] -->|User Action| WashPage["'Loading...' Page<br/>Meta Refresh / Double Redirect"]
    WashPage -->|Clean Traffic| Merchant[Clean Merchant Page]

    style Origin fill:#b91c1c,stroke:#7f1d1d,color:#fff
    style Merchant fill:#15803d,stroke:#14532d,color:#fff
```

Detection:

  • Direct Traffic Spikes: A sudden 100% spike in "Direct" traffic (no referrer) is highly suspicious for a new e-commerce store. Real stores rely on SEO/Ads, both of which carry referrers.

2. Affiliate Stuffing (UTM Manipulation)

Merchants use misleading UTM parameters to make traffic look like paid ads.

  • URL: myshop.com/pay?utm_source=google_ads&utm_campaign=summer_sale
  • Reality: The traffic is not from Google. It arrives via hard-coded links from a shadow site.
  • Detection: Cross-reference with the ad platform's APIs. If utm_source=google_ads but no clicks are recorded in the merchant's Google Ads account, the tag is fake.

🕸 Graph & Network Analysis

Cloakers rarely operate a single site. They operate networks.

Shared Identity Clusters

Risk engines build graph databases to link entities.

  • Node A: Merchant 1 (Banned)
  • Node B: Merchant 2 (Active)

Linkages:

  • Shared Google Analytics ID (UA-XXXXX)
  • Shared Facebook Pixel ID
  • Shared Intercom App ID
  • Shared CSS/JS Hash (Using the exact same custom theme file)
  • Shared Support Email pattern (support@domain1.com, support@domain2.com)

Action: If Node A is banned for fraud, the graph allows the PSP to proactively block Node B before it processes a single dollar.

PSPs drop "Device Fingerprint" cookies. If the same cookie ID is seen first on the banned "Casino A" and later on "T-Shirt Shop B", the PSP can link the two visits to one device.

  • Inference: If the customer base overlaps 90% between a known gambling site and a "T-Shirt Shop", the T-Shirt Shop is likely a front.
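The two graph techniques above (shared-identifier linkage and device-cookie overlap) as an added example; this is not the page's own code, and the merchant profiles, tracker IDs and cookie sets are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed merchant profiles (hypothetical tracker IDs, not real ones).
MERCHANTS = {
    "casino_a":  {"ga_id": "UA-11111", "fb_pixel": "9001", "css_hash": "a1b2", "support": "support@casino-a.example"},
    "tshirt_b":  {"ga_id": "UA-11111", "fb_pixel": "9002", "css_hash": "a1b2", "support": "support@tshirt-b.example"},
    "flowers_c": {"ga_id": "UA-22222", "fb_pixel": "9002", "css_hash": "c3d4", "support": "help@flowers-c.example"},
    "books_d":   {"ga_id": "UA-33333", "fb_pixel": "9003", "css_hash": "e5f6", "support": "hello@books-d.example"},
}
# Constructed device-fingerprint cookie IDs seen on each site.
CASINO_COOKIES = {f"dev{i}" for i in range(10)}            # dev0..dev9
TSHIRT_COOKIES = {f"dev{i}" for i in range(9)} | {"dev20"}  # 9 of 10 overlap

def build_graph(merchants):
    """Undirected graph: an edge carries the set of identifier types two merchants share."""
    by_value = defaultdict(set)  # (attribute, value) -> merchants carrying it
    for name, attrs in merchants.items():
        for key, val in attrs.items():
            if key == "support":
                val = val.split("@")[0]  # pattern match on the local part, e.g. "support@..."
            by_value[(key, val)].add(name)
    graph = defaultdict(dict)
    for (key, _), group in by_value.items():
        for a in group:
            for b in group:
                if a != b:
                    graph[a].setdefault(b, set()).add(key)
    return graph

def linked_merchants(graph, banned):
    """BFS from a banned node; returns {merchant: hop distance} for every merchant reachable through shared identifiers."""
    hops = {banned: 0}
    queue = deque([banned])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, {}):
            if nxt not in hops:
                hops[nxt] = hops[cur] + 1
                queue.append(nxt)
    hops.pop(banned)
    return hops

def customer_overlap(known_bad_cookies, shop_cookies):
    """Fraction of the shop's device cookies that were also seen on the known-bad site."""
    if not shop_cookies:
        return 0.0
    return len(known_bad_cookies & shop_cookies) / len(shop_cookies)

if __name__ == "__main__":
    g = build_graph(MERCHANTS)
    print(linked_merchants(g, "casino_a"))                   # review queue after casino_a is banned
    print(customer_overlap(CASINO_COOKIES, TSHIRT_COOKIES))  # 0.9 -> likely a front
```

Edges are returned with the identifier types behind them so an analyst can weigh a single shared support@ local part (weak) against a shared analytics ID plus theme hash (strong) before blocking.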

Risk Science Documentation - Payment Cloaking & Evasion