API-Driven Two-Site Cloaking
API Cloaking is an evolution of the Two-Site model. Instead of a simple redirect, the High-Risk Site A communicates with Low-Risk Site B via a backend API to generate unique, pre-filled checkout sessions.
📝 Summary
- Technique: Server-to-Server (S2S) Checkout Generation.
- Goal: Eliminate frontend referrer leaks and create a seamless "White Label" payment experience.
- Risk Score: Severe.
🏗 Technical Architecture
```mermaid
sequenceDiagram
    participant User as User Browser
    participant ServerA as High-Risk Server A
    participant ServerB as Low-Risk Server B
    participant PSP as PSP API
    User->>ServerA: Click "Buy"
    ServerA->>ServerB: POST /api/create-order
    Note right of ServerA: { amount: 100, item: "X" }
    ServerB->>PSP: Create Session
    PSP-->>ServerB: Session Created
    ServerB-->>ServerA: Return checkout_url
    ServerA->>User: Redirect to PSP
    User->>PSP: Complete Payment
```
Backend Logic (Pseudocode)
```python
import requests
from flask import redirect  # assumes this runs inside a Flask request handler

# Site A (High Risk)
def process_payment():
    # Server-to-server call: Site B creates the PSP session under its own account
    response = requests.post("https://site-b.com/api/generate-link", json={
        "price": 100.00,
        "product_name": "Consulting Hours"  # Obfuscated
    })
    # Site B returns the PSP checkout URL; the user is sent straight to the PSP
    return redirect(response.json()["checkout_url"])
```
🕵️ Detection & Risk Signals
1. IP Mismatch
- Signal: The API request to create the session comes from Server A's IP, but the user executes the payment from a residential IP.
- Detection: PSPs compare `Client-IP(User)` vs `Initiator-IP(Server)`. If the Initiator IP is a known hosting provider (e.g., DigitalOcean) different from Site B's server, it's suspicious.
2. Generic Line Items
- Signal: All products are mapped to generic descriptors like "Service Fee" to match Site B's business model.
3. Timing Anomalies
- Signal: The "Session Creation" timestamp matches exactly with traffic spikes on known high-risk affiliate networks.
🏦 PSP Detection Probability
| Provider | Probability | Detection Analysis |
|---|---|---|
| Stripe | 85% | Strong. Matches client_ip (browser) vs created_ip (API). Flags accounts where checkout sessions are created by external servers. |
| Adyen | 88% | Strong. Fingerprints the "Initiator" server. If specific hosting IPs create sessions across multiple merchants, they are flagged. |
| PayPal/Braintree | 75% | Medium/Strong. Detects mismatched velocity. Site B has low web traffic but high API checkout creation volume. |
| Checkout.com | 82% | Strong. Analyzes the "Time-to-Pay". API-generated links often have different latency patterns than native user checkouts. |
| Shopify Payments | 60% | Medium. If used Headless, detection is harder. Relies on fraud signals (CVV mismatch) rather than topology. |
| Authorize.net | 30% | Weak. Legacy API integrations often don't require strict IP matching between creator and payer. |
| Nuvei | 70% | Medium. Good at detecting high-risk verticals (crypto/gaming) but harder to spot generic API cloaking without manual review. |
| Revolut Business | 80% | Strong. Monitors for "Passthrough" funds. If Site B immediately forwards funds to another entity, it triggers AML alerts. |
| Payoneer Checkout | 75% | Medium. Focuses on cross-border flows. May flag if Site A traffic is from a sanctioned region masked by Site B. |
⚠️ Analyst Notes
This is the industry standard for professional cloaking. It requires technical sophistication. Analysts should look for Site B having an exposed API endpoint (e.g., /api/v1/checkout) that is receiving high traffic volume relative to the site's frontend visits.
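A defender-side check for the IP-mismatch and generic-line-item signals above, plus the API-volume-to-frontend-traffic ratio from the Analyst Notes, as an added example that is not code from the original page. The session records, the merchant's declared server range, the hosting-provider ranges (standing in for an ASN lookup) and the ratio threshold are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample inputs (not real data). initiator_ip is the server that
# called the PSP API to create the session; client_ip is the payer's browser.
SESSIONS = [
    {"id": "cs_1", "initiator_ip": "203.0.113.10", "client_ip": "198.51.100.23",
     "descriptor": "Premium Plan"},
    {"id": "cs_2", "initiator_ip": "192.0.2.77", "client_ip": "198.51.100.24",
     "descriptor": "Service Fee"},
    {"id": "cs_3", "initiator_ip": "192.0.2.78", "client_ip": "198.51.100.25",
     "descriptor": "Web Hosting Monthly"},
]

# Assumption: the merchant (Site B) declared its own server range at onboarding.
MERCHANT_SERVER_NETS = [ip_network("203.0.113.0/24")]
# Constructed stand-in for a hosting-provider / datacenter ASN lookup.
HOSTING_NETS = [ip_network("192.0.2.0/24")]
# Generic line items of the kind the page lists as a cloaking signal.
GENERIC_DESCRIPTORS = {"service fee", "consulting hours"}

def in_any(ip, nets):
    return any(ip in net for net in nets)

def score_session(session):
    """Return the list of risk signals raised by one checkout session."""
    reasons = []
    initiator = ip_address(session["initiator_ip"])
    # Signal 1: session created from a hosting IP that is not the merchant's server
    if in_any(initiator, HOSTING_NETS) and not in_any(initiator, MERCHANT_SERVER_NETS):
        reasons.append("initiator_ip_foreign_hosting")
    # Signal 2: generic descriptor that hides the real product
    if session["descriptor"].strip().lower() in GENERIC_DESCRIPTORS:
        reasons.append("generic_descriptor")
    return reasons

def flag_sessions(sessions):
    """Map session id -> signals, keeping only sessions that raised at least one."""
    flagged = {}
    for s in sessions:
        reasons = score_session(s)
        if reasons:
            flagged[s["id"]] = reasons
    return flagged

def volume_anomaly(api_sessions, frontend_visits, max_ratio=0.5):
    """Analyst note: API-created sessions far above frontend visits is suspicious.
    The threshold is a constructed illustration, not any PSP's real policy."""
    return api_sessions / max(frontend_visits, 1) > max_ratio
```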
