Device & Geo Cloaking
Device/Geo Cloaking (also marketed as "Smart Filtering") is an evasion technique in which the merchant serves compliant content only to visitors who match specific "safe" criteria (e.g. particular locations, device types or IP ranges) and serves the real content to everyone else.
📝 Summary
- Technique: User-Agent & IP Filtering.
- Goal: Show the "Safe Page" to PSP crawlers and auditors (who typically arrive from US/EU corporate or datacenter IPs) and the "Money Page" to real customers.
- Risk Score: Severe.
🏗 Technical Architecture
```mermaid
flowchart TD
    Req([Incoming Request]) --> Filter{Cloaking Filter<br/>Middleware}
    Filter -->|IP = AWS/Google?| Safe[Show Safe Page]
    Filter -->|UA = Stripe-Bot?| Safe
    Filter -->|IP = Residential?| Risk[Show Money Page]
    style Safe fill:#15803d,stroke:#14532d,color:#fff
    style Risk fill:#b91c1c,stroke:#7f1d1d,color:#fff
```
Backend Logic (Pseudocode)
```javascript
// Pseudocode of the cloaking middleware. `geoip` (IP-to-organisation lookup)
// and `render` (template renderer) are assumed helpers, not real APIs.
function handleRequest(req) {
  const userAgent = req.headers['user-agent'] || '';
  const ipInfo = geoip.lookup(req.ip) || {};
  // Requests that look like a crawler or come from a datacenter get the decoy.
  if (userAgent.includes("Bot") || ipInfo.org === "Amazon Data Services") {
    return render("safe_electronics_store");
  } else {
    return render("iptv_landing");
  }
}
```
🕵️♂️ Detection & Risk Signals
1. Shadow Crawling (Residential Proxies)
- Counter-Measure: PSPs crawl the site through residential proxies (e.g. a Verizon home IP) to see what a "real user" sees.
- Signal: The "Safe Page" returned to an AWS IP differs from the "Money Page" returned to a Verizon residential IP.
2. Bounce Rate Anomalies
- Signal: Corporate/Datacenter traffic has a 100% bounce rate (bots checking and leaving), while Residential traffic has deep engagement.
3. Search Engine Indexing
- Signal: Google caches the "Money Page" (because the merchant wants customers to find it via SEO), while the merchant shows the "Safe Page" to the PSP.
- Detection: Searching `site:merchant.com` reveals "IPTV" keywords even though the site presents itself as an "Electronics Store".
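Signals 1 and 3 both reduce to the same check: fetch one URL from several vantage points (datacenter crawler, residential proxy, search-engine cache) and flag the merchant when the returned content diverges. The following is an added example of that comparison, not code from the original page; the HTML snapshots, the vantage names and the 0.5 similarity threshold are constructed assumptions.

```javascript
// Added example: multi-vantage content comparison for cloaking detection.
// Strips markup, tokenises the visible text and compares every pair of
// vantage points with Jaccard similarity plus a <title> check.
function htmlToTokens(html) {
  const text = html
    .replace(/<script[\s\S]*?<\/script>/gi, ' ')
    .replace(/<style[\s\S]*?<\/style>/gi, ' ')
    .replace(/<[^>]+>/g, ' ')
    .toLowerCase();
  return new Set(text.match(/[a-z0-9]{3,}/g) || []);
}

function jaccard(a, b) {
  let inter = 0;
  for (const t of a) if (b.has(t)) inter++;
  const union = a.size + b.size - inter;
  return union === 0 ? 1 : inter / union;
}

function extractTitle(html) {
  const m = html.match(/<title>([^<]*)<\/title>/i);
  return m ? m[1].trim().toLowerCase() : '';
}

// snapshots: { vantageName: htmlBody }. The threshold is an assumption;
// calibrate it against legitimate sites (A/B tests, geo-pricing) first.
function detectCloaking(snapshots, threshold = 0.5) {
  const names = Object.keys(snapshots);
  const tokens = Object.fromEntries(names.map(n => [n, htmlToTokens(snapshots[n])]));
  const divergent = [];
  for (let i = 0; i < names.length; i++) {
    for (let j = i + 1; j < names.length; j++) {
      const a = names[i], b = names[j];
      const sim = jaccard(tokens[a], tokens[b]);
      const titleMismatch = extractTitle(snapshots[a]) !== extractTitle(snapshots[b]);
      if (sim < threshold || titleMismatch) {
        divergent.push({ pair: [a, b], similarity: Number(sim.toFixed(2)), titleMismatch });
      }
    }
  }
  return { cloakingSuspected: divergent.length > 0, divergent };
}

// Constructed sample snapshots of one URL fetched from three vantage points.
const SAMPLE_SNAPSHOTS = {
  datacenter: '<html><head><title>Acme Electronics Store</title></head><body><h1>Headphones, chargers and cables</h1><p>Free shipping on electronics orders over 50 dollars.</p></body></html>',
  residential: '<html><head><title>Acme Premium IPTV</title></head><body><h1>10,000 live channels</h1><p>Subscribe monthly for premium IPTV streaming access.</p></body></html>',
  searchCache: '<html><head><title>Acme Premium IPTV</title></head><body><h1>10,000 live channels</h1><p>Subscribe monthly for premium IPTV streaming access.</p></body></html>',
};

console.log(JSON.stringify(detectCloaking(SAMPLE_SNAPSHOTS), null, 2));
```

On the sample data the datacenter snapshot diverges from both the residential and the cached copy, while those two agree with each other, which is exactly the pattern the two signals above describe.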
🏦 PSP Detection Probability
| Provider | Probability | Detection Analysis |
|---|---|---|
| LegitScript | 99% | Very Strong. Specialized service used by Visa/Mastercard. Uses sophisticated residential networks to bypass cloaking. |
| G2 Risk | 98% | Very Strong. Persistent monitoring of SERP (Search Results) to find pages the merchant tries to hide. |
| Stripe | 85% | Strong. Radar utilizes proprietary crawling data and User-Agent rotation, but sophisticated cloakers can sometimes evade basic bots. |
| Adyen | 88% | Strong. Uses 3rd party partners (like WebShield) for enhanced content verification. |
| PayPal | 80% | Strong. Relies heavily on buyer disputes ("Item Not As Described") rather than just crawling. |
| Shopify Payments | 75% | Medium. Can see the backend, but if the cloaking happens on a Headless frontend, they rely on transaction data. |
| Authorize.net | 40% | Weak. Rarely performs active crawling. Relies on static screenshots provided during onboarding. |
| Worldpay | 70% | Medium. Strong manual review, but automated detection of dynamic cloaking is slower. |
| Klarna | 90% | Strong. Since they finance the specific item, they require precise SKU data, making it hard to swap content dynamically. |
⚠️ Analyst Notes
This is the most dangerous form of cloaking because it directly targets the detection mechanism itself. Analysts must never audit a site from their corporate network; always use a pristine, non-attributed environment (e.g., a 4G mobile hotspot).
