Tri-Site Instant Delivery Cloaking Funnel (A → B → C)

This advanced scenario describes a specialized funnel architecture often used by small high-risk merchants selling digital goods like IPTV subscriptions, premium accounts, or software keys.

The architecture decouples the High-Risk Landing (Site A) from the Low-Risk Payment Interface (Site C) using an intelligent Bridge Layer (Site B).

📝 Summary

Technique: Tri-Site Bridge with Referral Cleaning & Instant Delivery.
Goal: Allow high-risk sales (Site A) while presenting a clean, low-risk business (Site C) to the Payment Service Provider (PSP).
Risk Score: High (Fragile if disputes occur).

Site A openly advertises high-risk products (IPTV, accounts, bundles). Site B acts as a smart filter, scrubbing referral data and analyzing visitor intent. Site C is a compliant storefront selling generic digital tools (PDF templates, guides), serving as the Merchant of Record.

🏢 Business Behavior

1. The High-Risk Offer (Site A)

Market: IPTV, digital accounts (Adobe, Office, Netflix), eBook bundles.
Marketing: SEO, Telegram groups, forums, social media ads.
User Expectation: Buying a specific high-value digital service.

2. The Low-Risk Front (Site C)

Catalog: "Digital Productivity Tools", "PDF Guides", "Generic Templates".
Language: Professional, compliant, generic.
No Keywords: Absolutely no mention of IPTV, streaming, or brand names.

3. The Seller's Strategy

The merchant uses Site B to enforce a strict separation. When a buyer clicks "Buy Now" on Site A, they pass through Site B. Site B cleans the tracking data and redirects to Site C for checkout.

4. Customer Communication

To prevent chargebacks that would expose the scheme, the seller emphasizes:

"If you have any issue, contact us on WhatsApp/Telegram immediately. Do NOT open a PayPal/Stripe dispute. We offer instant fixes or refunds via support."

"In case of any problem, please describe it as a ‘digital access issue’. Do not mention specific service names in the payment platform."

🏗 Technical Architecture

mermaid

flowchart TD
    %% ------------- FRONTEND FLOW -------------
    User[Buyer] --> A[Site A - High Risk]

    %% Pixel installed in Site A
    A --> Pixel[Pixel JS<br/>Tracking Script]

    %% Pixel sends data to Site B backend
    Pixel --> B_API[(Site B API<br/>Collect User Signals)]

    A -->|Buy Now| B[Site B - Bridge Layer]

    %% Decision Engine
    B -->|Normal User| C[Site C - Low Risk Checkout]
    B -->|Suspicious User| Manual[Manual Payment Page]

    C --> PSP[Payment Gateway]
    PSP --> C

    C -->|Instant Delivery| Delivery[External Delivery]

    %% ------------- BACKEND LOGIC IN SITE B -------------
    subgraph BackendB[Site B - Decision Engine]
        B_API --> Geo[Geo-IP Lookup]
        B_API --> ASN[ASN Check<br/>Hosting/VPN?]
        B_API --> FP[Fingerprint Matching<br/>Cookies / Headers / Device ID]
        B_API --> Velocity[Velocity Check<br/>Visits, Clicks, Time Spent]

        Geo --> Decision[Decision Logic]
        ASN --> Decision
        FP --> Decision
        Velocity --> Decision

        Decision -->|Allow| C
        Decision -->|Block/Manual| Manual
    end

    %% ------------- STYLES -------------
    style A fill:#b91c1c,stroke:#7f1d1d,color:#fff
    style B fill:#0369a1,stroke:#0c4a6e,color:#fff
    style C fill:#15803d,stroke:#14532d,color:#fff
    style Manual fill:#eab308,stroke:#a16207,color:#000
    style Delivery fill:#0f766e,stroke:#115e59,color:#fff
    style Pixel fill:#6b21a8,stroke:#4c1d95,color:#fff
    style BackendB fill:#1e293b,stroke:#0f172a,color:#fff
    style B_API fill:#475569,stroke:#334155,color:#fff
    style Decision fill:#0c4a6e,stroke:#082f49,color:#fff

The Request Flow

User Lands on Site A: Views high-risk product.
Click "Buy Now": Request sent to Site B (the Bridge).
Site B Analysis:
- Checks IP reputation (Datacenter vs Residential).
- Analyzes User-Agent and device fingerprint.
- Scrubs Referer header and tracking pixels.
Decision:
- Safe: Redirect to Site C with clean UTM parameters.
- Unsafe: Redirect to Manual Payment (Offline flow).
Payment (Site C): User pays for "Digital Template Pack".
Fulfillment: Backend system delivers the real product (IPTV/Account) via email or chat bot, totally separate from the PSP receipt.

🛡️ Site B Detection Logic (Advanced Filter Rules)

Site B is the brain of the operation. It applies a "Risk Scoring" model to every visitor.

🚩 Detection Signals

✔️ IP Datacenter: Hosting providers, cloud VPNs, or known PSP/Bank ASNs.
✔️ Desktop-Only: High correlation with manual reviewers (real buyers often use mobile).
✔️ Direct Traffic: No referrer or "cleaned" referrer suggests a test visit.
✔️ Clean Browser: Lack of cookies/history often indicates a fresh reviewer profile.
✔️ Rapid Navigation: Moving unrealistically fast between pages.
✔️ Legal Page Focus: Visitors immediately opening Terms/Privacy/FAQ are often compliance officers.

Decision Engine (Pseudocode)

typescript

function shouldRouteToSiteC(visitor) {
  // 1. Check Infrastructure
  if (isDatacenterIP(visitor.ip)) return false;
  if (isKnownPSP_ASN(visitor.asn)) return false;

  // 2. Behavioral Analysis
  if (looksLikePSPAgent(visitor)) return false; // e.g., strictly English, desktop, Linux
  if (visitor.navigationSpeed > THRESHOLD_FAST) return false;

  // 3. Fingerprint Check
  if (isReviewFingerprint(visitor.deviceId)) return false;

  return true;
}

function handleClickFromSiteA(req, res) {
  const visitor = extractVisitorSignals(req);

  if (!shouldRouteToSiteC(visitor)) {
    // Suspicious – divert to offline/manual payment
    return res.redirect("/manual-payment");
  }

  // Safe – proceed to clean checkout
  const safeCheckoutUrl = cleanIncomingRequest(req);
  return res.redirect(302, safeCheckoutUrl);
}

🧼 Referral & UTM Cleaning Policy

The merchant must ensure Site C never sees traffic coming directly from Site A.

The Cleaning Process

Strip Referer: Remove the HTTP Referrer header so Site C sees "Direct Traffic" or a generic source.
Sanitize Params: Remove ?iptv=true or ?ref=siteA from the URL.
Inject Safe UTMs: Rewrite marketing tags to match Site C's low-risk narrative.

Example Code (Referral Scrubbing)

typescript

function cleanIncomingRequest(req) {
  const safeUrl = new URL("https://site-c.com/checkout");

  // Only keep allowed params
  const allowedParams = ["utm_source", "utm_medium", "utm_campaign"];
  
  // Map or Copy existing params if they are safe
  for (const key of allowedParams) {
    if (req.query[key]) {
      safeUrl.searchParams.set(key, String(req.query[key]));
    }
  }

  // Force safe values if missing
  if (!safeUrl.searchParams.get("utm_source")) {
    safeUrl.searchParams.set("utm_source", "google_ads"); // Fake source
    safeUrl.searchParams.set("utm_medium", "cpc");
    safeUrl.searchParams.set("utm_campaign", "productivity_bundle");
  }

  // Explicitly remove any high-risk tokens
  safeUrl.searchParams.delete("ref");
  safeUrl.searchParams.delete("iptv");
  safeUrl.searchParams.delete("account");

  return safeUrl.toString();
}

Policy Summary:

“Never pass raw referrer from Site A to Site C.”
“Always override UTM with generic, low-risk marketing labels.”
“Strip any parameter that reveals IPTV, accounts, or sensitive funnels.”

🏦 PSP Risk & Mitigation

Despite these layers, PSPs have effective detection methods.

How PSPs Detect This

Dispute Analysis: Even if the site is clean, if 5% of buyers dispute "IPTV Not Working" on a "PDF Template" site, the mismatch is obvious.
Product Mismatch: Manual review of invoices vs. customer complaints.
Mystery Shopping: A persistent investigator might use a residential proxy and mobile device to pass Site B's filter and document the real flow.

Mitigation Strategies (Merchant Perspective)

Aggressive Support: "We fix it or refund it instantly." (Keeps dispute ratio low).
Volume Spreading: Using multiple PSP accounts to dilute risk.
Catalog Hygiene: Ensuring Site C is a fully functional, high-quality store, not just a landing page.

PSP Detection Probability

PSP	Probability	Reason
Stripe	40%	High behavioral visibility; catches referrer leaks.
PayPal	30%	Slower detection, but account linking is strong.
Adyen	50%	Strong graph analysis and shopper DNA tracking.
Manual (Wise/Bank)	10%	Very low visibility into the actual web traffic.

⚠️ Educational Disclaimer

This documentation is for educational, compliance, and risk-engineering study only.
It is not intended to encourage or promote policy evasion, fraud, or illegal activity. The focus is on understanding detection signals and architectural patterns to improve risk systems.

Tri-Site Instant Delivery Cloaking Funnel (A → B → C) ​

📝 Summary ​

🏢 Business Behavior ​

1. The High-Risk Offer (Site A) ​

2. The Low-Risk Front (Site C) ​

3. The Seller's Strategy ​

4. Customer Communication ​

🏗 Technical Architecture ​

The Request Flow ​

🛡️ Site B Detection Logic (Advanced Filter Rules) ​

🚩 Detection Signals ​

Decision Engine (Pseudocode) ​

🧼 Referral & UTM Cleaning Policy ​

The Cleaning Process ​

Example Code (Referral Scrubbing) ​

🏦 PSP Risk & Mitigation ​

How PSPs Detect This ​

Mitigation Strategies (Merchant Perspective) ​

PSP Detection Probability ​

⚠️ Educational Disclaimer ​