Two-Site Redirect Cloaking

Two-Site Cloaking (or Redirect Masking) physically separates the high-risk content from the payment processing domain to prevent the PSP from seeing the "dirty" site.

📝 Summary

Technique: Frontend Redirects & Iframe Injection.
Goal: Hide the traffic source (High-Risk Site A) from the PSP (hosted on Low-Risk Site B).
Risk Score: High.

🏗 Technical Architecture

mermaid

flowchart TD
    subgraph HighRisk[High-Risk Site A]
        SiteA[cheap-iptv-streams.com]
    end
    
    subgraph LowRisk[Low-Risk Site B]
        SiteB[tech-support-hub.com]
        Page[Payment Page]
    end
    
    User([User]) -->|Browses| SiteA
    SiteA -->|Clicks Buy<br/>302 Redirect| SiteB
    SiteB -->|Render| Page
    Page -->|Submit| PSP[PSP Gateway]
    
    style HighRisk fill:#b91c1c,stroke:#7f1d1d,color:#fff,fill-opacity:0.1
    style LowRisk fill:#15803d,stroke:#14532d,color:#fff,fill-opacity:0.1

The Flow

Browsing: Customer shops on Site A.
Checkout: Clicking "Pay" triggers a redirect to Site B.
Payment: The PSP sees the transaction originating from tech-support-hub.com.
Return: User is redirected back to Site A.

🕵️‍♂️ Detection & Risk Signals

1. Referrer Leaks

Signal: The Referer HTTP header on the payment page shows cheap-iptv-streams.com.
Counter-Measure: Merchants use rel="noreferrer" or meta refresh tags to strip this.
Detection: Missing Referrer is itself a high-risk signal (Dark Traffic).

2. "0-Second Shopper"

Signal: User lands on Site B and pays immediately without browsing.
Behavior: A legitimate user would browse Site B before paying.

3. Session Metadata

Signal: Site B has no "Add to Cart" events in its own analytics, only "Checkout" events.

🏦 PSP Detection Probability

Provider	Probability	Detection Analysis
Stripe	90%	Very Strong. `stripe.js` telemetry captures referrer data even if stripped from headers. Flags "Direct" traffic anomalies.
Adyen	92%	Very Strong. "Shopper DNA" tracks redirect chains. Flags high volume of "0-second" sessions on checkout pages.
PayPal	85%	Strong. Detects "Dark Traffic" (no referrer) combined with high dispute rates typical of redirect schemes.
Checkout.com	88%	Strong. Uses traffic analysis to identify checkout pages with no upstream navigation history.
Shopify Payments	95%	Very Strong. If Site B is Shopify, they see full navigation logs. Impossible to hide the redirect within their ecosystem.
Braintree	80%	Strong. Leverages PayPal's network data. Good at detecting "clean" sites with suspiciously high velocity.
Worldpay	75%	Medium/Strong. Effective at detecting missing referrers, but legacy integrations (Direct Post) can be harder to trace.
Nuvei	80%	Strong. Manual risk teams investigate sites with high "Direct Entry" traffic sources.
Authorize.net	50%	Medium. Older integration methods (SIM/AIM) often lack full visibility into the browser's navigation history.
Apple/Google Pay	40%	Weak. Rely on the underlying processor. The wallet tokenization process obscures some web session data.

⚠️ Analyst Notes

Look for "Generic" Site B templates (e.g., "Consulting", "Hosting") that have high payment volume but low site engagement metrics (Time on Site < 10s).

Two-Site Redirect Cloaking ​

📝 Summary ​

🏗 Technical Architecture ​

The Flow ​

🕵️‍♂️ Detection & Risk Signals ​

1. Referrer Leaks ​

2. "0-Second Shopper" ​

3. Session Metadata ​

🏦 PSP Detection Probability ​

⚠️ Analyst Notes ​