Rule: Behavioural anomalies (premium)
Rule key: behavior_heuristics · Default weight: 0.7 · Tier: Business / Enterprise
Requires the behavioural collector to be enabled under Settings → Privacy & API keys. The collector is a small JS bundle that runs on the checkout page and reports a structured payload back to the server as the customer interacts with the form.
Signals captured
| Signal | Score contribution | What it catches |
|---|---|---|
| Card pasted, not typed | 35 | Carder workflow — paste from a stolen list |
| Email pasted, not typed | 10 | Weaker — could be a password manager |
| Card field autofilled | 20 | Browser autofill from an unexpected profile |
| Checkout completed in <5s | 30 | Automation / bot behaviour |
| No mouse movement | 25 | Headless browser, no human cursor |
| Superhuman typing rate | 15 | >25 cps email entry — bots typing literals |
| 3+ submission attempts | 10 | Trying different stolen cards |
| 5+ tab switches | 5 | Toggling to a stolen-cards spreadsheet |
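
The thresholds in the table, applied to a raw interaction log, as an added example (not the plugin's own code). Event names, field names and signal keys are hypothetical, and summing the contributions with a cap at 100 is an assumption: this page does not document the payload schema, how contributions combine, or how the default weight is applied.

```javascript
// Added example: event names, fields and signal keys are hypothetical;
// thresholds and contributions come from the table above.
const CONTRIBUTIONS = {
  card_pasted: 35, email_pasted: 10, card_autofilled: 20, fast_checkout: 30,
  no_mouse: 25, superhuman_typing: 15, many_attempts: 10, many_tab_switches: 5,
};

// Characters per second across the keystrokes recorded for one field.
function typingRate(events, field) {
  const keys = events.filter(e => e.type === 'key' && e.field === field);
  if (keys.length < 2) return 0;
  const seconds = (keys[keys.length - 1].t - keys[0].t) / 1000;
  return seconds > 0 ? (keys.length - 1) / seconds : Infinity;
}

function deriveSignals(events) {
  // An empty log means the collector did not run; that is not evidence of a bot.
  if (events.length === 0) return [];
  const count = type => events.filter(e => e.type === type).length;
  const has = (type, field) => events.some(e => e.type === type && e.field === field);
  const submits = events.filter(e => e.type === 'submit');
  const lastSubmit = submits.length ? submits[submits.length - 1].t : Infinity;
  const checks = {
    card_pasted: has('paste', 'card'),
    email_pasted: has('paste', 'email'),
    card_autofilled: has('autofill', 'card'),
    fast_checkout: lastSubmit - events[0].t < 5000,   // first event to final submit
    no_mouse: count('mousemove') === 0,
    superhuman_typing: typingRate(events, 'email') > 25,
    many_attempts: submits.length >= 3,
    many_tab_switches: count('tabswitch') >= 5,
  };
  return Object.keys(checks).filter(name => checks[name]);
}

// Assumption: contributions are summed and capped at 100.
function scoreSession(events) {
  const signals = deriveSignals(events);
  const raw = signals.reduce((sum, name) => sum + CONTRIBUTIONS[name], 0);
  return { signals, score: Math.min(raw, 100) };
}

// Constructed sample sessions (timestamps in ms since page load).
const keystrokes = (field, start, n, gap) =>
  Array.from({ length: n }, (_, i) => ({ type: 'key', field, t: start + i * gap }));
const botSession = [{ type: 'load', t: 0 }, { type: 'paste', field: 'card', t: 800 },
  ...keystrokes('email', 1000, 20, 10), { type: 'submit', t: 1500 }];
const humanSession = [{ type: 'load', t: 0 }, { type: 'mousemove', t: 900 },
  ...keystrokes('email', 2000, 20, 250), ...keystrokes('card', 9000, 16, 300), { type: 'submit', t: 40000 }];
```
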
Privacy & consent
The collector is off by default. Enabling it requires either the customer’s explicit consent (the recommended GDPR-compatible mode) or a legitimate-interest assessment in your privacy policy. The plugin’s Privacy → Data Export and Data Erasure hooks return the collector payload alongside other personal data when a customer requests it.
The payload is stored in wfg_rule_hits.metadata as JSON for the lifetime configured under Privacy → Data retention (default 365 days), after which it’s purged by the daily cron.