SusScam Logo
← Back to Whitepapers

SSWP-02

From Screenshot to Shutdown:
The Architecture of Modern Scam Intelligence

Published

March 2026

Author

SusScam Core Engineering

Abstract

Threat intelligence in the modern era is fundamentally a data processing pipeline problem. Hackers spin up highly distributed, ephemeral infrastructure (Vercel, Cloudflare Pages, decentralized hosting) that exists for mere hours before rotating. Legacy detection systems relying on static heuristic analysis and manual human review are mathematically incapable of keeping pace.

SusScam was engineered from the ground up as a high-velocity algorithmic framework designed to execute one goal perfectly: ingest raw visual data from a mobile device and convert it into structured, machine-readable Indicators of Compromise (IOCs) distributed globally, in under 60 seconds.

Core Metric

SusScam reduces the traditional threat ingestion-to-deployment timeline from 72 hours down to 45 seconds.

Phase 1: Edge Ingestion & Rate Nullification

The ingestion pipeline is the most vulnerable point in any crowdsourced application. Without rigorous mathematical controls, malicious actors will execute Denial of Service (DoS) attacks or pollute the dataset with fabricated telemetry to poison the AI models.

SusScam solves this by routing all inbound data through a heavily fortified Next.js Serverless architecture. Before a payload even reaches parsing, it must clear a three-stage gauntlet:

  • Cloudflare Turnstile Verification: An invisible, cryptographic proof-of-work challenge that mathematically separates human endpoints from server-farm botnets.
  • Global PostgreSQL Throttling: Traditional in-memory limiters fail under highly concurrent serverless scaling. SusScam operates a centralized `api_rate_limits` table indexed for hyper-fast IP tracking, guaranteeing hard ceilings on submission volume regardless of horizontal scaling.
  • Client-Side Canvas Compression: To optimize ingress bandwidth and lower storage overhead, highly dense 4K mobile screenshots are seamlessly compressed to 65% HTTP JPEG quality within the browser via a native Canvas API before transit.

Phase 2: Ripping & Cryptographic Hashing

Processing images computationally is expensive and slow. The core objective is to avoid processing identical spam campaigns hundreds of times perfectly.

Dual-Hashing Mechanisms

To ensure computational efficiency, the system utilizes two forms of hashing:

  1. Raw Binary Hashing: The uploaded image buffer is hashed using SHA-256. If `image_hash` exists in the database, the system instantly increments the campaign counter and aborts further processing.
  2. Normalized Text Hashing: The Tesseract.js OCR engine extracts the textual corpus from the visual payload. SusScam then runs a normalizer function (stripping whitespaces, lowercasing, and removing symbols) before creating a `text_hash`. This identifies identical spam campaigns even if the screenshot was cropped differently or sent via a different operating system.

Phase 3: Deep AI Semantic Analysis

Once a payload clears deduplication, the raw parsed text is injected into an advanced OpenAI Language Model pipeline. The AI is specifically prompted via a strict JSON schema architecture to act as a Tier-3 Cyber Threat Hunter.

The AI isolates the semantic intent of the text, entirely bypassing obfuscation techniques created to trick legacy systems (e.g., swapping O for 0, or utilizing Cyrillic character injections). The neural net returns a structured JSON payload encompassing:

  • Confidence Score (0-100): Probability that the payload is actively malicious.
  • Attack Vector: (e.g., Phishing, Advance Fee, Smishing, Credential Harvesting).
  • Impersonated Brand: The legal entity being spoofed (e.g., Bank of America, PayPal).
  • Categorized IOCs: The engine strips out malicious URLs, attacker phone numbers, and illicit Cryptocurrency wallet addresses routing the fraud.

Phase 4: Autonomous Campaign Clustering

Threat intelligence is relatively useless if it exists as 50,000 isolated spreadsheet rows. Enterprise defense mechanisms require pattern recognition to update WAF (Web Application Firewall) policies effectively.

SusScam features an autonomous clustering engine. When a report is approved, it is mathematically grouped into a larger `Scam Campaign` entity based on the `target_brand` and `malicious_url`. This allows defenders to see not just single anomalies, but entirely mapped infrastructural attacks targeting their customers across hundreds of endpoints.

This campaign data is immediately syndicated via the public feed and the B2B `/api/external/v1/intelligence/feed` REST route, allowing automated ingestion by SIEM tools globally.

Phase 5: Automated Extermination Protocols

The final step in the architecture is closing the loop on the attacker. Once a campaign is fully clustered and the `confidence_score` breaches the enterprise threshold, SusScam initiates the execution phase.

The system performs automatic DNS lookups on the malicious URL to isolate the authoritative nameservers and hosting autonomous system numbers (ASNs). It dynamically generates legally binding Abuse Reports packed with full forensic proof (the original screenshot, the extracted text, the AI classification data, and the cryptographic hashes) and dispatches them directly via API to the host provider's abuse endpoint.

By removing human latency from the ingestion, classification, and reporting pipeline, SusScam collapses the lifespan of malicious infrastructure from weeks to minutes.