Vast Network of Fake Web Shops Defrauds 850,000 & Counting

China-based cybercriminal group "BogusBazaar" created tens of thousands of fraudulent online stores based on expired domains to steal payment credentials.

Dark-haired woman in a white shirt sits at a desk in front of a laptop looking at a credit card in her hand
Source: Nako Photography via Alamy Stock Photo

A vast criminal network has stolen the payment credentials of more than 850,000 victims so far with tens of thousands of fake Web shops built on expired domains.

The group — dubbed BogusBazaar by the researchers at Germany-based Security Research Labs (SRLabs) who discovered it — operates out of China to manage an extensive network of more than 75,000 domains hosting fraudulent Web shops.

The group promises various online shopping deals with often high-end merchandise to Web shoppers. Instead of delivering on this promise, BogusBazaar steals payment card details and typically provides no merchandise, the researchers revealed in a blog post published May 8.

"BogusBazaar lures victims onto fake webshops, mainly offering shoes and apparel by well-known brands at low prices," researcher Matthias Marx and the SRLabs team wrote in the post. Instead of shipping legitimate goods, however, "BogusBazaar pursues two crime methods in parallel."

The first is to engage in payment card harvesting via fake payment pages, which collect victims' contact and card details. The second is to sell expensive merchandise on fake online shops that initiate payments via PayPal, Stripe, or credit card processors, then either not deliver any products to victims at all or "occasionally" send them cheap counterfeit merchandise.

Sometimes the group uses both criminal activities against the same victim in sequence, harvesting the payment card data through a spoofed payment interface and then presenting users with an error message that forwards to a functioning payment gateway to process a payment.

BogusBazaar has processed more than 1 million orders totaling more than $50 million in fraudulent payments since 2021; as of April, 225,000 of the domains were active. However, not every order results in successful payment, so the researchers estimate that the primary financial damage is lower than the numbers would imply. Meanwhile, the group inflicts secondary damages by using stolen credit card details in future crimes.

Franchise Operation

BogusBazaar operates on an "infrastructure-as-a-service" model to streamline its operations just like a legitimate franchise-based business might, and also has put in place automation tools to get new sites up running quickly and efficiently, the researchers discovered. One core group develops software, deploys back ends, and customizes various WordPress plug-ins to support the front-end shops, servicing a network of franchises that handle day-to-day operations for the various sites.

A typical BogusBazaar server is often associated with more than 100 IP addresses each and runs about 200 Web shops, with most of the servers hosted in the US. The group also has established "extensive orchestration capabilities" that "enable BogusBazaar to quickly deploy new webshops or rotate payment pages and domains in response to take-downs," according to SRLabs.

Most of the Web shops currently run on the WooCommerce WordPress plug-in, while past sites discovered by the researchers also used Zen Cart and OpenCart. The criminals also can rotate payment pages without changing the storefronts, giving them flexibility when a payment page is flagged for fraud, the researchers said.

One way the group helps to ensure that its sites have an effective reach is to build them using expired domains with high Google ratings, thus increasing the likelihood that shoppers will find them, the researchers said.

From a geographical standpoint, victims who have fallen prey to BogusBazaar are mostly from the US and Western Europe; as the main operating hub of the group is in China, there are almost no victims from that region.

Avoiding Web Shopping Scams

SRLabs has shared its findings with authorities and other stakeholders, who have been active in taking some of the fake shops offline. The team also is encouraging users to send info or questions related to the operation to them via email at [email protected].

"The criminal network has grown for years through low-key highly-scalable fraud," the researchers noted in the post. "Our insights enable network infrastructure operators, payment providers, and search engines to identify the crime nucleus and prevent future large-scale abuse."

To avoid being scammed, consumers should be suspicious of any deal that seems too good to be true, since it most likely is, they added.

There also are services available such as Fakeshop Finder in Germany to help consumers verify if a Web shop is legitimate. Similar US-based sites that cater to English-speaking consumers are ScamVoid and URL Void.

About the Author(s)

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights