
Massive Scam Ring of China-Based Fraudsters Stole $50 Million via Tens of Thousands of Fake Webshops

Fraudsters operating tens of thousands of fake webshops stole the credit card details of hundreds of thousands of people while also earning tens of millions of dollars in fake orders.

The network of fake online shops, dubbed ‘BogusBazaar’, tricked over 850,000 people, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders.

German cybersecurity firm Security Research Labs (SRLabs) estimated that over 1 million orders have been processed since 2021.

At the start of the campaign, a massive network of 75,000 fake online shops existed, although only about 22,500 remain as of April 2024.

China-based fraudsters target Western shoppers via fake webshops

SRLabs discovered that the massive webshop fraud ring steals credit cards from individuals in the United States and Western Europe, and rarely from China, its primary operating base.

The fraudsters harvest credit card details from spoofed payment interfaces before redirecting victims to legitimate payment gateways and initiating transactions. The payment pages usually feature PayPal, Stripe, and credit card processors.

The fraudsters typically sell shoes and apparel from well-known brands at irresistibly low prices. The victims rarely receive their orders but sometimes receive cheap counterfeits. SRLabs discovered that the fraudsters usually run both scams on the same victim.

While SRLabs did not explain the fate of the stolen credit cards, such cards usually end up on underground hacking forums, where they are sold and used for fraud.

Scam ring runs a decentralized Fraud-as-a-Service operation

The fraudsters run a “Fraud-as-a-Service” operation consisting of a core team that manages infrastructure and affiliates who operate the webshops.

The core team develops software and backend systems, and customizes WordPress and eCommerce plugins while also running a few fake webshops, likely for testing purposes. In turn, the affiliates oversee the daily operations of most fake webshops while paying the core team to utilize their infrastructure.

“The group has adopted an ‘infrastructure-as-a-service’ model: A core team is responsible for infrastructure management, while a decentralized network of franchisees operates fraudulent shops,” the report stated.

The criminal ring also decentralizes infrastructure by running fake webshops, payment gateways, and management applications on separate servers. This strategy allows them to rotate checkout pages rapidly without changing storefronts when payment pages are taken down for fraud.
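A triage check for the split described above, where card fields are collected on a checkout host separate from the storefront (an added example, not SRLabs' tooling or code from the report). The `.example` domains, the field-name hints and the two-entry processor allowlist are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumptions: a minimal allowlist (the two processors the article names)
# and a few common card-field name/autocomplete hints.
KNOWN_PROCESSORS = ("paypal.com", "stripe.com")
CARD_HINTS = ("cc-number", "cardnumber", "card_number", "cc-csc", "cvv")

class CheckoutForms(HTMLParser):
    """Record the submit host of every form that asks for card data."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.action, self.has_card = page_url, None, False
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A missing action posts back to the page itself.
            self.action = urljoin(self.page_url, a.get("action") or "")
            self.has_card = False
        elif tag == "input" and self.action is not None:
            label = f"{a.get('name') or ''} {a.get('autocomplete') or ''}".lower()
            self.has_card |= any(h in label for h in CARD_HINTS)

    def handle_endtag(self, tag):
        if tag == "form" and self.action is not None:
            host = urlparse(self.action).hostname
            if self.has_card and host:
                self.targets.append(host)
            self.action = None

def is_known_processor(host):
    return any(host == d or host.endswith("." + d) for d in KNOWN_PROCESSORS)

def off_site_card_targets(html, page_url):
    """Hosts receiving card fields that are neither the shop nor allowlisted."""
    parser = CheckoutForms(page_url)
    parser.feed(html)
    shop = urlparse(page_url).hostname
    return sorted({h for h in parser.targets
                   if h != shop and not is_known_processor(h)})

# Constructed sample: storefront page whose card form posts to another host.
SAMPLE = """
<form action="/search"><input name="q"></form>
<form action="https://pay-checkout.example/submit" method="post">
  <input name="cardnumber" autocomplete="cc-number"><input name="cvv">
</form>
"""

if __name__ == "__main__":
    print(off_site_card_targets(SAMPLE, "https://shoes-outlet.example/checkout"))
```

A hit is a lead for review rather than proof of fraud, since legitimate shops use processors beyond this two-entry allowlist.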

Additionally, the fraudsters have invented ingenious methods of semi-automatically launching fake webshops using WordPress and various eCommerce plugins, primarily WooCommerce but also Zen Cart and OpenCart.

The webshops feature customized names and logos, and the fraudsters have established quality assurance processes to minimize inconsistencies that would raise alarm.

Although the fake webshops operate from China, a typical BogusBazaar server is hosted in the United States. Each server runs about 200 fake webshops and is associated with over one hundred IP addresses exposed via Cloudflare.

The fraudsters host the fake shops on previously expired domains with a good reputation on Google, allowing them to appear high on web search results. Some customers have reported landing on fake webshops after clicking on Google search results featuring a variation of the official domain.

SRLabs has shared its findings, including a list of domains involved in the massive fraud ring, with authorities and relevant entities. It remains to be seen if the Chinese government will participate in shutting down the scam ring without allowing geopolitics to get in the way.

The cybersecurity firm has also shared a Fakeshop Finder tool for German buyers to identify dubious online stores involved in the massive fraud campaign.

Many inattentive buyers might overlook obvious red flags since many fake webshops copy reputable sellers’ designs.

To avoid falling victim to online scams, buyers should confirm the store’s authenticity by checking the seller’s contact information, social media pages, online reviews, and return and refund policy.

Similarly, browsing the whole online store could reveal sobering inconsistencies such as pixelated images, poorly designed or incomplete sections, and typographical errors rarely found on most reputable online stores. Buyers should also be wary of small and unknown online shops offering huge discounts on exclusive luxury items.

“These sorts of social engineering scams are very difficult to detect,” warned Roger Grimes, Data-Driven Defense Evangelist at KnowBe4. “Defenses include educating potential buyers that deals that seem too good to be true usually are and to recommend that people only give their credit card information to known, reputable vendors and sites.”