A China-based criminal network operating tens of thousands of fake online stores has netted up to $75.6 million through fraudulent e-commerce purchases over the past three years.

The wide-reaching scam, uncovered by researchers at German cyber security consultancy Security Research Labs (SR Labs), targets victims across multiple nations by setting up false online stores and coaxing shoppers into a plethora of false purchases.

Named “BogusBazaar”, the criminal network runs bogus store fronts which advertise goods such as shoes and apparel to lure victims into providing their credit card details.

At best, victims receive a cheap counterfeit not matching their intended purchase, or at worst, they wind up having their credit card details stolen outright.

In some cases, the fake stores harvest credit cards and sell counterfeit goods in parallel, likely to distract victims from the theft of their card details.

“Both methods are sometimes used against the same victim in sequence,” explained SR Labs.

“First, credit card data is harvested through a spoofed payment interface.

“The victim is then shown an error message and forwarded to a functioning payment gateway, which initiates a payment.”

Often claiming to sell well-known brands at discount prices, the scheme has reportedly processed more than one million orders with an aggregated volume exceeding $75.6 million (US$50 million) over the past three years.

Not every order placed through the e-commerce scheme has resulted in a successful payment, meaning the precise financial damages are likely lower than the number of orders would otherwise suggest. However, SR Labs notes that “secondary damages” caused by credit card theft have further contributed to the overall damage.

Victims across the globe

SR Labs notes over 850,000 customers have fallen victim to BogusBazaar fraudsters with the majority of those being in the US and Western Europe.

Of 50 countries, Australians ranked the 12th most victimised at 15,077 fraud orders netting up to $1.7 million (US$1.1 million) in damages – among these orders were such notable brand names as Reebok, Amart Furniture and Thrills.

France is reportedly the most victimised at 197,642 fraudulent orders – totalling up to $33.6 million (US$22.1 million) in damages – while the US followed closely in second at 167,827 orders and up to $19 million (US$12.5 million) in damages.

Anthony Peake, .au policy expert and product manager at domain management platform Above.com, told Information Age that Australia’s domain regulator auDA first detected the scam ring about two years ago.

“We have seen this scam before and we are much better protected in the .com.au name space than other name spaces,” said Peake.

“We worked proactively with auDA on disabling the DNS on the domains in question and the scammers eventually lost interest and moved on to softer targets.

“However, I ran some numbers to see if this is still a problem in the .au namespace and was surprised to learn that it has not gone away, but has remained consistently active.”

Meanwhile, researchers observed “almost none” of the victims are from China, which has been deemed the “main operating hub” of the criminal network.

Senior security consultant at SR Labs, Matthias Marx, told Information Age that in spite of earning millions from its victims, the group seems to have evaded the attention of law enforcement by ensuring each fraud case has a relatively “low volume”.

Franchising fraud

Similar to modern ransomware gangs, BogusBazaar has adopted an “infrastructure-as-a-service” model which sees a core team heading the infrastructure of the scam while a decentralised network of “franchisees” runs its false online stores.

This core team develops software, deploys the backend and customises various WordPress plugins to support the scam’s operations. Meanwhile, its franchisees manage day-to-day operations from a network largely operated out of China.

According to SR Labs, a single server of BogusBazaar typically runs about 200 storefronts, with most of these servers being located in the US.

Furthermore, the fake stores are created “semi-automatically” with franchisees able to customise names and logos to their liking.

If a payment page is blocked for fraud, BogusBazaar enables its network of scammers to simply rotate in a new, functioning payment page without changing the storefront itself.

“The criminal network has grown for years through low-key highly-scalable fraud,” wrote SR Labs.

“Over time, the group has increased the level of infrastructure automation.

“Today, extensive orchestration capabilities enable BogusBazaar to quickly deploy new stores or rotate payment pages and domains in response to take-downs.”

Real domains, false goods

As for how tens of thousands of scam websites are able to stay online, SR Labs found the criminal network behind BogusBazaar uses previously expired domain names – often ones with a good reputation on search engines like Google – to add legitimacy to the scheme.

The criminal network reportedly uses over 75,000 domains to host its fraudulent shops, with approximately 22,500 of those seen to be active as of April.

Furthermore, should a regulator or industry body notice one of these domains is being used for fraudulent purposes, BogusBazaar appears to have countless backup domains to get scam stores back online.

“Currently, the network seems to rely on search engines and the good standing of recently expired domains,” Marx told Information Age.

“This is confirmed by some customers who explained that they had reached the fraudsters' websites via Google.

“More engagement from brands and law enforcement could result in more takedowns of domains and servers.”

When asked how consumers can protect themselves, Marx said it may be worth checking other consumers’ reviews while shopping since some of the scams have been “online for many months or even years”.

“When ordering online, a deal that sounds too good to be true, probably is,” said Marx.