Fake online stores have defrauded over 850,000 customers

Security researchers have warned online shoppers to be on guard after revelations of a vast network of fake online stores designed to steal victims’ card details and cash.

Mainly operated from China, the BogusBazaar network has processed over a million orders since 2021, according to Security Research (SR) Labs.

The security provider estimated that more than 850,000 customers, mostly from Western Europe and the United States, had already been victims. As of 2021, they are believed to have ordered over $50 million worth of non-existent items, although not every order results in successful payment, so the financial damage is expected to be somewhat less.

However, even if the payment fails, the fraudsters behind the operation will be able to intercept the victim’s card details and personal information via fake payment sites, SRLabs claims.

In some cases, the victim is sent counterfeit items, but often receives nothing.

Read more about e-commerce fraud: E-commerce fraud is increasing by over 50% annually.

Shoppers are attracted to fake online stores by legitimate-looking sites selling luxury and branded products at low prices. Fraudsters usually choose expired domains that have a good reputation on Google, and stores run on a WooCommerce WordPress plugin, Zen Cart or OpenCart.

SRLabs claimed there were 22,500 domains currently active, although it recorded a total of over 75,000 in use by the network.

“The group has adopted an infrastructure-as-a-service model: the core team is responsible for managing the infrastructure, while a decentralized network of franchisees runs mock stores,” SRLabs explained.

“The BogusBazaar core team is implementing the infrastructure and appears to only support a small number of fake online stores. The core team is responsible for software development, backend implementation and customization of various WordPress plugins that support fraud operations.

BogusBazaar uses servers located primarily in the US, and each server hosts around 200 fake e-commerce stores, although some host over 500. Each server is associated with over 100 IP addresses.

Franchisees, also based mainly in China, manage day-to-day operations, SRLabs said.

“Payment pages can be changed without changing store fronts, for example when the payment page is blocked due to fraud,” he added.

SRLabs said it has shared its findings with network infrastructure operators, payment service providers, search engines and other interested parties in the hope that they will take action against this massive fraud operation.