Researchers at Security Research Labs (SRLabs) in Germany have uncovered a criminal network that has stolen the payment credentials of over 850,000 victims through more than 75,000 fake web shops hosted on expired domains. The group, known as BogusBazaar, operates out of China and lures online shoppers with attractive deals on high-end merchandise, only to steal their payment card details and deliver little or nothing, as reported in a blog post on May 8.
The modus operandi of BogusBazaar involves two main criminal methods. Firstly, they engage in payment card harvesting by creating fake payment pages to collect victims’ contact and card details. Secondly, they sell pricey items on counterfeit online shops that initiate payments using platforms like PayPal, Stripe, or credit card processors but do not deliver goods, or sometimes send substandard, cheap merchandise. Additionally, the group sometimes employs both tactics in sequence to maximize their gains, capturing payment card data through a spoofed interface and then redirecting users to a legitimate payment gateway.
Since 2021, BogusBazaar has processed upwards of 1 million orders totaling more than $50 million in fraudulent payments. However, due to unsuccessful transactions, the actual financial damage is estimated to be lower than the initial numbers suggest. Moreover, the group also uses stolen credit card details for future criminal activities, inflicting secondary damages on the victims.
To streamline its operations, BogusBazaar runs on an “infrastructure-as-a-service” model similar to a legitimate franchise. Automation tools let it launch new sites quickly. A typical server hosts around 200 webshops behind roughly 100 IP addresses, and most servers are located in the US. This setup, together with sophisticated orchestration capabilities, allows BogusBazaar to deploy new sites or swap payment pages and domains rapidly in response to takedowns.
Most of the fraudulent webshops operated by BogusBazaar run on the WooCommerce WordPress plug-in, leveraging expired domains with high Google ratings for better visibility to potential victims. Geographically, the majority of victims targeted are from the US and Western Europe, with very few from China, where the group is based.
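The hosting pattern described above (many WooCommerce shops on re-registered expired domains crowded onto a few shared IPs) can be turned into a simple triage check. The following is an added example written for this article, not SRLabs' tooling; the record fields, thresholds and sample data are constructed assumptions, with the domains and IPs taken from reserved documentation ranges.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records (not real data): a hypothetical snapshot combining
# DNS resolution, WHOIS history and a CMS fingerprint for shop domains under review.
# The field names are assumptions made for this example.
@dataclass(frozen=True)
class ShopRecord:
    domain: str
    ip: str
    previously_expired: bool   # domain lapsed and was re-registered (from WHOIS history)
    cms: str                   # CMS fingerprinted from the storefront, e.g. "woocommerce"

# 25 shops crammed onto one host, all on re-registered domains running WooCommerce,
# plus two ordinary shops on their own hosts. IPs are from RFC 5737 documentation ranges.
SAMPLE = [ShopRecord(f"deal-outlet-{i:02d}.example", "203.0.113.10", True, "woocommerce")
          for i in range(25)]
SAMPLE += [ShopRecord("longstanding-store.example", "198.51.100.7", False, "magento"),
           ShopRecord("small-craft-shop.example", "198.51.100.8", False, "woocommerce")]

def shops_per_ip(records):
    """Map each hosting IP to the shop domains that resolve to it."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r.domain)
    return by_ip

def indicators(record, by_ip, shared_threshold=20):
    """Return the BogusBazaar-style indicators present for one shop record."""
    found = []
    if record.previously_expired:
        found.append("re-registered expired domain")
    if record.cms == "woocommerce":
        found.append("woocommerce storefront")
    co_hosted = len(by_ip[record.ip]) - 1   # other shops sharing this IP
    if co_hosted >= shared_threshold:
        found.append(f"shares hosting IP with {co_hosted} other shops")
    return found

def triage(records, min_indicators=2, shared_threshold=20):
    """Flag shops showing at least min_indicators indicators; returns domain -> indicators."""
    by_ip = shops_per_ip(records)
    flagged = {}
    for r in records:
        found = indicators(r, by_ip, shared_threshold)
        if len(found) >= min_indicators:
            flagged[r.domain] = found
    return flagged

if __name__ == "__main__":
    for domain, found in triage(SAMPLE).items():
        print(domain, "->", "; ".join(found))
```

A single WooCommerce shop on its own host scores only one indicator and is not flagged; the co-hosting threshold is what separates a franchise-style cluster from an ordinary small store.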
SRLabs has shared its findings with relevant authorities and stakeholders, leading to the takedown of some fake shops. The team recommends that users report any related information or queries via email to [email protected] to aid in combating this criminal network. Consumers are advised to be cautious of deals that seem too good to be true and utilize services like Fakeshop Finder in Germany or ScamVoid and URL Void in the US to verify the legitimacy of online shops.
In conclusion, the discovery of the BogusBazaar network sheds light on the sophistication and scale of online fraud operations. By staying vigilant and utilizing available resources, consumers can protect themselves from falling victim to such scams and contribute to the prevention of large-scale abuse by criminal entities.