Security researchers have warned online shoppers to be on their guard after revealing news of an extensive network of fake e-commerce stores designed to steal victims’ card details and cash.
Operated primarily from China, the BogusBazaar network has processed over one million orders since 2021, according to Security Research (SR) Labs.
The security vendor estimated that over 850,000 shoppers have already fallen victim, mostly from Western Europe and the US. They’re thought to have ordered over $50m worth of non-existent items since 2021, although not every order results in successful payment, so the financial damage is expected to be somewhat lower.
However, even if payment isn’t successful, the scammers behind the operation will be able to harvest the victim’s card details and personal information via fake payment pages, SRLabs said.
In some cases, counterfeit items are shipped to the victim, but often they receive nothing.
Read more on e-commerce fraud: E-commerce Fraud Surges By Over 50% Annually.
Shoppers are lured to the fake web shops by legitimate-looking websites selling luxury and branded items at low prices. The scammers typically choose expired domains with good Google reputation, with the stores running on the WooCommerce WordPress plug-in, Zen Cart or OpenCart.
SRLabs claimed that 22,500 domains are currently active, although it has recorded over 75,000 in total used by the network.
“The group has adopted an ‘infrastructure-as-a-service’ model: A core team is responsible for infrastructure management, while a decentralized network of franchisees operates fraudulent shops,” SRLabs explained.
“The BogusBazaar core team deploys infrastructure and appears to operate only a small number of fake web shops. The core team is responsible for developing software, deploying backends and customizing various WordPress plugins that support fraud operations.”
BogusBazaar uses servers located mainly in the US, with each running around 200 fake e-commerce stores, although some support more than 500. Each server is associated with over 100 IP addresses.
Franchisees, again based mainly in China, manage day-to-day operations, SRLabs said.
“Payment pages can be rotated without changing the store fronts, for instance when a payment page is blocked for fraud,” it added.
SRLabs said it has shared its findings with network infrastructure operators, payment providers, search engines and other stakeholders in the hope they take action against the massive fraud operation.