What do Europeans, Americans and Australians have in common? Scammed $50M by fake e-stores

A crime ring dubbed BogusBazaar has scammed 850,000 people out of tens of millions of dollars via a network of dodgy shopping websites.

Victims in Western Europe, Australia, and America were tricked by these sham sites into placing orders for goods that either didn’t exist or were cheap knock-offs, and had their credit card details harvested for fraud to boot.

The crooks behind the caper bagged roughly $50 million in the past three years from fake online stores spanning 22,500 domains, according to a report by analysts at SRLabs this week.

“The operation of fraudulent webshops is a seemingly small but well-organized crime,” Matthias Marx, a security consultant at SRLabs, told The Register.

“As each fraud case has a relatively low volume, the fraudsters seem to have managed to evade the attention of the law enforcement authorities despite earning millions.”

The primary purpose of the fake e-commerce network is to steal credit card data, and BogusBazaar also spoofed payment services like PayPal and Stripe to collect that information. When the crew isn’t harvesting credit cards, it sells fake goods that cost real money.

According to the report, most folks who make a purchase on one of the fake stores – usually for discounted luxury items – don’t receive anything at all, and the lucky few who do get a delivery are greeted with counterfeit merchandise.

The crooks have also been running both scams against the same person. First, a customer will attempt to complete their purchase via a spoofed payment service, which will collect their credit card details and then throw an error. After that, the victim is brought to the actual payment processor, which makes a real transaction that at best results in fake goods.

E-commerce fraud, powered by US servers and WordPress

The operation is decentralized and optimized to deploy fresh fake sites fairly quickly. The core BogusBazaar crew handles all of the software development and server management.

BogusBazaar's servers, most of which are hosted in the US and use Cloudflare, can usually present 200 shops each, with some hosting up to 500 storefronts. These sites use WordPress with the WooCommerce plugin, though in the past Zen Cart and OpenCart were also used.

The spoofed payment pages are decoupled from the actual storefronts, meaning if one bogus payment site is taken down for fraud, another can be rotated in easily to keep on scamming. BogusBazaar has apparently got very good at automating the process for creating new websites, which tend to reuse expired domains, especially those with a good reputation on Google.

The fake shop sites themselves are run by BogusBazaar affiliates, who pay the core team for the software and server access in what the report terms a fraud-as-a-service franchising model. Most franchisees are operating out of China, and their victims are largely in the US, the UK, France, Australia, and other Western nations.

Unfortunately, SRLabs’ report isn’t an autopsy, and the firm estimates BogusBazaar is still operating tens of thousands of websites. The firm says it has shared its findings with the authorities and relevant internet providers, though didn’t mention what actions had been taken so far against the fraud ring. ®