Massive webshop fraud ring steals credit cards from 850,000 people


A massive network of 75,000 fake online shops called ‘BogusBazaar’ tricked over 850,000 people in the US and Europe into making purchases, allowing the criminals to steal credit card information and attempt to process an estimated $50 million in fake orders.

Additionally, millions of stolen credit card details were resold on dark web marketplaces, allowing other threat actors to purchase them and perform unauthorized online purchases.

According to a report by the German cybersecurity firm Security Research Labs GmbH (SRLabs), the BogusBazaar network has attempted to process an estimated $50 million in fake purchases since the operation launched three years ago.

Most of the victims are concentrated in the United States and Western Europe. At the same time, there are virtually no victims from China, which is thought to be the operational base of the scam operation.

[Figure: Origin of purchases on BogusBazaar shops. Source: SRLabs]

A massive network of fake webshops

BogusBazaar is a highly organized operation that has launched over 75,000 fake webshops since 2021, though the number of active sites has recently diminished to over 22,500.

The cybercriminals host the fake shops on previously expired domains that have a good reputation with Google, and the shops typically pretend to sell shoes and clothing at very low prices.

The sites are created semi-automatically and feature custom names and logos, so there’s some effort to raise the quality and, with it, the perceived legitimacy of the shop.

[Figure: One of the fraudulent shops. Source: SRLabs]

The payment pages on these sites either collect the victims’ contact and credit card details or take people’s money via PayPal, Stripe, and credit card payments for non-existent orders that the buyers will never receive.

SRLabs says the cybercrime group is organized, featuring distinct teams with dedicated roles operating under an infrastructure-as-a-service model.

“The group has adopted an ‘infrastructure-as-a-service’ model: A core team is responsible for infrastructure management, while a decentralized network of franchisees operates fraudulent shops,” reads the SRLabs report.

“The BogusBazaar core team deploys infrastructure and appears to operate only a small number of fake webshops. The core team is responsible for developing software, deploying backends, and customizing various WordPress plugins that support fraud operations.”

The researchers say the management and developers behind the operation are creating customized WooCommerce WordPress plugins used to steal money and data. That team operates only a small number of fake shops, possibly for testing.

The vast majority of the BogusBazaar shops are operated by an extensive, decentralized network of franchisees, who use the tools provided by the core team to manage the shops’ day-to-day operations.

The webshops, payment gateways, and management applications are hosted on separate infrastructure.

While the operation is believed to be managed from China, most BogusBazaar servers are located in the United States. Each of these servers hosts between 200 and 500 webshops and is hidden behind Cloudflare, offering a degree of anonymity.

SRLabs has shared the complete list of URLs and IoCs related to BogusBazaar with the authorities and other stakeholders.

BleepingComputer has also reviewed the list of active domains, and while most of the shops have been shut down and are now showing Cloudflare errors, many are still in operation.

Confirming webshop legitimacy

To confirm that an online shop is authentic, consumers are advised to check for contact information, examine the return policy, check for trust seals, browse the website content in general, and check its social media presence.

By doing the above, consumers can establish if the webpages were hastily put together or created with high professional standards.

Also, many of the fake webshops reviewed by BleepingComputer use a similar template consisting of a list of items, with the original price crossed out and new prices offered with an over 50% discount.

In addition, read online reviews, follow the announcements of local consumer protection agencies, and use available online checker tools such as this one suggested by SRLabs for the German market.
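
The shared template described above (original price crossed out, new price more than 50% lower on nearly every item) can be checked mechanically on a saved listing page. The Python below is an added example, not code from SRLabs or BleepingComputer; it assumes the shop uses WooCommerce's default `<del>`/`<ins>` sale-price markup, and the sample pages and the `min_products`/`min_share` cut-offs are constructed for illustration.

```python
import re
from html.parser import HTMLParser

class PriceParser(HTMLParser):
    """Collects (original, sale) price pairs from WooCommerce-style markup:
    <span class="price"><del>old</del> <ins>new</ins></span> (assumed layout)."""
    def __init__(self):
        super().__init__()
        self.products = []  # one {"old": ..., "new": ...} dict per price block
        self._slot = None   # "old" inside <del>, "new" inside <ins>

    def handle_starttag(self, tag, attrs):
        classes = (dict(attrs).get("class") or "").split()
        if tag == "span" and "price" in classes:
            self.products.append({"old": None, "new": None})
        elif tag in ("del", "ins") and self.products:
            self._slot = "old" if tag == "del" else "new"

    def handle_endtag(self, tag):
        if tag in ("del", "ins"):
            self._slot = None

    def handle_data(self, data):
        # Assumes plain decimals such as 39.99 (no thousands separators).
        m = re.search(r"\d+(?:\.\d+)?", data)
        if self._slot and m:
            self.products[-1][self._slot] = float(m.group())

def discount_profile(html, threshold=0.5):
    """Return (products seen, products discounted by more than threshold)."""
    parser = PriceParser()
    parser.feed(html)
    deep = sum(1 for p in parser.products
               if p["old"] and p["new"] is not None
               and (p["old"] - p["new"]) / p["old"] > threshold)
    return len(parser.products), deep

def matches_template(html, min_products=4, min_share=0.8):
    # min_products and min_share are illustrative cut-offs, not from the report.
    total, deep = discount_profile(html)
    return total >= min_products and deep / total >= min_share

def _item(old, new=None):  # builds constructed sample markup
    amt = '<span class="woocommerce-Price-amount amount"><bdi>$%.2f</bdi></span>'
    body = amt % old if new is None else "<del>%s</del> <ins>%s</ins>" % (amt % old, amt % new)
    return '<li class="product"><span class="price">%s</span></li>' % body

# Constructed sample pages: every item deeply discounted vs. an ordinary mix.
SUSPICIOUS = "".join(_item(o, n) for o, n in [(120, 39.99), (89.5, 29), (150, 59.9), (99, 35), (75, 30)])
ORDINARY = "".join(_item(o, n) for o, n in [(120, 99), (60, None), (45, None), (80, 36), (30, None)])
```

A match is only one signal: legitimate clearance pages can trip it, so it belongs alongside the contact, return-policy and review checks listed above.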


