Vast Network of Fake Web Shops Defrauds 850,000 & Counting

Published: 23/11/2024   Category: security



China-based cybercriminal group BogusBazaar created tens of thousands of fraudulent online stores based on expired domains to steal payment credentials.



A vast criminal network has stolen the payment credentials of more than 850,000 victims so far with tens of thousands of fake Web shops built on expired domains.
The group — dubbed BogusBazaar by the researchers at Germany-based Security Research Labs (SRLabs) who discovered it — operates out of China to manage an extensive network of more than 75,000 domains hosting fraudulent Web shops.
The group promises various online shopping deals with often high-end merchandise to Web shoppers. Instead of delivering on this promise, BogusBazaar steals payment card details and typically provides no merchandise, the researchers revealed in a blog post published May 8.
BogusBazaar lures victims onto fake webshops, mainly offering shoes and apparel by well-known brands at low prices, researcher Matthias Marx and the SRLabs team wrote in the post. Instead of shipping legitimate goods, however, BogusBazaar pursues two crime methods in parallel.
The first is to engage in payment card harvesting via fake payment pages, which collect victims' contact and card details. The second is to sell expensive merchandise on fake online shops that initiate payments via PayPal, Stripe, or credit card processors, then either not deliver any products to victims at all or occasionally send them cheap counterfeit merchandise.
Sometimes the group uses both criminal activities against the same victim in sequence, harvesting the payment card data through a spoofed payment interface and then presenting users with an error message that forwards to a functioning payment gateway to process a payment.
BogusBazaar has processed more than 1 million orders totaling more than $50 million in fraudulent payments since 2021; as of April, 225,000 of the domains were active. However, not every order results in successful payment, so the researchers estimate that the primary financial damage is lower than the numbers would imply. Meanwhile, the group inflicts secondary damages by using stolen credit card details in future crimes.
BogusBazaar operates on an infrastructure-as-a-service model to streamline its operations, much as a legitimate franchise-based business might, and has also put in place automation tools to get new sites up and running quickly and efficiently, the researchers discovered. One core group develops software, deploys back ends, and customizes various WordPress plug-ins to support the front-end shops, servicing a network of franchises that handle day-to-day operations for the various sites.
Each BogusBazaar server is typically associated with more than 100 IP addresses and runs about 200 Web shops, with most of the servers hosted in the US. The group has also established extensive orchestration capabilities that enable it to quickly deploy new webshops or rotate payment pages and domains in response to take-downs, according to SRLabs.
Most of the Web shops currently run on the WooCommerce WordPress plug-in, while past sites discovered by the researchers also used Zen Cart and OpenCart. The criminals can also rotate payment pages without changing the storefronts, giving them flexibility when a payment page is flagged for fraud, the researchers said.
One way the group helps to ensure that its sites have an effective reach is to build them using expired domains with high Google ratings, thus increasing the likelihood that shoppers will find them, the researchers said.
From a geographical standpoint, victims who have fallen prey to BogusBazaar are mostly from the US and Western Europe; as the main operating hub of the group is in China, there are almost no victims from that region.
SRLabs has shared its findings with authorities and other stakeholders, who have been active in taking some of the fake shops offline. The team is also encouraging users to send info or questions related to the operation to them via email at [email protected].
"The criminal network has grown for years through low-key, highly scalable fraud," the researchers noted in the post. "Our insights enable network infrastructure operators, payment providers, and search engines to identify the crime nucleus and prevent future large-scale abuse."
To avoid being scammed, consumers should be suspicious of any deal that seems too good to be true, since it most likely is, they added.
There are also services available, such as Fakeshop Finder in Germany, to help consumers verify whether a Web shop is legitimate. Similar US-based sites that cater to English-speaking consumers are ScamVoid and URL Void.
