A group of bad actors likely from China is running a global as-a-service cybercrime operation overseeing a massive network of fake shopping websites that has conned more than 850,000 people in the United States and Europe over the past three years into purchasing items and has tried to process more than $50 million in fraudulent orders.

The scam, called BogusBazaar by the researchers at German security research and consulting firm Security Research Labs (SRLabs), has included 75,000 false online shops with the two goals: stealing credit card credentials from victims and processing orders for expensive items through the fake websites that were never fulfilled.

“Both methods are sometimes used against the same victim in sequence: First, credit card data is harvested through a spoofed payment interface,” SRLabs consultant Matthias Marx wrote in a report. “The victim is then shown an error message and forwarded to a functioning payment gateway, which initiates a payment.”

As of last month, about 22,500 fake shopping sites were still active and since 2021, the network has processed more than a million orders with an aggregated order volume of more than $50 million. Because not every order is successful, the overall financial loss from processing orders is likely less than that. But some were, and further damage was done by hackers using the stolen credit card information.

The operators also were able to make money by selling the stolen card information on dark web marketplaces.

Online Shopping Scams

E-commerce has been riddled with fraud. Bank of America reported that in 2023, imposter scams like BogusBazaar cost victims $752 million.

“By creating fraudulent websites using legitimate information they’ve harvested from online sources, these scammers lure clients and potential prospects into providing confidential information with the intention of committing financial fraud,” the financial services company wrote.

Market research firm Statista wrote that in recent years, more than 70% of all victims of online shopping scams suffered financial losses. The Federal Trade Commission (FTC) found that in 2022, imposter scams like BogusBazaar resulted in consumers losing $2.6 billion, second most only to investment fraud.

BogusBazaar is an IaaS Operation

According to SRLabs, BogusBazaar is an infrastructure-as-a-service operation, with a core group of people managing the infrastructure for a larger group of “franchisees” that run the fake online shops on the share infrastructure, with Marx saying that much of the network operates from China, based in part on the fact that almost all of the victims come from the United States and Europe and essentially none from China.

The core group is responsible not only for the infrastructure but also for developing software, deploying backends, and customizing WordPress plugins that support the operation. It also operates a small number of fake web shops, Marx wrote.

On the backend, each BogusBazaar runs about 200 fraudulent online shopping sites, though some can host more than 500, and each are associated with more than 100 IP addresses. The sites themselves are exposed through Cloudflare’s network services and most servers are hosted in the United States.

“Over time, the group has increased the level of infrastructure automation,” Marx wrote. “Today, extensive orchestration capabilities enable BogusBazaar to quickly deploy new webshops or rotate payment pages and domains in response to take-downs.”

Expired Domains with Good Reputations

On the frontend, the operations typically use expired domains that have good Google reputations. The shops, spun up via some automation, include customized names and logos, with quality assurance procedures to reduce inconsistencies. They run on the WooCommerce WordPress plugin, though some in the past also used the Zen Cart and OpenCart online store management systems.

Most of the shops offer low-priced shoes and apparel by well-known brands and payments are run through PayPal, Stripe, and credit card processors, and payment pages are rotated without needing to change store fronts if a page is blocked for fraud.

Marx wrote that the “criminal network has grown for years through low-key highly-scalable fraud” and he hopes SRLabs’ research has given network infrastructure operators, payment providers, and search engines a heads up to detect the scam and protect themselves and users. Also, the firm has contacted law enforcement agencies and that now some of the fraudulent sites have been taken offline.