A sophisticated online shopping scam out of China has netted an estimated $50 million over the past three years, operating through a whopping 22,500 fake retail websites. With more than 850,000 victims primarily across the U.S., Western Europe, and Australia, customers placed orders for products they never received, falling prey to credit card theft in the process. Several aspects of the scheme made it difficult for consumers and law enforcement to detect the fraudulent activity.
Dubbed BogusBazaar by analysts at the German cybersecurity collective SRLabs, the criminal ring employed a two-pronged approach. Initially, they engaged in credit card harvesting, in which fake payment pages collected victims’ contact and credit card information. Then, they utilized deceptive sales tactics, enticing individuals to purchase expensive merchandise at reasonable prices. The victims received either cheap counterfeit goods or nothing at all.
The payments were facilitated through seemingly legitimate methods like PayPal, Stripe, and credit card processors. SRLabs said that once a user’s credit card data was harvested through a spoofed payment interface, the user encountered an error message. Unbeknownst to them, they were then redirected to a functional payment gateway, initiating an actual transaction.
Laying Low
Two aspects of the scam helped it escape detection for years. “As each fraud case has a relatively low volume, the fraudsters seem to have managed to evade the attention of the law enforcement authorities despite earning millions,” SRLabs noted in its report.
Additionally, the criminals made use of expired domains, targeting those with established reputations on Google. This strategy ensured their websites appeared prominently in internet searches. The online stores were then given customized names and logos, creating an illusion of legitimacy for unsuspecting shoppers.
Seeking the Signs of Fraud
Online purchase scams are still the most effective method of targeting victims, according to Jennifer Pitt, Senior Analyst of Fraud and Security at Javelin Strategy & Research.
“Unfortunately, there are more organizations there just like BogusBazaar,” Pitt said. “Purchasers should use caution when shopping online. Instead of clicking on an ad or link, consumers should view the company’s actual website. When shopping with a company for the first time, consumers should do their research—search for reviews and information about the organization.”
The BogusBazaar sites enticed consumers with very low prices for what appeared to be luxury goods. “Compare prices of similar items to known legacy organizations,” Pitt said. “If prices seem too good to be true, it could be a scam. Always keep in the back of your mind, ‘Could this be a scam?’”