We investigated a sprawling criminal e-commerce network that operates fake webshops. Over the past three years, the fake shops processed over a million orders with an aggregate order volume of more than USD 50 million.
A criminal group, which we name BogusBazaar, operates an extensive network of 75,000+ domains hosting fraudulent webshops. As of April 2024, approximately 22,500 domains were active. The network has processed more than one million orders since 2021, with an estimated aggregate order volume exceeding USD 50 million.
Not every order results in a successful payment, so the actual primary financial damage is lower than the order volume. Secondary damage caused by fraudulent use of the stolen credit card details adds to the overall harm.
Our research is covered by Die Zeit (German), The Guardian (English), and Le Monde (French). A subset of this criminal network has previously been reported on by Yarix.
BogusBazaar lures victims onto fake webshops, mainly offering shoes and apparel by well-known brands at low prices. BogusBazaar pursues two crime methods in parallel: harvesting credit card data through a spoofed payment interface, and collecting payments for orders that the fake shops never fulfil.
Both methods are sometimes used against the same victim in sequence: First, credit card data is harvested through a spoofed payment interface. The victim is then shown an error message and forwarded to a functioning payment gateway, which initiates a real payment.
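A spoofed card-entry form has a property an analyst can check for: a legitimate hosted checkout (a WooCommerce store using a tokenizing payment provider, for example) does not post raw card numbers and CVVs back to the shop's own origin, whereas a harvesting page must. The following is an added example, not SRLabs' tooling or anything taken from the BogusBazaar shops; it parses a checkout page and flags forms that carry card fields but submit to the shop host. The sample HTML, the shop hostname `shop.example` and the field-name hints are constructed assumptions, and the result is an indicator for triage rather than proof of fraud.

```python
"""Heuristic check for a spoofed card-entry form on a checkout page.

Added example (not SRLabs' code): a hosted checkout normally never posts raw
card data to the shop's own origin, so a form with card-number/CVV fields
whose action targets the shop host is a card-harvesting indicator.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names / autocomplete tokens that usually carry card data (assumed list).
CARD_FIELD_HINTS = ("cardnumber", "card_number", "ccnumber", "cc-number",
                    "cvv", "cvc", "cc-csc", "card-cvc", "expiry", "exp_month")


class _FormCollector(HTMLParser):
    """Collects every <form> together with its action and its input names."""

    def __init__(self):
        super().__init__()
        self.forms = []          # each entry: {"action": str, "fields": [str, ...]}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._current = {"action": attrs.get("action", ""), "fields": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            name = (attrs.get("name") or attrs.get("id") or "").lower()
            self._current["fields"].append(name)
            # autocomplete="cc-*" is an explicit declaration that a field takes card data
            autocomplete = attrs.get("autocomplete", "").lower()
            if autocomplete.startswith("cc-"):
                self._current["fields"].append(autocomplete)

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def _is_card_field(name):
    return any(hint in name for hint in CARD_FIELD_HINTS)


def find_card_harvesting_forms(page_url, html):
    """Split card-collecting forms into those posting on-site and off-site.

    A form is considered when at least one of its inputs looks like a card
    field.  A relative action resolves to the shop host, so it counts as
    on-site (the harvesting indicator).  Forms that post to another host are
    returned under "offsite" so the payment provider can be vetted separately.
    """
    shop_host = urlparse(page_url).hostname
    parser = _FormCollector()
    parser.feed(html)
    result = {"onsite": [], "offsite": []}
    for form in parser.forms:
        if not any(_is_card_field(f) for f in form["fields"]):
            continue
        action = form["action"] or page_url
        target_host = urlparse(action).hostname or shop_host
        bucket = "onsite" if target_host == shop_host else "offsite"
        result[bucket].append(action)
    return result


# Constructed checkout page: card fields posted straight back to the shop.
SAMPLE_CHECKOUT = """<html><body>
<form id="checkout" action="/checkout/pay" method="post">
  <input name="billing_name">
  <input name="card_number" autocomplete="cc-number">
  <input name="cvv" autocomplete="cc-csc">
  <button>Pay now</button>
</form>
<form action="https://newsletter.example/subscribe"><input name="email"></form>
</body></html>"""


if __name__ == "__main__":
    print(find_card_harvesting_forms("https://shop.example/checkout", SAMPLE_CHECKOUT))
```

Run against the constructed page, the checkout form lands in `onsite` because its relative action resolves to `shop.example`, while the newsletter form is ignored for lack of card fields. A positive hit warrants a look at where the data actually goes (scripts can also exfiltrate field values without a form post, which this check does not see), and some legacy direct-post gateway integrations do legitimately route card data through the merchant, so treat the output as a lead for the analyst, not a verdict.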
The group has adopted an ‘infrastructure-as-a-service’ model: A core team is responsible for infrastructure management, while a decentralized network of franchisees operates fraudulent shops.
The BogusBazaar core team deploys infrastructure and appears to operate only a small number of fake webshops. The core team is responsible for developing software, deploying backends, and customizing various WordPress plugins that support fraud operations.
Franchisees manage day-to-day operations of fake shops running on this shared infrastructure. Research indicates that a large part of the network operates from China.
The criminals operate webshops, payment gateways, and management applications on separate infrastructure.
BogusBazaar primarily re-registers previously expired domains, preferring those that still carry a good reputation with Google. Shops are created semi-automatically with customized names and logos, and quality assurance procedures aim to minimize inconsistencies that would give a shop away.
Webshops currently run on the WooCommerce WordPress plugin. Past versions of the fraudulent webshops also used Zen Cart and OpenCart.
Because payment pages are hosted separately from the store fronts, they can be rotated without changing the shops themselves, for instance when a payment page is blocked for fraud.
A typical BogusBazaar server runs about 200 webshops, with a few servers hosting more than 500. These servers are often associated with more than a hundred IP addresses each. Externally, the webshops are exposed through Cloudflare, which hides the origin servers. Most servers are hosted in the United States.
Over time, the group has increased the level of infrastructure automation. Today, extensive orchestration capabilities enable BogusBazaar to quickly deploy new webshops or rotate payment pages and domains in response to take-downs.
The criminal network has grown for years through low-key, highly scalable fraud. Our insights enable network infrastructure operators, payment providers, and search engines to identify the crime nucleus and prevent future large-scale abuse.
SRLabs shared research findings with relevant stakeholders including authorities. Some of the fake shops are now offline.
Please send questions about this research to: bogusbazaar@srlabs.de