A group of bad actors — likely from China — is running a global cybercrime-as-a-service operation. It oversees a massive network of fake shopping websites that has conned more than 850,000 people in the United States and Europe into purchasing items, over the past three years, and the organization has tried to process more than $50 million in fraudulent orders.
The scam, called BogusBazaar by the researchers at German security research and consulting firm Security Research Labs (SRLabs), has included 75,000 false online shops with two goals: stealing credit card credentials from victims and processing never-fulfilled orders for expensive items through the fake websites.
“Both methods are sometimes used against the same victim in sequence: First, credit card data is harvested through a spoofed payment interface,” SRLabs consultant Matthias Marx wrote in a report. “The victim is then shown an error message and forwarded to a functioning payment gateway, which initiates a payment.”
As of last month, about 22,500 fake shopping sites were still active. Since 2021, the network has processed more than a million orders with an aggregated order volume of more than $50 million. Because not every order is successful, the overall financial loss from processing orders is