A criminal organization called BogusBazaar defrauded 850,000 people of tens of millions of dollars through a network of dodgy shopping websites.
Victims in Western Europe, Australia, and the United States were tricked into ordering non-existent goods or cheap knockoffs from these fake sites, and their credit card details were collected for fraud.
A report this week by analysts at SRLabs says the fraudsters behind the caper have extorted approximately $50 million through fake online stores across 22,500 domains over the past three years.
Scammers managed to evade law enforcement despite making millions of dollars
“Operating fraudulent web shops is a seemingly small-scale but well-organized crime,” Matthias Markus, security consultant at SRLabs, told The Register.
“Due to the relatively small number of each fraud case, it appears that the fraudsters have managed to evade law enforcement authorities even as they have made millions of dollars.”
The main purpose of fake e-commerce networks is to steal credit card data, and BogusBazaar also collected that information by impersonating payment services such as PayPal and Stripe. When the crew isn't collecting credit cards, they're selling fake merchandise that costs real money.
According to the report, most people who shop at the fake stores, usually for luxury goods at discounted prices, receive nothing, and the lucky few who do get a delivery receive fake products.
The scammers also run both scams against the same person. First, the customer attempts to complete a purchase through a spoofed payment service. The service collects the credit card details and then throws an error. The victim is then taken to a real payment processor, where a real transaction takes place, resulting in, at best, a fake product.
E-commerce fraud using US servers and WordPress
Operations are decentralized and optimized to deploy new fake sites fairly quickly. BogusBazaar's core staff handles all software development and server management.
A single BogusBazaar server typically hosts 200 shops, with some hosting up to 500 stores. Most of the servers are hosted in the US and use Cloudflare. The sites run WordPress with the WooCommerce plugin, although Zen Cart and OpenCart were also used previously.
The spoofed payment pages are separate from the actual storefronts, so even if one fake payment site is taken down for fraud, another can easily take its place and continue the fraudulent activity. BogusBazaar seems to be very good at automating the creation of new websites, particularly sites that reuse domains with a good reputation on Google.
The fake shop sites themselves are run by affiliates of BogusBazaar, who pay the core team for access to the software and servers, in what the report calls a “fraud-as-a-service” franchise model. Most of the franchisees operate outside China, and many of the victims are in the US, UK, France, Australia and other Western countries.
Unfortunately, SRLabs' report is not an autopsy, and the company estimates that BogusBazaar still operates tens of thousands of websites. The company said it had shared its findings with authorities and relevant internet providers, but did not say what action had been taken against the fraud group so far. ®