An extensive investigation has uncovered a criminal enterprise known as BogusBazaar, operating over 75,000 domains to host fraudulent webshops that have processed transactions totaling upwards of $50 million in the last three years.
This sophisticated network has victimized more than 850,000 customers, primarily in Western Europe and the USA, through credit card theft and fake sales of merchandise.
The discovery of BogusBazaar was led by security researchers at SRLabs, while initial reports on a subset of this network were also noted by Yarix.
Modus operandi and structure
BogusBazaar exploits well-known brands, luring victims with the promise of low-priced shoes and apparel. The operation involves two primary fraudulent activities:
- Fake payment pages are designed to collect sensitive information, including credit card details, from shoppers.
- Victims are charged for high-value items they never receive or, in some cases, are shipped low-quality counterfeits.
These deceptive tactics are often employed sequentially; first, the victim's data is stolen, and then they are misled by error messages that prompt further transactions through legitimate payment gateways like PayPal and Stripe.
BogusBazaar operates on an ‘infrastructure-as-a-service’ model that includes:
- A “core team” that focuses on infrastructure management, software development, and customization of WordPress plugins that facilitate fraud.
- Franchisees who handle the daily operations of these fraudulent webshops, with a significant number operating out of China.
The technical setup relies on previously expired domains that have a positive Google reputation, and the webshops are mainly built with the WooCommerce WordPress plugin. Backend operations are supported by a network of servers, mostly located in the United States, each capable of running multiple webshops and rotating payment pages to evade detection.
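The traits described above (re-registered expired domains, WooCommerce shops, many shops on one server) can be combined into a simple triage heuristic for hosting or abuse teams. The following is an added example, not code from the article or from SRLabs; the records are constructed, and the field layout and the threshold of three shops per IP are assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not real data), e.g. joined from WHOIS history,
# passive DNS and a site fingerprint scan:
# (domain, hosting IP, date previous registration lapsed or None,
#  date of current registration, WooCommerce shop detected)
RECORDS = [
    ("old-bakery.example",    "192.0.2.10",   date(2021, 3, 1),   date(2022, 6, 1),  True),
    ("village-choir.example", "192.0.2.10",   date(2020, 11, 15), date(2022, 6, 3),  True),
    ("surf-club.example",     "192.0.2.10",   date(2021, 7, 20),  date(2022, 6, 5),  True),
    ("hobby-blog.example",    "192.0.2.10",   date(2021, 1, 1),   date(2022, 5, 1),  False),
    ("brand-store.example",   "198.51.100.7", None,               date(2015, 1, 10), True),
    ("local-shop.example",    "198.51.100.7", date(2019, 2, 1),   date(2020, 4, 1),  True),
]

MIN_SHOPS_PER_IP = 3  # assumed threshold; tune against your own baseline


def was_reregistered(lapsed, registered):
    """True if the domain expired and was later registered again."""
    return lapsed is not None and registered > lapsed


def suspicious_clusters(records, min_shops=MIN_SHOPS_PER_IP):
    """Group re-registered WooCommerce shop domains by hosting IP and
    return only the IPs that host at least `min_shops` of them."""
    by_ip = defaultdict(list)
    for domain, ip, lapsed, registered, is_woo_shop in records:
        if is_woo_shop and was_reregistered(lapsed, registered):
            by_ip[ip].append(domain)
    return {ip: sorted(doms) for ip, doms in by_ip.items()
            if len(doms) >= min_shops}


if __name__ == "__main__":
    for ip, domains in suspicious_clusters(RECORDS).items():
        print(f"{ip}: {len(domains)} re-registered shop domains -> review")
        for d in domains:
            print(f"  {d}")
```

A hit is only a lead for manual review: shared hosting and legitimate domain resale produce the same pattern.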
The actual financial damage extends beyond the apparent transaction values due to secondary fraud involving the unauthorized use of stolen credit card details.
To combat this kind of fraud, it is crucial for network infrastructure operators, payment providers, and search engines to collaborate in identifying and dismantling the critical components of these operations. Thanks to concerted efforts by SRLabs and various stakeholders, some of these fraudulent shops have already been taken offline.
The BogusBazaar case exemplifies the growing sophistication and scale of online fraud. Consumers are advised to remain vigilant, especially when deals appear too good to be true. Also, it is advisable to use digital one-time cards when possible instead of actual credit cards.