9 May 2024

Massive BogusBazaar fraud ring steals credit cards from thousands of victims



A sophisticated criminal syndicate, dubbed BogusBazaar, has been found operating a network of over 75,000 fake e-commerce websites, defrauding unsuspecting online shoppers of millions of dollars. According to analysts at SRLabs, BogusBazaar has defrauded more than 850,000 victims, mainly from Western Europe and the US.

As of April 2024, approximately 22,500 domains were active. The fake shops processed over a million orders with an aggregate order volume of $50 million over the past three years, the researchers said. To gain trust, the syndicate leverages previously expired domains with a good Google reputation.

Shops are created semi-automatically with customized names and logos. The current versions of fake webshops run on the WooCommerce WordPress plug-in, while past variants of fraudulent webshops also utilized Zen Cart and OpenCart.

The operation leverages two primary methods: credit card harvesting and fake selling. To lure victims, the fraudsters offer seemingly attractive deals on shoes and apparel from reputed brands at low prices.

When shoppers attempt to make a purchase, their credit card details are siphoned off by bogus payment pages; in other instances, payments are initiated for high-value items that never materialize.

The criminal enterprise operates on an 'infrastructure-as-a-service' model, with a core team managing the backend infrastructure while a decentralized network of franchisees oversees the day-to-day operations of the fraudulent webshops.

The core team is responsible for software development and infrastructure management, running only a small number of fraudulent sites. Franchisees manage day-to-day operations of fake shops running on this shared infrastructure.

The researchers say that a significant portion of BogusBazaar's operations is based in China, with the majority of servers being hosted in the United States.

“Over time, the group has increased the level of infrastructure automation. Today, extensive orchestration capabilities enable BogusBazaar to quickly deploy new webshops or rotate payment pages and domains in response to take-downs,” the report notes.

