20 November 2020

Chinese scammers don’t need malware to harvest online shoppers’ payment info

Scammers devise all kinds of sneaky approaches to steal users’ personal and payment details: some cybercriminals directly compromise companies, while others use malware to collect data. However, a China-based e-commerce scam takes a simpler approach that involves neither hacking nor malware. The fraudsters instead set up hundreds of malicious websites that ostensibly sell legitimate goods but in reality capture card numbers for sale on dark web marketplaces.

According to researchers at Gemini Advisory, this scheme allows scammers to make a double profit: in addition to selling the payment and PII (personally identifiable information) data of customers of e-commerce sites to cybercriminals, they also receive money for goods that are “faulty, counterfeit, or nonexistent.”

“The group operates hundreds of scam sites and has exposed tens of thousands of US and international payment card records and individuals’ personally identifiable information (PII) over the past six months,” the researchers said, adding that the group likely recorded profits upwards of $500,000 just from the sale of the stolen payment card data and personal info on the dark web.

Gemini identified nearly 600 scam sites, with most of them registered through China’s ename.net. The fake online shops use the e-commerce platform OpenCart, which is open source. The group also relies on web infrastructure from Cloudflare “to hide its IP addresses for all of its sites.”

To pose as legitimate merchants and avoid suspicion, the scam sites each used a unique merchant name and merchant identification number (MID). Registering a new MID is a complex process that requires either a direct partnership with an acquiring bank or a relationship with a third-party merchant company that works with a dedicated acquiring bank. The researchers said they found nearly 200 scam sites linked to the Chinese acquiring bank Jilin Jiutai Rural Commercial Bank Co., Ltd. It is not clear whether the bank was involved in the scam; the relationship may have been managed via third-party companies.

“For the average customer, there is no visible link between the different sites within the network as each appears to be a distinct, legitimate shop. The sites use Google Ads and social media advertisement campaigns to attract customers with offers for products at a discount below market deals. The sites’ advertisements almost always indicate that the deals are part of a limited-time sale to pressure potential customers into making a purchase,” the report said.
