Almost a million people around the world have fallen victim to a highly organized fraud campaign, which scammed them out of some $50 million in the past couple of years.
According to a report from SRLabs, a group of cyber-criminals, supported by a wider network of affiliates, were organized into a crime ring dubbed BogusBazaar. This ring automated the creation and rotation of thousands of fake shopping websites – 22,500 domains, to be exact.
Through these shopping sites, the criminals did two things – steal credit card and other payment data, and steal money.
Well-organized group
Stealing credit card information is as straightforward as one can imagine with fake shopping sites – a person would try to purchase something off the site, they would submit their payment information, and never get the item they ordered. PayPal and Stripe data was stolen from the victims in the same manner.
Stealing money worked in a somewhat different way. Some of the victims actually received an item, albeit not the one they ordered, but rather a cheap copy, or a knock-off.
“The operation of fraudulent webshops is a seemingly small but well-organized crime,” Matthias Marx, a security consultant at SRLabs, told The Register. “As each fraud case has a relatively low volume, the fraudsters seem to have managed to evade the attention of the law enforcement authorities despite earning millions.”
The majority of the victims were located in Western Europe, Australia, and America.
The worst part is that the campaign is still ongoing, and is decentralized and automated in a way that makes it difficult for law enforcement to fully eliminate. As soon as one website gets taken down, another one takes its place. The attackers often use expired domains with good standing, making spotting fraud even harder at start.
The majority of the fraudsters seem to be operating out of China.
The internet is filled with scammers and fraudsters, looking to steal people’s money and sensitive information. The best way to stay safe is to always make sure you’re buying from trusted sources and official websites. If you know the shop’s website, type the address in the bar instead of searching for it on Google or other search engines.
If you are being redirected to a website, double check the address and make sure it doesn’t have any weird typos or strange-looking characters.
And finally, always use common sense. If something is too good to be true, it most likely is.