SOCRadar® Cyber Intelligence Inc. | BogusBazaar Scams 850K Shoppers Through Fraudulent E-Commerce Sites


May 10, 2024

BogusBazaar Scams 850K Shoppers Through Fraudulent E-Commerce Sites

In a recent investigation, researchers exposed an expansive network of fraudulent e-commerce websites that scammed over 850,000 victims out of approximately $50 million in the last three years.

This intricate operation, dubbed “BogusBazaar,” involves thousands of fake webshops that offer tempting deals on various apparel items, such as shoes and clothing. As BogusBazaar lures unwary shoppers, the true cost for these goods is the unauthorized extraction of their credit card information.

BogusBazaar’s Fraud Mechanism

The BogusBazaar criminal network uses sophisticated techniques to maintain and scale its operations, leveraging both the direct theft of credit card information and the sale of counterfeit goods.


Products displayed on a fake shopping website involved in the BogusBazaar scams (SRLabs)


In both cases, shoppers are lured with high-quality images of products. For credential harvesting, threat actors use bogus payment pages, likely infected with stealer malware, that are set up to collect personal and payment details from customers. On the other hand, sometimes these goods are sold for real, yet they either never arrive or are very low-quality knock-offs.

Researchers note that payments are processed through popular platforms like PayPal, Stripe, and various credit card processors.

In some instances, shoppers were duped by a two-pronged scheme: they were tricked into sharing their financial information, shown an error message, and then redirected to a payment page.

Our recent blog post titled “2024 Analysis of E-Commerce Websites in Stealer Logs” reveals the extent and nature of user data captured by scams, specifically through information stealer malware. By analyzing stealer log data from major platforms like eBay and Amazon for Q1 2024, we discovered that 2,454 unique credit card details were compromised. This, coupled with the discovery of the BogusBazaar scam, underscores the significance of threats to financial information shared online.

Geographic and Financial Impact of BogusBazaar

The majority of BogusBazaar’s victims are from Western Europe and the United States, highlighting the reach of their operations.

Despite the large number of affected users (over 850,000 victims reported so far), the actual financial damage varies as not all transactions result in completed payments, and secondary damages from the misuse of stolen credit card details continue to accumulate.

Such scams frequently exploit the reputations of well-known brands to attract potential victims. However, there is an effective strategy to counter these threats. SOCRadar’s Brand Protection feature allows you to identify impersonating domains, social media profiles, and applications. Moreover, with our Integrated Takedown service, you can swiftly respond to these scammers, preventing financial and reputational damage to your organization before it escalates.

SOCRadar’s Brand Protection


Additionally, you can detect risks associated with domain spoofing and phishing attempts with tools like SOCRadar’s Phishing Radar.

Phishing Radar is a free service provided on SOCRadar LABS


Technical Infrastructure and Expansion

The infrastructure behind BogusBazaar is robust and highly automated, allowing for rapid deployment and management of fraudulent sites primarily originating from China. Here are some key insights into the infrastructure of BogusBazaar:

  • Infrastructure Model:

    The core team focuses on infrastructure setup and maintenance, and customizing plugins to support their fraudulent activities.

    BogusBazaar’s network features fraudulent shop sites operated by affiliates who buy software and server access from the core team, a practice researchers identify as a Fraud-as-a-Service model. Essentially, the core team provides these affiliates with back-end support.

  • Use of Expired Domains:

    Many of the fake shops are hosted on domains that previously expired but had good reputations on Google, aiding in evading initial suspicion and benefiting from established SEO strengths.

  • Server Operations and Security Measures:

    Each server can host up to 500 webshops, often protected by Cloudflare and based primarily in the United States. These servers are capable of quickly rotating payment pages and domains without changing store fronts to avoid detection and possible takedown by authorities.

It is also important to note that BogusBazaar runs a vast network with more than 75,000 domains that house phony online stores. Approximately 22,500 of these domains were actively used to carry out the scam as of April 2024.

Lately, these fake shops have been operating using the WooCommerce WordPress plugin. Reportedly, they also utilized platforms such as Zen Cart and OpenCart in the past.

Recommendations to Combat E-Commerce Fraud

To be safe from sophisticated e-commerce frauds such as BogusBazaar, the following strategies are recommended:

  • Check domain registrar information to ascertain the legitimacy of a webshop. Services like Whoxy can be useful for checking domain registration details and helping to identify potential red flags in the ownership and history of a website.
  • Use virtual credit cards for online purchases to minimize the risk of credit card fraud. These cards provide a layer of security by masking your real credit card information and often allow you to set spending limits or create single-use numbers for transactions.
  • Use plugins and extensions that verify the authenticity of content and reviews on e-commerce platforms. Tools like Fakespot analyze reviews and provide indicators of trustworthiness, helping consumers make more informed decisions.
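The registration check in the first recommendation, combined with the expired-domain pattern described earlier, can be scripted. The following is an added example, not code from the researchers or from SOCRadar: it reads the standard RDAP `events` array (RFC 9083) and assumes the caller supplies a `first_seen` date from a web archive or passive DNS, and that the registry reset the creation date when the lapsed domain was re-registered. The sample record, domain names and the 365-day threshold are constructed.

```python
from datetime import datetime, timezone

# Constructed RDAP-style record (RFC 9083 "events" array); not real data.
SAMPLE_RDAP = {
    "ldhName": "example-shoes.test",
    "events": [
        {"eventAction": "registration", "eventDate": "2023-11-02T08:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2024-11-02T08:15:00Z"},
    ],
}


def rdap_event(record, action):
    """Return the datetime of the first RDAP event with this action, or None."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == action and ev.get("eventDate"):
            # RDAP uses RFC 3339 timestamps; map a trailing Z to an offset.
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def registration_flags(record, first_seen, now, young_days=365):
    """Flag registration patterns worth a closer look before buying.

    first_seen: earliest date the domain was observed online (assumption:
                taken from a web archive or passive DNS by the caller).
    young_days: constructed threshold for "recently registered".
    """
    reg = rdap_event(record, "registration")
    if reg is None:
        return ["no-registration-date"]
    flags = []
    # Content older than the current registration means the name lapsed
    # and was picked up again by a new registrant.
    if first_seen is not None and first_seen < reg:
        flags.append("re-registered-after-lapse")
    if (now - reg).days < young_days:
        flags.append("recently-registered")
    return flags


if __name__ == "__main__":
    seen = datetime(2012, 5, 1, tzinfo=timezone.utc)   # constructed
    today = datetime(2024, 5, 10, tzinfo=timezone.utc)
    print(SAMPLE_RDAP["ldhName"], registration_flags(SAMPLE_RDAP, seen, today))
```

Neither flag proves fraud on its own; a shop with long-standing search reputation on a domain registered only months ago is the combination that warrants the closer look the recommendation describes.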

Furthermore, you can leverage SOCRadar’s Dark Web Monitoring services to track whether your data is leaked or up for sale on the dark web. This proactive monitoring allows for timely interventions to prevent data breaches and identity theft.

SOCRadar’s Dark Web Monitoring
