Hackers Steal Credit Card Data of Deal-Seeking Shoppers
China-Linked Criminals Processed Orders Worth $50M: Security Research Labs
Hackers linked to Chinese fraudsters are targeting online shoppers to steal credit card information, likely making off with about $50 million from victims in the United States and Western Europe who order premium shoes at discount prices on fraudulent deal websites.
The criminal group, dubbed BogusBazaar, has processed more than 1 million orders since its inception three years ago, said Security Research Labs. The loss is only an estimate: Hackers may not obtain every payment card number, and the total does not take into account secondary damages caused by fraudulent use of stolen credit card details.
The hackers offer deals on branded shoes and apparel to lure customers, harvesting credit card details through a spoofed payment interface. The spoofed interface is designed to display an error message and then redirect the victim to a functioning, attacker-controlled payment gateway. Payments are facilitated through PayPal, Stripe and credit card processors, researchers at the German cybersecurity firm said.
More often than not, the victims don't receive the merchandise. Sometimes, they get cheap counterfeits.
The gang runs a fraudulent network of more than 75,000 domains, most of which are expired domains with good Google reputations. The shops have customized names and logos and have quality assurance procedures in place to minimize inconsistencies. As of April 2024, about 22,500 of these domains were active.
"The criminal network has grown for years through low-key highly-scalable fraud," the researchers said.
The network runs on an infrastructure-as-a-service model, where a core team is responsible for infrastructure management, such as software development, back-end deployment and plug-in customizations to support the fraud operations. A decentralized network of franchisees operates the fraudulent shops.
Each aspect of the operation, such as the web shops, payment gateways and management applications, runs on separate infrastructure.
BogusBazaar fraudsters use the WooCommerce WordPress plug-in, a service often targeted by threat actors.
The gang hosts a majority of its servers in the United States. Each server runs up to 500 web shops and is associated with more than 100 IP addresses. The researchers did not specify how many servers the gang hosted in total.
BogusBazaar has automated its infrastructure deployment, allowing it to quickly deploy new web shops or rotate payment pages and domains that are taken down by law enforcement.