Nearly a million victims hit by massive BogusBazaar campaign — credit card details stolen, but here's how to stay safe
Crime ring has been operating thousands of fake shopping sites
Almost a million people around the world have fallen victim to a highly organized fraud campaign, which scammed them out of some $50 million in the past couple of years.
According to a report from SRLabs, a group of cyber-criminals, supported by a wider network of affiliates, were organized into a crime ring dubbed BogusBazaar. This ring automated the creation and rotation of thousands of fake shopping websites - 22,500 domains, to be exact.
Through these shopping sites, the criminals did two things - steal credit card and other payment data, and steal money.
Well-organized group
Stealing credit card information is as straightforward as one can imagine with fake shopping sites - a person would try to purchase something off the site, they would submit their payment information, and never get the item they ordered. PayPal and Stripe data was stolen from the victims in the same manner.
Stealing money worked in a somewhat different way. Some of the victims actually received an item, albeit not the one they ordered, but rather a cheap copy, or a knock-off.
"The operation of fraudulent webshops is a seemingly small but well-organized crime," Matthias Marx, a security consultant at SRLabs, told The Register. "As each fraud case has a relatively low volume, the fraudsters seem to have managed to evade the attention of the law enforcement authorities despite earning millions."
The majority of the victims were located in Western Europe, Australia, and America.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
The worst part is that the campaign is still ongoing, and is decentralized and automated in a way that makes it difficult for law enforcement to fully eliminate. As soon as one website gets taken down, another one takes its place. The attackers often use expired domains with good standing, making spotting fraud even harder at start.
The majority of the fraudsters seem to be operating out of China.
The internet is filled with scammers and fraudsters, looking to steal people’s money and sensitive information. The best way to stay safe is to always make sure you’re buying from trusted sources and official websites. If you know the shop’s website, type the address in the bar instead of searching for it on Google or other search engines.
If you are being redirected to a website, double check the address and make sure it doesn’t have any weird typos or strange-looking characters.
And finally, always use common sense. If something is too good to be true, it most likely is.
More from TechRadar Pro
- Watch out - these fake Amazon Prime Day bogus sites are looking to steal your wallet with too-good-to-be-true phone deals
- Here's a list of the best firewalls around today
- These are the best endpoint security tools right now
Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.