Over 850,000 people hit with online shopping scam that steals credit cards — how to stay safe

 A hacker typing quickly on a keyboard.
A hacker typing quickly on a keyboard.

Even though shopping online has now become the norm, you still need to be careful when buying products from lesser-known stores, as doing so could lead to hackers stealing your credit card information.

Case in point, the German cybersecurity firm SRLabs recently uncovered a massive network of 75,000 fake online shops called ‘BogusBazaar’, which over the course of three years, tricked more than 850,000 people into buying $50 million worth of fake goods.

As reported by BleepingComputer, online shoppers duped by these fake stores also had their credit card details stolen and then resold on the dark web. Not only can this lead to additional fraud but the information used at checkout on these fake online stores could be used to commit identity theft.

Whether you’re an avid digital shopper or just occasionally buy things from the web, here’s everything you need to know about this huge network of fake stores and how you can stay safe when shopping online.

Using expired domains to launch fake online stores

A screenshot of fake online store selling shoes at a heavily discounted price
A screenshot of fake online store selling shoes at a heavily discounted price

According to SRLabs’s report on the matter, most of BogusBazaar’s victims live in either the U.S. or Western Europe. Surprisingly, there are virtually no victims from China where the operation is likely located.

Since 2021, the cybercriminals behind BogusBazaar have launched more than 75,000 fake online stores. They do this by setting up these shops on previously expired domains with a good reputation, ensuring their fake stores show up in search results.

As seen in the picture above, most of these fake stores pretend to sell shoes and other apparel at very low prices. Likewise, they use custom names and logos to appear more legitimate.

Even though the stores themselves are fake, the cybercriminals running this operation used PayPal, Stripe and legitimate credit card processing services. In order to steal money and data from their customers, the operators of BogusBazaar have also developed custom WooCommerce WordPress plugins. For those unfamiliar, WooCommerce is a free plugin for WordPress that turns any site into an online store and is often used by the best website builders.

The group behind BogusBazaar is using an infrastructure-as-a-service model where a core team manages the operation’s infrastructure while the fake stores themselves are operated by a large, decentralized network of franchisees.

While the operation itself is believed to be headquartered in China, the servers used for these fake stores are mostly located in the U.S. As such, it likely won’t be long until we hear about how government agencies took them down in order to disrupt the entire operation.

How to stay safe when shopping online

A woman looking at a smartphone while using a laptop
A woman looking at a smartphone while using a laptop

Even though you may want to support small businesses online, a story like this one could make you reconsider buying products from unfamiliar stores.

While you could stick to large online retailers like Amazon, Best Buy and Walmart in order to stay safe online, sometimes it can be difficult to find more niche products at these larger online stores. For this reason, there are a couple of things to keep in mind when shopping at an unfamiliar online store.

To confirm that a store is actually real, you want to check out its contact information, examine the return policy, look for trust seals, browse through the entire site and also check its social media. This will help you avoid fake stores overall.

As BleepingComputer points out, many of the fake stores in this BogusBazaar operation use the same template: items are listed with their original prices crossed out and a new sale price—often more than 50% off—next to them. You can use the example image above from SRLabs to weed out fake stores from this campaign, too.

When shopping online, you also want to read reviews and use an online shopping checker like this one from F-Secure or even Bitdefender's Scamio before you head to checkout.  There are some other signs to look out for, too, which include examining a store’s URL for spelling mistakes and other errors, poor quality pixelated images, poor website design and an overly complex or non-existent return policy. The biggest red flag, though, is highly discounted prices. If a deal seems too good to be true, it likely is. This is why you want to price-check any products you're shopping for online before pulling the trigger.

Just like malicious apps and phishing attacks, fake online stores have been used by cybercriminals, scammers and other hackers for years to dupe unsuspecting shoppers. It’s up to you to look at them carefully and determine whether what looks to be a great deal is worth having your credit card information or identity stolen.

More from Tom's Guide