38C3: BogusBazaar gang still operating thousands of fake stores

Months after its discovery, a Chinese cyber gang continues to operate unmolested, security researchers report. US service providers are also, in effect, shielding it.

Find the RCE bug: Matthias Marx explains at the 38C3 how he got access to BogusBazaar via a PHP script with gaps.

(Image: Screenshot media.ccc.de)

The Chinese fake store factory "BogusBazaar" is still active and operates thousands of stores to defraud customers. The discoverers of the criminal network found this out and presented their discoveries at 38C3.

Matthias Marx from security service provider SRLabs and Kai Biermann from Zeit Online stated that although the network of fake stores has shrunk, the presumed Chinese originators have adapted their approach. For example, BogusBazaar no longer uses so-called "expired domains", i.e. Internet addresses that have not been renewed by their original owners, but mainly generic top-level domains (TLDs) such as .xyz and .store. These are popular with spammers due to their easy and inexpensive availability.

BogusBazaar, a criminal network of up to 75,000 fake stores, was uncovered in May. Its operators take orders for branded clothing and accessories, then use the harvested credit card details to make fraudulent charges and sell the card data on. The victims never receive the goods, or at best receive goods of very poor quality. The undelivered orders alone caused an estimated loss in the mid double-digit millions for over 800,000 victims.

Fake Stussy: If you order here, you lose your money and your credit card details.

(Image: heise security / cku)

Marx tracked down the store network when he discovered the same configuration files for a Git repository at various suspicious-looking online stores. Using the code repository, he found the source code of the stores, discovered a security vulnerability and thus gained access to the criminals' entire infrastructure, whose extensive network he then analyzed.
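The correlation step described above, shared Git configuration across many shops, is something a defender compiling a blocklist or threat-intel feed can reproduce offline once the configuration files have been collected. The following Python is an added example, not SRLabs' tooling or anything from the presentation: it parses the INI-like `.git/config` format, normalises the `remote "origin"` URL into a fingerprint, and groups domains that point at the same repository. The four configuration texts and the `git.example.invalid` host are constructed for the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample .git/config contents, keyed by the shop domain they were
# collected from. Hosts, paths and domains are invented for this example.
SAMPLE_CONFIGS = {
    "shop-a.example": (
        "[core]\n\trepositoryformatversion = 0\n\tfilemode = true\n"
        '[remote "origin"]\n'
        "\turl = https://git.example.invalid/shopkit/storefront.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        '[branch "main"]\n\tremote = origin\n\tmerge = refs/heads/main\n'
    ),
    # Same repository, but cloned over SSH in scp-style syntax.
    "shop-b.example": (
        "[core]\n\tbare = false\n"
        '[remote "origin"]\n'
        "\turl = git@git.example.invalid:shopkit/storefront.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
    ),
    # A different repository: should land in its own cluster.
    "shop-c.example": (
        '[remote "origin"]\n'
        "\turl = https://git.example.invalid/other/theme.git\n"
    ),
    # No remote at all: cannot be fingerprinted, so it is left out.
    "shop-d.example": "[core]\n\tbare = false\n",
}

# Section headers look like [core] or [remote "origin"]; keys are indented
# "name = value" lines. Inline comments after a value are not handled here.
SECTION_RE = re.compile(r'^\[([^\s\]]+)(?:\s+"([^"]*)")?\]$')
KV_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def parse_git_config(text: str) -> dict[str, dict[str, str]]:
    """Parse .git/config text into {"section" or "section.sub": {key: value}}."""
    config: dict[str, dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            name, sub = m.group(1).lower(), m.group(2)
            section = f"{name}.{sub}" if sub is not None else name
            config.setdefault(section, {})
            continue
        m = KV_RE.match(line)
        if m and section is not None:
            config[section][m.group(1).lower()] = m.group(2)
    return config


def remote_fingerprint(config: dict[str, dict[str, str]]) -> str | None:
    """Normalise the origin URL so https:// and scp-style clones of the same
    repository produce the same "host/path" fingerprint."""
    url = config.get("remote.origin", {}).get("url")
    if not url:
        return None
    url = url.strip().lower()
    url = re.sub(r"^[a-z]+://", "", url)            # drop scheme
    url = re.sub(r"^[^@/]+@", "", url)              # drop user@ prefix
    url = re.sub(r"^([^/:]+):(?!\d)", r"\1/", url)  # host:path -> host/path (not ports)
    url = url.rstrip("/")
    if url.endswith(".git"):
        url = url[: -len(".git")]
    return url


def cluster_by_repo(configs: dict[str, str]) -> dict[str, list[str]]:
    """Group domains by the repository their .git/config points at."""
    clusters: dict[str, list[str]] = defaultdict(list)
    for domain, text in configs.items():
        fp = remote_fingerprint(parse_git_config(text))
        if fp:
            clusters[fp].append(domain)
    return {fp: sorted(domains) for fp, domains in clusters.items()}


if __name__ == "__main__":
    for fp, domains in cluster_by_repo(SAMPLE_CONFIGS).items():
        print(f"{fp}: {', '.join(domains)}")
```

Clusters with more than one member are the interesting ones: dozens of unrelated-looking shops sharing one origin URL is exactly the signal that led to BogusBazaar. The same parser, run against your own web root, also tells you whether a `.git/` directory is reachable from the Internet, which is a misconfiguration to fix regardless of who might be reading it.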

The technical platform of the BogusBazaar stores is based on WordPress with the e-commerce plug-in WooCommerce and various automated mechanisms for loading product data and images into the databases. Employees of the BogusBazaar gang perform this data import for a monthly salary, which the researchers know from employment contracts they found. Marx and Biermann also got their hands on internal training documents.


After his presentation at 38C3, Matthias Marx provided us with the current list of all known BogusBazaar stores. This confirms the change in the criminals' approach. Of the more than 15,900 domains, almost 11,600 use a ".store" domain, around 4,200 use the .com TLD and around 180 use .xyz or .top.

Many of the stores are still online. Although around 6,000 can no longer be resolved to an IP address, the remaining 9,500 fake stores are still accessible and waiting for customers. The presentation with logos of well-known brands and attractive discounts is intended to arouse interest, but once the order has been placed, buyers become victims of fraudulent credit card charges instead of owners of new branded clothing.

The criminals, who according to Marx and Biermann run a company in China, use various European, but above all some large US Internet services. First and foremost Cloudflare: 98.6 percent of the BogusBazaar stores still accessible on the afternoon of December 29 are hiding behind the Internet giant's CDN, thus concealing their true IP address. Other providers are also (presumably involuntarily) aiding the fraudsters: a dozen IP addresses in the Amazon network are home to suspected fake online stores.

The US payment service providers Stripe and PayPal are also involved. As PayPal's trust system makes it difficult for criminals to carry out fraud quickly and at low risk, they often use a trick: instead of paying for goods, they trick their customers into making a donation, which PayPal does not refund even in the event of fraud.

Of course, the providers abused by BogusBazaar were informed, but some of them were uncooperative. Marx reported that even after repeated attempts, it was not possible to persuade Google to automatically include the fake domains in its "Safe Browsing API", which warns of malicious websites in the browser. According to Marx, filling out a web form and CAPTCHA tens of thousands of times was too much of a hassle. As a result, only a few domains in a random sample taken by heise security are currently on the Mountain View-based industry giant's "Safe Browsing" blocklist.

Even the Chinese authorities, who were tipped off by the discoverers via the diplomatic representation in Germany, did not react – and the willingness of German investigators to take on the fake stores was also poor, the security researchers stated.

To protect yourself against fake stores, Marx and Biermann recommend a healthy caution towards suspiciously cheap offers and unknown online stores. They have also handed over all the BogusBazaar stores they found to the "Fakeshop Finder" of the Federation of German Consumer Organizations, which will incorporate them into its service.

(cku)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.