eCommerce Shop Scams

Data from Security Research Labs has revealed a China-based fake shopping network that they have named ‘BogusBazaar’.  They claim that:

‘As of April 2024, approximately 22,500 domains were active. The network has processed more than one million orders since 2021, with an estimated aggregate order volume exceeding USD 50 million’.

The scam is run on a fraud-as-a-service model, with multiple shop fronts run by affiliate fraudsters.  The webshops run on WordPress with the WooCommerce plug-in.  Payment pages are not necessarily on the same system as the shop front, and new payment engines are rotated in as others are shut down.  The fraud is a two-edged sword.  Customers pay for goods with apparent deep discounts, and they either never receive the goods or are sent a cheap substitute.  In addition, the users’ credit card details are harvested and sold on for subsequent fraud attacks.  The system is wide-scale and sophisticated.  A single server may run 200 to 500 distinct webshops, with domains, IP addresses and payment providers rotated in response to takedowns.

A Guardian report in May 2024 indicates that these scam shopping sites are frequently visited in the USA and Northern Europe.  18,950 email addresses were found to have been harvested from the UK.  UK buyers seem to have kept their purchase funds, either due to their banks blocking payments or the site not collecting them.  They still suffered from the theft of personal or financial data.  The theft and sale of verified customer data would be a major part of the business model of these operations.

The fake sites prefer to use recently expired domain names (orphaned domains) for their storefronts.  This has the advantage that search engines and customer reviews may back up the apparent legitimacy of the site.  It adds an additional victim to the mix as the legitimate previous owner of a domain may be contacted in relation to the fraudulent sales.  This was certainly the case for Artoyz, a seller of handmade toys in France whose full catalogue was copied and offered at reduced prices on a fake store.

Genuine online sales will also be affected.  It is said that if a deal looks ‘too good to be true’ then it is ‘too good to be true’, but there are genuine deals to be had, for instance due to a clearance of slow-moving stock or the closure of a business.  In many such cases the perceived bargain will only exist for a limited time, making it relatively risky to make a buying decision.

There are ways to reduce the risk of falling victim to these scam shops.  Sites such as Scam Detector will accept a URL and report on its possible validity based on reviews, domain registrations and other Internet activity.  There will always be a problem that by the time comprehensive information is available a scam will have run its course.  Consider a known scam site ‘’ (now offline) that is rated 39.5% by Scam Detector (controversial, risky, red flags).  The genuine seller ‘’ rates as 78.6% (fair, valid, known).  Although the conclusions speak for themselves, the ratings are far from a clear 0% or 100%.

Detector sites will take some time to build up a reliable picture of a seller.  There are other signs of potential danger.

  • How recently was the domain name registered?
  • What physical address is associated with the domain name? Does this make sense compared to the shop location listed on the web site?
  • Are there any related records on the web archive? The ‘Wayback Machine’ will pull out archived websites indicating takeover of an orphaned domain.
  • Look for customer reviews. These could easily be fake but a lack of any reviews or text that does not closely relate to alleged purchases is a bad sign.
  • Are the images original? A reverse image search will show up other instances of the same image.  Some might be legally provided by the manufacturer.  None should be taken directly from other sales sites.
  • Poor grammar and spelling. Anyone running a genuine site not in their native language needs to put the effort in here to avoid driving away sales.
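
The first and third checks above can be scripted. The following is an added example, not part of the original article: it compares a domain's current registration date with its web-archive history to flag a recently registered name that was already archived under an earlier registration. The RDAP and Wayback CDX records are constructed samples, `toyshop.example` is a placeholder, and the 180-day threshold is an assumption.

```python
import json
from datetime import datetime, timezone

# Constructed sample data (not real lookups). RDAP_SAMPLE mimics the "events"
# array of an RDAP domain response; CDX_SAMPLE mimics Wayback CDX JSON output,
# whose first row is the column header.
RDAP_SAMPLE = json.loads("""{"ldhName": "toyshop.example", "events": [
  {"eventAction": "registration", "eventDate": "2024-01-15T09:30:00Z"},
  {"eventAction": "expiration",   "eventDate": "2025-01-15T09:30:00Z"}]}""")
CDX_SAMPLE = [
    ["timestamp", "original", "statuscode"],
    ["20150310120000", "http://toyshop.example/", "200"],
    ["20190822080000", "http://toyshop.example/", "200"],
    ["20240203141500", "http://toyshop.example/", "200"],
]

def registration_date(rdap):
    """Return the RDAP 'registration' event as an aware datetime, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "registration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def snapshot_dates(cdx_rows):
    """Parse CDX rows (header row first) into sorted UTC snapshot datetimes."""
    if not cdx_rows:
        return []
    col = cdx_rows[0].index("timestamp")
    return sorted(datetime.strptime(r[col], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
                  for r in cdx_rows[1:])

def assess(rdap, cdx_rows, now, new_days=180):
    """Return warning flags; an empty list means neither check fired."""
    reg = registration_date(rdap)
    if reg is None:
        return ["no registration date available"]
    flags = []
    snaps = snapshot_dates(cdx_rows)
    age = (now - reg).days
    if age < new_days:
        flags.append(f"registered {age} days ago")
    earlier = [s for s in snaps if s < reg]
    if earlier:  # archived content older than the current registration
        gap = (reg - earlier[-1]).days
        flags.append(f"{len(earlier)} snapshots predate the current registration "
                     f"(latest {gap} days before): possible orphaned domain")
    if not snaps:
        flags.append("no archive history")
    return flags
```

A flag here is a prompt to look at the archived pages and compare them with the current storefront, not a verdict on its own.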

If in doubt about making a purchase but still wanting to avoid missing out, there are some ways to reduce the risk:

  • Pay with PayPal or a pre-paid card with limited funds. This restricts what a fraudster can do with the information.
  • Register any account with a throwaway (but genuine) email address and password, not a combination that is commonly used elsewhere.
  • Contact your bank with any doubts as soon as possible.
