More than 800,000 people in Europe and the United States appear to have been tricked into sharing card details and other sensitive personal data with a vast network of fake online designer stores apparently operated from China.
An international investigation by The Guardian, Die Zeit and Le Monde offers a rare look inside the mechanics of what the UK’s Chartered Trading Standards Institute has described as one of the largest scams of its kind, with 76,000 fake websites created.
A wealth of data examined by journalists and IT experts indicates that the operation is highly organized, technically savvy and continuous.
Operating on an industrial scale, programmers have created tens of thousands of fake web stores offering discounted products from Dior, Nike, Lacoste, Hugo Boss, Versace and Prada, as well as many other premium brands.
Published in several languages, from English to German, French, Spanish, Swedish and Italian, the websites appear to have been created to entice buyers to part with money and sensitive personal data.
However, the sites have no connection to the brands they claim to sell and in most cases consumers who spoke about their experience said they did not receive any items.
The first fake stores on the network appear to have been created in 2015. More than one million “orders” have been processed in the last three years alone, according to data analysis. Not all payments were processed successfully, but analysis suggests the group may have attempted to receive up to €50m (£43m) during the period. Many shops have been abandoned, but a third of them (more than 22,500) are still live.
So far, an estimated 800,000 people, almost all in Europe and the United States, have shared email addresses, and 476,000 of them have shared debit and credit card data, including their three-digit security number. All of them also provided their names, telephone numbers, email and postal addresses to the network.
Katherine Hart, director of the Chartered Trading Standards Institute, described the operation as “one of the biggest fake online store scams I have ever seen”. She added: “Often these people are part of serious, organized criminal groups, so they collect data and can use it against people later, making consumers more susceptible to phishing attempts.”
“Data is the new currency,” said Jake Moore, global cybersecurity advisor at software company ESET. He warned that such personal data could also be valuable to foreign intelligence agencies for surveillance purposes. “The bigger picture is that you have to assume that the Chinese government could potentially have access to the data,” he added.
The existence of the network of fake stores was revealed by Security Research Labs (SR Labs), a German cybersecurity consultancy, which obtained several gigabytes of data and shared it with Die Zeit.
A core group of developers seems to have built a system to create and launch websites semi-automatically, allowing for rapid deployment. This core appears to have operated some stores itself, but allowed other groups to use the system. Records suggest that at least 210 users have accessed the system since 2015.
SR Labs consultant Matthias Marx described the model as “franchise-like.” He said: “The core team is responsible for developing software, implementing backends and supporting network operation. Franchisees manage the daily operations of the fraudulent stores.”
“It caught me…”
It was a few weeks until Christmas. Melanie Brown, 54, from Shropshire in England, was looking for a new bag. She Googled a picture of a leather item by one of her favorite German designers, Rundholz. A website immediately popped up offering the bag at 50% off the usual retail price of £200. She added it to her cart.
“It got me,” she said. After selecting the bag, she looked at other designer pieces from a high-end brand she loves called Magnolia Pearl. She found dresses, blouses and jeans, racking up a £1,200 bill across 15 items. “I got a lot for the money, so I thought it was worth it,” she said.
But Brown was being scammed. For nearly a decade, a network operating out of China’s Fujian province used what appears to be a single software platform to create tens of thousands of fake online stores.
There are the big global brands like Paul Smith, haute couture houses like Christian Dior, but also more niche and highly sought after names like Rixo and Stella McCartney, and high street retailers like Clarks shoes. Not just clothes: there are fake stores that sell quality toys, like Playmobil, and at least one that sells lighting.
For this investigation, around 49 people who say they have been scammed have been interviewed. The Guardian spoke to 19 people from the UK and the US. Their evidence suggests that these websites were not created to trade in counterfeit products. Most people didn’t receive anything in the mail. Some did, but the items were not as ordered. A German buyer paid for a jacket and received cheap sunglasses. One British customer received a fake Cartier ring instead of a shirt and another received an unbranded blue sweater instead of the Paul Smith one he had paid for.
Interestingly, many of those who tried to buy never lost money. Either their bank blocked the payment or the fake store did not process it.
However, all those interviewed have one thing in common: they handed over their private data.
Simon Miller, policy and communications director at Stop Scams UK, said: “Data can be more valuable than sales. If you’re hoovering up someone’s card details, that data is invaluable for a bank account takeover.”
SR Labs, which works with corporations to protect their systems from cyberattacks, believes the scam operates on two levels. Firstly, credit card harvesting, where fake payment gateways collect credit card data but do not accept money. Secondly, fake sales, in which criminals take money. There is evidence that the network accepted payments processed through PayPal, Stripe and other payment services and, in some cases, directly with debit or credit cards.
The network used expired domains to host its fake stores, which experts say can help avoid detection by websites or brand owners. It appears to have a database of 2.7 million of these orphan domains and runs tests to see which ones are best to use.
In Germany, the owner of a glass bead factory said she had received angry calls almost every day from shoppers asking where their Lacoste clothes were. She discovered that an old website of hers, perlenzwoelfe.de, had been used for the fraud. It was findable because the content she had previously placed at that address was visible in the web archives. She reported the fraud to the police. “Officials just said they couldn’t do anything about it.”
The same story happened to Michael Rouah, who directs artoyz, an online store in the center of Paris that sells handmade toys. Their entire product catalog was copied. “They changed the name and used another domain… They stole the images from our website and changed the prices, making them – of course – much lower.”
Customers alerted him to the fraud. “Usually we can’t do much about it… We explore taking action with an attorney, but it takes time and costs money,” he said.
The network appears to have originated in Fujian province. Many of the IP (Internet Protocol) addresses can be traced back to China, some to the cities of Putian and Fuzhou in Fujian.
Payroll documents found in the data suggest that people were hired as developers and data collectors and paid salaries through Chinese banks.
There were also three templates for employment contracts, where the employer appears as Fuzhou Zhongqing Network Technology Co Ltd.
Officially registered in China and issued with an official unique identification number, the company lists its address as Fuzhou, the capital of Fujian. It is not clear what connection it has to the network.
Contracts establish strict working conditions. The employee receives a performance score and can increase his or her salary with a higher rating. They are judged on whether they refrain from playing video games, watching movies, or sleeping while at work. If staff are sick or take vacation, their pay is reduced for the days missed, unless they work overtime.
The data includes a spreadsheet describing the payment between January and October 2022 of 2,410,000 yuan (almost £266,000) in dividends to at least four shareholders of an unnamed company.
The Fuzhou Zhongqing company now advertises for developers and data collectors on Chinese recruitment websites. The salary of a data collection specialist is 4,500 to 7,000 Chinese yuan (£500 to £700) per month and the company is described as a “foreign trade company that mainly produces sports shoes, fashion clothing, handbags brand and other series.”
The Fuzhou Zhongqing company did not respond to a request for comment.
Action Fraud, the UK’s cybercrime reporting centre, said it would try to remove fake webshops.
Online scams are a growing problem. There were 77,000 cases of purchase fraud (where goods are paid for but never materialise) in the UK in the first six months of 2023, an increase of 43% compared to the same period in 2022. In the US, consumers lost nearly $8.8 billion to fraud in 2022, an increase of more than 30% compared to the previous year. The second most commonly reported scam is related to online shopping fraud.
According to TSB fraud spokesperson Matt Hepburn, shopping fraud is “the biggest driver” of online financial crime in the UK. He said technology companies should do more to protect consumers. “Search engines and technology platforms must prevent their users from being exposed to fake sites and quickly remove fraudulent content reported to them.”
Hester Abrams, international engagement manager at industry collaboration Stop Scams UK, said: “Consumers will only be better protected from criminal gangs exploiting digital systems if businesses and governments make scam prevention a real priority. Research like this shows how much impact we could have against scammers with a better coordinated international effort.”
Additional reporting by Helen Davidson and Chi-hui Lin