More than 800,000 people in Europe and the US appear to have been duped into sharing card details and other sensitive personal data with a vast network of fake online designer shops apparently operated from China.
An international investigation by the Guardian, Die Zeit and Le Monde gives a rare inside look at the mechanics of what the UK’s Chartered Trading Standards Institute has described as one of the largest scams of its kind, with 76,000 fake websites created.
A trove of data examined by reporters and IT experts indicates the operation is highly organised, technically savvy – and ongoing.
Operating on an industrial scale, programmers have created tens of thousands of fake web shops offering discounted goods from Dior, Nike, Lacoste, Hugo Boss, Versace and Prada, as well as many other premium brands.
Actor and comedian Jon Kenny, ‘an entertainer to his core’, dies aged 66
Katie Taylor narrowly defeats Amanda Serrano in brutal contest
Irish soldiers prevented from leaving Lebanon after drunken airport fight
I’ve read what Trump’s trade tsar says about the ‘tiny island nation’ of Ireland. It’s not good
Published in multiple languages from English to German, French, Spanish, Swedish and Italian, the websites appear to have been set up to lure shoppers into parting with money and sensitive personal data.
However, the sites have no connection to the brands they claim to sell and in most cases consumers who spoke about their experience said they received no items.
The first fake shops in the network appear to have been created in 2015. More than 1 million “orders” have been processed in the past three years alone, according to analysis of the data. Not all payments were successfully processed, but analysis suggests the group may have attempted to take as much as €50 million over the period. Many shops have been abandoned, but a third of them – more than 22,500 – are still live.
So far, an estimated 800,000 people, almost all of them in Europe and the US, have shared email addresses, with 476,000 of them having shared debit and credit card details, including their three-digit security number. All of them also handed over their names, phone numbers, email and postal addresses to the network.
“Data is the new currency,” said Jake Moore, a global cybersecurity adviser at the software company ESET. He warned such personal data troves could also be valuable to foreign intelligence agencies for surveillance purposes. “The bigger picture is that one must assume the Chinese government may have potential access to the data,” he added.
The existence of the fake shops network was revealed by Security Research Labs (SR Labs), a German cybersecurity consultancy, which obtained several gigabytes of data and shared it with Die Zeit.
A core group of developers appears to have built a system to semi-automatically create and launch websites, allowing rapid deployment. This core appears to have operated some shops themselves, but to have allowed other groups to use the system. The logs suggest at least 210 users have accessed the system since 2015.
SR Labs consultant Matthias Marx described the model as “franchise-like”. He said: “The core team is responsible for developing software, deploying backends, and supporting the operation of the network. The franchisees manage the day-to-day operations of fraudulent shops.”
Over nearly a decade, a network operating from Fujian province in China used what appears to be a single software platform to create tens of thousands of fake online shops.
There are the big global brands such as Paul Smith, haute couture houses such as Christian Dior, but also more niche, much sought-after names such as Rixo and Stella McCartney, and high street retailers like Clarks shoes. Not just clothes – there are fake stores selling quality toys, such as Playmobil, and at least one selling lighting.
About 49 people who say they were scammed have been interviewed for this investigation. The Guardian spoke to 19 from the UK and the US. Their evidence suggests these websites were not set up to trade in counterfeit goods. Most people received nothing in the mail. A few did, but the items were not the ones ordered. A German shopper paid for a blazer and received cheap sunglasses. A British customer received a bogus Cartier ring instead of a shirt and another was sent a non-branded blue jumper instead of the Paul Smith one they had paid for.
[ Rules change on interest-free loans to family membersOpens in new window ]
Many who tried to shop never lost money. Either their bank blocked the payment, or the fake shop itself did not process it. However, all of those interviewed have one thing in common: they handed over their private data.
Simon Miller, the director of policy and communications for Stop Scams UK, said: “Data can be more valuable than sales. If you are hoovering up someone’s card details that data is invaluable then for a bank account takeover.”
SR Labs, which works with corporations to protect their systems from cyberattacks, believes the scam is operating on two levels. First, credit card harvesting, in which fake payment gateways collect credit card data but do not take any money. Second, fake selling, where the criminals do take money. There is evidence the network took payments processed via PayPal, Stripe and other payment services, and in some cases directly from debit or credit cards.
The network used expired domains to host its fake shops, which experts say can help to avoid detection by websites or brand owners. It appears to have a database of 2.7m of these orphaned domains and runs tests to check which ones are best to use.
In Germany, the owner of a glass bead factory said she had received angry calls almost every day from shoppers asking where their Lacoste clothes were. She found out that an old website of hers, perlenzwoelfe.de, had been used for the scam. She was findable as content she had previously placed on at that address was visible in web archives. She reported the fraud to the police. “The officials just said there was nothing they could do about it.”
It was the same story for Michael Rouah who runs Artoyz, an online store and shop in central Paris selling handmade toys. His full catalogue of products was copied. “They changed the name and used another domain ... They stole the images from our website and changed the prices, putting them – of course – much lower.”
He was alerted to the fraud by customers. “We generally can’t do much about it ... We explored taking action with a lawyer, but it takes time and it costs money,” he said.
[ Twenty tips for a frugal but fun summer with the kidsOpens in new window ]
The network appears to have originated in Fujian province. Many of the IP (internet protocol) addresses can be traced back to China, some to the Fujian cities of Putian and Fuzhou.
Payroll documents found in the data suggest individuals were hired as developers and data harvesters and paid salaries through Chinese banks.
There were also three templates for employment contracts, where the employer is listed as Fuzhou Zhongqing Network Technology Co Ltd.
Officially registered in China, and issued with an official unique identifier number, the company gives its address as Fuzhou, the capital of Fujian. It is not clear what connection it has to the network.
The contracts set out strict working conditions. The employee is given a performance score and can increase their salary with a higher ranking. They are judged on whether they refrain from playing video games, watching movies, or sleeping while at work. If staff are sick or take a holiday, their salary is reduced for days missed unless they work overtime.
The data includes a spreadsheet describing the payment between January and October 2022 of 2,410,000 yuan (almost £266,000) in dividends to at least four shareholders of an unnamed company.
The Fuzhou Zhongqing company is now advertising for developers and data collectors via Chinese recruitment websites. The salary for a data collection specialist is 4,500-7,000 Chinese yuan (about £500 to £700) a month and the business is described as a “foreign trade company that mainly produces sports shoes, fashion clothing, brand bags, and other series”.
The Fuzhou Zhongqing company did not respond to a request for comment. – Guardian