More than 800,000 people in Europe and the US appear to have been duped into sharing card details and other sensitive personal data with a vast network of fake online designer shops apparently operated from China.
An international investigation by the Guardian, Die Zeit and Le Monde gives a rare inside look at the mechanics of what the UK’s Chartered Trading Standards Institute has described as one of the largest scams of its kind, with 76,000 fake websites created.
A trove of data examined by reporters and IT experts indicates the operation is highly organised, technically savvy – and ongoing.
Operating on an industrial scale, programmers have created tens of thousands of fake web shops offering discounted goods from Dior, Nike, Lacoste, Hugo Boss, Versace and Prada, as well as many other premium brands.
Published in multiple languages from English to German, French, Spanish, Swedish and Italian, the websites appear to have been set up to lure shoppers into parting with money and sensitive personal data.
However, the sites have no connection to the brands they claim to sell and in most cases consumers who spoke about their experience said they received no items.
The first fake shops in the network appear to have been created in 2015. More than 1m “orders” have been processed in the past three years alone, according to analysis of the data. Not all payments were successfully processed, but analysis suggests the group may have attempted to take as much as €50m (£43m) over the period. Many shops have been abandoned, but a third of them – more than 22,500 – are still live.
So far, an estimated 800,000 people, almost all of them in Europe and the US, have shared email addresses, with 476,000 of them having shared debit and credit card details, including their three-digit security number. All of them also handed over their names, phone numbers, email and postal addresses to the network.
Katherine Hart, a lead officer at the Chartered Trading Standards Institute, described the operation as “one of the largest online fake shops scams that I have seen”. She added: “Often these people are part of serious and organised crime groups so they are harvesting data and may use it against people later, making consumers more susceptible to phishing attempts.”
“Data is the new currency,” said Jake Moore, a global cybersecurity adviser at the software company ESET. He warned such personal data troves could also be valuable to foreign intelligence agencies for surveillance purposes. “The bigger picture is that one must assume the Chinese government may have potential access to the data,” he added.
The existence of the fake shops network was revealed by Security Research Labs (SR Labs), a German cybersecurity consultancy, which obtained several gigabytes of data and shared it with Die Zeit.
A core group of developers appears to have built a system to semi-automatically create and launch websites, allowing rapid deployment. This core appears to have operated some shops itself, but also to have allowed other groups to use the system. The logs suggest at least 210 users have accessed the system since 2015.
SR Labs consultant Matthias Marx described the model as “franchise-like”. He said: “The core team is responsible for developing software, deploying backends, and supporting the operation of the network. The franchisees manage the day-to-day operations of fraudulent shops.”
It was a few weeks before Christmas. Melanie Brown, 54, from Shropshire in England, was looking for a new handbag. She put the image of a leather item from one of her favourite German designers, Rundholz, into Google. Immediately a website appeared offering the bag at 50% off the usual £200 retail price. She added it to her cart.
“It reeled me in,” she said. After selecting the bag she spotted other designer clothes from a high-end brand she loves called Magnolia Pearl. She found dresses, tops and jeans, racking up a £1,200 bill on 15 items. “I was getting a lot for the money, so I thought it was worth it,” she said.
But Brown was being ripped off. Over nearly a decade, a network operating from Fujian province in China used what appears to be a single software platform to create tens of thousands of fake online shops.
There are the big global brands such as Paul Smith, haute couture houses such as Christian Dior, but also more niche, much sought-after names such as Rixo and Stella McCartney, and high street retailers like Clarks shoes. Not just clothes – there are fake stores selling quality toys, such as Playmobil, and at least one selling lighting.
About 49 people who say they were scammed have been interviewed for this investigation. The Guardian spoke to 19 from the UK and the US. Their evidence suggests these websites were not set up to trade in counterfeit goods. Most people received nothing in the mail. A few did, but the items were not the ones ordered. A German shopper paid for a blazer and received cheap sunglasses. A British customer received a bogus Cartier ring instead of a shirt and another was sent a non-branded blue jumper instead of the Paul Smith one they had paid for.
Strangely, many who tried to shop never lost money. Either their bank blocked the payment, or the fake shop itself did not process it.
However, all of those interviewed have one thing in common: they handed over their private data.
Simon Miller, the director of policy and communications for Stop Scams UK, said: “Data can be more valuable than sales. If you are hoovering up someone’s card details that data is invaluable then for a bank account takeover.”
SR Labs, which works with corporations to protect their systems from cyber-attacks, believes the scam is operating on two levels. First, credit card harvesting, in which fake payment gateways collect credit card data but do not take any money. Second, fake selling, where the criminals do take money. There is evidence the network took payments processed via PayPal, Stripe and other payment services, and in some cases directly from debit or credit cards.
The network used expired domains to host its fake shops, which experts say can help to avoid detection by websites or brand owners. It appears to have a database of 2.7m of these orphaned domains and runs tests to check which ones are best to use.
In Germany, the owner of a glass bead factory said she had received angry calls almost every day from shoppers asking where their Lacoste clothes were. She found out that an old website of hers, perlenzwoelfe.de, had been used for the scam. She was findable as content she had previously placed at that address was visible in web archives. She reported the fraud to the police. “The officials just said there was nothing they could do about it.”
It was the same story for Michael Rouah who runs Artoyz, an online store and shop in central Paris selling handmade toys. His full catalogue of products was copied. “They changed the name and used another domain … They stole the images from our website and changed the prices, putting them – of course – much lower.”
He was alerted to the fraud by customers. “We generally can’t do much about it … We explored taking action with a lawyer, but it takes time and it costs money,” he said.
The network appears to have originated in Fujian province. Many of the IP (internet protocol) addresses can be traced back to China, some to the Fujian cities of Putian and Fuzhou.
Payroll documents found in the data suggest individuals were hired as developers and data harvesters and paid salaries through Chinese banks.
There were also three templates for employment contracts, where the employer is listed as Fuzhou Zhongqing Network Technology Co Ltd.
Officially registered in China, and issued with an official unique identifier number, the company gives its address as Fuzhou, the capital of Fujian. It is not clear what connection it has to the network.
The contracts set out strict working conditions. The employee is given a performance score and can increase their salary with a higher ranking. They are judged on whether they refrain from playing video games, watching movies, or sleeping while at work. If staff are sick or take a holiday, their salary is reduced for days missed unless they work overtime.
The data includes a spreadsheet describing the payment between January and October 2022 of 2,410,000 yuan (almost £266,000) in dividends to at least four shareholders of an unnamed company.
The Fuzhou Zhongqing company is now advertising for developers and data collectors via Chinese recruitment websites. The salary for a data collection specialist is 4,500-7,000 Chinese yuan (about £500 to £700) a month and the business is described as a “foreign trade company that mainly produces sports shoes, fashion clothing, brand bags, and other series”.
The Fuzhou Zhongqing company did not respond to a request for comment.
Action Fraud, the UK’s reporting centre for cybercrime, said it would seek to have the fake web shops taken down.
Online scams are a growing problem. There were 77,000 cases of purchase fraud – where goods are paid for but never materialise – in the UK in the first six months of 2023, a 43% increase compared with the same period in 2022. In the US consumers lost nearly $8.8bn to fraud in 2022, an increase of more than 30% over the previous year. The second most commonly reported scam is related to online shopping fraud.
According to the TSB fraud spokesperson Matt Hepburn, purchase fraud is “the biggest driver” of online financial crime in the UK. He said technology companies should do more to protect consumers. “Search engines and tech platforms must prevent their users from being exposed to fake sites, and swiftly remove the scam content that is reported to them.”
Hester Abrams, the international engagement manager at the industry collaboration Stop Scams UK, said: “Consumers will only be better protected from criminal outfits exploiting digital systems if businesses and governments make scam prevention a genuine priority. Investigations like this show just how much impact we could have against scammers with a better coordinated international effort.”
Additional reporting from Helen Davidson and Chi-hui Lin