We have discovered a new fraud trend taking place in Japan and China. The scheme consists of completely fake e-commerce sites, solely created with the intention of stealing credit card information from the buyers (victims). These sites don’t actually sell anything – they are designed for the sole purpose of capturing credit card data, to be used fraudulently elsewhere.
The following images capture different shopping sites, featuring products with a wide range of prices and brands, advertising different payment methods, including major credit cards like Visa and Mastercard, as well as alternative methods like Western Union.
The screenshots below show the user entering a credit card. Note that the site doesn’t use SSL certificate and does not check for credit card numbers used, even though it pretends to be a secured site, using high-profile security seals like Verisign and Visa as endorsers.
Once the shopper makes the purchase and enters the credit card information, the fraudsters have completed the scam, and now possess the credit card and billing information. The fraudsters can now take their operation to the next level and remove funds from the victim’s account. The victim doesn’t realize they have been scammed until their merchandise doesn’t arrive, a few days or weeks later. In the meantime, their cards and information are being used to buy other goods or steal their identity.
These kinds of schemes have proven effective mainly because it takes an extremely watchful eye to differentiate this site from a legitimate e-commerce site. We have seen this starting in Japan, and then expanding into China, which indicates that the scammers are greatly benefiting from this kind of fraudulent operation.
Like most profitable fraud methods, fake shopping sites are here to stay and most likely expand (see English site below) targeting countries in the Western Hemisphere. Because these sites are cloned from one another, they are extremely easy to duplicate and a new one can be created in minutes. It is only a matter of time before these sites completely infect the Internet, make it increasingly harder for financial institutions and key players in the payment industry to fight these threats to their brands and end-users.