Facebook helping criminals use cloned South African online shops to steal people’s money

Scammers are creating exact clones of South African online shopping websites, advertising their scam sites on Facebook using great deals as bait, and taking payment for orders but never shipping the products.

Local ladies fashion retailer Desray recently had such an incident, but they aren’t the only online store that scammers have cloned to steal people’s money.

A search of the Artists Against 419 fake sites list returns dozens of sites targeted in spoofing attacks.

Not all of these are niche e-commerce operators either. Companies like Woolworths and HiFi Corp have also had their sites cloned in similar attacks.

Desray’s story is particularly interesting because they exposed how the scammers were billing people’s credit cards and how little Facebook appeared to care about scam profiles on its platform.

They also revealed the tremendous impact the attack had on their customers and operations.

Desray managing director Michael Dixon said customers started notifying them on 21 January 2024 about a fake Desray group on Facebook running advertisements offering 70% discounts on their products.

The Facebook advertisement sent customers to an exact copy of the desray.co.za website, using the URL dripgym.shop.

Customers ripped off by the spoof website told Desray that the charges appeared on their credit card statements as being processed by Acqra.com.

“One customer reported that her purchase would be refunded to her, all other reports were that customers would not get their money back,” Dixon said.

Understandably angry, customers commented on social media that people should avoid Desray because they assumed the site had been hacked (which was not the case).

Dixon said this caused terrible damage to Desray’s online trust.

He said that upon learning of the spoof site, they immediately reported it via Google’s Safe Browsing page, Microsoft’s unsafe site reporting tool, and Netcraft’s suspicious site tool.

They also dug into the spoof domain and found it was registered through Namesilo.com and hosted behind Cloudflare.

Namesilo said Dixon had to prove it was a scam site before they would do anything, and Cloudflare sent an automated response and no further feedback.

Dixon supplied Namesilo with screenshots of the Facebook ads and the spoofed site. They eventually took the domain down on 27 January — almost a week later.

He also contacted the US company used to register the DNS, fixAPI.org, with no response.

Reporting the fake Desray Facebook group also proved futile. Dixon said they even tried having all staff, friends, and family report the group.

They received no feedback and Facebook did not take the group down, causing untold damage to customers scammed by the page.

Even after they managed to get the original dripgym.shop attack site shut down, the scammers would relaunch on a new domain and use the Facebook group to promote links to the new URL.

“Each time a phishing site is shut down, the link in the Facebook advertisement is changed to a new domain,” Dixon said.

“Facebook is the biggest part of the problem, because no matter how many times the fraudulent phishing pages and ads are reported, they are not taken down.”

At the time of publication, the fake Facebook page was still live.

Fake Desray Facebook ad screenshot (Click to enlarge)

“When dripgym.shop was shut down we thought we were in the clear but reports were still coming in of customers being scammed,” Dixon said.

“We were then notified that the new phishing address was desray.shop.”

Dixon said this was very frustrating, because their social media and newsletter warnings to customers instructed them to make sure that “desray” appeared in the URL while they were shopping.

“Many more customers have now been scammed and we have reported the site as per the steps above. In addition, we also emailed Nedbank, Standard Bank and SAFPS.org.za about the new site.”

Dixon said they had reports from 50 or more customers, but he suspects there were many more too embarrassed to report it.

“I estimate hundreds of thousands of rands have been stolen in less than a week. One customer reportedly lost R8500,” he said.

He said the reason it is so difficult to stop this scam is because of the online payment portal being used, Acqra.

“Their contact numbers on their website do not work, they have not responded to emails or online form submission,” Dixon said.

“Acqra could stop the scammers immediately if they would engage the victims but they appear not to be interested or are complicit.”

Michael Dixon, Desray managing director

Dixon said their next steps were to investigate companies like Digital Shadows, Fraudwatch International, and Lexsynergy to help them.

However, he noted these services were expensive and reactive so customers would still not be safe from being scammed.

“The only way a customer can know she is safe is by checking that the URL she is shopping on is desray.co.za,” Dixon said.

“We do not own any other domains and this is the message we are sending out now.”

Aside from the huge impact to their customers, Dixon said their online shopping has died as a result of this scam.

They were seeing less than a third of the revenue the site was generating before the scam started.

Additionally, they could not go on summer sale when they wanted to because there was so much confusion online with the scam site offering massive sales.

MyBroadband contacted Facebook, Acqra, Visa, and Mastercard for comment. None of them responded.