Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to find by digging into things like public phone books, credit reports, or domain registration records). The scammer then obtained the order numbers of items Chris had recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested that replacement items be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (Gmail ignores dots in the part before the @, so an address typed with or without dots delivers to the same inbox), but Amazon treats the dotted and undotted forms as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
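As an added illustration (not code from the original post or from Amazon), here is a hypothetical Python check a support system could apply to recognise that an address used in a support chat is merely a dot-variant of the address on file for the account. It goes slightly beyond the page by also folding Gmail's "+tag" suffixes and the googlemail.com alias into the same mailbox.

```python
# Added example: canonicalise Gmail-style addresses so that dot-variants
# (and +tag / googlemail.com aliases) compare equal, then flag support-chat
# contacts that are really the account holder's own mailbox in disguise.

# Providers known to ignore dots in the local part of an address (assumption:
# only Gmail and its googlemail.com alias are listed here).
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return a canonical form of addr for mailbox comparison.

    Lowercases the address; for dot-blind providers it also removes dots
    from the local part, strips a '+tag' suffix and maps googlemail.com
    to gmail.com. Other domains are compared as-is apart from case.
    """
    addr = addr.strip().lower()
    if addr.count("@") != 1:
        raise ValueError(f"not a simple email address: {addr!r}")
    local, domain = addr.split("@")
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0]   # user+anything@ routes to user@
        local = local.replace(".", "")   # j.o.h.n@ routes to john@
        domain = "gmail.com"
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """True if two textually different addresses deliver to one inbox."""
    return canonical_email(a) == canonical_email(b)


def flag_variant_contacts(account_email: str, contact_emails):
    """Return contact addresses that differ textually from the account
    email but resolve to the same mailbox: the identities a support tool
    should treat as the same customer rather than as a new one."""
    return [c for c in contact_emails
            if c != account_email and same_mailbox(account_email, c)]


if __name__ == "__main__":
    # Constructed sample: the account holder plus two chat contacts.
    on_file = "johnsmith@gmail.com"
    chats = ["john.smith@gmail.com", "other@gmail.com", on_file]
    print(flag_variant_contacts(on_file, chats))  # ['john.smith@gmail.com']
```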
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)