Amazon Replacement Order Scam: anatomy of a social engineering con in action

Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are "dot-blind" (an address with dots in the local part is delivered to the same inbox as the same address without them), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.

Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
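One defensive check that follows from the dot-blindness problem described above: normalise addresses from dot-blind providers to a comparison key before looking for duplicate accounts. This is an added example, not code from Amazon or from Chris Cardinal's post; the provider list and the account records are constructed assumptions.

```python
"""Flag customer accounts whose e-mail addresses reach the same inbox once a
provider's dot-blindness (and plus-tags) are taken into account.
Added example with constructed data; not Amazon's or the original post's code."""

# Assumption of this example: providers that ignore dots in the local part.
# Extend the set for your own environment.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(email: str) -> str:
    """Return a key for duplicate detection, NOT a deliverable address.

    Per RFC 5321 the local part is opaque to everyone except the receiving
    server (dots are significant in general), so addresses are only folded
    for providers known to treat dotted and undotted forms as one inbox."""
    local, _, domain = email.strip().rpartition("@")
    domain = domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0]   # plus-tags land in the same inbox too
        local = local.replace(".", "").lower()
    return f"{local}@{domain}"


def find_collisions(accounts):
    """Group (account_id, email) pairs that resolve to one inbox.

    Returns {canonical_key: [account_ids]} for every group larger than one;
    such groups are what a support or fraud team would review before honouring
    a 'never delivered, please re-ship elsewhere' request."""
    groups = {}
    for account_id, email in accounts:
        groups.setdefault(canonical(email), []).append(account_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample: one legitimate customer plus two look-alike registrations
# at a dot-blind provider, and two genuinely distinct accounts elsewhere.
SAMPLE_ACCOUNTS = [
    ("acct-001", "jane.doe@gmail.com"),
    ("acct-002", "janedoe@gmail.com"),
    ("acct-003", "J.a.n.e.Doe+orders@Gmail.com"),
    ("acct-004", "jane.doe@example.com"),     # dots significant here
    ("acct-005", "janedoe@example.com"),
]

if __name__ == "__main__":
    for key, ids in find_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{key}: {', '.join(ids)}")
```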

A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you’ve used at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

Two-for-one:’s Socially Engineered Replacement Order Scam (via Hacker News)


    1. Here’s another one, then: will both direct all mail to *and* allow you to set up filters to match  “” So you effectively have unlimited, almost-throwaway addresses instantly on hand. (“Almost” throwaway because you would have to keep a filter that reroutes them to trash. Having extra filters bugs me, but I’ll bet that’s just me.)

  1. Going to be a good day when companies realize reciting an address or number is not a valid way to identify a caller. Any kind of account change should use some other channel for verification. Sending an email or a phone call to the on-record entry should be the minimum requirement.

    Email accounts can still be hacked and phones stolen, but that changes it from a “simple” con to a more difficult one.

    1. It’s difficult to be a CSR when your customers are likely dolts in the first place who can’t recall their password or anything helpful other than their address in the first place.  They’re being paid to make the customer happy and that’s what they want to do so they can get off the phone and clock out.

      If Amazon wanted to stop theft they’d invariably start upsetting customers, and they’re certainly not interested in anything that might possibly do that.

    2. Here’s a nice scam where the police call you to tell you that your cards have been misused and ask for your card numbers.  When you demur, they tell you to hang up and call 999 (911) to verify that they’re real.  Only they don’t hang up, so you’re just dialing over a live line.  And then they keep you on the phone for hours so that you won’t call your bank to report the problem until after they’ve used your card numbers.

      1. Hmmm… Is this a purely UK scam? I would bet the majority of people use a cell phone, so hanging up on their end will terminate the call. Also, with landline you would have to be somewhere with REALLY old equipment to keep that kind of hold on a line and you’d both have to be on that old circuitry. Granted, it’s been decades since I had a landline, but I don’t think it will work in most places here in the US, as so much has been upgraded to digital circuits, with only the final wires from the CO to the address (and many times not even that!) being analog. One way the phone company has leveraged their bandwidth is to put in a digital aggregator so all the customers in one area are combined onto one T-1 line. Anyone here in the US tried this out with two landlines?

        1. That article only mentions the UK. The scammers make the original call, so they would only call land lines.

          1. And the largest users of analog landlines in the US are probably older, so already a target of scammers. My dad (84 y/o) has AT&T U-verse so he gets caller ID on his TV when the phone rings. I finally convinced him that if he didn’t recognize the phone number, it said “blocked”, or was a 1-800 number, to just ignore it. Saves hanging up on all those spammers and scammers. 

  2. I got an odd call yesterday from a police detective investigating credit card fraud.  He wanted to know if I had purchased a small bit of electronics for about $200 from WalMart about nine months ago.  I told him that we had in fact bought it, and the timing was right, but that I would never intentionally buy anything from WalMart.  He asked if I had a mastercard issued by a credit union that I don’t use.  I told him no.  And I had no receipt email from WalMart regarding the purchase.

    He asked me to check my records and call him back if I found any more detail. 

    What I found was that we bought the item from a private seller on Amazon for about $160, which at the time was less than what other sellers were offering it at.  And this triggered my memory- the private seller had ordered the product drop-shipped from Walmart, and had paid roughly $200 for it but was only charging us $160!  It was weird enough that it made me remember the shipping slip but not so weird that I picked up the phone to call anyone- I figured the seller must have some kind of commission deal with WalMart or something to explain the $40 price difference.

    So fast-forward to yesterday, I think I know what must have happened now.  This third-party private seller had lifted a CC number from some unrelated fourth party, and was taking orders in from Amazon Fulfillment and then using the stolen card number to fill those orders via 5th-party drop-shippers.  Amazon charged my card, took a cut, put cash in the third-party seller’s account, and nobody was any wiser until the fourth party got around to checking their card statement. 

    1. This seems like such an overly complex way to make forty bucks.  I mean, do it ten times and you’re starting to talk about real money, but to do all that work to make a decent income and put yourself out there for credit card fraud seems small time.  If you’re going to get hit for cc fraud, make enough money to pay for a great lawyer to get you off first.

      1. Actually, this one has potential. What you need is a group of people who are all into the CC theft and fraud thing. You set up a distributed app that has a bank of stolen credit card accounts associated with it. When your end-user crook wants to place the order, you serve up a stolen CC. The crook has to provide a rough geographical area and pay a subscription fee — with bitcoins, or something similar — it’s not as if you trust your clients in this case!). The geo info is used to duck the processor’s fraud detection algorithms for as long as possible by clustering transactions near the legitimate owner’s rough location, only serving up the card to crooks in the vicinity, and also decreasing the number of consecutive hits at the same business against the same card.

        You then locate the stolen CC database in a remote, encryption-friendly jurisdiction, and serve up the data via TOR.

        How’m I doing so far?

        1. You’re doing very well, if you’re trying to make me ill. Yikes! Even on Amazon I’m wary of third party sellers. But from now on I’ll be staying away from them completely.

          1. Seriously? My idle what-if speculation scared you that much?
            For all I know the whole thing is utterly unrealistic and disregards long-established security features used by all transaction processors. But, if that off-the-cuff writeup makes you ill, you should be really careful about what you read. I particularly urge you to avoid Peter Watts and Charles Stross.

          2. LOL! I LOVE both Watts and Stross. What freaked me out is that reading it made me feel like I was reading one of those “this is how the computer exploit worked…” pieces that make me think:
            1) I never would have thought of that.
            2) makes me realize how many possible holes there are.
            But you’re not talking about something like low level network or OS tech, but about how our online commerce has become that convoluted. And there will always be that person who just “sees” the scam potential in these systems. I caught myself re-using passwords, so recently changed them all to long, unique ones. Also set up text alerts from my bank account if anything out of the ordinary or over a minor dollar amount happens. The original post, and what you wrote made me realize I don’t know enough about how Amazon works when I buy something other than direct from Amazon. My own ignorance of something I’ve probably trusted in the past is what worries me the most. 

  3. I am not sure how the dot-blindness of gmail can be used. I have a gmail account and I tried to register another account that is similar to mine but with dots in it. It did not work.

    1. But if you’re targeting who has an Amazon account, you can create a new Amazon account with the email  Extrapolate from there.

      The dot is significant in an address per RFC.  Google is doing it wrong here, Amazon is doing it right.  Everybody needs to follow the same standards for the Internet to work.  Amazon may choose to work around the Gmail problem because it’s such a large provider, but anybody else implementing this ‘feature’ is going to leave their users vulnerable to similar attacks.

      1. But the confirmation of that new account is still going to I still don’t see how dot blindness could be part of the scam; it isn’t explained, and the article isn’t saying Google is at fault.
