Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (email@example.com is the same as firstname.lastname@example.org), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)
The five Volkswagen executives who were criminally charged in the USA for their role in the Dieselgate scandal have been advised not to travel to the USA because they are liable to arrest there: they’ve also been told that leaving Germany is risky because they might be arrested and extradited to the USA.
It’s not just regulatory compliance exec Oliver Schmidt — arrested last week — who faces personal criminal repercussions for his role in the Dieselgate scandal: five more VW execs have been indicted and face criminal charges, including the former head of VW R&D, the head of engine development, an engine development supervisor, and another regulatory […]
The EPA and the California Air Resources Board (CARB) say that since 2014, Chrysler shipped 104,000 trucks with “defeat devices” designed to cheat emissions tests — like VW’s cheating, this software was designed to produce low NOx ratings when the trucks were undergoing emissions tests, but to ramp up NOx emissions during normal road use, […]
Traditional folding wallets are designed for paper bills—but these days, carrying cash is rarely a necessity. More often than not, I don’t carry cash at all. This Bogui Clik Wallet is the best answer I’ve found for avoiding the hassle of those tight-fitting credit card pockets.This attractive, minimalist wallet features a protective lip, so my cards don’t […]
Using my iPhone while it’s charging is always a hassle. With tucked-away outlets and the meager length of included lightning cables, comfortable scrolling while plugged in is annoying. These 10-Ft MFi-Certified Lightning Cables are super convenient and probably the best iPhone accessory purchase I’ve made.At over three times the length of normal cables, these reach anywhere you […]
With countless applications for modern life, artificial intelligence (AI) is one of the most in-demand fields of study in tech. Beyond modelling human decision making processes and learning abilities, AI can be used to analyze massive volumes of data and create complex interactive systems.This Machine Learning & AI for Business Bundle made mastering these concepts possible for […]