Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (email@example.com is the same as firstname.lastname@example.org), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)
Tim Harford points out that Dieselgate — when VW designed cars that tried to guess when they were undergoing emissions test and dial back their pollution — wasn’t the first time an industry designed its products to cheat when regulators were looking; the big banks did the same thing to beat the “stress tests” that […]
In a new paper published in the peer-reviewed Journal of Ethnicity in Criminal Justice, sociologists and criminologists from University at Buffalo (SUNY), the University of Alabama, Kennesaw State University, the State of Georgia, and Georgia State University review 40 years’ worth of FBI data on violent crimes and property crimes, correlating this data series with […]
Lee Jae-yong is nominally “vice-chairman” of Samsung, but his father, Samsung chairman Lee Kun-hee, is considered to be a mere figurehead, with Lee Jae-yong as the true boss of the company.
Making people aware of goods and services in the digital age requires an array of new strategies from social media and email to number-crunching tools like Google Analytics. To get a handle on the techniques used to capture attention and convert traffic into dollars in a crowded online environment, the Full-Stack Marketer Bundle offers 22 hours of training to get […]
Having a luxurious bed isn’t just a fairy tale from a catalog; it is a real, affordable possibility with offerings like this Olive+Owen bedroom set. If you’re thinking of doing some “spring cleaning”, this bed set is an easy way to completely upgrade your room in one purchase.This 20-piece collection has all of the expected slumberland elements, […]
Python is immensely popular in the data science world for the same reason it is in most other areas of computing—it has highly readable syntax and is suitable for anything from short scripts to massive web services. One of its most exciting, newest applications, however, is in machine learning. You can dive into this booming […]