Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (two Gmail addresses that differ only in the dots in the local part deliver to the same inbox), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions under an address that looked like a different account and so weren't immediately apparent to Chris.
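The defensive counterpart to that mismatch is to canonicalise addresses before using them as an account identity, so that two strings that reach the same inbox are recognised as one customer. The following is an added example written for this post, not code from Amazon or from Chris Cardinal's write-up; the list of dot-blind domains and the sample account records are constructed assumptions for illustration.

```python
"""
Canonicalise Gmail-style addresses so that aliases of one mailbox compare
equal, then flag records that collide after canonicalisation.

Gmail ignores dots in the local part and discards anything after '+'.
A service that stores the raw string as the identity therefore treats
"a.b@gmail.com", "ab@gmail.com" and "a.b+shop@gmail.com" as three users.
"""
from collections import defaultdict

# Assumption for this example: domains whose mailboxes ignore dots and
# '+' tags in the local part. Extend for other providers you verify.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a canonical form of an e-mail address.

    Lower-cases the whole address (domains are case-insensitive, and
    Gmail local parts are too), and for dot-blind domains strips the
    '+tag' suffix and every dot from the local part.
    """
    address = address.strip().lower()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.split("@")
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0]   # drop +tag, Gmail ignores it
        local = local.replace(".", "")   # dots are not significant
    return f"{local}@{domain}"


def same_inbox(a: str, b: str) -> bool:
    """True when two addresses deliver to the same mailbox."""
    return canonicalize(a) == canonicalize(b)


def find_alias_groups(addresses):
    """Group raw addresses that collapse to one canonical mailbox.

    Returns only the groups with more than one raw spelling, i.e. the
    cases where a naive string comparison would see separate accounts.
    """
    groups = defaultdict(list)
    for raw in addresses:
        groups[canonicalize(raw)].append(raw)
    return {canon: raws for canon, raws in groups.items() if len(raws) > 1}


# Constructed sample records: three spellings of one Gmail inbox, and two
# spellings at a non-dot-blind domain that really are distinct mailboxes.
SAMPLE_ACCOUNTS = [
    "alice.example@gmail.com",
    "aliceexample@gmail.com",
    "Alice.Example+orders@gmail.com",
    "alice.example@example.net",
    "aliceexample@example.net",
]


if __name__ == "__main__":
    for canon, raws in find_alias_groups(SAMPLE_ACCOUNTS).items():
        print(f"{canon}: {len(raws)} spellings -> {raws}")
```

In practice the canonical form is what you key account lookups and support-desk identity checks on, while the raw string the customer typed is kept for actually sending mail; the canonical form is an identity key, not a delivery address.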
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)