Amazon Replacement Order Scam: anatomy of a social engineering con in action

Discuss

19 Responses to “Amazon Replacement Order Scam: anatomy of a social engineering con in action”

  1. “The scam hinged on the fact that Gmail addresses are “dot-blind” (foo@gmail.com is the same as f.oo@gmail.com)”

    No fucking way, seriously? Learn something new every day!

  2. xzzy says:

    Going to be a good day when companies realize reciting an address or number is not a valid way to identify a caller. Any kind of account change should use some other channel for verification.. sending an email or a phone call to the on-record entry should be the minimum requirement.

    Email accounts can still be hacked and phones stolen, but that changes it from a “simple” con to a more difficult one.

    • mccrum says:

      It’s difficult to be a CSR when your customers are likely dolts in the first place who can’t recall their password or anything helpful other than their address in the first place.  They’re being paid to make the customer happy and that’s what they want to do so they can get off the phone and clock out.

      If Amazon wanted to stop theft they’d invariably start upsetting customers, and they’re certainly not interested in anything that might possibly do that.

    • Antinous / Moderator says:

      Here’s a nice scam where the police call you to tell you that your cards have been misused and ask for your card numbers.  When you demur, they tell you to hang up and call 999 (911) to verify that they’re real.  Only they don’t hang up, so you’re just dialing over a live line.  And then they keep you on the phone for hours so that you won’t call your bank to report the problem until after they’ve used your card numbers.

      • Andy Reilly says:

        Hmmm… Is this a purely UK scam? I would bet the majority of people use a cell phone, so hanging up on their end will terminate the call. Also, with landline you would have to be somewhere with REALLY old equipment to keep that kind of hold on a line and you’d both have to be on that old circuitry. Granted, it’s been decades since I had a landline, but I don’t think it will work in most places here in the US, as so much has been upgraded to digital circuits, with only the final wires from the CO to the address (and many times not even that!) being analog. One way the phone company has leveraged their bandwidth is to put in a digital aggregator so all the customers in one area are combined onto one T-1 line. Anyone here in the US tried this out with two landlines?

        • Antinous / Moderator says:

          That article only mentions the UK. The scammers make the original call, so they would only call land lines.

          • Andy Reilly says:

            And the largest users of analog landlines in the US are probably older, so already a target of scammers. My dad (84 y/o) has AT&T U-verse so he gets caller ID on his TV when the phone rings. I finally convinced him that if he didn’t recognize the phone number, it said “blocked”, or was a 1-800 number, to just ignore it. Saves hanging up on all those spammers and scammers. 

  3. sg says:

    I got an odd call yesterday from a police detective investigating credit card fraud.  He wanted to know if I had purchased a small bit of electronics for about $200 from WalMart about nine months ago.  I told him that we had in fact bought it, and the timing was right, but that I wound never intentionally buy anything from WalMart.  He asked if I had a mastercard issued by a credit union that I don’t use.  I told him no.  And I had no receipt email from walMart regarding the purchase.

    He asked me to check my records and call him back if I found any more detail. 

    What I found was that we bought the item from a private seller on Amazon for about $160, which at the time was less than what other sellers were offering it at.  And this triggered my memory- the private seller had ordered the product drop-shipped from Walmart, and had paid roughly $200 for it but was only charging us $160!  It was weird enough that it made me remember the shipping slip but not so weird that I picked up the phone to call anyone- I figured the seller must have some kind of commission deal with WalMart or something to explain the $40 price difference.

    So fast-forward to yesterday, I think I know what must have happened now.  This third-party private seller had lifted a CC number from some unrelated fourth party, and was taking orders in from Amazon Fulfillment and then using the stolen card number to fill those orders via 5th-party drop-shippers.  Amazon charged my card, took a cut, put cash in the third-party seller’s account, and nobody was any wiser until the fourth party got around to checking their card statement. 

    • mccrum says:

      This seems like such an overly complex way to make forty bucks.  I mean, do it ten times and you’re starting to talk about real money, but to do all that work to make a decent income and put yourself out there for credit card fraud seems small time.  If you’re going to get hit for cc fraud, make enough money to pay for a great lawyer to get you off first.

      • invictus says:

        Actually, this one has potential. What you need is a group of people who are all into the CC theft and fraud thing. You set up a distributed app that has a bank of stolen credit card accounts associated with it. When your end-user crook wants to place the order, you serve up a stolen CC. The crook has to provide a rough geographical area and pay a subscription fee — with bitcoins, or something similar — it’s not as if you trust your clients in this case!). The geo info is used to duck the processor’s fraud detection algorithms for as long as possible by clustering transactions near the legitimate owner’s rough location, only serving up the card to crooks in the vicinity, and also decreasing the number of consecutive hits at the same business against the same card.

        You then locate the stolen CC database in a remote, encryption-friendly jurisdiction, and serve up the data via TOR.

        How’m I doing so far?

        • Andy Reilly says:

          You’re doing very well, if you’re trying to make me ill. Yikes! Even on Amazon I’m wary of third party sellers. But from now on I’ll be staying away from them completely.

          • invictus says:

            Seriously? My idle what-if speculation scared you that much?
            For all I know the whole thing is utterly unrealistic and disregards long-established security features used by all transaction processors.But, if that off-the-cuff writeup makes you ill, you should be really careful about what you read. I particularly urge you to avoid Peter Watts and Charles Stross.

          • Andy Reilly says:

            LOL! I LOVE both Watts and Stross. What freaked me out is that reading it made me feel like I was reading one of those “this is how the computer exploit worked…” pieces that make me think:
            1) I never would have thought of that.
            2) makes me realize how many possible holes there are.
            But you’re not talking about something like low level network or OS tech, but about how our online commerce has become that convoluted. And there will always be that person who just “sees” the scam potential in these systems. I caught myself re-using passwords, so recently changed them all to long, unique ones. Also set up text alerts from my bank account if anything out of the ordinary or over a minor dollar amount happens. The original post, and what you wrote made me realize I don’t know enough about how Amazon works when I buy something other than direct from Amazon. My own ignorance of something I’ve probably trusted in the past is what worries me the most. 

  4. Sandra Belloq says:

    I am not sure how the dot-blindness of gmail can be used. I have a gmail account and I tried to register another account that is similar to mine but with dots in it. It did not work.

    • But if you’re targeting bobsmith@gmail.com who has an Amazon account, you can create a new Amazon account with the email bob.smith@gmail.com.  Extrapolate from there.

      The dot is significant in an address per RFC.  Google is doing it wrong here, Amazon is doing it right.  Everybody needs to follow the same standards for the Internet to work.  Amazon may choose to work around the Gmail problem because it’s such a large provider, but anybody else implementing this ‘feature’ is going to leave their users vulnerable to similar attacks.

Leave a Reply