Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (firstname.lastname@example.org is the same as email@example.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)
Bill Cosby’s attempt to avoid facing a sexual assault charge was ended Monday by a Pennsylvania appeals court. The entertainer, who claimed that an old deal with prosecutors not to charge him in the 2004 case should be honored, will now be criminally prosecuted. Cosby, 78, is facing trial over a 2004 encounter at his […]
For years, Geoff Manaugh has entertained and fascinated us with his BLDGBLOG, and now he’s even better at full-length, with A Burglar’s Guide to the City (previously), a multidisciplinary, eclectic, voraciously readable book that views architecture, built environments, and cities themselves through the lens of breaking-and-entering.
The central bank of Bangladesh lost $81M in a digital heist whose perpetrators have not been caught, thanks in large part to the bank’s decision to run its computers without a firewall, and to run networking with second-hand cheapie routers it sourced for $10 each.
Isn’t it about time to stretch what your Mac can do? I mean, you’ve got plenty of great programs now…but don’t you think you could use some new tools to get your creative, analytical and organizational juices really flowing? It’s spring, so we cleaned up a whole bunch of super-cool apps lying around and packaged […]
In the world of app development, there’s no greater arena to find success than with Android users. About 80% of the smartphones in use today worldwide operate on the Android operating system, so if you build a great app that Android users love, you’re an international rock star. You’ll be able to make sure your […]
Unless you’re a programmer or webmaster, the term SQL probably doesn’t mean much to you. But for those looking to understand more about how and why the web works the way that it does, know this – SQL and its process of managing and presenting large data sets is everywhere…and it’s the most in-demand programming […]