It turns out that halfway clever phishing attacks really, really work

A new phishing attack hops from one Gmail account to the next: it searches a compromised user's past email for messages with attachments, then replies to those threads from the compromised account, replacing the attachment link with a lookalike that leads to a fake Google login page (the attackers use some trickery to disguise the fake in the location bar). The attackers stand by, and if you enter your username and password they immediately seize control of your account and use it to attack your contacts. Read the rest

How to social-engineer someone's address and other sensitive info out of Amazon

Eric Springer is a former Amazon engineer and a heavy AWS user. He's posted a long, terrifying explanation of how identity thieves have repeatedly extracted his personal info from Amazon's customer service reps by following a simple script. Read the rest

Prisoner escapes by faking an email ordering his release

Neil Moore was locked up in England's notorious Wandsworth Prison when he used a smuggled cellphone to send an email to the prison that appeared to come from a court clerk who was ordering his release on parole. Read the rest

Amazon Replacement Order Scam: anatomy of a social engineering con in action

Social engineering scams involve a mix of technical skill and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address as proof of identity (an address is often easy to find by digging into public phone books, credit reports, or domain registration records). Then the scammer obtained the order numbers of items Chris had recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested that replacements be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are "dot-blind" (mail to foo@gmail.com and f.oo@gmail.com lands in the same inbox), while Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions under a dotted variant of Chris's address that weren't immediately apparent to Chris: Amazon's identity check matched on details like the address and order numbers rather than resolving the email address to the account that actually owns that inbox.

Others have reported on this scam, but word hasn't gotten around at Amazon yet. When Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was exploiting a weakness in Amazon's own account-handling.
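As an added illustration (not part of Chris's post and not Amazon's code): a small Python example of the address canonicalization a site needs so that a dotted or "+tagged" Gmail variant resolves to the existing customer's account instead of looking like a new, unrelated address. The DOT_BLIND_DOMAINS set, the function names and the sample account list are assumptions made for this example.

```python
# Added example: canonicalize email addresses so that aliases which deliver
# to the same inbox are treated as the same identity.

# Providers that ignore dots in the local part and deliver user+tag@ to user@.
# Assumption for this example: only Gmail/Googlemail are listed; add others
# only after verifying their behaviour.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_email(addr: str) -> str:
    """Return the identity-level form of an email address.

    For every domain: strip surrounding whitespace and lower-case the domain.
    For dot-blind providers: lower-case the local part, drop everything after
    a '+', and remove dots, so f.oo+x@gmail.com and foo@gmail.com collapse to
    the same string. Other providers may treat the local part as case-sensitive
    (RFC 5321), so it is left untouched for them.
    """
    addr = addr.strip()
    if addr.count("@") != 1:
        raise ValueError(f"not a single-@ address: {addr!r}")
    local, domain = addr.rsplit("@", 1)
    domain = domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "").lower()
    return f"{local}@{domain}"


def find_alias_collisions(addresses):
    """Group addresses that resolve to the same inbox.

    Returns {canonical: [original addresses...]} for every canonical form
    that occurs more than once. A site doing account lookup or support
    verification should check this mapping before treating two addresses
    as two different customers.
    """
    groups = {}
    for a in addresses:
        groups.setdefault(canonical_email(a), []).append(a)
    return {c: originals for c, originals in groups.items() if len(originals) > 1}


# Constructed sample data: four Gmail spellings of one inbox plus two
# genuinely distinct addresses at a provider that is not dot-blind.
SAMPLE_ACCOUNTS = [
    "alice.smith@gmail.com",
    "alicesmith@gmail.com",
    "a.l.i.c.e.smith+amazon@gmail.com",
    "Alice.Smith@GMAIL.com",
    "alice.smith@example.com",
    "alicesmith@example.com",
]

if __name__ == "__main__":
    for canon, originals in find_alias_collisions(SAMPLE_ACCOUNTS).items():
        print(f"{canon}: {originals}")
```

Run against the sample list, the four Gmail spellings collapse to one canonical identity while the two example.com addresses stay distinct. The practical use is at account creation and at the support desk: canonicalize the address the caller supplies, look up the account that owns that canonical form, and treat a "new" account whose canonical address already exists as the same customer (or as a red flag), rather than as an independent identity.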

A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address?

Read the rest