Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.
The scam hinged on the fact that Gmail addresses are "dot-blind" (firstname.lastname@gmail.com is the same as firstnamelastname@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
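A merchant can detect this mismatch by comparing the mailbox each address is delivered to rather than the raw string. The sketch below is an added example, not Amazon's code or anything from the original post; the account ids and addresses are constructed, and it goes slightly beyond the dot case by also folding Gmail's `+tag` suffixes and the `googlemail.com` alias.

```python
from collections import defaultdict

# Domains whose mailboxes ignore dots in the local part (Gmail behaviour).
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address is actually delivered to."""
    local, sep, domain = address.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    domain = domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        # Gmail ignores case, dots, and anything after '+' in the local part.
        local = local.lower().split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_shadow_accounts(accounts):
    """Group account ids by canonical mailbox; return mailboxes with >1 account."""
    groups = defaultdict(list)
    for account_id, address in accounts:
        groups[canonical_mailbox(address)].append(account_id)
    return {mbox: ids for mbox, ids in groups.items() if len(ids) > 1}


# Constructed sample data: hypothetical account ids and addresses.
SAMPLE_ACCOUNTS = [
    ("acct-1001", "firstname.lastname@gmail.com"),       # the real customer
    ("acct-2002", "firstnamelastname@gmail.com"),        # dot removed
    ("acct-3003", "f.irstnamelastname@googlemail.com"),  # alias domain, moved dot
    ("acct-4004", "first.last@example.org"),             # other provider:
    ("acct-5005", "firstlast@example.org"),              # dots are significant
]

if __name__ == "__main__":
    for mailbox, ids in find_shadow_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{mailbox}: {', '.join(ids)}")
```

Run at sign-up or when support opens a chat, a hit means mail for a "new" account lands in an existing customer's inbox, which is a reason to require the password before discussing orders.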
Others have reported on this scam, but word hasn't gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon's own systems.
A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.
If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.
Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam
(via Hacker News)