Howto social-engineer someone's address and other sensitive info from Amazon

Eric Springer is a former Amazon engineer and a heavy AWS user. He's posted a long, terrifying explanation of how identity thieves have been able to repeatedly extract his personal info from Amazon's customer service reps by following a simple script.

Springer was tipped off to the attacks by messages from Amazon thanking him for contacting their customer service by text-chat. He retrieved the chat transcripts from Amazon and discovered that the crooks followed a simple script, almost to the word, to get information out of the Amazon support reps. Worse, Amazon's reps continued to give up his data after he reported the first fraud and asked the company to put a fraud alert on his account.

"Let me just stop right there, so I can point out that address isn’t mine. It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my IP address would match up with it."

Amazon’s customer service backdoor [Eric Springer/Medium]

(via Waxy)