Amazon Replacement-Order Scam

Clever:

Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are "dot-blind" (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren't immediately apparent to Chris.
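The mismatch above is really an address-canonicalization problem: the mail provider collapses several spellings onto one inbox while the merchant keys accounts on the literal string. The following Python is an added example (not code from the post, from Amazon or from the article it quotes) of a defender-side normalization that makes those aliases collide, so a duplicate-account check or a support-desk lookup sees `foo@gmail.com`, `f.oo@gmail.com` and `foo+amazon@gmail.com` as the same mailbox. The Gmail rules (dots ignored, `+tag` ignored, googlemail.com aliasing gmail.com) are Google's documented behaviour; treating every other domain as dot- and tag-sensitive, and case-folding local parts everywhere, are assumptions, and the account list is constructed sample data.

```python
from collections import defaultdict

# Domains whose mailboxes ignore dots in the local part and a "+tag"
# suffix (Google's documented behaviour for Gmail; googlemail.com is the
# same service). Every other domain is ASSUMED dot- and tag-sensitive,
# since subaddressing support is not universal.
DOT_BLIND_DOMAINS = {"gmail.com", "googlemail.com"}


def canonicalize(address: str) -> str:
    """Return a lookup key under which every alias of one mailbox collides.

    Assumption: local parts are case-folded for all domains (RFC 5321 allows
    case-sensitive local parts, but providers in practice fold case).
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-@ address: {address!r}")
    local, domain = address.rsplit("@", 1)
    local, domain = local.lower(), domain.lower()
    if domain in DOT_BLIND_DOMAINS:
        domain = "gmail.com"                 # fold the alias domain
        local = local.split("+", 1)[0]       # drop the "+tag" subaddress
        local = local.replace(".", "")       # Gmail ignores dots
    return f"{local}@{domain}"


def same_mailbox(a: str, b: str) -> bool:
    """Support-desk check: do two addresses deliver to the same inbox?"""
    return canonicalize(a) == canonicalize(b)


def find_colliding_accounts(accounts):
    """Group account ids whose e-mail addresses resolve to one mailbox.

    `accounts` is an iterable of (account_id, email) pairs. Returns
    {canonical_email: [account_id, ...]} holding only groups of two or
    more, i.e. the "dotted" duplicates a fraud reviewer wants side by side.
    """
    groups = defaultdict(list)
    for account_id, email in accounts:
        groups[canonicalize(email)].append(account_id)
    return {key: ids for key, ids in groups.items() if len(ids) > 1}


# Constructed sample data, not real accounts.
SAMPLE_ACCOUNTS = [
    ("A-1", "foo@gmail.com"),              # the customer's real account
    ("A-2", "f.oo@gmail.com"),             # "dotted" duplicate account
    ("A-3", "Foo+amazon@googlemail.com"),  # same inbox via alias domain + tag
    ("A-4", "f.oo@example.com"),           # not Gmail: dots are significant
    ("A-5", "foo@example.com"),
]

if __name__ == "__main__":
    for key, ids in find_colliding_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{key}: accounts {', '.join(ids)} share one mailbox")
```

A merchant that keys on the raw string can still allow distinct logins per spelling; the point of the canonical key is that support tooling and anomaly review see every account behind one inbox together, which is exactly the visibility the scam relied on nobody having.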

Details here:

If you've used Amazon.com at all, you'll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

[...]

It's clear that there's a scam going on and it's probably going largely unnoticed. It doesn't cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it's also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They're unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.

There's a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That's the sort of thing you're really only going to be able to pull off once a year or so, but still, they sent it basically no questions asked. (It was delivered Fedex Smartpost, which means handed off to the USPS, so perhaps the lack of tracking custody contributes to their willingness to push the replacement.) Why Amazon's reps were willing to assign the replacement shipment to a different address is beyond me. I was told it's policy to only issue them to the original address, but some clever social engineering ("I'm visiting family in Oregon, can you ship it there?", for instance) will get around that.

EDITED TO ADD (1/14): Comments from the original author of the piece.

Posted on December 21, 2012 at 6:20 AM • 21 Comments

Comments

Ryan • December 21, 2012 7:31 AM

I'm still a bit uncertain how the "missing dot" factored into this particular heist, but reading through the articles I found out a cool trick I never knew about Gmail: sub-addressing by using plus notation. When signing up for a service or mailing list, add +[something] to your address (e.g. ryan.excelon+amazon@gmail.com) and the mail will still go to you, but you have made it harder for a hacker to guess what actual address you used for the service, and you can quickly filter/flag/delete messages by the +[something] value you added.

vwm • December 21, 2012 7:32 AM

Wouldn't you need Amazon to be "dot-blind" and Gmail to be "dot-aware" to get the hidden communication done?

And still I'd expect that the original E-Mail Address would get something like "Your replacement has been shipped today...".

Harold • December 21, 2012 7:35 AM

I also don't know how the dots came to play in this so-called scam. Also, please don't use Gizmodo.

JoeNotCharles • December 21, 2012 8:41 AM

Why, what's wrong with gizmodo?

I think an important point about this scam is that it's Amazon that pays for it, not the identity theft victim. So they have an incentive to improve their security practices. Maybe this scam is rare enough that they figure it's better to eat the losses than to risk annoying real customers by refusing replacement requests.

mr derp • December 21, 2012 9:19 AM

Adding '+amazon' to your gmail account is the oldest trick in the book; it's literally the second thing a fraudster tries. I heard about this scam a yr ago from Cosmo of the defunct hacking group UGnazi and I don't think amazon will ever change because their policy is to eat fraud and not make it any harder for people to do returns.

You can easily get amazon info by just social engineering netflix to reset your pw. Sign in, collect info now call up Amazon with full ID including the last digits of the card# netflix gives you. From there every online account is yours for the scamming there is zero security in identity based authentication. Everybody knows this but doesn't care and will just eat the fraud considering the vast majority of people want their stuff now they don't want to sign into a bunch of authentication steps.

This is how most fraudsters get amazon gift cards they sell for half price... the refund scam to account credit or 'amazon money', then print off codes and sell them. There are at least 4 other easy amazon scams I know of they will never fix or care to, because they will lose business if they make it too difficult, and they have to comply with all the silly credit consumer protection by offering quick and easy returns and refunds.

Brian M • December 21, 2012 10:12 AM

The success of Amazon is deeply rooted in their customer service. Your order didn't get delivered? Oh well, have another. The customer is happy, and amazon only takes a small drop out of their ocean of profits. Keeping their customers happy is really too important for Amazon, so I predict that they will do nothing about this. As was mentioned, there is no real loss to the customer, but it could be troublesome if it ever comes back on them. Of course, this all relies on the notion that the majority, 90%+ of such missing packages, are legitimate and not scams. If this becomes widespread, then we may see a change, but I don't think we will.

B. Johnson • December 21, 2012 10:35 AM

I think the "dot blindness" issue came in when humans were trying to read the address. Maybe. My speculation is that they provided the order number and their "user.name@example.com" account address and the human looking at it assumed it's the same as "username@example.com." The scammer would be able to provide the answer to any authentication questions for the "user.name" account, as they created it themselves. Once authenticated to a human, they'd be willing to change the shipping address for the "replacement."

The fact that GMail is "dot blind" is irrelevant for the scam, I think. The actual owner of the original account would still get a second "shipped" notification (if they send them) and probably disregard it as they, presumably, already received their item.

On the +subaddressing thing, it's not accepted by all mail systems (i.e. username+tag is different from username), and some email systems (notably Hotmail, at least back in the day) didn't allow users to even send mail to addresses containing otherwise valid characters such as $, +, #, or !.

Mibi • December 21, 2012 10:41 AM

The dot blindness is buried here in the article:

"She can't find any chats. But I remind her of my "dotted" account. Sure enough, there's a chat from earlier today.."

Basically, by using a different dot configuration for each call, the scammer is able to keep all the CSR chats hidden from each other.

silverwizard • December 21, 2012 1:02 PM

It's actually this:
I have an amazon account with foo@gmail.com

Scammer sets up a new account with f.oo@gmail.com

The scammer then says "my old email was hacked, and I need to get some information for use with this new account". The dot-blindness is used for the creation of the second amazon account that does the evil.

sneakers • December 21, 2012 5:18 PM

@silverwizard

The scammer then says "my old email was hacked, and I need to get some information for use with this new account". the dot-blindness is used for the creation of the second amazon account that does the evil.

I still don't see how that works.

All it does is trick the Amazon operator into sending emails to an address that the scammer can't access and is likely to alert the proper owner.

As far as I can see from reading all the articles here, it would have worked just as well with or without a dotted email address because the Amazon help team are being helpful.

Obviously if this is corporate policy and the actual risk owner (Amazon) is happy that the cost of the scam is less than the possible costs of preventing it, then there is no reason for them to change.

Darryl Daugherty • December 21, 2012 8:48 PM

@sneakers "if this is corporate policy and the actual risk owner (Amazon) is happy that the cost of the scam is less than the possible costs of preventing it, then there is no reason for them to change"

True enough on the face of it and one would have to assume that a CBA has been done and as is the case in 99% of corporate decisions the key question was, simply, "what makes us the most money?"

What such a limited analysis always overlooks is the potential broader societal cost. Does the ease and simplicity of such scams actually breed more scammers? Does it function as a training ground for the techniques of social engineering, and do the Amazon scammers move on to harder targets? Is the stolen merchandise, once converted to cash, used to fund even more nefarious activities?

My personal preference would be to pay 4% more for an item if it meant stopping the scam (or 5% more if it also resulted in prosecutions) versus 3% when Amazon just takes its lumps. (These numbers are of course merely hypothetical illustration.)

To me it goes to the issue of corporate citizenship. As a private citizen, if I'm burgled I call the cops even if the bad guys didn't get very much. Not solely because my privacy has been violated and I've been dispossessed of my effects, but because I want the perps out of circulation before they prey upon my friends and family.

record • December 22, 2012 4:29 AM

@Brian M:

The problem here is the negative effect on Chris Cardinal's record as an amazon customer.

kashmarek • December 22, 2012 8:13 AM

Apparently Amazon is pretty much aware that others can get on to your account. When you click

Hello xxx
Your Account

The bottom of the drop-down menu shows

Not xxx? Sign Out

It used to just say "Sign Out" but now they apparently recognize others can access your account and seem to present a request for those others to sign out as such. Fat chance of that. They could combat the social engineering aspect by providing a user-settable flag on your account that restricts shipping to only the addresses you have already listed.

Sarun R • December 23, 2012 10:13 AM

Hello

I read somewhere else about dot-blind.

you can read the article here
http://bit.ly/U8Qjh1

Quote from author comment:
The dot-blindness may or may not have been a factor. I’m imagining that they were hoping the reps would be dot blind and by requesting a chat with the dot was hoping to lend credibility to his claim that his primary account had been hacked. But there were no orders under the dotted address, so that may have just been a miscalculation on his part.

So I guess B. Johnson is right.

If it turns out to be this way,
I think Google's dot-blind is actually a good feature.

If Gmail has no dot-blind feature, the scammer can still order the replacement without the real one noticing.

The real weak link in this case is Amazon's support system.

moo • December 23, 2012 12:17 PM

@kashmarek:

That "Not foo? Sign out" feature exists because of people using shared computers. If you sit down at a computer in a library or an internet cafe, or something like that, and the previous user forgot to sign out (a common occurrence), you can click that link to enable you to log in so that you too can order things and then forget to sign out.

Even if it's your own computer at home, you might share it with other members of your family, and most users just don't think to log out of Amazon's site when they're done browsing or ordering.

Bart • December 23, 2012 9:36 PM

"It doesn't cost the end user anything"

To my knowledge, Amazon does track the number of misdeliveries and blacklists customers after passing a certain (high, somewhere around 100) lifetime threshold. I'm not 100% certain of this, but the notion that it doesn't cost the end user anything would in that case be incorrect - it pushes the end user closer to lockout.

kashmarek • December 24, 2012 7:57 AM

@moo:

That "feature" (read bug) doesn't have to exist. There are ways to deal with this.

However, I have done this myself (unintentionally left Amazon or closed my browser WITHOUT signing off). It seems that Amazon asks you to sign back in for just about anything that requires account access. The menu item "Not xxx. Sign out" will not gain compliance from anyone attempting to abuse the current session, thus it seems an admission that Amazon has let someone get into a session that isn't theirs. There are ways to avoid this.

Chris Cardinal • December 28, 2012 6:37 AM

Original author of the piece here. I genuinely don't know where/if the dot came into play. The initial four "testing-for-weakness" emails from CSRs were rapid-fire, less than ten minutes apart, and all sent to first.last@gmail.com, which is not an email address I've ever given out. Maybe they had targeted me as a mark and got the email wrong, but I figured it was more likely something they were doing to lend credibility to their claim that their primary account had been "hacked" to further grease the wheels of getting the CSR to just get on with it and give them the order numbers.

You can see that the CSR pushes repeatedly for the basic password reset flow, but this is totally useless to the scammer—he doesn't have access to my email at all, and so "I don’t have time for that right now, could you just help me get the order numbers from November 1st to now?"

So happy to oblige, and there the dominoes come tumbling down. I received the initial "replacement order placed" email from a CSR who "just spoke with you", this time to my correct address, because that was the primary on the account. That's when I first figured out something was quite wrong.

They were all next-day-air orders, too, and if I hadn't been sitting in front of my computer, he would've gotten a free camera. I cancelled it and two hours later, he pushed another one through. Not sure how he determined that the original had failed, but I'm guessing he got antsy and inquired if the order number he had been issued for the replacement order had shipped yet, heard it was cancelled, and said "no, I've been hacked, please try again."

Primary issues here:

  • Amazon reps don't require non-public information to authenticate your identity. Have me generate a code online, describe something I've purchased before (doesn't work if scammers already have order #s), or allow me to set a phone PIN, à la GoDaddy.

  • Amazon reps give up order numbers. Why? They're trying to be incredibly helpful, which is nice, and good customer service sense, but I don't know if it ever really makes sense to divulge order numbers to a customer, especially en masse like this... Can someone think of a legitimate reason for a chat-based request for that information?

  • Replacement orders sent to other address: This was the biggest bummer. Again, as easy as blaming it on holiday travel and Amazon attempting to appease "me", but they actually created the address record IN MY ADDRESS BOOK because that's the only way things get shipped anywhere. This was pretty nuts to me and should never be allowed. If it's that big a problem, the user should be able to go the password reset route. If the user's email has been hacked, that's a problem too, but by then, the Amazon account would already be compromised by virtue of the email being hacked.

The other issue I have is that with the order numbers, the scammer was clearly able to determine what I purchased. I could have named the article "I Know What You Bought from Amazon This Winter", and maybe I shouldn't have buried the lede, but at the time, I figured the bigger scam was the reputation blow to my account and general sieveness of Amazon's CS.

With the order numbers, I'm guessing he hit several other reps to do a quick "hey, can you tell me what was on this order?" Without having to be signed in for any of the chat and with the trifecta of Amazon authentication, they would likely give that up, no problem.

What's stranger still to me is he pushed a refund through for the camera filter I bought—on a separate order. The refund hit my credit card, so, hurray, free camera filter. But I thought that strange: is he trying to give me hush money? He obviously iterated through my order history, discarded the low valued junk I had purchased, and realized he hit it big with a $900 camera in my history.

As I mentioned elsewhere, I had tweeted my intention to purchase a Canon T4i, but that was a week or two before, and made no mention of Amazon, OR of actually completing the purchase. I just idly mentioned that I wanted to convince the wife that we need one. Who knows if they found me that way... from there, a simple whois would've brought up my Amazon email address and billing address (whoops, since privatized, but whois caches forevermore will vex me) and so here we are.

I've since cloaked the Amazon account under a completely unique email address, per Amazon's suggestion, and even tried to SE my way back into getting the new email address using only information the scammer would have at his disposal.

Interestingly enough, the Amazon CSRs completely refuse to budge at all without the third piece of the trifecta, even when I presented them with order numbers, my old account email address, my name, and billing address. They needed that email, and "I" didn't have it.

Regarding the "Not you?" element: kashmarek is right. This is done out of convenience. Amazon wants to implicitly remember you so that you're able to window shop easier and with fewer barriers to entry. But they explicitly require re-authentication for absolutely any activity of merit. Basically, you're given persistent "read only" access to whatever account was last used if they didn't log out, but read only doesn't get you very far, so once you try to do anything at all, it'll prompt you to log in. (Ironic exception, I believe: One-click orders, to whatever the usual one-click address is.)

I'm really hoping that Amazon perks up and implements some slightly more stringent practices, instead of giving up my entire purchase history to anyone who knows my name, email, and address and asks nicely.

Elemecca • January 8, 2013 4:38 PM

@Chris Cardinal

Basically, you're given persistent "read only" access to whatever account was last used if they didn't log out, but read only doesn't get you very far, so once you try to do anything at all, it'll prompt you to log in. (Ironic exception, I believe: One-click orders, to whatever the usual one-click address is.)

I have One-Click configured, although I don't use it very often. Usually when I go to a product page on Amazon it exhorts me to "log in to enable One-Click ordering". I almost always see the prompt unless I've continued browsing immediately after signing in or doing something that required re-authentication. It seems to me like the One-Click authorization times out independently of the session and the timeout value is fairly short.

Joe • February 26, 2013 9:55 PM

Amazon keeps track of returns/refunds/replacements/RMAs... my cousin used to be a frequent shopper on Amazon, till she started giving clothes a try. Buying clothes online was a bad idea. You cannot try them on. This resulted in multiple returns. She would return the clothes she did not like legitimately, meaning she'd send them back and await her refund. After the 5th in-a-row return, Amazon closed her account with an email stating she requested too many returns, therefore her account was banned and any related account would also be banned. How these scammers get away with fraud is beyond me. When it's legit we get screwed, but when it's fraud they win. Just like fraud in cell phones. People get approved for 5 lines at AT&T and get 5 iPhones and cancel their contract and sell off the phones for a profit.

Toy • June 16, 2014 9:08 AM

Hi,

How did the hackers add a new shipping address into the customer's account to process the replacement? I understand that email address, name and billing address are enough to verify the account, but adding an address is something done via the Amazon account from the customer's end.
