Last month Yours Truly got snookered by a too-good-to-be-true online scam in which some dirtball hijacked an Amazon merchant’s account and used it to pimp steeply discounted electronics that he never intended to sell. Amazon refunded my money, and the legitimate seller never did figure out how his account was hacked. But such attacks are becoming more prevalent of late as crooks increasingly turn to online crimeware services that make it a cakewalk to cash out stolen passwords.
The item at Amazon that drew me to this should-have-known-better bargain was a Sonos wireless speaker that is very pricey and as a consequence has hung on my wish list for quite some time. Then I noticed an established seller with great feedback on Amazon was advertising a “new” model of the same speaker for 32 percent off. So on March 4, I purchased it straight away — paying for it with my credit card via Amazon’s one-click checkout.
A day later I received a nice notice from the seller stating that the item had shipped. Even Amazon’s site seemed to be fooled because for several days Amazon’s package tracking system updated its progress slider bar steadily from left to right.
Suddenly the package seemed to stall, as did any updates about where it was or when it might arrive. This went on for almost a week. On March 10, I received an email from the legitimate owner of the seller’s account stating that his account had been hacked.
Identifying myself as a reporter, I asked the seller to tell me what he knew about how it all went down. He agreed to talk if I left his name out of it.
“Our seller’s account email address was changed,” he wrote. “One night everything was fine and the next morning our seller account had an email address not associated with us. We could not access our account for a week. Fake electronic products were added to our storefront.”
He couldn’t quite explain the fake tracking number claim, but nevertheless the tactic does seem to be part of an overall effort to delay suspicion on the part of the buyer while the crook seeks to maximize the number of scam sales in a short period of time.
“The hacker then indicated they were shipped with fake tracking numbers on both the fake products they added and the products we actually sell,” the seller wrote. “They were only looking to get funds through Amazon. We are working with Amazon to refund all money that was spent buying these false products.”
As these things go, the entire ordeal wasn’t awful — aside maybe from the six days spent in great anticipation of audiophilic nirvana (alas, after my refund I thought better of the purchase and put the item back on my wish list.) But apparently I was in plenty of good (or bad?) company.
The Wall Street Journal notes that in recent weeks “attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven’t used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash.”
Perhaps fraudsters are becoming more brazen of late with hacked Amazon accounts, but the same scams mentioned above happen every day on plenty of other large merchandising sites. The sad reality is that hacked Amazon seller accounts have been available for years at underground shops for about half the price of a coffee at Starbucks.
The majority of this commerce is made possible by one or two large account credential vendors in the cybercrime underground, and these vendors have been collecting, vetting and reselling hacked account credentials at major e-commerce sites for years.
I have no idea where the thieves got the credentials for the guy whose account was used to fake sell the Sonos speaker. But it’s likely to have been from a site like SLILPP, a crime shop which specializes in selling hacked Amazon accounts. Currently, the site advertises more than 340,000 Amazon account usernames and passwords for sale.
The price is about USD $2.50 per credential pair. Buyers can select accounts by balance, country, associated credit/debit card type, card expiration date and last order date. Account credentials that also include the password to the victim’s associated email inbox can double the price.
If memory serves correctly, SLILPP started off years ago mainly as a PayPal and eBay accounts seller (hence the “PP”). “Slil” is transliterated Russian for “слил,” which in this context may mean “leaked,” “download” or “to steal,” as in password data that has leaked or been stolen in other breaches. SLILPP has vastly expanded his store in the years since: It currently advertises more than 7.1 million credentials for sale from hundreds of popular bank and e-commerce sites.
The site’s proprietor has been at this game so long he probably deserves a story of his own soon, but for now I’ll say only that he seems to do a brisk business buying up credentials being gathered by credential-testing crime crews — cyber thieves who spend a great deal of time harvesting and enriching credentials stolen and/or leaked from major data breaches at social networking and e-commerce providers in recent years.
Fraudsters can take a list of credentials stolen from, say, the Myspace.com breach (in which some 427 million credentials were posted online) and see how many of those email address and password pairs from the MySpace accounts also work at hundreds of other bank and e-commerce sites.
Password thieves often then turn to crimeware-as-a-service tools like Sentry MBA, which can vastly simplify the process of checking a list of account credentials at multiple sites. To make blocking their password-checking activities more challenging for retailers and banks, these thieves often try to route the Internet traffic from their password-guessing tools through legions of open Web proxies, hacked PCs or even stolen/carded cloud computing instances.
PASSWORD RE-USE: THE ENGINE OF ALL ONLINE FRAUD
In response, many major retailers are being forced to alert customers when they see known account credential testing activity that results in a successful login (thus suggesting the user’s account credentials were replicated and compromised elsewhere). However, from the customer’s perspective, this is tantamount to the e-commerce provider experiencing a breach even though the user’s penchant for recycling their password across multiple sites is invariably the culprit.
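The two paragraphs above describe the attacker's side (a stolen credential list replayed against many sites through rotating proxies) and the retailer's side (alerting on known credential-testing traffic that ends in a successful login). The following added example, which is not code from the article or from any retailer named in it, shows the defensive half: it parses a few constructed authentication log lines in a hypothetical `timestamp ip=… user=… result=OK|FAIL` format, groups attempts by source address, and flags sources that try many distinct usernames with a high failure rate. Any account that logged in successfully from such a source is reported as likely compromised elsewhere, which is exactly the case in which a retailer would notify the customer. The log format, IP addresses, usernames and thresholds are all assumptions made for the demonstration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical auth-log format (assumption, not a real product's format).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log: one credential-stuffing source that hits one valid
# pair, one that hits none, and one ordinary user who mistyped twice.
SAMPLE_LOG = """\
2017-03-04T10:00:01Z ip=203.0.113.7 user=alice@example.com result=FAIL
2017-03-04T10:00:01Z ip=203.0.113.7 user=bob@example.com result=FAIL
2017-03-04T10:00:02Z ip=203.0.113.7 user=carol@example.com result=OK
2017-03-04T10:00:02Z ip=203.0.113.7 user=dave@example.com result=FAIL
2017-03-04T10:00:03Z ip=203.0.113.7 user=erin@example.com result=FAIL
2017-03-04T10:00:03Z ip=203.0.113.7 user=frank@example.com result=FAIL
2017-03-04T10:00:04Z ip=203.0.113.7 user=grace@example.com result=FAIL
2017-03-04T10:00:04Z ip=203.0.113.7 user=heidi@example.com result=FAIL
2017-03-04T10:00:05Z ip=203.0.113.7 user=ivan@example.com result=FAIL
2017-03-04T10:01:10Z ip=192.0.2.44 user=judy@example.com result=FAIL
2017-03-04T10:01:10Z ip=192.0.2.44 user=mallory@example.com result=FAIL
2017-03-04T10:01:11Z ip=192.0.2.44 user=niaj@example.com result=FAIL
2017-03-04T10:01:11Z ip=192.0.2.44 user=olivia@example.com result=FAIL
2017-03-04T10:01:12Z ip=192.0.2.44 user=peggy@example.com result=FAIL
2017-03-04T10:05:00Z ip=198.51.100.5 user=alice@example.com result=FAIL
2017-03-04T10:05:20Z ip=198.51.100.5 user=alice@example.com result=FAIL
2017-03-04T10:05:41Z ip=198.51.100.5 user=alice@example.com result=OK
this line is deliberately malformed and must be skipped
"""


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)
    successes: list = field(default_factory=list)  # usernames that logged in


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group login attempts by source IP."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.append(rec["user"])
    return stats


def detect_stuffing(lines, min_users=5, min_fail_ratio=0.8):
    """Flag sources that try many distinct accounts and mostly fail.

    A high distinct-user count with a high failure ratio is the signature of a
    replayed credential list; a single user retrying a typo has one username
    and is left alone. Thresholds are assumptions for the demo.
    """
    findings = {}
    for ip, s in aggregate(lines).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            findings[ip] = {
                "distinct_users": len(s.users),
                "fail_ratio": round(fail_ratio, 2),
                # Accounts to notify: their password worked for a stuffing source,
                # so it was almost certainly reused on a breached site.
                "compromised": sorted(set(s.successes)),
            }
    return findings


def run_sample():
    return detect_stuffing(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, f in run_sample().items():
        print(ip, f)
```

In production the grouping would be over a sliding time window and keyed on more than the source address (the article notes the tools spread traffic across proxies and hacked machines), for example on a device fingerprint or on the count of distinct usernames per username-space rather than per IP; the per-IP version here is the simplest form of the same check.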
There are a multitude of useful security lessons here, some of which bear repeating because their lack of general observance is the cause of most password woes today (aside from the fact that so many places still rely on passwords and stupid things like “secret questions” in the first place). First and foremost: Do not re-use the same password across multiple sites. Secondly, but equally important: Never re-use your email password anywhere else.
Also, with a few exceptions, password length is generally more important than password complexity, and complex passwords are difficult to remember anyway. I prefer to think in terms of “pass phrases,” which are more like sentences or verses that are easy to remember.
If you have difficulty recalling even unique passphrases, a password manager can help you pick and remember strong, unique passwords for each site you interact with, requiring only one strong master password to unlock any of them. Oh, and if the online account in question allows 2-factor authentication, be sure to take advantage of that.
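To put numbers behind the claim that length matters more than complexity, here is an added example (mine, not the article's) that computes the entropy of a few password schemes and generates a word-based passphrase with Python's CSPRNG-backed `secrets` module, which is the same approach a password manager's generator takes. The 16-word list is a constructed stand-in for a real Diceware-style list of 7776 words; the entropy figures for the 7776-word schemes are computed from that real list size, not from the sample list.

```python
import math
import secrets

# Constructed sample word list. A real Diceware-style list has 7776 words;
# this short one exists only so the generator can be run offline.
SAMPLE_WORDS = [
    "anchor", "blanket", "copper", "dolphin", "ember", "falcon",
    "garden", "harbor", "island", "jungle", "kettle", "lantern",
    "meadow", "nectar", "orchid", "pillow",
]


def entropy_bits(alphabet_size, length):
    """Entropy, in bits, of `length` independent uniform picks from `alphabet_size` symbols.

    This only holds when every pick is made uniformly at random. A remembered
    sentence or song lyric has far fewer effective choices than this formula
    credits it with, which is why the generator below picks the words for you.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need at least two symbols and a positive length")
    return length * math.log2(alphabet_size)


def generate_passphrase(words, n_words, sep="-"):
    """Join `n_words` words chosen uniformly at random from `words`."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and at least two words to choose from")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare_schemes():
    """Entropy of common schemes, in bits, rounded to two decimals."""
    schemes = {
        "8 chars from 94 printable ASCII symbols": entropy_bits(94, 8),
        "12 chars from 94 printable ASCII symbols": entropy_bits(94, 12),
        "4 words from a 7776-word list": entropy_bits(7776, 4),
        "6 words from a 7776-word list": entropy_bits(7776, 6),
        "20 lowercase letters chosen at random": entropy_bits(26, 20),
    }
    return {name: round(bits, 2) for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.2f} bits  {name}")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 6))
```

Six random words from a 7776-word list (about 78 bits) beat an eight-character password drawn from every printable symbol (about 52 bits), and they are far easier to type and remember. The figure is only honest if the words were chosen by the generator; a phrase you pick yourself should be assumed to be much weaker.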
I hope it’s clear that Amazon is just one of the many platforms where fraudsters lurk. SLILPP currently is selling stolen credentials for nearly 500 other banks and e-commerce sites. The full list of merchants targeted by this particularly bustling fraud shop is here (.txt file).
As for the “buyer beware” aspect of this tale, in retrospect there were several warning signs that I either ignored or neglected to assign much weight. For starters, the deal that snookered me was for a luxury product on sale for 32 percent off without much explanation as to why the apparently otherwise pristine item was so steeply discounted.
Also, while the seller had a stellar history of selling products on Amazon for many years (with overwhelmingly positive feedback on virtually all of his transactions) he did not have a history of selling the type of product that thieves tried to sell through his account. The old adage “If something seems too good to be true, it probably is,” ages really well in cyberspace.
High on the list of things that annoy me is that eBay does not offer a way for a user to report fraudulent listings.
I see them every time I go on eBay and they are obvious because the “buy now” price is a fraction of the true value of the item and the seller is always new to eBay, with no history of sales.
What I have discovered is that the fraudster copies images from a legitimate seller, so if I do a Google image search I can find the genuine seller, advise them of the fraud being perpetrated and they can report the listing as copying their images and so get it removed.
I agree about eBay frauds. They seem very common. I almost fell for one the first time, but sent the seller an email like “wow, what a great deal. Is the manufacturer discontinuing this model?” When I didn’t hear back from them and 10+ more items had sold for 1/10th the normal cost, I was glad I hadn’t purchased and that I wouldn’t be dealing with a refund process via eBay.
I did find that you can report this sort of thing, but it is rather painful.
Look for the ‘report this item’ link at the bottom right of the section “more options for this product”.
Click the “report this item” link
->File a Report
->(Report Category)->Listing Practices,
-> (Reason for Report)-> Fraudulent Listing Practice,
-> (Detailed Reason)-> You suspect that a listing is fraudulent.
I’m assuming multiple people have to flag the fraudulent listing and then eBay reviews the posting. I never had a follow-up query from eBay about why I thought it was fraudulent.
Good article. Sad the deal turned out to be a scam. Could you do a follow-up on how they were able to fake the shipping tracking information? Have you contacted the shipping company to explain their part in this?
I don’t know if they use Fedex or not, but most of the Fedex tracking number is for the company the package is shipped by. The last (6 I think) digits is a semi sequential number. If they had a US customer ship them something, they could use the tracking number they received, add a few to the number and then run it through Fedex tracking. Lather-rinse-repeat until they found an active number. Then start there for the next one.
What I hate about Amazon is that legitimate item pages can easily be hijacked by sellers offering counterfeits.
I had also been looking at a name brand wireless speaker for a few days but I was on the fence about purchasing. The sellers ratings were high. At some point I noticed the price dropped significantly. Thinking there was some kind of sale, I pulled the trigger.
What arrived was some knock-off fake which looked like the speaker I ordered but sounded terrible and had no name brand on it. Going back to Amazon, I realized that for this exact same item listing, the seller I purchased from was not the same as the one I had previously vetted and which was currently listed. Somehow when I bought the speaker, a fake seller was temporarily listed on this legitimate offering.
I am not sure how this happens, if Amazon displays the lowest selling price or what, but you really have to be diligent on Amazon to make sure the sellers aren’t fly by night hijacking a legitimate listing.
This one almost got me when I was trying to buy a Google Pixel phone. I noticed the trade-in value ($300) was more than the phone was selling for ($208) so I thought better than to buy it.
all world and goverments are criminals anyways.
usa russia uk cia kgb fsb russian mafia and etc.
bs all who cares this is all just tip of the iceberg.
and krebs is part of this mafia. I have no hope
for nothing everything corrupted !!!!!
so do the world a favor and shoot yourself now.
Brian,
Had something similar happen to me as buyer of a product on Amazon. It seems to be from third party resellers and not Amazon distributed products.
To best of my knowledge this is what happened to me:
1. Found item and clicked ship
2. Receive tracking number – Note: From what I can tell, once the tracking number is updated in Amazon, the seller can pull funds out of their account
3. Tracking number for me showed delivery in different state. Not sure how attackers are getting valid UPS tracking numbers but they are using them.
4. Tracking number shows delivery to wrong state.
5. Opened dispute with seller, no response
6. Open A-Z guarantee with Amazon.
Things Learned:
– Sellers seem to be registering in China
– They use fake tracking numbers from China (fooling amazon) or US tracking numbers showing delivery to random locations
– The scam works because once people buy and tracking number is uploaded, Seller can process payment from Amazon. In addition, scammers will also set a long delay in delivery time to make it harder for Amazon to claw back funds through A-Z process as Amazon makes you wait 3 days after expected delivery to initiate which gives them time to withdraw funds and move on.
– I’ve been more diligent buying only from Amazon warehoused items and ignoring third party resellers as I’ve had this happen twice in last month.
Good Stuff,
A good rule of thumb is to always look at the company information if it’s not being sold/shipped by Amazon.
Question: How often is there a new article on here? Is there a specific time the article drops, or is it at random?
Thanks.
What frustrates me is that Facebook is advertising scam and bogus online sellers without responsibility.
Speakers at this price point are not like fine wine. Start with the bible: http://thewirecutter.com/reviews/best-home-bluetooth-speaker/
Then adjust as necessary. Capture a good value.
WRT Amazon, if the seller is new and the seller’s item description asks you to send them an e-mail verifying the item is still in stock, you most likely have a fraudulent seller. My first experience (new to Amazon): I sent the e-mail, got verification and executed the purchase through Amazon. It took three days for a refund by Amazon. My second experience (amusingly today): I knew better than to send an e-mail and just executed the purchase through Amazon (if the item was delivered I would have accepted it, but I doubted that would happen). I received confirmation immediately and then about 45 minutes later got a cancellation. Checked the seller’s store and all items were unavailable. I don’t know if my purchase was the trigger or I just happened to be in the timeline. Anyway, Amazon is taking measures to prevent this fraud and protect their customers. PS: I knew the risk I was taking and was actively managing it.
Continuing this Amazon story, this morning I added to my List but didn’t purchase an item from a seller matching the characteristics I described above. This afternoon I checked my List and the status was unavailable, plus the seller no longer existed. I checked more “can’t resist” items like those that tempted Brian and found a dismayingly large quantity of fraudulent sellers (e.g., one storefront with 20+ items ranging from exercise machines to gasoline generators, all priced at $395). This increase is recent. I think Amazon is under some sort of attack.
Am late to this post. Congrats on this story, Brian; a scoop in my view on a major digital commerce problem; very informative for all Consumers re. all Merchant type websites.
Queries
Using Amazon as a discussion focus (as stated, there are many other large Merchant websites that have been hacked) there are some other points that need to be clarified for me to understand all the consequences.
It would seem that upon being notified by the True Merchant that he has been hacked, and observing the evidence on their own website, Amazon would immediately claw back from the fake Merchant’s Credit Card (CC) account, all those CC charges that Amazon is able to retrieve (they’re within Amazon’s 3 day hold rule), and return them to the individual CC. Is that true?
For those charges (most) that Amazon can’t claw back (they’re past Amazon’s 3 day release rule), the fraud loss comes about when Amazon asks the True Merchant to reimburse Amazon’s registered customer for the full retail amount the customer paid for the fake product, and to credit the customer’s CC. Is that true?
It would seem that the fake Merchant can’t get his lucre via CC transfers, without the direct help of an Acquiring Bank, who registered the crook, the crook’s CC Processor, the crook’s commercial bank, and the crook’s checking account there, to receive the cash transfers. Is that true?
Or no, Amazon immediately collects the CC funds when the consumer hits Amazon’s “Buy” button, and after 72 hours, transfers the released funds to the crook’s commercial bank’s checking account by irrevocable ACH transfer? Is this true?
All this (Acquiring Bank, Processor, commercial bank and the crook’s checking account) is set up by the crook BEFORE he then attacks the True Merchant’s Amazon site. Is this true?
The Brand (Visa, M/C) and the Acquiring Bank know the physical location and principals of the crook’s Processor, and the crook’s commercial bank. Is this true?
Are there not severe civil penalties that the Brands can impose (after seeing evidence) on the crook’s Acquiring Bank, Processor (if they process other Visa/M/C charges), and his commercial bank (if they are an Issuer and/or use the Visa or M/C networks in any way), for gross failure to vet their customer or complicity?
Agree the Consumer needs to do all he can to avoid aiding the fraud against the True Merchant, but doesn’t Amazon, the CC Brand, Acquiring Bank, crook’s Processor, crook’s commercial bank, have some accountability here as well?
Am interested in your answers; suspect answers are not immediately available, but also suspect journalist Krebs can get answers before any Consumer can. And there are many future Krebs scoops here.
I have always been wary of sketchy looking deals. I usually avoid making any purchases on Amazon that are not fulfilled by Amazon, but after reading this article, I will definitely heed your advice on all future purchases. Another great scoop as always Brian.
That’s really sad. One should always be aware of scammers; the internet is full of them.