Today I’m wearing a bright Amazon smile because of a newly discovered way to tap into the biggest database of online shopper earthlings that may ever exist in the history of civilization. It will be short-lived, since I’m telling you about it, although I promise that I wasn’t the first person to reveal Amazon’s privacy shortcomings. The earliest article I found dates back to 2011.
This security flaw isn’t accessible online, so don’t second-guess their near-perfect backdoor stronghold (security experts would disagree). Instead you’ll direct dial the call center and be connected to an English-speaking representative who’ll be keeping a seat warm in a distant non-English-speaking country.
Just so you and I are clear: I’m not advising you to hack into anyone’s account.
Successful extraction of an address relies solely on a representative’s lack of English comprehension. Amazon’s own choice to place call centers outside of the United States makes those customer service representatives not only challenged to speak English, but also challenged to read it. A name and email address on an account may not be the only details customer service would ask to confirm. Screen name, email and naming an item previously purchased (easily done by checking reviews) could also be presented as a challenge to social engineering.
Victims of social engineering attacks describe using a fake address for things like public domain registration. The zip code for the fake address and the real address were the same. One young man writes that he used the address of a local motel instead of his home address, noting that he was aware of online rivals’ past attempts to hack him and felt certain that Amazon had safety measures in place.
The hacker simply called Amazon and provided the address which, to the hacker, seemed authentic. When a representative isn’t fluent in English, then street names seem like a Germanic glyph and the only part of an address which could be easily validated is numerical. This makes the effort of using a fictitious address in your own zip code fruitless.
As soon as Amazon Customer Service disconnects the call, their system automatically sends an email asking if the issue was resolved. This was the tip-off that made these victims aware of the unauthorized access.
In Michael Bazzell’s latest edition of Open Source Intelligence Techniques I learned about the offerings of Pipl API and how effectively it aggregates fresh and scarce information, namely, exposing someone’s Amazon screen name. Obviously this is fantastic information if you’re trying to flesh out bank account data for levy. Since Amazon is the world’s leader in online retail then it would be the world’s leader in archival banking data.
It’s pretty easy to guess what kind of information you can pry out of a rep’s grip when playing the role of a disgruntled customer with many undelivered purchases. “Where was my package delivered to? What items were shipped on the last order? What address do you have for me?” Keeping the tone of the angry consumer is easy.
Other interesting facts that I’ve gathered while consuming victims’ complaints are that a customer can ask to place a flag on their account but Amazon doesn’t actually do it. My opinion is that the rep probably can’t comprehend what they’re reading in the account details, rendering a warning flag useless.
Another victim successfully tried to hack her own account using a bad address with a correct zip code and then tricked the rep into giving her the delivery address. She also mentioned that the rep refused to give her the last four digits of the card that she used for previous purchases but then told her it was a Visa.
It would seem that hackers are targeting Amazon accounts to find high-dollar items purchased and then report them as never having been received so that Amazon issues replacements. Instead of being sent to the original delivery address, the replacement item is immediately shipped to the hacker’s ghost address.
by Valerie McGilvrey