So I was looking to buy a piece of workshop equipment recently and happened across an interesting amazon scam. Something smelt fishy right away but it took me a while to figure out what the actual “con” was…so here’s how it works…
You’re looking for an item on amazon – in my case it was a piece of machinery which was around the £400 mark and is sold under various brand names in the UK. I was after one sold under a specific brand who I’d had good experiences with in the past, especially re support, spares etc.
So I couldn’t find any of the model I was looking for on ebay and had a look on amazon…wow there were a couple of the exact model I was looking for and at the right price too.
I was ready to order and I noticed the seller’s “storefront” had a bit of an unusual name which mentioned somethign about not being able to deliver to all addresses, so please email some address before ordering.
I figured fair enough – this looks a bit dodgy but it’s a heavy bit of kit so perhaps there are legitimate restrictions on where they can deliver to. However the listing showed there was only one left so i thought “sod it” and placed the order through amazon. All done (or so I thought).
A few hours later I get an email from amazon saying my order had been cancelled. That seemed a bit wierd but perhaps there was a stock issue. No worries, I’d seen there was another seller on amazon offering the same item so did another search. This seller had the following name:
“WE CAN’T Dɪsᴘᴀᴛᴄʜ T0 ALL Aᴅᴅʀᴇssᴇs. BEF0RE “Aᴅᴅ Tᴏ Bᴀsᴋᴇᴛ” Cᴏɴᴛᴀᴄᴛ Us: ※※info[ᴀᴛ]ppp262.com※※”
Again – seemed a little “off” (ok a lot) but I checked amazon’s policies and their a-z guarantee seemed pretty comprehensive so I figured it was probably safe to order. So I placed another order with this second seller and also figured perhaps I ought to email the address just to make sure the item was in stock and that they could deliver to my address. Again this smelt a little fishy but I thought I’d cautiously go along with it. So I emailed the address (email@example.com) without giving too much away but saying that I’d placed the order and would they be able to deliver etc.
I actually spoke to an amazon support person about this time and mentioned my suspicions and they assured me that as long as the transaction was completed on amazon everything was fine, this was totally legit and I was covered. That made me really nervous. I could smell a scam but couldn’t see what the “con” was yet.
So as I sorta expected, a few hours after placing it, the order was cancelled on amazon but I got a reply from the “seller”..
Hello, The "XXXXXXXXXXXX Item" is new, with international warranty and all accessories from the manufacturer. The price is £ 430, 00 incl. VAT (Free shipping). To buy, please send us your name and address and we will contact Amazon to process your order. Shipping with DHL (3-5 days). Return Policy: You will get your money back in 14 days with Amazon A-Z warranty. Do not place your order. Everything will be done automatically by Amazon. Please contact us for further information. Thanks
By now I’m convinced this is a scam but am also curious to see how it works. Why do they want me to not place the order.. wtf?
So I played along and sent them the address to post to – minimal risk, there’s not much a scammer can do with just a name and address. They’d not asked for card details or anything so we should be good, right?
And I get a response:
Hello, We'll immediately send the required data to Amazon Department. They will contact you with the order and details about payment and shipping. Waiting your reply ASAP! Thanks!
Aha! so there it is…
Essentially the initial email with your address details are a primer for a personalised “spear phishing” attack.
- Unknown person compromises a legitimate Amazon seller’s account and changes the storefront details to include the dodgy email address (in this case firstname.lastname@example.org) and lists a bunch of high-priced items at very competetive but not unbeleivable prices.
- You look for the high ticket item you want to buy on amazon – find it and think you’ve found a bargain. Oh and it’s the last one too – best get in there quick (“buyer frenzy” mode activated)
- You buy the item and email the (dodgy) address to check delivery is all good…
- They reply saying yes everything is fine, send us your name and address, we’ll complete the transaction automatically on amazon (wtf does that even mean)
- They cancel your order on amazon
- You send them name and address…
- They then send you a fake email designed to look like it’s from amazon in order to “complete the transaction automatically”. That’s where they trick you to enter your card details and where the actual scam/phish happens.
Thing is by this point you’ve got “buyer frenzy”…dammit you want your shiny new whatever and just want to get the order placed. They’ve already harvested your personal details (which you handed over earlier) which gives them all the info they need in order to send you a perfectly crafted, personalised phishing email to the correct email address with all your correct info in it ready for you to complete payment on what you think is Amazon but actually isn’t…plus you’re already half-expecting an email from amazon about your order so your guard is way down.
It’s rather clever and quite an ingenious implementation of spear phishing in the wild IMHO.
Sadly I never actually got the scam email in the end, I was kinda looking forward to deconstructing it. I guess Amazon must have stepped in and locked down the seller’s account before that could happen.
What I found interesting about this is that I queried the dubious seller name with the amazon support person I spoke to and they didn’t seem phased by it. I told them I suspected a scam and they were like “no this is fine”
Afterwards I searched on the email address which showed up numerous discussions re whether it was a scam. the general consensus was that it *was* a scam but there weren’t any details as to what the actual “con” was.
Anonymised transcript from my second conversation with amazon:
12:34 PM GMT Me: so I spoke to one of your colleagues last night about an order I placed where things seemed a little suspicious...he assured me everything was ok but I had another email from the "seller" this morning and I'm pretty sure they're operating a phishing scam can you see my recent orders? it's for the [XXXX Item XXXX], £430 12:34 PM GMT Amazon rep: yes, I see that from our end. 12:35 PM GMT Me: ok so I ordered, the seller cancelled the order and I sent them an email to the address in their storefront username... 12:35 PM GMT Amazon rep: I'm sorry to hear that the order you placed with seller is hacked now. Will now check and help you with it. 12:35 PM GMT Me: it's not hacked yet - but they're in the process of trying to phish.. 12:36 PM GMT Amazon rep: Oh, thank you for the clarification 12:36 PM GMT Me: their username had a titles like "we can't dispatch to all locations, please email email@example.com" 12:37 PM GMT Amazon rep: I'm sorry about this. Will report this to our seller support team as well will submit claum for the order cost. 12:37 PM GMT Me: I wasn't sure if it was a delivery location issue so I emailed them after they cancelled my order to check whether there was an issue 12:37 PM GMT Amazon rep: Claim * So that your order will be cancelled and you are requested to place a new order from your end. 12:37 PM GMT Me: they replied saying please send them my name and address details and they would process the order directly with amazon... 12:38 PM GMT Me: I wasn't sure what the con was initially but I got a follow up email from them today saying to expect an email from "amazon" with info how to pay...I would imagine that's the targeted phishing email they've just cancelled the order (or someone has)... 12:39 PM GMT Me: the next step will be for them to send an email with phoney links to try and capture my payment details... it's clearly a scam i searched on the email address they provided and found lots of examples of other cases where the same technique has been used: http://amazongeneralhelprefugees.createaforum.com/index.php?action=recent 12:40 PM GMT Me: the email address given in the storefront title was firstname.lastname@example.org 12:41 PM GMT Me: it looks like my order has been cancelled - either by them or by you just now, so I don't think there's been an actual breach at this point, but they're definitely up to no good 12:42 PM GMT Amazon rep: Thank you for the details, I have checked and cancelled the order completely. Will report about this to seller. Please rest assured that the order which you placed by 25th will be delivered to you as promised. Also appropriate actions will be taken from our end. 12:42 PM GMT Me: thanks. you can see more examples of the "bait" here: https://www.amazon.co.uk/gp/offer-listing/B00624DW3A/ref=dp_olp_new_mbc?ie=UTF8&condition=new 12:43 PM GMT Amazon rep: Sure, thank you. Will mention this to our team. So that rest of our customers will not suffer from this,. 12:44 PM GMT Me: awesome :) I work in IT security so figured soethign was a little off... but couldn't see how they scam would work .. but then I got the emails from them this mornign saying to expect an "email from amazon with info how to pay"... and that's the setup for a targeted phish/spearphish I think that's all really- the order is cancelled and I just wanted to let you know this was happening.. 12:45 PM GMT Amazon rep: I can understand. Please rest assured that no money will be transferred to their account. It will be transferred to only registered sellers. Still they try for it, please not to worry this will be investigated from our end 12:45 PM GMT Me: great stuff, thanks :) 12:46 PM GMT Me: I dare say it's a genuine seller whose account has been compromised... anyway that's all - thanks for your help, I hope you catch them. If you want me to forward the emails I got from them I can do so 12:47 PM GMT Amazon rep: yes, I understand that.
At the time you could find a bunch of other items which they were running the scam on by searching on amazon for the scammer’s email address…they were all high-ticket items around the £4-500 mark…exclusive kitchen knives, trampolines, big TVs etc.
A few days later I got apologetic emails from the *actual* amazon sellers whose accounts had been compromised.
I just checked again today and whilst nothing shows up for that email address, I looked for the same item I’d tried to buy and there’s still similar scams going on, albeit using a slightly different format:
click the pic to bigger it
So..as they say..“caveat emptor” and also the more recent but slightly less well-known phrase: “Amazon venditores facere certus vos have a validus password” (Amazon sellers make sure you have a strong password!)