When it comes to security, humans are often the weakest link. If a company employee can be manipulated, there's no need for a hacker to actually break into a computer system. It appears that the staff of Amazon, the multi-billion dollar shopping website, are no exception.

On hacking forums, scammers are offering to obtain refunds or replacements for high value electronic items bought on Amazon by tricking the company's customer support staff. This means that somebody buying an Xbox, for example, could order their product and then get their money back or an additional console, whilst keeping the original. All it takes is some information about the Amazon account and a bit of sweet-talking. In exchange, these scammers or middlemen ask for a cut of the earnings.
"Welcome to my Amazon Service, where you will get [the] cheapest and fastest refunds and replacements," one slick advert reads on a clear web hacking forum. "Lots of demand so starting this [service]" said another.
First off, the buyer orders a product like they normally would. Then, after some time has passed, they enlist the help of one of these scammers, who talks to Amazon customer support, either on the phone or through the site's chat function, and claims the item never arrived. The support staff then reportedly either grant a refund or send a replacement item.

Perhaps you've legitimately bought an Xbox and you want another for free. Or perhaps you set out to order a PlayStation with the intention of then claiming a refund on it, saving you the entire $400 price tag while keeping the console.

Theoretically, anyone could try to carry out this scam themselves. But these middlemen offer to take the stress out of the process, and claim to have a higher level of success.

"Please also note that this is for people too scared and would like a confident 100% success rate refunder/replacer to get your shit done," one vendor pointed out.

"I know this is a known method, I just am doing it for people who are worried of making a mistake or doing something incorrect," another wrote.

The middleman needs access to the respective Amazon account, or if the buyer is uneasy about handing that power over, one advert suggests they can make do with the order ID of the item, the account holder's full name, billing address, email, and information on what other orders have been made with the account. This is apparently enough to fool an Amazon customer support member into thinking that they are talking to the legitimate account holder.
"I have never failed a refund/replacement and have double dipped PS4's on fresh accounts," one vendor claimed. "Double-dipping" is when a replacement for an item isn't only requested once, but twice, meaning that the buyer can double their return.

Amazon did not reply to multiple requests for comment.

One hacker attempted to demonstrate the scam to Motherboard, but was unsuccessful. Instead of doing it from his own account or one that had been provided to him, he tried to carry it out on a hacked Amazon account, for which he had obtained the username and password. When a confirmation was sent to the attached email address, he did not have access to it, so could not complete the scam.

One middleman asks for five percent of the cut or the value of the item, another advertises seven percent and another 10 percent. Many of the scammers accept PayPal, Bitcoin, Western Union, or Skrill, a money transfer service. Over two hacking forums surveyed by Motherboard, eight individuals were offering this service. One of the adverts says that they have been doing this "for years."

Most of the middlemen offer their services for Amazon.com and Amazon.co.uk, but some are willing to tell their customers what needs to be translated and typed in order to convince the Amazon representatives from other countries to award the refund.

"I just wana take a minute to tell you about this guy… He is a fookin SE [social engineering] hero man," was the review left by one apparently happy customer. Social engineering is the practice of manipulating people into giving up sensitive information or access.

One vendor claimed that he had "refunded an Xbox One just now, taking more orders."

Whether it's phishing emails that fool government defense contractors into downloading malware, or phone calls tricking victims into giving up sensitive information, this kind of scam shows one shared vulnerability: where there are people, there is an avenue for attack.