On Monday, the Wall Street Journal reported a wave of hijacked Amazon seller accounts that proceeded to fleece buyers for large sums of money. As reported here, attackers would use credentials harvested from other breaches to take over the account, then either simply redirect funds to their own deposit account or create lots of fake "sales" to collect money from buyers, but never deliver goods. Pretty good scam, right? So how do we defend against it?
First, we've talked about credential dumps before and why they're a security risk. In brief, a breach on a third party site that isn't all that important to you can yield credentials that can be reused on sites that are much more important. (Please do not reuse passwords.) While you can't control how a third party chooses to protect your password, you can implement control measures on your end like Two Factor Authentication. While Amazon doesn't appear to have documentation on how to do this for a seller account, their support forum makes reference to its recent release as a feature here. The thread also has some great advice for sellers who suspect their account has been breached:
That's all well and good for sellers, but how do you protect yourself from a bogus third party seller? First, do not rely on feedback alone. Sellers can easily purchase bots to generate positive feedback for themselves in bulk. Further, Amazon seller fraud generally runs on a cycle of several weeks. The fake seller will collect orders within that timeframe, then at the threshold where a defrauded buyer is able to tell Amazon "Hey, I never received the item," they'll take their money and close the account. If they're able to do this before attracting significant scrutiny, a new account can be opened and the process can start again. A simple way to not get caught by this sort of scam is:

Don't use third party sellers.

Simple, but not easy. Let's say you're a vintage electronics collector and you want to buy this sweet click wheel iPod.
It says Apple right there in the header, so it must be a refurbished product, right? But, if you look further down you'll see a very optimistic sales price and "Fulfilled by Amazon." Which means...
So while Amazon will ship that snazzy iPod to you, they can't tell you how reliable the seller is, if the iPod actually is an iPod, or something closer to a P-P-P-Powerbook. What you really want is "Ships from and Sold By Amazon," as seen here:
Buying only "Ships from and sold by" can be harder than it looks. Sales analysis here shows that third party sellers make up a significant portion of Amazon's profits and are projected to increase sharply over the near term. According to CNBC, roughly 40% of Amazon's unit sales come from third parties, and the number can be higher for certain types of products. While it is increasingly frustrating to avoid bogus sellers, the company does provide extensive support after the fact and will guarantee that purchases are delivered and are as advertised.
Amazon third party sellers have consistently had issues with fraud and counterfeit goods. Now we can add a new threat to the pile of attacks against sellers themselves. Keep yourself safe by using a quality password with two-factor authentication enabled and try to stick with the seller you know, rather than someone offering a price that might be a little too good.