On three separate calls, an attacker used social engineering techniques to trick a representative of Amazon’s customer service into disclosing a user’s personal information.
An Amazon user named Eric Springer described how it all started with an email from Amazon’s customer service thanking him for reaching out:
Curious, Eric contacted Amazon’s customer service only to discover that someone claiming to be him had contacted a representative of the popular e-commerce company and had tricked them into disclosing his real shipping address and phone number.
The attacker succeeded in their effort by providing the representative with a fake address: a nearby hotel’s address that Eric had used to set up some domains, knowing that the whois information would eventually become public.
Eric was shocked:
“Wow. Just wow. The attacker gave Amazon my fake details from a whois query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.”
But the social engineering attacks did not stop there.
After requesting that customer service not provide anyone with his personal information, Eric received another email from Amazon a few months later. This led to another call with customer service, which provided Eric with a transcript indicating that the attacker had (unsuccessfully) attempted to social engineer a representative into providing them with his credit card number.
By this point, Eric had had enough, so he removed his address from his account.
Unfortunately, that didn’t prevent him from receiving another correspondence from Amazon customer service some months later. This time, the attacker had contacted Amazon by phone, so there was no way to obtain a transcript.
Given the progression of the social engineering attacks, Eric is convinced that Amazon forfeited his credit card number to the attacker.
“At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.”
News of this story had already made its way around the web, including to Reddit, where former customer support employees (albeit not from Amazon) outlined the social engineering training they had received and expressed dismay at Amazon’s failure to provide the same training:
“How can a company as big as Amazon not have stronger privacy policies? When I worked customer support they drilled it into our heads that the most common means of fraud was social engineering, and they gave us workshops on how social engineering works and what to look out for. These employees need to be retrained ASAP.”
Not surprisingly, Eric has a few recommendations for Amazon and for companies everywhere. Above all, he suggests that companies need to be careful when taking customer support calls and that they should verify the customer’s IP address with on-staff support agents.
As for ordinary users, you can learn more about social engineering attacks.
It also might be a good idea to enable two-factor authentication on your Amazon account and on whichever other accounts offer this service.
It won’t necessarily protect against social engineering attacks directed at a company’s support team, but it could complicate the plans of an attacker who is looking to compromise your account.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.