Social engineering tricks Amazon’s customer support reps into handing out sensitive customer data
An attacker used “social engineering” techniques to fool an Amazon customer service representative into disclosing a user’s personal information to an unnamed third party.
Eric Springer, an Amazon user and the victim, described his story in a blog post on Medium, explaining how it all started with an email from Amazon’s customer service thanking him for reaching out. Eric is an Australian developer who worked at Amazon as a software development engineer. He left a few years ago to work on several Bitcoin projects, one of which he sold.
Although Eric describes himself as a security-conscious individual who uses long passwords and two-factor authentication where possible, after he contacted Amazon’s customer service he found out that someone claiming to be him had contacted a representative of the popular e-commerce company and had tricked them into disclosing his real shipping address and phone number. He was also able to recover a chat log between the impersonator and an Amazon employee.
The attacker succeeded by providing the representative with a fake address: the address of a nearby hotel that Eric had used to register some domains, knowing that the WHOIS information would eventually become public. The phony customer then pressed the representative for more information and was quickly told Eric’s real address and phone number, as well as the balance of any gift cards on the account.
Eric was shocked:
“Wow. Just wow. The attacker gave Amazon my fake details from a WHOIS query, and got my real address and phone number in exchange. Now they had enough to bounce around a few services, even convincing my bank to issue them a new copy of my Credit Card.”
But the social engineering attacks did not stop there.
Despite his request that customer service not provide anyone with his personal information because his account was at risk of being socially engineered, Eric received another email from Amazon a few months later saying that a further incident had taken place. The transcript of this customer service call, which Eric was given, showed that the attacker had attempted (unsuccessfully this time) to social engineer a representative into providing the last few digits of his credit card.
Eric Springer is not happy, mostly because he believes that Amazon let a nefarious type get at his account. In his Medium post, Springer revealed that he was the victim of a “social engineering” hack that exposed his details to an unnamed third party. With just a rough idea of Springer’s location and his email address, the attacker tricked a customer service rep into giving up almost all of his personal information. The attacker was subsequently able to use this data to trick Springer’s bank into sending out a copy of his credit card.
By this point, Eric had had enough, so he removed his address from his account.
Unfortunately, that didn’t prevent him from receiving another email from Amazon customer service some months later. This time the attacker had contacted Amazon by phone, so there was no transcript to obtain.
Given the progression of the social engineering attacks, Eric is convinced that Amazon handed his credit card number to the attacker.
“At this point, Amazon has completely betrayed my trust three times. I have done absolutely everything in my power to secure my account, but it’s hopeless. I am in the process of closing my Amazon account, and migrating as much to Google services which seem significantly more robust at stopping these attacks.”
The incident has already made its way around the web, including Reddit, where former customer support employees (albeit not from Amazon) have outlined the social engineering training they received and expressed disappointment that Amazon apparently fails to provide the same training:
“How can a company as big as Amazon not have stronger privacy policies? When I worked customer support they drilled it into our heads that the most common means of fraud was social engineering, and they gave us workshops on how social engineering works and what to look out for. These employees need to be retrained ASAP.”
Amazon has yet to comment on the story. Eric, on the other hand, has a few recommendations for Amazon and for companies everywhere. He suggests that companies be careful when taking customer support calls and that they verify the customer’s IP address with on-staff support agents.
It might also be a good idea to enable two-factor authentication on your Amazon account and on whichever other accounts offer it.
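The core failure in the exchanges described above is that a support console let a representative read out private account fields to a caller who had only offered publicly discoverable information (an address lifted from WHOIS), and echoed the real value back when the offered one did not match. The following is an added example written for this article, not Amazon’s code or anything from Springer’s post: a small disclosure gate that a support tool could enforce. The tiers, field names, the `lockdown` flag (modelling a customer’s request that nothing be disclosed) and all account values are constructed assumptions. A mismatch is reported only as “no match”, a match on address-type data unlocks nothing sensitive, and card digits are in no tier at all.

```python
"""Added example (not from the article or from Amazon): a minimal disclosure
gate for a customer-support console, modelling the incident's failure mode.
All tiers, field names and account values are constructed for illustration."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import List, Optional
import re


class Tier(IntEnum):
    NONE = 0     # caller has proven nothing
    PUBLIC = 1   # caller matched data that may be publicly discoverable (e.g. WHOIS)
    PRIVATE = 2  # caller proved possession of a secret (one-time code to the account's contact)


@dataclass
class Account:
    email: str
    shipping_address: str
    phone: str
    gift_card_balance: float
    card_last4: str
    order_status: str
    lockdown: bool = False            # customer asked that nothing be disclosed without strong proof
    audit: List[str] = field(default_factory=list)


# Fields a rep's console will reveal at each verification tier. Card digits are
# deliberately in no tier: they are never read out over chat or phone.
DISCLOSURE_POLICY = {
    Tier.NONE: frozenset(),
    Tier.PUBLIC: frozenset({"order_status"}),
    Tier.PRIVATE: frozenset({"order_status", "shipping_address", "phone", "gift_card_balance"}),
}


def _norm(s: str) -> str:
    """Normalise free-text input so trivial formatting differences do not fail a match."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def verify_caller(acct: Account, claimed_address: Optional[str] = None, otp_valid: bool = False) -> Tier:
    """Decide how well the caller has proven identity. Only 'match' or 'no match'
    ever leaves this function; the stored value is never handed to the rep here."""
    if otp_valid:
        acct.audit.append("verified:otp")
        return Tier.PRIVATE
    if claimed_address is not None:
        if _norm(claimed_address) == _norm(acct.shipping_address):
            acct.audit.append("verified:address-match")
            return Tier.PUBLIC
        acct.audit.append("verify-failed:address-mismatch")
    return Tier.NONE


def disclose(acct: Account, tier: Tier, field_name: str) -> Optional[str]:
    """Return the field's value only if policy allows it at this tier, else None.
    A locked-down account treats anything below PRIVATE as unverified."""
    effective = tier
    if acct.lockdown and tier < Tier.PRIVATE:
        effective = Tier.NONE
    if field_name not in DISCLOSURE_POLICY[effective]:
        acct.audit.append(f"denied:{field_name}@{tier.name}")
        return None
    acct.audit.append(f"disclosed:{field_name}@{tier.name}")
    return str(getattr(acct, field_name))


def demo_account() -> Account:
    """Constructed sample account; none of these values are real."""
    return Account(
        email="customer@example.com",
        shipping_address="12 Real Street, Sydney NSW 2000",
        phone="+61 400 000 000",
        gift_card_balance=25.0,
        card_last4="4242",
        order_status="shipped",
    )


def replay_incident() -> dict:
    """Replay the shape of the article's exchange: the caller offers an address
    taken from WHOIS (a hotel, not the real one) and asks for the real address,
    phone number and gift card balance. Under this gate every request is denied."""
    acct = demo_account()
    tier = verify_caller(acct, claimed_address="99 Hotel Avenue, Sydney NSW 2000")
    return {
        "tier": tier.name,
        "shipping_address": disclose(acct, tier, "shipping_address"),
        "phone": disclose(acct, tier, "phone"),
        "gift_card_balance": disclose(acct, tier, "gift_card_balance"),
        "card_last4": disclose(acct, tier, "card_last4"),
        "audit": list(acct.audit),
    }


if __name__ == "__main__":
    print(replay_incident())
```

The design point is that the rep never sees a comparison result richer than match/no match, so there is nothing to “correct” the caller with, and the audit list records every denied request, which is exactly the signal a fraud team needs to spot repeated probing of one account across chat and phone channels.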
For now, this story serves as a wake-up call that even the best passwords and the most carefully planned online lives are not safe from a shrewd and determined social engineer.