Anonymous Wants DDoS Recognised as an Official Form of Protest

Gizmodo / UK
by Gary Cutlack
January 10, 2013


The Anonymous hacking collective has petitioned the White House, using the US government’s open forum to ask for DDoS attacks to be registered as an official form of complaint – and requesting the convictions of previous DDoS attackers be wiped from their records.

The petition does make some sense. Anon claims that a DDoS attack is similar to the modern trend of “occupy” protests, where unshaven anti-capitalists sit inside a branch of Vodafone annoying proper customers with their banners and shouting about tax.

It says a DDoS is the same thing, only virtual, with complainants instead using their computers to occupy a web site and therefore denying users the chance to use it.

Anon doesn’t do itself any favours, though, pointing out that the DDoS attack method is little more than “repeatedly hitting the refresh button on a webpage.” Which doesn’t sound as cool. [White House via The Register]
Direct Link:  http://gizmodo.com/5974785/anonymous-wants-ddos-recognised-as-an-official-form-of-protest

Re-Visit: Attack Turns Android Devices Into Spam-Spewing Botnets

Beware Trojan app sending 500,000 spam SMS messages per day, charging messages to smartphone owners.

Information Week
by Mathew J. Schwartz
December 19, 2012


From an attacker’s perspective, malware doesn’t need to be elegant or sophisticated; it just needs to work.

That’s the ethos behind a recent spate of Trojan applications designed to infect smartphones and tablets that run the Android operating system, and turn the devices into spam-SMS-spewing botnets.

By last week, the malware was being used to send more than 500,000 texts per day. Perhaps appropriately, links to the malware are also being distributed via spam SMS messages that offer downloads of popular Android games, such as Angry Birds Star Wars, Need for Speed: Most Wanted and Grand Theft Auto: Vice City, for free.

Despite the apparent holiday spirit behind the messages, however, it’s just a scam. “If you do download this ‘spamvertised’ application and install it on your Android handset, you may be unknowingly loading a malicious software application on your phone which will induct your handset into a simple botnet, one that leverages the resources of your mobile phone for the benefit of the malware’s author,” according to an overview of the malware written by Cloudmark lead software engineer Andrew Conway.

The malware in question uses infected phones “to silently send out thousands of spam SMS messages without your permission to lists of victim phone numbers that the malware automatically downloads from a command and control server,” said Conway. Of course, the smartphone owner gets to pay any associated SMS-sending costs.

An earlier version of the malware was discovered in October, disguised as anti-SMS spam software, but it remained downloadable for only a day. “Apparently using SMS spam to promote a bogus SMS spam blocking service was not an easy sell,” said Conway. Subsequently, the malware was repackaged as free versions of popular games, and the malware’s creator now appears to be monetizing the Trojan by sending gift card spam of the following ilk: “You have just won a $1000 Target Gift Card but only the 1st 777 people that enter code 777 at [redacted website name] can claim it!”

As with the majority of Android malware, the malicious apps can be downloaded not from the official Google Play application store, but rather from third-party download sites, in this case largely based in Hong Kong. In general, security experts recommend that Android users stick to Google Play and avoid third-party sites advertising supposedly free versions of popular paid apps, since many of those sites appear to be little more than “fakeware” distribution farms. But since Android users are blocked from reaching Google Play in some countries, including China, third-party app stores are their only option.

Before the malware can take hold, the user must first grant the app numerous permissions at install time, such as permission to send SMS messages and to access websites. Only then can it transform the mobile device into a spam relay. Of course, people in search of free versions of paid apps may well agree to such requests. Furthermore, “not many people read the fine print when installing Android applications,” said Conway.

If a user does grant the malware the requested permissions, it will turn their Android device into a node, or zombie, of the malware creator’s botnet. At that point, the malware immediately “phones home” to a command-and-control server via HTTP to receive further instructions. “Typically a message and a list of 50 numbers are returned,” said Conway. “The zombie waits 1.3 seconds after sending each message, and checks with the C&C server every 65 seconds for more numbers.”
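The cadence Conway describes (a batch of about 50 numbers per C&C hand-out, 1.3 seconds between sends, a check-in every 65 seconds) is machine-regular in a way human texting never is, which makes it detectable from outbound-SMS metadata alone. The following is an added example, not code from the article or from Cloudmark: it scores each device in a constructed outbound-SMS log (an assumed CSV of timestamp, device ID and destination) on send volume, median inter-send gap and the fraction of distinct destinations, and flags devices that look like a zombie walking down a list. The thresholds are assumptions tuned to the quoted cadence; the sample log is generated inline and is not real data.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample log (not real data). Format is an assumption:
# "ISO-timestamp,device_id,destination", one outbound SMS per line.
# Device zombie-1 replays the cadence the article quotes: a hand-out of 50
# numbers from the C&C, one SMS every 1.3 s, every destination distinct.
# Device normal-1 texts two contacts a few times over an hour.
def build_sample_log():
    lines = []
    t0 = datetime(2012, 12, 18, 9, 0, 0)
    for i in range(50):
        ts = t0 + timedelta(seconds=1.3 * i)
        lines.append(f"{ts.isoformat()},zombie-1,+1555010{i:04d}")
    contacts = ["+15551112222", "+15553334444", "+15551112222",
                "+15553334444", "+15551112222"]
    for i, dest in enumerate(contacts):
        ts = t0 + timedelta(minutes=12 * i)
        lines.append(f"{ts.isoformat()},normal-1,{dest}")
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_log(text):
    """Parse the assumed CSV format into (timestamp, device, destination)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, device, dest = line.split(",")
        records.append((datetime.fromisoformat(ts), device, dest))
    return records


def find_spam_zombies(records, min_sends=20, max_median_gap=2.0,
                      min_distinct_ratio=0.9):
    """Return {device: stats} for devices whose outbound SMS pattern matches
    a botnet zombie: many sends, machine-regular short gaps between them,
    and almost every message to a different destination (a person repeats
    contacts; a spammer walks a list handed out by the C&C).
    Thresholds are assumptions, not values from the article."""
    by_device = defaultdict(list)
    for ts, device, dest in records:
        by_device[device].append((ts, dest))

    flagged = {}
    for device, sends in by_device.items():
        sends.sort()
        if len(sends) < min_sends:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(sends, sends[1:])]
        med_gap = median(gaps)
        distinct_ratio = len({dest for _, dest in sends}) / len(sends)
        if med_gap <= max_median_gap and distinct_ratio >= min_distinct_ratio:
            flagged[device] = {
                "sends": len(sends),
                "median_gap_s": round(med_gap, 2),
                "distinct_ratio": round(distinct_ratio, 2),
            }
    return flagged


if __name__ == "__main__":
    for device, stats in find_spam_zombies(parse_log(SAMPLE_LOG)).items():
        print(f"{device}: {stats}")
```

The median gap is used rather than the mean so that one long pause (a 65 second wait for the next C&C batch) does not mask fifty machine-timed sends; a sliding window over the 65 second check-in period would be the natural next refinement on a real carrier-side feed.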

Again, the Android malware used to build the accompanying SMS-spewing botnet isn’t sophisticated, but it does appear to be earning its creator money. “Compared with PC botnets this was an unsophisticated attack,” said Conway. “However, this sort of attack changes the economics of SMS spam, as the spammer no longer has to pay for the messages that are sent if he can use a botnet to cover his costs. Now that we know it can be done, we can expect to see more complex attacks that are harder to take down.”

Direct Link:  http://www.informationweek.com/security/attacks/attack-turns-android-devices-into-spam-s/240144988?cid=SBX_iwk_related_news_Attacks/breaches_security&itc=SBX_iwk_related_news_Attacks/breaches_security

Aaron Swartz’ Alleged Victim ‘Regretted’ Being Drawn Into Hacking Case

ABC News
by Alyssa Newcomb
January 13, 2013

The suicide of Internet activist Aaron Swartz, who was due to stand trial on federal hacking charges, sparked anger from friends, family and followers, while the subscription-based journal service he was accused of hacking said it “regretted” ever being drawn into the case.

Swartz’ federal trial on computer fraud charges was scheduled to begin in April. In 2011, Swartz was arrested after prosecutors alleged he illegally downloaded millions of academic journal articles from JSTOR over the Massachusetts Institute of Technology’s network.

JSTOR, which had stated it did not want to pursue charges against Swartz after he returned the articles he had downloaded, posted a statement offering condolences to his family.

“He was a truly gifted person who made important contributions to the development of the internet and the web from which we all benefit,” JSTOR, or Journal Storage, said in a statement. “The case is one that we ourselves had regretted being drawn into from the outset.”

Swartz, 26, had pleaded not guilty to the charges. If convicted, he could have faced decades in prison and millions of dollars in fines.

Aaron Swartz    (Flickr/Fred Benenson/Creative Commoners)

His family and partner issued a statement blaming the prosecution for playing a role in his suicide.

“Aaron’s death is not simply a personal tragedy. It is the product of a criminal justice system rife with intimidation and prosecutorial overreach,” the statement said.

“Decisions made by officials in the Massachusetts U.S. Attorney’s office and at MIT contributed to his death. The US Attorney’s office pursued an exceptionally harsh array of charges, carrying potentially over 30 years in prison, to punish an alleged crime that had no victims. Meanwhile, unlike JSTOR, MIT refused to stand up for Aaron and its own community’s most cherished principles.”

The family set up a website for people to post their memories of Swartz.

When he was 14 years old, Swartz helped create RSS software, revolutionizing the way people subscribed to and consumed information online.

As an adult, he co-founded Reddit, a social news website, and rallied against Internet censorship through the political action group Demand Progress.

Technology pioneers paid tribute to the man who “had more work to do, and who made the world a better place when he did it.”

“The billions of snippets of sadness and bewilderment spinning across the Net confirm who this amazing boy was to all of us,” Creative Commons founder Lawrence Lessig wrote.

Sir Tim Berners-Lee, the creator of the World Wide Web, posted a poem, calling Swartz, who was 26 years old at the time of his death, “a mentor, a wise elder.”

Blogger Cory Doctorow posted on  Boing Boing that Swartz had “an unbeatable combination of political insight, technical skill, and intelligence about people and issues”.

And in true Aaron Swartz fashion, Doctorow’s lengthy tribute came with a disclaimer: “To the extent possible under law,  Cory Doctorow has waived all copyright and related or neighboring rights to ‘RIP, Aaron Swartz.’”

His funeral is scheduled for Tuesday, in Highland Park, Ill., his family said, and they said that remembrances of Swartz and donations in his name could be made at rememberaaronsw.com.

Direct Link:  http://abcnews.go.com/blogs/headlines/2013/01/aaron-swartz-alleged-victim-regretted-being-drawn-into-hacking-case/

The hunt for Red October: The astonishing hacking ring that has infiltrated over 1,000 high level government computers around the world

  • Researchers say the cyber attack has been in operation since 2007 – and is still running
  • Operation described as ‘massive’ and has stolen ‘several terabytes’ of data
  • Security firm which discovered the attacks claims there is ‘strong technical evidence the attackers have Russian-speaking origins’, but says a private firm or rogue nation could be behind the network.
  • Targets included diplomatic and governmental agencies of various countries across the world, research institutions, energy and nuclear groups, and trade and aerospace firms
Daily Mail / UK
by Mark Prigg
January 16, 2013

A major cyber-attack that has been stealing information from high level government computers around the world since 2007 has been discovered.

Kaspersky Labs, which made the discovery, said in addition to diplomatic and governmental agencies of various countries across the world, Red October also targeted research institutions, energy and nuclear groups, and trade and aerospace targets.

The firm even said the malware was used to infiltrate smartphones of government workers to electronically steal information.

The full extent of the Red October operation is revealed in this infographic, showing how it has hit countries across the globe

The primary focus of the campaign was targeting countries in eastern Europe.

‘Former USSR Republics and countries in Central Asia were targeted, although victims can be found everywhere, including Western Europe and North America’, said Kaspersky Lab, an antivirus software firm which made the discovery.

‘The main objective of the attackers was to gather sensitive documents from the compromised organisations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.’

————-
******
————-

WHAT HAS BEEN STOLEN?

The main objective of the attackers was to gather sensitive documents from the compromised organisations.

This included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

Overall, Kaspersky said over 7 terabytes (7,000GB) of data has been stolen.

————-
******
————-

Red October, which has been active since at least 2007, appears to collect files encrypted with software used by several entities, from the European Union to NATO.

Kaspersky said Red October also infected smartphones, including iPhones, Windows Mobile and Nokia handsets.

It is believed to be still operating, although since the research was published, the attackers are believed to have started dismantling the system to protect their identities.

‘The project started in October 2012, we received a suspicious executable from a partner,’ Vitaly Kamluk, Chief Malware Expert at Kaspersky Lab told MailOnline.

‘We checked and began to understand what we had was quite massive – we found 1,000 different files in a few weeks, each of them a personalised email.’

Mr Kamluk said the attacks were highly customised.

‘There are a very limited number of machines, around 1,000 around the world, but every target is carefully selected.’

‘We extracted language used and found Broken English was used, with Russian words thrown in, such as Proga, commonly used among Russian programmers.

‘However, we are not pointing fingers at Russia – just that Russian language has been spotted.

‘It could be any organisation or country behind this, it could be nation states or a private business or criminal group.

———–
******
———–

HOW RED OCTOBER WORKS

One of the fake emails used to infect computers

Red October is a malware attack.

Initially the malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the various applications.

Intended targets received personalised correspondence based on gathered intelligence on individual people (an example is on the right).

These attacks comprised two major stages:

Initial infection: Right after the victim opens the malicious document on a vulnerable system, the embedded malicious code initiates the setup of the main Red October software on the machine.

This handles further communication with the master servers run by the hackers, and can survive the computer being restarted.

Spying: Next, the system receives a number of additional spy modules from the hackers’ server, including modules to handle infection of smartphones – the team said iPhones, Windows phones and Nokia handsets were seen on the network.

The specific modules are customised for each mobile depending on the information the hackers wanted.

The main purpose of the spying modules is to steal information.

All gathered information is packed, encrypted and only then transferred to the Red October command servers.

Other modules were designed to target files encrypted using a system known as Cryptofiler – an encryption standard that used to be in widespread use by intelligence agencies but is now less common.

The campaign, identified as ‘Rocra’, short for ‘Red October’, is currently still active with data being sent to multiple command-and-control servers, through a configuration which rivals in complexity the infrastructure of the Flame malware.

Kaspersky’s research indicated there were 55,000 connections from about 250 different infected IP addresses.

Most infection connections were found coming from Switzerland, followed by Kazakhstan and Greece.

———-
******
———-

‘There is sensitive geopolitical information being stolen, which is very valuable,’ said Mr Kamluk.

Kaspersky estimates that 20 to 30 developers worked full time on this, all of them ‘very experienced programmers’.

‘Over the course of the last five years, we believe several terabytes of data was stolen – it’s massive.

‘Since we published the report, we have seen some of the servers are no longer responding.’

The firm is now working with law enforcement agencies to shut down the remaining servers.

Red October, which is named after the Russian submarine featured in the Tom Clancy novel The Hunt For Red October, also has what Kaspersky Lab called a unique ‘resurrection’ module that hid in Adobe Reader and Microsoft Office programmes and allowed the attackers to regain access if the virus was discovered and removed.

Amazon Has Another Huge Security Hole

Gizmodo.com
by Chris Cardinal
December 19, 2012

You may recall that Amazon was implicated as the weak link in the Mat Honan iCloud hack, wherein a gadget blogger had his entire online identity nuked from orbit because Amazon gave up the secondary identifying information necessary to issue a password reset over at Apple. (The last four of your credit card, incidentally.) I’m sad to say that Amazon has clearly not improved their authentication protocols in any meaningful way, but this time it’s hurting them directly.

Someone has devised a relatively simple way of defrauding Amazon.com and they require very little hard information to pull it off. While this story is still developing, I’m writing this up in an effort to make Amazon aware of the problem and hopefully help them tighten their call center and live chat security.

I woke up this morning to find four tightly spaced emails from Amazon apologizing for the premature termination of our live chat session. They all differed slightly but were along the lines of “I couldn’t gather enough information to take action.” At first, I figured this was a bizarre phishing scheme, but the post-chat emails were true to Amazon’s normal format and linked to valid Amazon post-chat survey links. I did notice that the emails were being sent to my name with a dot bisecting the first and last name: Gmail is “dot-blind”. You can literally email h.t.mlist@gmail.com and it would get through to the htmlist@gmail.com account with no issues. But Amazon is NOT dot-blind. html.ist@gmail.com is a distinct Amazon account from htmlist@gmail.com, even though the email account is the same. (Because many providers are NOT dot-blind, this is actually normal practice.)

This was of particular interest to me as I have never given out my email address with a dot in it. Ever. More on that soon.
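The dot-blindness the author describes is a general account-identity problem: a service that keys accounts on the raw address string will happily hold two accounts that deliver to one Gmail inbox, which is exactly the foothold used here. The following is an added example, not code from the article or from Amazon: a small normaliser that maps an address to the mailbox it actually delivers to and flags a new address that collides with an existing account. The dot-and-plus rules are Gmail’s documented behaviour (with googlemail.com as its alias); every other domain is treated as dot-significant, and lower-casing the local part is an assumption noted in the code. The account list is constructed for the example.

```python
# Providers that ignore dots in the local part and treat a "+tag" suffix as
# an alias of the base mailbox. Gmail documents both behaviours, and
# googlemail.com is its legacy alias domain. Any domain not listed here is
# treated as dot-significant, which is what the SMTP specification allows.
DOT_BLIND_DOMAINS = {
    "gmail.com": "gmail.com",
    "googlemail.com": "gmail.com",
}

# Constructed sample of existing accounts (not real data).
EXISTING_ACCOUNTS = [
    "htmlist@gmail.com",
    "html.ist@example.com",
    "someone@example.org",
]


def canonical_email(address):
    """Return the canonical mailbox an address actually delivers to.

    For dot-blind providers the dots and any "+tag" are stripped and the
    alias domain is folded onto the primary one. Assumption: local parts
    are compared case-insensitively, as nearly every provider does in
    practice even though the specification leaves it to the receiver."""
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.rsplit("@", 1)
    domain = domain.lower().rstrip(".")
    local = local.lower()
    if domain in DOT_BLIND_DOMAINS:
        domain = DOT_BLIND_DOMAINS[domain]
        local = local.split("+", 1)[0].replace(".", "")
    return f"{local}@{domain}"


def lookalike_accounts(existing_addresses, new_address):
    """Existing accounts whose mailbox is the same as new_address's mailbox.

    A registration or support-desk lookup that returns a non-empty list
    here is dealing with an alias of an account that already exists, which
    is the signal the article's scenario lacked."""
    target = canonical_email(new_address)
    return sorted(a for a in existing_addresses if canonical_email(a) == target)


if __name__ == "__main__":
    for candidate in ("html.ist@gmail.com", "htmlist@example.com"):
        print(candidate, "->", canonical_email(candidate),
              "collides with", lookalike_accounts(EXISTING_ACCOUNTS, candidate))
```

The useful property is the asymmetry: html.ist@gmail.com collapses onto the existing htmlist@gmail.com account, while htmlist@example.com does not collapse onto html.ist@example.com, because example.com is not known to be dot-blind and treating it as such would merge two genuinely different mailboxes.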

Finally, the last email indicated that “I did check on your account and found that no orders are present on this account. However if you’ll be able to provide us the order numbers, we’ll be able to proceed from there.” Someone is sniffing out order numbers.

Something wicked this way comes

Two hours later I received yet another post-chat email from Amazon Customer Service. Here it is:

I’m so sorry about the problem you had with your orders. I’ve created a replacement order for you at no additional charge. Here are the details:

Order Number: 103-4XXXXXX-XXXXXXX
Shipping Speed: One-Day Shipping
Guaranteed Delivery Date: Tuesday, December 18, 2012

I’ve requested a refund of $42.99  to your card for B+W 67mm Clear UV Haze with Multi-Resistant Coating (010M).

You’ll see the refund on your Visa statement in the next 2-3 business days.

Oh boy. This was troubling. I had ordered and received that specific camera filter as part of the purchase of a new Canon camera. I was happy with my purchase and was certainly not requesting a refund. But what’s this about a replacement order?

I log into my account to find a one-day-shipping replacement order for the camera and the complimentary bag and memory card that comes with it set in the “shipping soon” status. Seconds later, I receive another email from Amazon:

I’m so sorry about the problem you had with your orders. I’ve created a replacement order for you at no additional charge. Here are the details:

Order Number: 103-4XXXXXX-XXXXXXX
Shipping Speed: One-Day Shipping
Guaranteed Delivery Date: Tuesday, December 18, 2012

Shipping To:
Mr Chris Cardinal
13820 NE Airport Way
K5981
Portland, Oregon 97230
United States
Primary Phone: 647-234-1819

Hm. I’ve heard great things about Oregon, but I’ve never been myself. More to the point, my camera is sitting here with me right now. Definitely don’t need a replacement. Amazon is shipping a phantom replacement to a phantom Chris Cardinal at a phantom address in the Pacific Northwest. By now, I’m a little frustrated.

I call Amazon and inform them of this. I had earlier called to seek a partial price-match refund on my still-shipping camera and lucked out with a North American CSR. This time, not so lucky. The call center rep was certain that my account had been compromised but very forgiving and assured me I wouldn’t be responsible for any of this. I explained that my account itself was still intact, that I possessed full control over it, and I had already changed my password just in case. My email requires two-factor authentication and showed no unusual activity, so at this point, I’m relatively confident that the vector of attack was completely confined to Amazon’s leaky customer service department.

As the order was only still being prepared, I mashed the “request cancellation” button as quickly as possible and was satisfied to find it had been cancelled promptly. The rep wasn’t able to help with my wayward, ill-requested refund, but I figured I had squashed the bug.

I was wrong.

If at first you don’t succeed…

Two hours later, I receive another email, from yet another in the revolving door of CSRs, all of whom appear completely incapable of checking chat history or picking up on a potential fraudulent stream of activity:

This is Giovanni with Amazon.com Customer Service. The one you just conversed with previously.

Replacement Successfully replaced the order. Replacement OrderID: 103-7XXXXXX-XXXXXXX.
Thank you for your inquiry.

Did I solve your problem?

No. You did not solve my problem. Your desire to ship out $900 cameras with wanton, reckless abandon, while well-intentioned, is ruining my day because I don’t want my account tagged for fraudulent behavior should I need an actual replacement order in the future.

I call in again and explain that whatever is happening needs to stop. The rep helpfully suggests I change my email address on my account. At the very least, I figure this will stop them from being able to make it over the most simple hurdle with the live chat corps, and comply. I ask to have my call escalated so that I can hopefully get some attention shined on this.

The supervisor is very apologetic and seems very confused that a replacement order could possibly be shipped to any address but the original. And yet, both replacement attempts (now cancelled) have tried to head out to Portland. They also insist that my account has been hacked. I explain that their reps are the weak link in as polite language as possible and ask if they can pull any chat transcripts from earlier today.

She can’t find any chats. But I remind her of my “dotted” account. Sure enough, there’s a chat from earlier today “but I can only send it to the email address on that chat”. Go nuts. It’s me anyway. (I’ve also since requested a password reset and logged into the dotted account to find the user changed his name to have some different last name. He doesn’t control the email account, so he can’t use the Amazon account.)

Anatomy of a successful social engineering attack

Here’s where the getting gets good:

9:22 AM Initial Question: Hi, my old account  was hacked, and so was my email. I was wondering if you can help me get my order numbers off that account for warranty issues.

Vishnu (CSA) : Hello Chris, my name is Vishnu. I will be happy to help you.
Vishnu (CSA) : Before I can view your account I’ll need to do a quick security check. Please confirm the complete name and billing address on your account.
Vishnu (CSA) : I hope we are still connected.
Chris : I’m sorry! I was doing something. My name is Chris Cardinal, my address is .
Vishnu (CSA) : Thank you for the information.
Vishnu (CSA) : In this case would you like to reset your password.
Chris : I don’t have time for that right now, could you just help me get the order numbers from November 1st to now?
Vishnu (CSA) : Sure, please wait for a minute.
Vishnu (CSA) : The orders placed in the month of November are as follows:
Vishnu (CSA) : 104-8XXXXXX-XXXXXXX
Vishnu (CSA) : Wednesday, November 7
Vishnu (CSA) : 107-0XXXXXX-XXXXXXX
Vishnu (CSA) : Monday, November 12, 2012
Vishnu (CSA) : v
Vishnu (CSA) : 109-9XXXXXX-XXXXXXX
Vishnu (CSA) : v
Vishnu (CSA) : Friday, November 23, 2012
Chris : Is that all?
Vishnu (CSA) : Yes, Chris. These orders were placed in the month of November.
Chris : How about December?
Vishnu (CSA) : In this case I’ll send you a password reset e-mail and you reset your password.
Vishnu (CSA) : Please wait for a minute, Chris.
Chris : My email is hacked, I’d rather not.
Chris : I just need my order numbers right now, nothing else..
Vishnu (CSA) : Orders in the month of December:
Vishnu (CSA) : 107-9XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 107-6XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 105-6XXXXXX-XXXXXXX
Vishnu (CSA) : Tuesday, December 11, 2012
Vishnu (CSA) : 106-8XXXXXX-XXXXXXX
Vishnu (CSA) : Thursday, December 13, 2012
Vishnu (CSA) : 106-2XXXXXX-XXXXXXX
Vishnu (CSA) : Saturday, December 15, 2012
Vishnu (CSA) : 106-6XXXXXX-XXXXXXX
Vishnu (CSA) : Saturday, December 15, 2012
Vishnu (CSA) :  106-2XXXXXX-XXXXXXX
Vishnu (CSA) : Sunday, December 16, 2012
Vishnu (CSA) : That is all, Chris.

Chris has left the conversation.

Pay dirt. As you can see, I’ve been a busy shopper. It’s the holiday season and I’m also buying some accessories for the new camera. A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

Oh good, another email:

 Good day!

Per our conversation a few minutes ago,  the replacement was successfully processed under order Id. No.: 103-4xxxxx-xxxxxxx. I gave you this confirmation but  the replacement was then cancelled.

Shipped To:

Shipping To:
Mr Chris Cardinal
13820 NE Airport Way
K5981
Portland, Oregon 97230
United States
Primary Phone: 647-234-1819

It seems that we are still currently working on this matter.  I am so sorry for the inconvenience.

This guy is persistent!

As you can see in the last line, it now appears that they have put the brakes on issuing new orders, per my insistence that they freeze the account and challenge for something other than billing address.

I’ve been told the issue has been forwarded to their fraud prevention department and I should expect to hear back soon. In the meantime, where did this guy come from and where was my replacement order going?

A few possibilities: I’ve tweeted about my desire to buy a Canon T4i recently. I didn’t mention Amazon or that I did buy it, but someone who is searching for model numbers has a place to start. My Twitter name is my actual name. My actual name’s first Google result is usually my cake contest website, Threadcakes. And up until early this afternoon, the whois information for my domain included my name, email address, and mailing address. Means, motive, opportunity, and enough to bypass Amazon’s CSR and get pretty much anything he needed.

It’s happened before

So what about the mysterious Portland address? It’s actually owned by a company called ReShip.com: a company that allows you to have a “virtual” mailing address which will forward packages and mail out of the US. Clearly, the camera was on its way overseas.

Googling the address yielded almost nothing. Except, of course, a wonderful gem: a posting on Amazon’s own forums of a user complaining about the exact same behavior occurring on their account, on December 4th, 2012. Even better, they were buying a Canon camera. The post was deleted, but Google’s cache still had it. Here’s what they had to say:

I recently bought two electronic items over the Black Friday week, a Canon PowerShot S100 12.1 MP Digital Camera with 5x Wide-Angle Optical Image Stabilized Zoom and a Yamaha RX-V671 7.1-Channel Network AV Receiver. I received both items promptly.

But then a few days after receiving my Yamaha I get an Amazon email saying they are sorry my Yamaha receiver didn’t arrive and were shipping a replacement order right away. The email was a valid Amazon email with valid link. That shipment went to some unknown address at 1711 Cudaback Ave, Niagara Falls, New York 14303. That turns out to be a shipping and storage facility.

When I called Amazon about this, the friendly customer rep from India said another customer used my email by mistake and that he would take care of this.

A few days later another apologetic email from Amazon arrived, saying that they were sorry my Canon S100 did not arrive and a new shipment will be sent. This shipment is going to another warehouse at 13820 NE Airport Way K5981, Portland, Oregon 97230. Again I emailed Amazon but this time I haven’t gotten a response.

Both shipments have my name as recipient but with addresses I’ve never shipped anything to. Both mysteriously showed up in my Amazon address list, too, before deleting them. One of them has my old landline phone number while another number has 7165554985 listed.

It’s clear that there’s a scam going on and it’s probably going largely unnoticed. It doesn’t cost the end user anything, except perhaps suspicion if they ever have a legitimate fraud complaint. But it’s also highlighting that Amazon is entirely too lax with their customer support team. I was told by my rep earlier today that all you need is the name, email address, and billing address and they pretty much can let you do what you need to do. They’re unable to add payment methods or place new orders, or review existing payment methods, but they are able to read back order numbers and process refund/replacement requests.

There’s a great deal of potential for fraud here. For one thing, it would be dirt simple for me to get and receive a second camera for free. That’s the sort of thing you’re really only going to be able to pull off once a year or so, but still, they sent it with basically no questions asked. (It was delivered by FedEx SmartPost, which means it was handed off to the USPS for final delivery, so perhaps the break in tracking custody contributes to their willingness to push the replacement.) Why Amazon’s reps were willing to assign the replacement shipment to a different address is beyond me. I was told it’s policy to only issue them to the original address, but some clever social engineering (“I’m visiting family in Oregon, can you ship it there?”, for instance) will get around that.

So what now?

So what can be done? Amazon can challenge with a phone PIN, like GoDaddy uses: a PIN that is separate from your account password and used only when dealing with their customer support telephone service. Amazon can challenge replacement requests with the last four digits of your payment method. This was never asked of the fraudster. They could also do better at collating chat/support history. This user had at least 4 separate live chat requests nearly simultaneously, like raptors testing a fence for weakness, all asking about the same account email address. That should be a huge red flag to Amazon. Instead, no one rep knew about the others. And when he went to place his replacement order two hours later with a different rep, they never knew there was a history of him complaining about his “account being hacked.”
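To make those suggestions concrete, here is an added illustrative example, written for this article and not Amazon's own code: it runs a contact-velocity check over a constructed support-chat log (several sessions about one account email in a short window, plus an earlier "account hacked" complaint) and then applies a step-up policy before a CSR may process a replacement. The log lines, the 30-minute window, the session threshold, and the `phone_pin_ok` / `last_four_ok` flags standing in for a support PIN and a last-four-digits challenge are all assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample support-chat log (not real data):
# (timestamp, session_id, account_email, topic)
SAMPLE_LOG = [
    ("2012-12-18 14:02:11", "s1", "victim@example.com", "account hacked"),
    ("2012-12-18 14:03:40", "s2", "victim@example.com", "order status"),
    ("2012-12-18 14:05:02", "s3", "victim@example.com", "order history"),
    ("2012-12-18 14:06:19", "s4", "victim@example.com", "order number"),
    ("2012-12-18 14:10:00", "s5", "other@example.com", "return"),
    ("2012-12-18 16:07:45", "s6", "victim@example.com", "replacement"),
]

WINDOW = timedelta(minutes=30)   # assumed correlation window
MAX_SESSIONS = 3                 # assumed threshold: >= this many sessions is a red flag


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def contact_velocity(log, window=WINDOW):
    """Map each account email to the largest number of distinct support
    sessions that started within any single window of the given length."""
    by_email = defaultdict(list)
    for ts, sid, email, _topic in log:
        by_email[email].append((parse_ts(ts), sid))
    result = {}
    for email, entries in by_email.items():
        entries.sort()
        best = 0
        for i, (t0, _sid) in enumerate(entries):
            # sessions from this one forward that fall inside the window
            n = sum(1 for t, _ in entries[i:] if t - t0 <= window)
            best = max(best, n)
        result[email] = best
    return result


def prior_claims(log, email, topic="account hacked"):
    """True if this account already had a support contact with the given topic."""
    return any(e == email and tp == topic for _, _, e, tp in log)


@dataclass
class ReplacementRequest:
    email: str
    ship_to_original_address: bool
    phone_pin_ok: bool   # hypothetical out-of-band support PIN, like GoDaddy's
    last_four_ok: bool   # hypothetical: caller gave last four digits of payment method


def decide(req, log):
    """Return (allow, reasons). Any risk signal blocks the replacement and the
    reasons are what a rep would hand to fraud prevention."""
    reasons = []
    velocity = contact_velocity(log).get(req.email, 0)
    if velocity >= MAX_SESSIONS:
        reasons.append(f"{velocity} sessions within {WINDOW} for this account")
    if prior_claims(log, req.email):
        reasons.append("account previously reported as hacked")
    if not req.ship_to_original_address:
        reasons.append("replacement to an address other than the original")
    if not (req.phone_pin_ok or req.last_four_ok):
        reasons.append("no knowledge factor beyond name/email/billing address")
    return (not reasons), reasons


if __name__ == "__main__":
    # The scenario from the article: many near-simultaneous chats, a prior
    # "hacked" claim, a new ship-to address, and only public data offered.
    fraud = ReplacementRequest("victim@example.com", False, False, False)
    print(decide(fraud, SAMPLE_LOG))
    # A quiet account, original address, PIN verified: allowed.
    legit = ReplacementRequest("other@example.com", True, True, False)
    print(decide(legit, SAMPLE_LOG))
```

The point of keeping the velocity check separate from the per-request policy is that the first is something the support platform can compute for every account before a rep ever picks up the chat, while the second is the checklist a rep (or the replacement workflow itself) must clear before shipping anything anywhere.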

Amazon could also reach out to the police and request they subpoena ReShip for the account holder’s information for their box there, but they’re almost certainly out of the country and thus out of anyone’s jurisdiction. So the problem comes back on Amazon. I appreciate their willingness to help and to basically operate with a no-questions-asked mentality. But this is too few questions. And even though the fraudster never gained access to my account, it scared me. I didn’t know what else he could convince the CSRs to do: they thought they were speaking with me, so perhaps they could change his account email address. At that point, he could repurpose the entire account with my payment methods intact and order as much as possible. Since he’s shipping to essentially a dead-drop address anyway, he could make out with a great deal of expensive gear before my credit card sounded the alarm or hit its limit.

I hope that Amazon considers requiring something other than basic identifying information to access and manipulate accounts like this. It’s frustrating and worrying, and your name, email, and mailing address are typically easily tracked down. In the meantime, they’re going to be paying for an insane amount of fraud, right under their noses, facilitated by their ever-too-cheerful customer service reps.

Image credit: Flickr/amandagroe (Creative Commons)
Direct Link:  http://gizmodo.com/5969981/two+for+one-amazons-socially-engineered-replacement-order-scam?tag=hacking