Amazon Replacement Order Scam: anatomy of a social engineering con in action

Social engineering scams involve a mix of technical skills and psychological manipulation. Chris Cardinal discovered someone running such a scam on Amazon using his account: the scammer contacted Amazon pretending to be Chris, supplying his billing address (this is often easy to guess by digging into things like public phone books, credit reports, or domain registration records). Then the scammer secured the order numbers of items Chris recently bought on Amazon. In a separate transaction, the scammer reported that the items were never delivered and requested replacement items to be sent to a remailer/freight forwarder in Portland.

The scam hinged on the fact that Gmail addresses are “dot-blind” (foo@gmail.com is the same as f.oo@gmail.com), but Amazon treats them as separate addresses. This let the scammer run support chats and other Amazon transactions that weren’t immediately apparent to Chris.

Others have reported on this scam, but word hasn’t gotten around at Amazon yet, and when Chris talked to Amazon reps to alert them to the con, they kept insisting that his computer or email had been hacked, not understanding that the con artist was attacking a vulnerability in Amazon’s own systems.

A little bit of sniffing finds this thread where users at a social engineering forum are offering to buy order numbers. Why? Because as it turns out, once you have the order number, everything else is apparently simple.

If you’ve used Amazon.com at all, you’ll notice something very quickly: they require your password. For pretty much anything. Want to change an address? Password. Add a billing method? Password. Check your order history? Password. Amazon is essentially very secure as a web property. But as you can see from my chat transcript above, the CSR team falls like dominoes with just a few simple data points and a little bit of authoritative prying.

Two-for-one: Amazon.com’s Socially Engineered Replacement Order Scam (via Hacker News)

Rumor: Hey Americans! Foxconn Is Apparently Building Factories In LA And Detroit

The Taiwanese tech manufacturing giant, Foxconn Electronics, is rumored to be starting up manufacturing plants in the US next year, moving away from its longtime “home” base of mainland China.

Internet Cafe Webmaster Steals Internet From Internet Cafe

An internet cafe webmaster in the Nansha district of Guangzhou, Guangdong, was recently arrested for stealing user information, passwords, and money from the very same internet cafe he was working in. His method seems like something lifted from the 1999 movie Office Space.

How a tiny eye implant could save your vision from glaucoma

Stents have long been used in medicine for keeping blocked arteries open, along with various other tubes of the body that are prone to blockage and collapse. Now, this same concept has been shrunk down to a minute size, and might soon be finding a home in your eyeballs.

GameStop’s Former PR Chief Pleads Guilty to Embezzling Almost $2 Million [UPDATE]

Chris Olivera, formerly the vice president of corporate communications for GameStop, pleaded guilty on Thursday to an embezzlement scheme that netted him $1.9 million over the course of two years.

Pirate Bay Co-Founder In Solitary Confinement

pigrabbitbear writes “Things aren’t looking awesome for Pirate Bay founder Gottfrid Svartholm, who’s currently under lock and key in a newly built jail about 15 minutes north of Stockholm. Svartholm’s mother Kristina says that her 28-year-old son is being held in solitary confinement for 23 hours a day without any human contact other than his interactions with the guards. It’s been nearly two months since Svartholm was arrested in Cambodia, where he’d been living for years, and extradited back to Sweden, where he’s due to spend a year behind bars and pay a $1.1 million fine for copyright offenses related to his role at the Pirate Bay. But that’s not why Sweden’s being so tough on him in prison. Authorities believe he may have played a role in the hacking of Logica, a Swedish technology company with ties to the country’s tax authorities. They haven’t charged him with any crimes yet in that case, however.” Read more of this story at Slashdot.
