Amazon's customer support is so accommodating that you can talk to it over chat without logging in (or by phone).
Moreover, they are so eager to please customers that the delivery address of an order that has already been placed can be changed.
It's just a gift for the social engineer.
For the store's ordinary customers this is very convenient: in case of an unexpected move or trip, the customer can call Amazon (or open the chat) and ask them to forward the latest order to the new address.
But it is just as convenient for attackers. Lately we hear more and more often about attackers redirecting other people's Amazon orders to themselves.
The fraud scheme looks like this:
1. We learn the order number, which has the form 103-4XXXXXX-XXXXXXX. Amazon order numbers, together with the list of items in each order, are sold on underground forums. A social engineer can even pick an order containing exactly the goods he wants.
2. We learn the victim's name and the mailing address the order was placed to. Usually this information is sold together with the order number, but there are other ways to find it. Given the name and address, the support team will sometimes even provide the order number itself.
3. We register an address for receiving mail and parcels in the U.S. using a site such as ReShip.com or a similar service.
4. We register an e-mail address that resembles the victim's. This is not strictly necessary, because in the chat you can use an e-mail address that does not even exist.
5. We go to the Amazon chat (or call support by phone) and ask the friendly support agent (the author notes they are usually in India) to change the delivery address for the order. The agent asks for the order number found in step 1, the 103-4XXXXXX-XXXXXXX. As "proof" it is enough to explain the reason for changing the address (an unexpected trip, a move, a natural disaster, a new job, a sister's wedding, etc.) and to describe the items that the order contains.
6. Amazon ships the order to the new mailing address. Company policy is to accommodate customers as far as possible in such situations, even if that means shipping the goods again. Judging by the description of the fraud in the blog of Chris Cardinal, one of the victims, in these cases Amazon almost always ships the items twice. In other words, the company knowingly accepts some losses from potential fraud in order to increase customer loyalty.
The most interesting part is that the fraud would almost certainly have gone unnoticed by the victim, who still receives her own goods. Chris Cardinal learned of the fraud only by accident, because a confirmation of the order change landed in his Gmail inbox. The unknown attacker had given the chat a dotted variant of the mailbox (Chris.Cardinal@gmail.com). It looks like the original address ChrisCardinal@gmail.com, but Gmail treats Chris.Cardinal@gmail.com as an alias of ChrisCardinal@gmail.com, so every message sent to the dotted address is delivered to the original mailbox. That is how the victim found out about the attack.
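The Gmail alias behaviour described above is the one detail of this story a defender can actually act on: a support system that canonicalises the contact e-mail given in a conversation can notice that it is a dot/plus variant of the address on file (it delivers to the same inbox, but it is not what the customer registered), or that it does not match at all, and route the address change for extra verification. The following Python is an added example, not code from the original post, Chris Cardinal's blog or Amazon; it assumes the well-known Gmail rules (dots in the local part ignored, a "+tag" suffix ignored, googlemail.com equivalent to gmail.com, local part compared case-insensitively) and applies no provider-specific rule to other domains. The sample addresses are the ones from the story plus constructed ones.

```python
# Canonicalise e-mail addresses so that a Gmail "dotted" alias used in a
# support chat can be recognised as the same mailbox as the address on file.
# Added example; the Gmail rules below are assumptions about that provider,
# other domains are only lower-cased.

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical_mailbox(address: str) -> str:
    """Return the mailbox an address really delivers to.

    Gmail: case-insensitive, dots in the local part are ignored, a '+tag'
    suffix is ignored and googlemail.com is folded into gmail.com.
    Any other domain: lower-cased only (assumption: no alias rules known).
    """
    address = address.strip()
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def classify_contact(supplied: str, on_file: str) -> str:
    """Compare the e-mail given in a support conversation with the account's.

    Returns one of:
      "exact"          - same address as registered (ignoring letter case)
      "alias_variant"  - delivers to the same inbox but was not typed as on
                         file (e.g. Chris.Cardinal@gmail.com vs
                         ChrisCardinal@gmail.com); worth a second look
      "mismatch"       - a different mailbox altogether
    """
    if supplied.strip().lower() == on_file.strip().lower():
        return "exact"
    if canonical_mailbox(supplied) == canonical_mailbox(on_file):
        return "alias_variant"
    return "mismatch"


def needs_step_up_verification(supplied: str, on_file: str) -> bool:
    """Policy helper (assumed, not Amazon's): an address change requested
    through an unauthenticated channel is auto-approved only when the contact
    e-mail matches the account exactly; anything else requires the customer
    to confirm from the registered mailbox or a logged-in session."""
    return classify_contact(supplied, on_file) != "exact"


if __name__ == "__main__":
    # Constructed sample conversation: address on file vs. what the caller typed.
    on_file = "ChrisCardinal@gmail.com"
    for supplied in ("Chris.Cardinal@gmail.com",
                     "chriscardinal@gmail.com",
                     "chris.cardinal+amazon@googlemail.com",
                     "someone@example.org"):
        print(f"{supplied:40} -> {classify_contact(supplied, on_file):14}"
              f" step-up={needs_step_up_verification(supplied, on_file)}")
```

The check is cheap and catches exactly the pattern in the story: the attacker's dotted address canonicalises to the victim's mailbox, so the request is flagged as an alias variant rather than silently accepted as belonging to the customer.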