Support is a real security hole.

    You follow all the safety rules: unique passwords, two-factor authentication, a secure computer. Think your account and personal information are safe now? Not quite. Amazon's example shows that they are not. The weakest link in the system is Amazon's support service, which is ready to hand your personal information to an outsider who has some social engineering skills.

    The tragedy of Matt Honan (2012) has not yet been forgotten. In just one hour the journalist's Amazon, GMail, Apple and Twitter accounts were hacked and the data on his iPad, iPhone and MacBook was remotely wiped. Among other things, he lost all the photographs of his daughter since her birth, many documents and most of his correspondence. It all started with the attacker calling Amazon support armed with the victim's personal data taken from the Whois records of his website.

    A similar story has now happened to developer Eric Springer, an AWS and Amazon customer. And once again Amazon support has proved to be a genuine security backdoor.

    It all started when Eric received a rather innocent letter from the support team: "Hello! Thank you for contacting us. Best regards, Maheshvaran."

    The problem is that Eric did not contact them.



    At first he thought it was a delayed reply to a request he had made to support a month earlier.

    However, curiosity prevailed, and he nevertheless asked Amazon what was going on. They replied that he had just been talking to the support department. The perplexed Eric was sent the chat log.



    Eric explains that the address given in the chat is not his real one; he used it once when registering a domain, which is why it is stored in public Whois records. Further:



    As you can see, after such an "identity confirmation" (consisting entirely of data anyone can read from public Whois records), the support officer gave out detailed information about the order: what was ordered, the address it was shipped to, the account balance, and the victim's real home address and telephone number. This is already enough to start a real attack.

    Eric Springer was seriously angry that some random stranger had been handed all the information about him. He contacted support and, barely restraining himself, asked them to mark his account as at risk of social engineering, so that support chats with him would be conducted only after he had logged in to the system. An Amazon employee said they would make a note on the account and that a specialist would contact him separately (nobody ever got in touch).

    A couple of months later, when everything seemed to be in the past, another letter arrived. Again the same: "Thank you for contacting Amazon.com ...".



    Eric again contacted a support employee, who could not grasp that someone was impersonating him. In the end the employee nevertheless sent the chat log.



    The hacker (or social engineer) used the address he had obtained at the previous stage of the attack.



    And again the same thing. The support officer once more handed over the delivery address, that is, the victim's real home address.

    Next, the hacker tried to find out the last four digits of the credit card. Thankfully he failed; otherwise he would have gained access to many other web services, including Apple iCloud, as happened with Matt Honan.



    Eric contacted support and repeated the same mantra about the importance of keeping his account safe and not giving out his personal data to anyone. They promised to flag the account, that this would never happen again, and that a specialist would contact him (once again, this did not happen).

    As a result of this story, Eric Springer decided that the company could not be trusted and deleted his address from his Amazon account entirely.

    Soon he received yet another letter, clearly written in response to a previous conversation (which had never taken place).



    This time, the chat log could not be obtained because the attacker called by phone.

    It is not clear what the hacker was trying to achieve, but one thing is obvious: the guy is not very experienced. A determined social engineer could do far more damage through the main backdoor in the security system: the support service.

    Eric Springer recommends that all Amazon users be careful and be prepared for this kind of attack. He in turn recommends that Amazon start support chats with customers only after they have logged in to the online store. An exception can be made when a person has forgotten their password.
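    The recommendation above amounts to a disclosure policy for the support console: account details are read back to a caller only once the caller holds an authenticated store session, knowledge of public Whois-grade data counts for nothing, and the "forgot password" exception reveals nothing the caller did not already know. The following is an added illustration of such a policy, not Amazon's code or anything Eric Springer published; the field names, the `AuthLevel` scale, the `se_risk_flag` attribute and the sample customer record are all constructed for the example.

```python
"""Policy gate for a support console (constructed example, not a real system).

Account data is read back to a caller only once the caller is logged in;
anything else is refused and audited, and refused attempts against an account
that asked to be marked "at risk of social engineering" are escalated.
"""
from dataclasses import dataclass, field
from enum import IntEnum


class AuthLevel(IntEnum):
    NONE = 0        # caller merely states a name or e-mail (Whois-grade data)
    KNOWLEDGE = 1   # caller recites account details; not proof of identity
    SESSION = 2     # caller is logged in to the store account


# Minimum level required before each field may be shown in a chat.
# card_last4 is never read back in chat at all (None): those digits unlock
# account recovery at other services, so no auth level is enough.
DISCLOSURE_POLICY = {
    "order_items": AuthLevel.SESSION,
    "shipping_address": AuthLevel.SESSION,
    "phone": AuthLevel.SESSION,
    "balance": AuthLevel.SESSION,
    "card_last4": None,
}


@dataclass
class Customer:
    email: str
    data: dict
    se_risk_flag: bool = False   # customer asked to be marked as an SE target


@dataclass
class SupportSession:
    caller_claim: str            # whatever identity the caller asserted
    auth: AuthLevel
    audit: list = field(default_factory=list)


def disclose(customer, session, requested):
    """Return (shown, refused): the allowed subset of `requested` as a dict,
    and the names of fields the policy refused. Refusals are audited."""
    shown, refused = {}, []
    for name in requested:
        needed = DISCLOSURE_POLICY.get(name)   # unknown field -> None -> refused
        if needed is not None and session.auth >= needed:
            shown[name] = customer.data[name]
        else:
            refused.append(name)
    if refused:
        session.audit.append({
            "event": "disclosure_refused",
            "claim": session.caller_claim,
            "auth": session.auth.name,
            "fields": refused,
            # an unauthenticated caller probing a flagged account is the
            # impersonation pattern from the story: escalate, don't just refuse
            "escalate": customer.se_risk_flag and session.auth < AuthLevel.SESSION,
        })
    return shown, refused


def start_password_reset(customer):
    """The one unauthenticated path. A reset is sent to the address on file and
    the caller sees only a masked hint, so the path leaks no account data."""
    local, _, domain = customer.email.partition("@")
    return {"reset_sent_to": local[0] + "***@" + domain}


if __name__ == "__main__":
    # Constructed sample record; the e-mail is the kind of throwaway address
    # that ends up in Whois and was used as "proof" in the chats above.
    eric = Customer("eric@example.com", {
        "order_items": ["desk lamp"], "shipping_address": "1 Real St",
        "phone": "555-0100", "balance": "12.00", "card_last4": "4242",
    }, se_risk_flag=True)
    unauth = SupportSession("eric@example.com", AuthLevel.NONE)
    print(disclose(eric, unauth, ["shipping_address", "phone", "card_last4"]))
    print(unauth.audit[-1]["escalate"])          # True: flagged account, not logged in
    logged_in = SupportSession("eric@example.com", AuthLevel.SESSION)
    print(disclose(eric, logged_in, ["shipping_address", "card_last4"]))
    print(start_password_reset(eric))
</test>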
