
Amazon customer support backdoor
Could a security-conscious user who follows best practices — unique passwords, two-factor authentication, logging in only from his own reliable computer, and the ability to spot phishing sites from a mile away — be completely sure that nothing threatens his accounts and personal data? Unfortunately, no.

When someone deliberately watches you, all these tricks become useless. The fact is that most systems have a backdoor: user support. In this post, I am going to focus on the most malicious criminal: Amazon.com. This was one of several companies to which I could entrust my personal data. After all, I shop there, and besides, I used to work as a software developer, and therefore I consider myself a rather large AWS user (with a turnover of more than $600/month).
It all started with a rather harmless email.

The first thing I assumed was that it must be an error or a late message from the answering machine (I had contacted support a month earlier). But curiosity got the better of me; I contacted Amazon to find out what was the matter with them. They calmly replied that I had spoken with Amazon support. What the heck? It was a text message, which they were able to provide to me by email.

Let me note that the address indicated in the correspondence does not belong to me. It is the address of a hotel whose zip code matches mine. I used it to register multiple domains, knowing that Whois information too often becomes public. For registration, I used the area in which I live, so that my static IP matches the data specified in Whois.
We continue:

Wow. Just wow. The attacker presented Amazon with my false data, which he took from the domain's Whois record, and in return received my real address and phone number. Now they have enough data to get access to some services and even to convince my bank to issue a new copy of my credit card. It was very difficult to restrain myself and not pour out all my indignation on the support staff. I contacted Amazon Retail and AWS, expressing my disappointment and asking them to put a note on my account that the risk of hacking and logging in to my account is very high. Amazon Retail said that they would set a checkmark on my account and that a specialist would contact me (none did). At the same time, AWS ignored the existing risk.
Fast-forwarding events by a couple of months, I made a terrible mistake and thought that the threat was already behind me. I provided Amazon with fresh credit card information and new address information. In return, I received another letter.

I contacted Amazon support again to figure out what was going on. This time, I was lucky enough to talk with a support employee who had absolutely no idea how it was possible for someone else to speak on my behalf. It was really difficult for me to restrain myself when he started telling me that I had to change my password so that such situations with “doubles” would not arise in the future. In the end, I had to admit that it was "I" and demand from him a printout of "my" dialogue (and he was still able to provide it).


Further on, the attacker makes unsuccessful attempts to get the last 4 digits of my credit card.

I guess I’m very lucky that Amazon did not give out my credit card information. And again, I contacted support, repeating how important it is not to hand over my data to other people. They again promised that they would add a note to my account and that a specialist would contact me (and again, no specialist).
This time, I decided that I could not trust Amazon with my address data and it was time to remove it from my account.
Now on to the second day of my adventure with Amazon:

This time I could not get a printout of the dialogue, because the attackers contacted Amazon by phone and there was no record. I thought with horror that the attackers had now managed to get the last digits of my credit card. As it turned out later, the fears were not in vain.
This time, Amazon finally betrayed my trust in them (or rather, already three times!). I did everything in my power to provide the necessary protection for the account. But this turned out to be a hopeless affair.
At the moment, I am already in the process of closing my account on Amazon and migrating to Google services, which seem more resistant to such attacks.
I would like to advise users to be extremely careful with the information that they post on their accounts. After all, even a giant like Amazon cannot provide adequate data protection from various hacker attacks.
You can find the original of this post on Eric's blog.
