Massive and sophisticated fake review scam unearthed on Amazon - report

10 May, 2021 20:01

Scammers on Amazon are using a complex system to obtain fake 5-star reviews for their products, avoiding detection by using different forms of payment so the purchase seems as normal as any other, a watchdog site has found.

A whopping 13 million records of Amazon users and vendors participating in the colossal con job were discovered by SafetyDetectives, a cyber security team that stumbled on the trove of data on an unsecured ElasticSearch database last week.

The leak amounted to some 7 gigabytes of data, all told compromising the privacy of some 200,000 people.

Those curious about the identities of the vendors involved could find not only email addresses, but also WhatsApp and Telegram numbers. Emails were often shared as well.


On top of all that data were reportedly 75,000 links to pages of Amazon review sellers, PayPal account details (required to send the money in the last stage of the scam), email addresses and so-called “fan names” — presumably to provide the veneer of legitimacy for any business lacking in such.

Supposedly based in China, the network would send lists to their buyers of products they wanted a five-star review for. The users would obediently write up the review upon buying the product, allowing them to keep the product in the bargain. After leaving a five-star review, they would message the vendor with a link to their review via PayPal — notably not the payment processor they had initially used to purchase the item in the first place. Instead, the user would receive a “refund” via PayPal, being made whole for the cost of the product they initially bought.

In some cases the process was more complex, SafetyDetectives observed, claiming any “third party” in question could be operating as a middleman between the vendors and the receivers, “reaching out” to potential reviewers and potential buyers alike.

The identities of those responsible for the fake network have not yet been discovered. When it was first found in March and secured later that month, researchers believed it was based in China, given the fact that users communicated largely in Chinese over the ElasticSearch platform, but this was not confirmed. Should that be the case, Chinese fraudsters could be whacked with a fine as high as $7.6 million (5% of the company’s profits from the previous year).

Fraudsters conscious of their malfeasance could be hit with punishments as high as $100 million if Americans were victimized, while Europe’s GDPR privacy law could target the business in question with fines of 20 million euros. Europeans would in turn be protected by the GDPR against the database’s owner for mishandling their data.

While it can be difficult sometimes to distinguish between a new Amazon seller and a con artist luring in partners for their scam, SafetyDetectives argued that the latter could be filtered out by merely analyzing the reviews on Amazon. Most would be identical or similar but would often include a description suggesting the business had been around for some time - while the Amazon clone would only include very new profiles, perhaps hoping no one would notice.

Many of those people whose Amazon accounts are being used to run such scams are totally unaware of how they’re being manipulated; others, desperate to find a product they believe is completely out of stock (as happened during the mask frenzy of early 2020) will want to believe in a fraudulent product rather than trust their common sense.

SafetyDetectives has urged them to pay more attention. Still other cases stem from “customers willing to provide fake reviews in exchange for free products.”


While having one's username hijacked on Amazon for nefarious purposes is bad enough, the amount of information Amazon often asks for or has on file is not difficult to reverse-engineer into an actual person, raising significant risk of identity theft.

Serial fake-reviewers may receive a wide range of punishments, up to $10,000. The severity of the punishment depended on which jurisdiction was investigating and whether they were found to be knowingly selling reviews or if they were 'misled'.

“Big online marketplaces are failing to contain the issue, and in doing so are failing to ensure the safety of their customers” from the “thriving economy of deception,” SafetyDetectives said in a post on their blog.
