Over 200,000 people affected by Amazon review scam data leak
A database used to operate an Amazon fake reviews scam has leaked in a data breach, with the data trove revealing personal data for at least 200,000 people.
Amazon has been plagued by fake reviews for quite some time, with fictional high-scoring testimonials propping up the score of products to make them look good on the online retailer's pages. A data breach allegedly shows some of the workings behind one of the scams, and hints at the scale of the problem.
In the scam, Amazon vendors send reviewers lists of products for which they want five-star reviews. The reviewers then buy the items and provide a five-star "review" for each on Amazon.
The reviewer then sends a message back to the vendor, containing a link to their Amazon profile and PayPal details. The reviewer then receives the refund, and gets to keep the product they "reviewed" as payment, as well as an extra cash reward in some cases.
Security researchers from SafetyDetectives uncovered an open ElasticSearch database linked to one such operation on March 1, 2021. More than 13 million records, the equivalent of 7 gigabytes of data, were hosted in the open, without any form of password protection or encryption.
The database included email addresses as well as WhatsApp and Telegram phone numbers for vendors taking part in the scam. Messages linked to reviewers had directly and indirectly identifiable personal data, including over 75,000 links to Amazon accounts and profiles, PayPal account email addresses, other email addresses, and "fan names" that are believed to be usernames but could contain names and surnames.
Vendors were also provided email addresses of reviewers to contact, including 232,664 Gmail addresses, though that figure also includes duplicates. In total, including Amazon vendors compromised via contact details, the researchers estimate that between 200,000 and 250,000 people were affected.
While the server was based in China, it seems the leak may have primarily affected Europe and the United States, though the details could easily apply to any country in the world. The owner of the server is unknown, but it is anticipated that if discovered, they could be subject to punishments from consumer protection laws.
Vendors paying for fake reviews may also face sanctions from Amazon itself for breaking its terms of service. Individuals reviewing products could face penalties, depending on their country of residence and whether law enforcement or regulators are interested in prosecution.
Fake reviews are a major problem for any digital storefront, and this includes Apple. In February, a wave of fake reviews prompted criticism of Apple for not doing enough to combat them, while in April, one app scam was found to be grossing over $1 million in revenue per month.
Comments
It analyzes the quality of Amazon reviews.
I've been pleased with my purchase experience since I began using it.
Easy to use, but as with all things, your mileage may vary.
Fake reviews--not to mention fake products--undermine Amazon's business. As it stands, there are many products I will not buy on Amazon from third party sellers when it's an item with a known history of counterfeits, which could be anything from razor blade cartridges to products from high end designers. I know that even when Amazon is the seller, it's not completely immune from counterfeit products, but at least I know that's unintentional and not part of its business model.
I also will not buy any non-brand name product, even with great reviews, until after I check them through Fake Spot--it's not foolproof, to be sure, but it's better than nothing. The vast majority of times, I find that great reviews for non-brand names fail a Fake Spot analysis, and I'm always pleasantly surprised when even a "B" rating is returned for accuracy.
I just recently had a problem. I buy machine tools and measuring equipment for my shops. Mostly NOT from Amazon, but I do buy small stuff. I saw a listing for a small measurement tool from a high quality American manufacturer, PEC. It was for a blemished tool. Manufacturers often sell slightly blemished tools if the blemish is minor and doesn’t affect the tool other than for looks. Most tools become blemished shortly after you buy them anyway, so I thought I’d buy it.
The company did send me an e-mail saying they would refund me the money if I sent it back to them, using the e-mailed label. I said I wasn’t going to spend all that time doing it. They finally agreed to send me half my money, and I could keep the product. Now, they know that if they make good for that customer, no further action by Amazon will be taken. But several people who had been taken in by this didn’t seem aware that they could fix their problem, and that’s what scammers count on. Meanwhile, they did send a couple of people the right tool, to show that that’s what they really meant to do all the time.
So sure, do we really think they care about the fake reviews? Ha!
The result? Apple made it public. At least 90% of Apple branded small products sold on Amazon were fakes! 90%, people. I suspect that’s where a lot of those trash Apple branded cables come from. And likely, it’s not just Amazon. Other places such as eBay, and even some major retailers are selling these fake products. I only buy Apple branded products direct from Apple, never anywhere else.
But Belkin has been known to have this problem too. We’re even seeing major, trusted Chinese brands being copied by other Chinese companies with fake copies.
The only thing that will force companies to stop allowing these problems is if it’s legislated. If Amazon, and other companies, such as eBay, Etsy and others are forced to pay the customer each and every time they have a problem with a scam, or fake review, then they would work out which was more expensive for them, fixing the basic problem, or paying customers the cost of the product.
If this causes some people who do this, or who are thinking of doing this, from actually doing it, then it’s served some useful purpose.