A fake Amazon review scheme has been uncovered after scammers left a misconfigured database open to the internet.
The exposed server contained 7GB of data, amounting to over 13 million records. These included contact details for vendors, including email addresses and phone numbers, along with the surnames, email addresses, PayPal accounts and Amazon profiles for product reviewers.
In total, around 75,000 Amazon accounts and over 230,000 Gmail addresses were discovered. Factoring in other email accounts and duplicate emails, this potentially implicates between 200,000 and 250,000 people in the scam.
The China-based Elasticsearch server, which lacked any encryption or password protection, was discovered by cybersecurity researchers at SafetyDetectives. They discovered the database on March 1st. After monitoring the server, it was secured on March 6th.
The team outlined how the scam works.
Vendors provide the reviewers with a list of products they want a five-star review for. The fake reviewers then buy the requested products and leave a five-star review on Amazon after receiving their goods.
Once done, the reviewer messages the vendor with a link to their Amazon profile and their PayPal details. The vendor then refunds the reviewer through PayPal, with the purchased items forming their payment.
The leak included details explaining how reviewers can avoid detection, such as waiting between five and seven days before providing a review, and ensuring it meets a certain word length.
Since the refund goes through PayPal and not directly through Amazon’s platform, it makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators, SafetyDetectives noted.
While the scams are illegal, the researchers noted that some of the vendors paying for the reviews may not be acting in bad faith. The scammers present themselves as a legitimate business advertising “free product trials” as part of a “Reviewer Reward Program”.
However, the act would still violate Amazon’s terms of service, which could see the company suspend a vendor’s account.
The researchers said that while it is unclear who exactly is behind the scam, the breach reveals insights into how Amazon review scams work.
“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors,” the group said in a statement.
“What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”
Fake Amazon reviews have been an issue for years. A Which? investigation from earlier this year discovered websites that were selling fake five-star reviews. The ten websites offered different packages, including bulk rates that sold 1000 reviews for £8000.
In addition, some of the sites boasted that their fake reviews could earn a product an ‘Amazon’s Choice’ in as little as two weeks. The investigation warned that five of the sites had made over 702,000 reviews.
While Amazon has been battling to contain fake reviews, both the Which? and SafetyDetectives investigations demonstrate the scale and persistence of the problem.