Hackers are targeting the growing
population of third-party sellers on Amazon.com Inc., using stolen
credentials to post fake deals and steal cash.
In recent weeks, attackers have
changed the bank-deposit information on Amazon accounts of active sellers to
steal tens of thousands of dollars from each, according to several sellers and
advisers. Attackers also have hacked into the Amazon accounts of sellers who
haven’t used them recently to post nonexistent merchandise for sale at steep
discounts in an attempt to pocket the cash, those people say.
The fraud stems largely from
email and password credentials stolen from previously hacked accounts and then
sold on what’s dubbed the “dark web,” a network of anonymous internet servers
where hackers communicate and trade illicit information. Such hacks previously
have favored sites such as PayPal Inc. and eBay Inc., but Amazon
recently has become a target of choice, according to cybersecurity experts.
“Hacking Amazon is
becoming…increasingly a big deal,” said Juozas Kaziukėnas, chief executive of
Marketplace Pulse, a business-intelligence firm focused on e-commerce. “The
value to be gained is bigger as Amazon grows.”
While the precise scope and
financial impact of the Amazon attacks are unclear, some sellers say the hacks
have shaken their confidence in Amazon’s security measures. Such third-party
merchants are critical for Amazon’s retail business, with more than two million
sellers on the site accounting for more than half of its sales, including more
than 100,000 sellers who each now sell in excess of $100,000 annually.
An Amazon spokesman said the
company “is constantly innovating on behalf of customers and sellers to ensure
their information is secure and that they can buy and sell with confidence.”
The company withholds payment to sellers until it is confident customers have
received their orders, and guarantees a full refund if a product doesn’t arrive
or isn’t as advertised. Sellers who lost money will be made whole. “There have
always been bad actors in the world who try to take advantage of consumers for
financial gain; however, as fraudsters get smarter so do we,” the spokesman
added.
CJ Rosenbaum, a New York-based
lawyer who represents Amazon sellers, says that more than a dozen of his
clients have recently called to tell him they were hacked, a number of whom
lost about half of their monthly sales of $15,000 to $100,000. They are asking
Amazon for their money back, Mr. Rosenbaum said.
Lightning X Products Inc. had
$60,000 evaporate from its Amazon account last month, said Andy Spivey, product
manager of the Charlotte, N.C.-based bag maker. Mr. Spivey said Amazon notified
him of suspicious activity, but by the time he logged in, the bank account info
had been changed.
Lightning X has gone through its
emails and scanned its systems for an attack. “We’re not sure how they gained
access to the account,” Mr. Spivey said. Amazon told him Friday the money will
be returned, he said.
Hacks of dormant Amazon seller
accounts in particular have increased since mid-March, to more than 20 some
days from the low single-digits earlier this year, according to Marketplace
Pulse, which monitors seller activity on e-commerce sites.
In many cases, criminals create
thousands of new listings for electronics or other goods at half price and mark
them for four-week shipping, hoping to collect payment before Amazon realizes.
Margina Dennis, who rarely uses
her seller account, discovered she had been hacked late last month when she
started to receive notifications to ship Nintendo Switch videogame systems. She
notified Amazon immediately that she hadn’t listed the device, but Amazon still
tried to charge her for unreceived items, she said.
“This has been a nightmare,” said
the makeup artist, who said Sunday afternoon she was still waiting for
resolution.
Amazon declined to comment on
individual sellers.
Handmade jewelry seller Amy
Jennings faced a similar plight when thousands of notifications for sales of
fraudulent items ranging from gun holsters to Easter eggs pinged an app on her
phone, draining the battery. She could see customer complaints, but hackers had
locked her out of her account. Amazon told her it is investigating, she said.
Cybersecurity experts say that in
some cases the hackers have been buying account information from previous hacks
of other companies. More than 2.6 billion email addresses and passwords have
been stolen in total from companies including Adobe Systems Inc., Myspace,
and LinkedIn Corp., according to warning website Haveibeenpwned.com.
Those credentials typically sell
for between $1 and $3 apiece, sometimes accompanied by hacking tutorials.
Experts said protecting against
such fraud is relatively simple. Sellers should be using unique passwords and
enable two-step verification, which sends a telephone prompt before allowing a
login, said Alex Holden, chief information security officer of Hold Security
LLC, a firm that specializes in locating stolen online credentials.
Mr. Holden also advises sellers
to set Amazon notifications for email alerts anytime anything is changed on the
account. In the new world, passwords are “the keys to your shop,” he said. “You
don’t lose them, because you get burglarized.”
Experts also suggest consumers
beware if a popular item—such as the Nintendo Switch—seems priced too good to
be true. Shoppers should watch out for suspiciously low prices, a high number
of negative reviews and sellers that haven’t received a new review in months or
even years, they said.
Click here for the original article from Wall Street Journal.