Data Security Law Blog

Amazon Sellers Hit With Phishing Scheme

Hackers have managed to break into the accounts of 100 sellers at Amazon.com. After stealing seller credentials, the hackers funneled money from the sellers’ accounts—either from sales or loans—into their own bank accounts. It is not clear how much money was stolen in the incident.

Hackers figured out a way to change the account details for the affected sellers on Amazon’s Seller Center, and then siphoned away the funds to their own bank accounts. The breach took place more than six months ago, between May and October 2018, but was disclosed after Amazon filed a redacted document in a U.K. court concerning the incident, in an attempt to gather more information about the attack.

Amazon’s lawyers asked a court in the U.K. for access to seller account statements housed with Barclays and Prepay Technology Ltd. (owned by Mastercard) to permit them to further “investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing.”

It has not been confirmed precisely how the hack was accomplished, except that it appears to have been a “spear phishing” attack: sending emails that appear to come from a known or trusted source to induce the recipient into divulging credentials or other sensitive information. Amazon sellers are reported to have signed into their accounts after receiving a link or other prompt to log in from the phishing email, which allowed the hackers to steal their credentials. According to Security Boulevard, Software-as-a-Service (SaaS) providers like PayPal and web-based email services are now the most common targets of spear phishing attempts for this kind of fraud.

Spear phishing scams have become more common modes of attack. Even the IRS has warned businesses to be on the lookout for spear phishing, as the agency has seen an uptick in attempts against businesses, “payroll companies . . . even tax preparers.”

In the past, there have been reports that hackers with Amazon seller credentials have posted fake items for “sale” on a seller’s page, collecting the sale price for themselves. If the “fake” item is purchased and not delivered, the customer would request a refund, and Amazon generally will charge back the purchase price to the seller. Much of the news coverage concerning this incident has reminded purchasers of the proverbial warning that if a sale looks too good to be true, it probably is. Additionally, experts advise that Amazon sellers should immediately change their account password, even though the group targeted by hackers was relatively small. 

It’s likely that some of Amazon’s own funds were affected by the incident. Amazon Capital Services, which loans funds to select Amazon sellers, issued more than $1 billion worth of loans to its sellers in 2018. Amazon loans cannot be applied for, but are by invitation only after sellers have a one-year track record with the retail giant. At this time, it’s not been confirmed how much of Amazon’s funds might have been affected by the breach.

We’ll continue to follow this developing situation.