Leaky database exposes fake Amazon product reviews scam

The database contained 7GB worth of data including fake Amazon product reviews and PayPal email addresses of scammers among other sensitive data.

Anyone who uses Amazon makes up their mind about a particular product after checking out its reviews. But what if the reviews are fake and misleading?

The IT security researchers at SafetyDetectives discovered a China-based ElasticSearch server publicly available online without any security authentication. The researchers claim that this misconfigured database helped them unearth a well-organized scheme of Amazon vendors to produce fake reviews for their products on the website.

Database Contained Treasure Trove of Clues

Researchers observed that the server contained direct messages between Amazon vendors and customers regarding the provision of fake Amazon product reviews in exchange for free products. There were around 13,124,962 of these records, which amounted to 7 GB of data exposed in the breach.

This implies that over 200,000 people were involved in this unethical practice. The database included email addresses, surnames, reviewers’ Amazon account profiles, vendor phone and contact details on WhatsApp and Telegram, and PayPal account details.

Fake Amazon Product Reviews Scam: A Prevailing Issue

SafetyDetectives revealed that this scam begins when vendors send their reviewers a list of products and ask them to provide a 5-star review, a standard procedure in such scams. Their contacts purchase the products and leave a 5-star review on Amazon a few days later.

Once this is done, the contact sends the vendor a message containing a link to their Amazon profile and their PayPal account details. When the Amazon vendor confirms that the reviews have been accepted, the reviewer receives a refund via PayPal to avoid suspicion and keeps the item they purchased for free.

Fake Amazon product reviews, links to Amazon accounts, and contact details of Amazon vendors all exposed (Image credit: SafetyDetectives)

Database Is Now Secured

The database was discovered on 1st March and was secured around one week later. However, it is currently not clear who owns this database. Still, it is apparent that this is a prevalent issue plaguing Amazon and the entire online retail industry.

The researchers believe that the server isn’t owned by Amazon vendors that are part of this scam but by a third party.

“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors. Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products,” researchers noted.

Or it could be owned by a large firm with different subsidiaries, because multiple vendors were part of the database. One thing is clear, though: whoever owns this server may be held responsible for violating consumer protection laws, and those paying for fake Amazon product reviews will be sanctioned for breaking Amazon’s terms of service.


Source: HackRead
