The Amazon marketplace, which generates at least $50 billion in sales a year from millions of sellers, has become a retail economy by itself. This has made cyber crime against those marketplace sellers a potentially very lucrative operation, often possible without even being in the same country.
We've been noticing dozens of stories from hacked sellers on various forums. Here are some of the most recent ones:
- DESPERATE - $220,000 Was Stolen from My Amazon Account
- Hacked Account for USA Seller .. $134,000 sent to Croatia
- Seller account compromised ($100k+ sent to unknown bank account)
- Help! Seller Account Hacked, $86,300 sent to unknown account in Croatia
- Help my Amazon Seller Account has Been Hacked - $70k Payment sent to Hacker
- Amazon Hacked, Bank Account Changed, 79K$ Settlement Going to Bogus Acct
Many of the affected sellers are sizable businesses. The seller missing the $220,000 bi-weekly payment has sales of $5-10 million a year.
The issue here is not whether hackers are successful at defrauding Amazon, but the amount of time it takes for sellers to receive their money, and the impact this has on their cash flow. Most of these sellers found themselves having to wait for weeks to get the issue resolved. One of the sellers we talked to said:
"The hack affected our Amazon.com, Amazon.ca and Amazon Payments disbursements. All three of them were held for a month, which totaled nearly $70,000. It was definitely a cash flow issue which caused us to delay payments to a few of our vendors. Thankfully, we were healthy enough as a company to make it a month without that money."
The fact that changing bank details to a foreign bank account doesn't raise any flags is alarming. Many systems wouldn't allow crucial details like business and bank information to be changed without multi-step verification. Amazon is working on this, but it's been surprising to see how long it has already taken given the dozens of public cases.
Meanwhile, we've been hearing stories about Amazon Germany, where Amazon has implemented automated protection for sellers but has made it too strict. Sellers found themselves locked out of their accounts after updating bank details, or even just logging in from a new computer. This protection is clearly meant to catch fraudulent activity, but has backfired on legitimate sellers. Sellers also found that it would take days or even weeks to get the account back to normal.
So while in the US the issue has been a lack of automated security checks, in Germany the checks were implemented too strictly. Amazon is a technology company looking to find a technology solution to this, but we'd rather see them allocate more staff to handle seller support issues.
We first became aware of the hacked sellers issue in March, when we wrote "Fraudsters Are Using Hacked Amazon Seller Accounts to Scam Buyers". We wrote at the time:
"During the past few days we detect roughly 75 new scam sellers every day, out of which 20 or so are previously dormant, and now hijacked accounts."
Security expert Brian Krebs, in "How Cybercrooks Put the Beatdown on My Beats", said: "The sad reality is that hacked Amazon seller accounts have been available for years at underground shops for about half the price of a coffee at Starbucks." He then added:
"...it’s likely to have been from a site like SLILPP, a crime shop which specializes in selling hacked Amazon accounts. Currently, the site advertises more than 340,000 Amazon account usernames and passwords for sale.
The price is about USD $2.50 per credential pair. Buyers can select accounts by balance, country, associated credit/debit card type, card expiration date and last order date. Account credentials that also include the password to the victim’s associated email inbox can double the price."
At $2.50 for an Amazon account, the possible ROI is big. Not all of them are seller accounts, but accounts can be filtered by seller status too. Having obtained a list of accounts, a hacker can either use a seller account for scamming or, if it belongs to an active seller, try to steal their payments.
There are many ways sellers can better protect themselves against this (if you are one, enabling two-factor authentication is the first step), but hackers will continue to try to get around them. Phishing attacks targeted at sellers have become very common lately. Crime is moving online in most industries, and sellers on Amazon are among the targets. Businesses need to actively monitor their security practices and train staff to avoid jeopardizing the whole business.
Previously, thieves had to break into brick-and-mortar stores or warehouses and grab what they could carry. Imagine paying $2.50 and walking away with $220,000 without leaving your house.