Sunday, May 09, 2021, 12:18 PM EDT
Data Breach Exposes Fake Amazon Reviews Scam Implicating Thousands Of Unethical Behavior
Last week, cybersecurity researchers discovered an open Elasticsearch database that exposed an extensive fake Amazon reviews scam ring. The database contained millions of direct messages between Amazon vendors and upwards of 200,000 customers willing to provide fake reviews in exchange for free products. It is presently unknown who owns the database, but it shows the nasty underbelly of some Amazon vendors and online retail.
The SafetyDetectives cybersecurity team’s discovery of this Elasticsearch database proved to be incredibly interesting and valuable as it outlined how Amazon vendors went about getting the fake reviews. The team reported that Amazon vendors send to reviewers, or an intermediary company, a list of products they would like 5-star reviews for. Then, the people providing the reviews are sent a link to buy the product and leave a review as a “verified purchaser.” Afterward, the vendor will check the review and provide a refund to the reviewer over PayPal, making it very hard for Amazon to track.
The data found by the team equated to around 7GB on the completely open and exposed Elasticsearch server, with the personal data of people providing fake reviews as well as guilty Amazon vendors appearing in messages throughout. Vendor information such as email addresses as well as WhatsApp and Telegram phone numbers were exposed, while bogus reviewers had email addresses and usernames, which often contained real names and surnames, and upwards of 75K links to personal Amazon accounts. Overall, it is estimated that around 200,000 to 250,000 people from around the world are affected by or involved in this leak and scam ring.
Interestingly, the SafetyDetectives team were unable to identify the owner of the Elasticsearch server and therefore “could not notify the company in question regarding this security issue.” However, it was discovered that the server was secured several days later, which made it inaccessible by any other interest.
Aside from the security issue, as the SafetyDetectives post explains, “whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.” If Amazon happens to get their hands on this data, the etail giant will have an easy time taking out vendors and accounts running this scam to boost product reviews illegitimately.
Ultimately, it would be good to see this takedown happen as vetting quality products on Amazon can sometimes be difficult, especially with fake reviews skewing real life experiences with products.