SafetyDetectives Cybersecurity Team wrote an article titled Amazon Fake Reviews Scam Exposed in Data Breach (6 May 2021).
« The SafetyDetectives cybersecurity team uncovered an open ElasticSearch database exposing an organized fake reviews scam affecting Amazon.
The server contained a treasure trove of direct messages between Amazon vendors and customers willing to provide fake reviews in exchange for free products. In total, 13,124,962 of these records (or 7 GB of data) have been exposed in the breach, potentially implicating more than 200,000 people in unethical activities. »
« How the Process Works
The information found on the open ElasticSearch server outlines a common procedure by which Amazon vendors procure ‘fake reviews’ for their products.
These Amazon vendors send to reviewers a list of items/products for which they would like a 5-star review. The people providing the ‘fake reviews’ will then buy the products, leaving a 5-star review on Amazon a few days after receiving their merchandise.
Upon completion, the provider of the fake review will send a message to the vendor containing a link to their Amazon profile, along with their PayPal details.
Once the Amazon vendor confirms all reviews have been completed, the reviewer will receive a refund through PayPal, keeping the items they bought for free as a form of payment.
The refund for any purchased goods is actioned through PayPal and not directly through Amazon’s platform. This makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators. »
« The server appeared to be located in China, and it is thought the leak affected citizens from Europe and the USA (at a minimum). In reality, the leak could have affected individuals from all corners of the world. »
« *Records that were unrelated to messages between vendors and reviewers were written in Chinese, which is why we assume the owners of the server were located in China. »
« We were unable to identify the owner of the ElasticSearch server. As a result, we could not notify the company in question regarding this security issue. Nonetheless, the server was secured a few days later, making it inaccessible to outside parties. »
« Third-parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products. »
« In several countries, paying people to conduct fake reviews is an illegal practice that damages the rights of consumers. If a company purchasing fake reviews is based in the United States, it would face lawful action from the Federal Trade Commission (FTC). Using deceptive marketing tactics could land a US-based vendor with a heavy penalty of more than $10 million. »
« Fraudulent reviewers with thousands of fake reviews to their name can pay penalties of more than $10,000, and they could even receive a jail sentence. The severity of these punishments would depend on whichever jurisdiction is in control of the investigation. »
« SafetyDetectives.com is the world’s largest cybersecurity review website. The SafetyDetectives research lab is a pro bono service that aims to help the online community defend itself against cyber threats while educating organizations on how to protect their users’ data. The overarching purpose of our web mapping project is to help make the internet a safer place for all users. »
Articles of Interest 