Cybersecurity researchers have discovered an unsecured database exposing a widespread scam in which Amazon customers write fake reviews in exchange for free products from Amazon vendors. Whoever operated the scheme left more than 13 million records in an Elasticsearch instance reachable from the internet without authentication, exposing a large-scale fake-review operation that implicates independent Amazon vendors and ordinary users in unethical and illegal behaviour.
“The server contained a treasure trove of direct messages between Amazon vendors and customers… potentially implicating more than 200,000 people in unethical activities,” the researchers wrote. “While it is unclear who owns the database, the breach demonstrates the inner workings of a prevalent issue affecting the online retail industry.”
The data, which totals 7GB and relates to more than 200,000 individuals, was discovered by researchers working on behalf of antivirus specialists SafetyDetectives, who found the server on 1 March 2021 and monitored its status over the following days; it was locked down on 6 March. The unsecured server appears to be physically located in China, but the data relates to individuals in both Europe and the US.
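The root cause described above is a common one: an Elasticsearch node bound to a public interface with security disabled, so anyone who finds port 9200 can list and dump every index. The configuration below is an added illustration, not anything from the researchers or the leaked server, and the hostnames and index name are placeholders. It contrasts the kind of elasticsearch.yml that produces an open database with one that keeps the node private and authenticated. Note that Elasticsearch 7.x shipped with `xpack.security.enabled` defaulting to false; 8.x enables security by default, but an explicit `false` or a legacy config carried forward still reproduces the exposed state.

```yaml
# --- WEAK: reproduces the "open database" condition (do not deploy) ---
cluster.name: reviews-cluster            # placeholder name, assumed for illustration
node.name: node-1
network.host: 0.0.0.0                    # listens on every interface, including the public one
http.port: 9200
xpack.security.enabled: false            # no authentication: GET /_cat/indices works for anyone
discovery.type: single-node

# --- HARDENED: same node, private and authenticated ---
cluster.name: reviews-cluster
node.name: node-1
network.host: 10.0.1.20                  # placeholder private address; bind only to the internal network
http.port: 9200
xpack.security.enabled: true             # require credentials / API keys on every request
xpack.security.http.ssl.enabled: true    # TLS on the HTTP API
xpack.security.http.ssl.keystore.path: certs/http.p12    # placeholder path, assumed
xpack.security.transport.ssl.enabled: true
xpack.security.transport.ssl.keystore.path: certs/transport.p12
xpack.security.transport.ssl.truststore.path: certs/transport.p12
discovery.type: single-node
```

A quick check for the weak state from outside the host is an unauthenticated `curl -s http://HOST:9200/_cat/indices?v`: an index listing with a 200 status means the cluster is exposed exactly as the one in this story was, whereas a hardened node answers 401 (or refuses the connection entirely if it is bound to a private address and firewalled). Binding to a private address is the defence that still holds when someone later toggles security off.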
The database contained records involving roughly 200,000 – 250,000 users and Amazon marketplace vendors including user names, email addresses, PayPal addresses, links to Amazon profiles, and both WhatsApp and Telegram numbers, as well as records of direct messages between customers happy to provide fake reviews and traders willing to compensate them.
According to the team, the leak may implicate “more than 200,000 people in unethical activities.”
The database, and the messages contained in it, revealed the tactics used by dubious sellers. In one method, a vendor sends a customer a link to the products they want 5-star reviews for, and the customer buys the item at full price.
Several days later, the customer leaves a positive review and messages the vendor, who then pays the customer via PayPal, typically framed as a 'refund', while the customer keeps the item for free.
Because the refund is paid through PayPal rather than through Amazon, the platform never sees a transaction linking vendor and reviewer, which makes paid reviews much harder to detect.
Messages on the server included the fake reviewers' Amazon and PayPal account details and email addresses. Vendors' email addresses were exposed as well, together with their WhatsApp and Telegram contact details.
“Although a lot of people providing fake reviews likely know what they’re doing, we must also highlight how vendors don’t advertise that fake reviews are illegal,” the cybersecurity researchers said. “Unassuming people may have been targeted by Amazon vendors with the offer of free products in return for a review.”
“We want Amazon customers to shop with confidence knowing that the reviews they read are authentic and relevant,” an Amazon spokesperson commented. “We have clear policies for both reviewers and selling partners that prohibit abuse of our community features, and we suspend, ban, and take legal action against those who violate these policies.”