Security Experts:

Cybercriminals Target Amazon Third-Party Sellers With Password Reuse Attacks

Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account. It should be noted that this is not an attack against Amazon users, but against Amazon third-party sellers.

It would be wrong to say that Amazon is being hacked. Legitimate passwords are being used to access legitimate accounts. These passwords come from the billions of stolen passwords available on the internet. Where there is a fault, it is in users' continued tendency to use the same password across multiple accounts; and to rarely, if ever, change them.

The only real difficulty for the criminals is matching the stolen and reused password to the Amazon account -- and this is not hard. Since almost all services employ the user's email address as the username, it is merely a question of locating a third-party seller, finding the seller's email address, and trying the associated password from the list of stolen passwords. "The attackers are mining the rich seam of stolen credentials publicly dumped or traded in underground forums," ESET senior research fellow David Harley told SecurityWeek. "That way, they only need to match known credentials to Amazon account holders."

Even if the seller's email address is not known, it could possibly be obtained from Amazon itself. "If Amazon is the weak spot, perhaps the registration page?" suggested Sean Sullivan, security advisor at F-Secure. "The 'Create account' page looks like something that could be targeted with a list of addresses, from which could easily be noted those to result in a message of 'email is already in use'. Then you have addresses to try on the sign-in page."

The basic password problem was highlighted in a recent study by Thycotic, which found that even security professionals reuse passwords, use weak passwords, and don't change them over long periods of time. A password stolen from Yahoo years ago might well provide access to other accounts today -- including Amazon.

The result, according  to the Wall Street Journal, is that some sellers are losing thousands of dollars. "CJ Rosenbaum, a New York-based lawyer who represents Amazon sellers, says that more than a dozen of his clients have recently called to tell him they were hacked, a number of whom lost about half of their monthly sales of $15,000 to $100,000. They are asking Amazon for their money back, Mr. Rosenbaum said."

WSJ also reports that "some sellers say the hacks have shaken their confidence in Amazon's security measures." This isn't entirely fair -- all users should do more to protect their passwords: strong, unique passwords that are regularly changed. And wherever possible, two-factor options should be employed.

"It is critical for Amazon resellers to take advantage of Amazon's two-factor authentication to prevent this type of hijacking and phishing activity," comments Sophos' principal research scientist Chet Wisniewski. "All Amazon users should take advantage of this feature, but considering what third party resellers have at risk it is even more important. The easiest method to enable uses a time-oriented token you can load for free on your Android or iOS smartphone. The most popular app to use for this is Google's Authenticator app." Sophos has its own option that can be installed on Android or iOS and enabled in the Amazon or AWS account.

This is not to say that Amazon could not do more to protect its customers. In the desire to make things as easy as possible for customers, services like Amazon (and including almost all services from other ecommerce sites to social networks) do not enforce good password practices. Two-factor authentication is rarely required, and users are not forced to change passwords regularly. The bottom line, however, is that users need to better understand how to generate strong, unique passwords; and to regularly change them.

"There are several steps sellers can take to protect their accounts, including monitoring their account on a frequent basis, updating their password regularly and by using two-factor authentication," an Amazon spokesperson told SecurityWeek in an emailed statement. "If anything looks suspicious, sellers should reach out to Amazon immediately so we can investigate by contacting Seller Support via our urgent help feature in Seller Central. For more best practices, sellers can visit: https://www.amazon.com/gp/help/customer/display.html?nodeId=13832211#security

"There have always been bad actors in the world; however, as fraudsters get smarter so do we," the spokesperson said. "Amazon is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com"

*Updated headline and added commentary from Amazon spokesperson

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.