Hackers are targeting merchants who sell goods on Amazon’s marketplace.
According to reports in the Wall Street Journal, cybercriminals have over the last several weeks changed the bank deposit information on the Amazon accounts of active sellers in order to steal tens of thousands of dollars from each, several sellers and advisers said. Amazon sellers have also reported that criminals have hacked their accounts to post nonexistent merchandise. These are sellers who have not been actively using their accounts of late, and whose portals are being used to sell fake goods at a deep discount so that the crooks in question can pocket the cash.
The fraud seems to be the net result of other hacks: password credentials are lifted and resold on the dark web to criminals, who then use them to hijack other accounts the same consumers may have, because consumers often recycle passwords with little to no variation. PayPal and eBay have both faced similar hacks of late, though these days Amazon is a favored target, particularly as its “third party marketplace” grows.
“Hacking Amazon is becoming…increasingly a big deal,” said Juozas Kaziukėnas, chief executive of Marketplace Pulse, a business intelligence firm focused on eCommerce. “The value to be gained is bigger as Amazon grows.”
How widespread the Amazon attacks are is still emerging, though the recent wave of expensive hits has made sellers worry about how good Amazon's security measures actually are.
Amazon currently has two million sellers and third party merchants in its marketplace — which collectively bring in more than half of its sales. There are reportedly over 100,000 sellers who make over $100,000 per year.
According to a company spokesperson, “[Amazon] is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence.”
Amazon's spokesman also noted that the firm withholds payment to sellers until it is confident customers have received their orders, and guarantees a full refund if a product doesn’t arrive or isn’t as advertised. Sellers who lost money will be made whole.
“There have always been bad actors in the world who try to take advantage of consumers for financial gain; however, as fraudsters get smarter, so do we,” the spokesman added.
The lawyer for the Amazon sellers, CJ Rosenbaum, notes that over a dozen merchants have sought his aid since being hacked. Most complain of losing about half of their monthly sales and are looking for Amazon to refund their money.
Lightning X Products Inc. is one of the firms hit in the hack — it saw $60,000 evaporate from its Amazon account last month, said Andy Spivey, product manager of the Charlotte, N.C.-based bag maker.
Mr. Spivey did say Amazon tried to warn him of suspicious activity — but by the time he responded to the warning and logged on, it was already too late and his bank account info had been changed.
“We’re not sure how they gained access to the account,” Mr. Spivey said. Amazon told him Friday the money will be returned, he said.
Spivey is a bit unusual in that he is an active seller on Amazon; the more common hack targets dormant Amazon accounts. The standard method there is to create thousands of new listings for highly favored (and highly priced) goods like electronics. Those goods are then marked down and listed with four-week shipping. The goal is to collect the ill-gotten cash before Amazon catches on.
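The two patterns described above (a bank deposit change on an active account, and a dormant account that suddenly posts a burst of deeply discounted, slow-shipping listings) can be written as detection rules. The following is an added example, not code from the article or from Amazon; the event fields, thresholds, reason names and sample data are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for illustration, not values from the article or Amazon.
DORMANT = timedelta(days=90)        # gap that counts as a dormant account
BURST_WINDOW = timedelta(hours=24)  # how soon after waking the listings appear
BURST_COUNT = 100                   # listings needed to call it a burst
DISCOUNT_RATIO = 0.6                # "deep discount": under 60% of category median
LONG_SHIP_DAYS = 21                 # shipping window long enough to delay complaints

def takeover_signals(events, category_median):
    """Return the set of takeover reasons for one seller's time-sorted events."""
    reasons, suspicious = set(), 0
    last_seen = woke_at = last_login_mfa = None
    for ev in events:
        ts = ev["ts"]
        if last_seen is not None and ts - last_seen >= DORMANT:
            woke_at, suspicious = ts, 0   # account just came back from dormancy
        last_seen = ts
        if ev["type"] == "login":
            last_login_mfa = ev["mfa"]
        elif ev["type"] == "bank_change":
            if last_login_mfa is False:   # password alone was enough to get in
                reasons.add("bank_change_after_password_only_login")
        elif ev["type"] == "listing_created" and woke_at is not None:
            cheap = ev["price"] < DISCOUNT_RATIO * category_median[ev["category"]]
            if cheap and ev["ship_days"] >= LONG_SHIP_DAYS and ts - woke_at <= BURST_WINDOW:
                suspicious += 1
                if suspicious >= BURST_COUNT:
                    reasons.add("dormant_account_discount_listing_burst")
    return reasons

# Constructed sample data (not real seller logs).
MEDIAN = {"electronics": 300.0}
T0 = datetime(2020, 1, 1, 9, 0)
WAKE = T0 + timedelta(days=120)
DORMANT_SELLER = [{"ts": T0, "type": "login", "mfa": False},
                  {"ts": WAKE, "type": "login", "mfa": False}] + [
    {"ts": WAKE + timedelta(minutes=i + 1), "type": "listing_created",
     "category": "electronics", "price": 120.0, "ship_days": 28} for i in range(150)]
ACTIVE_SELLER = [{"ts": T0, "type": "login", "mfa": False},
                 {"ts": T0 + timedelta(minutes=5), "type": "bank_change"}]
BENIGN_SELLER = [{"ts": T0, "type": "login", "mfa": True},
                 {"ts": T0 + timedelta(minutes=5), "type": "bank_change"},
                 {"ts": T0 + timedelta(hours=1), "type": "listing_created",
                  "category": "electronics", "price": 280.0, "ship_days": 3}]
if __name__ == "__main__":
    for name, evs in [("dormant", DORMANT_SELLER), ("active", ACTIVE_SELLER), ("benign", BENIGN_SELLER)]:
        print(name, sorted(takeover_signals(evs, MEDIAN)))
```

A flagged bank change is a natural point to hold payouts until the seller confirms the change through a second channel.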
Over 2.6 billion email addresses and passwords have been stolen in total from companies including Adobe Systems Inc., Myspace, and LinkedIn Corp., according to warning website Haveibeenpwned.com, which means hackers have plenty of places to find stolen passwords and personal data on the web. Those credentials usually sell for between $1 and $3 a pop.
The simplest defense against this fraud is to treat passwords like keys: use a unique one for every “door” into one’s digital life, and set up two-factor authentication so that access is harder to gain even if a hacker does have a password.
Experts also suggest consumers beware if a popular item, such as the Nintendo Switch, seems priced in a way that's too good to be true: suspiciously low prices are often a sign of hacking.