I must admit: It’s been some time. But this particular topic is not only interesting but also critically impacting some people’s privacy.

Some things are shocking: Can a big company such as Amazon put your details at risk? Can Amazon easily be social engineered?

As of today we know: yes, and it's even easier than you might have thought. Eric Springer, who runs virtual instances over at Amazon (spending over $600 per month), wrote a blog post on how his Amazon account was social engineered and how he noticed it.

Basically, the attacker always used the same pattern:

  1. Go to the Amazon chat or phone support
  2. Use an address within the same zip code (e.g. a hotel) to pass verification
  3. Ask where the last shipment was sent to
  4. Amazon will leak the address of the last shipment

Amazon should really implement something like a customer service security PIN that can only be viewed and set from within the account. Looking forward to hearing the response from Amazon.