Thursday, May 9, 2019
Redacted UK legal documents filed by Amazon in November 2018 and now publicly available provide insight into a fraud campaign that targeted Amazon's Seller Central platform from May through October 2018. During that time, criminals succeeded in hacking the bank accounts of approximately 100 merchants selling on Amazon.
The extent of damages is not yet known, nor is the identity of the fraudsters responsible. Highlighting the difficulty of identifying thieves hacking automated platforms, lawyers for Amazon asked a judge presiding in a London court to allow them to search account statements at two financial institutions where the hackers are believed to have transferred funds: Barclays Plc and Prepay Technologies Ltd.
Amazon lawyers stated in the company's court filing that it required the documents "to investigate the fraud, identify and pursue the wrongdoers, locate the whereabouts of misappropriated funds, bring the fraud to an end and deter future wrongdoing."
While it has not yet officially been determined how thieves were able to change bank details of the victimized sellers, Amazon stated it believes the sellers succumbed to phishing attacks through which they provided hackers with their account details. This enabled the fraudsters to abscond with funds in the accounts and redirect incoming funds to their own accounts at Barclays and Prepay Technologies. Both monies received through sales and funds from loans Amazon made to sellers were stolen.
It remains undetermined how much was stolen from the nearly 100 merchants victimized, but the sum could be considerable. Amazon stated that in 2018, it provided over $1 billion total to sellers through its Amazon Capital Services. Loans are in the form of advances on future sales, and merchants have one year to pay them back.
In "Email-related fraud threats grow," Patti Murphy, senior editor at The Green Sheet, wrote, "Retailers are the most at risk for phishing – one of the most popular types of Internet fraud. According to Symantec, one in every 690 emails received at retailing companies in 2015 were phishing attempts. At finance, insurance and real estate firms, phishing accounted for one in every 2,200 emails. Few, if any, spammers work alone, and the criminal enterprises they ally with have grown increasingly sophisticated, just like the technologies they exploit. For example, advanced phishing kits trade online for between $2 and $10 and require little technological savvy to operate, the Symantec report noted."
Murphy added that according to Symantec, any business would err to think today's sophisticated security technologies and controls will shield them from phishing attacks, as long as they "rely on the capability of its employees to detect advanced and targeted phishing campaigns."
Greater awareness among merchants, large and small, of threats they are facing would go a long way toward reducing losses to fraud. So would use of stronger credentials. "Strong credentials are the best defense against online traps and phishing attacks," Nehal Mehta, president at GeoAcl LLC and Rainbow Password, told The Green Sheet in January 2019. "However, the process of creating complex passwords should not be stressful or burdensome." For example, a large password may be difficult for a hacker to guess but can also be difficult for a user to manage and remember. "We believe in simplicity and what we call password hygiene," Mehta added.