Amazon Vendor Scams

If you listen to “What the Hack with Adam Levin,” you may already know this story. During the week before Donald J Trump’s Presidential inauguration, there was a ransomware attack on the D.C. police’s closed-circuit camera system. A frantic investigation involving multiple, international law enforcement agencies, including the Secret Service, tracked down the attackers in Romania, but not before mistaking an innocent Amazon shopper in the United Kingdom as the culprit. 

The dots connecting the D.C. ransomware attack, the compromised computer in the U.K. and the Romanian cyber criminals? A single purchase on Amazon.com of a literal (culinary) smoking gun. While it may seem like money laundering, it’s a bit more complex. The criminals were using stolen credit card numbers to buy real merchandise, and then fence it at an attractive price through Amazon vendor accounts. They then used their ill-gotten gains to pay for Ransomware as a Service software, which they used to extort money from random targets–including the presidential inauguration. 

How can Amazon.com purchases be tied to cyber crime?

Amazon.com accurately describes itself as “Earth’s biggest store.” The online retailer offers more than twelve million products. If merchandise isn’t available directly from Amazon, it can often be purchased through its network of independent merchants. Prices and delivery times may vary, but to end customers, the process is seamless. 

Amazon’s vendor offering unfortunately provides criminals with a way to tap into stolen credit card credentials. The Romanian gang accessed compromised credit cards via the dark web, used the stolen credit card to buy items from legitimate vendors, and then sold the purchased items online to legitimate customers. It’s tempting to call it money laundering, but what we’re actually talking about here is “credit laundering.”

The scam takes advantage of another seamless consumer experience: the fraudulent charge. Most of us have had fraudulent charges pop up on a credit card, and have forgotten about it as soon as we re-entered the new number in whatever online accounts were connected to the compromised account. Credit card companies have learned how to deal with fraud, and the losses are built into their profit and loss calculations. If a product is bought with a stolen credit card, the credit card company or the seller pays for the transaction. The customer receives their order, and the criminal has real money where once they had someone else’s untapped credit. 

You can hear more about the the Romanians behind the attack discussed on “What the Hack”. But if you want a thumbnail sketch: The bumblers didn’t know they had targeted closed-circuit cameras that were integral to the security of a presidential inauguration. They were just doing their busy-bee criminal thing, and flew into a Secret Service-powered bug zapper. 

How Can You Avoid Funding International Crime?

Unfortunately, there’s no easy way for customers to identify this sort of scam. A vendor doing business, accepting legitimate payments and delivering the ordered item is hard to recognize. The only possible hint will be a cheaper retail price. Since the merchandise was purchased with a stolen credit card number, it can be fenced at a better price. 

Most customers will never know unless they happen to find themselves connected to a high-profile ransomware attack by international law enforcement operations. 

The best advice is to stick with products sold directly via Amazon.com (or other major online retailers) or to shop at local brick and mortar stores.