A former Amazon software developer had his account information given away by, of all companies, Amazon.
It seems that this all started with domain registrations: for some reason Eric Springer used the address of a hotel instead of his own. He writes on Medium.com: “It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my IP address would match up with it.”
Now I am not sure why he just wouldn’t pay for privacy, but it seems like someone did a WHOIS query and contacted Amazon with the bogus info and got Springer’s real info.
Springer found out about everything after receiving a thank you from Amazon for contacting them.
He details three separate attempts to get the last 4 digits of his credit card.
The article is summed up with some tips:
After being the victim of these attacks for months, I’d like to make some recommendations for services:
- NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, so agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
- Show support agents the IP address of the person connecting. Is it a usual one? Is it a VPN/Tor one? etc. Give them a warning to be suspicious.
- Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my Fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
- Please make WHOIS protection default. Mine leaked because a stupid domain I didn’t care about had its Namecheap WHOIS protection expire.
For users, be extremely careful with the information you share. Even big companies like Amazon can’t keep it safe, and they’re far from the worst.
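Springer’s first two recommendations (refuse account actions unless the requester has logged in, and show the agent where the request comes from) translate directly into a gate a support tool could run before an agent sees a ticket. The following is an added example written for this post, not code from Springer or from Amazon; the account history, the anonymizer address ranges, and the `Account`/`SupportRequest` shapes are all constructed for the demo.

```python
"""Support-request verification gate (added example, constructed data).

Implements the two checks recommended above: a request that is not
backed by a login gets no account data, and the agent is shown whether
the source address is unusual for this account or a known VPN/Tor exit.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed ranges treated as VPN/Tor exits for the demo.
# A real deployment would load a maintained feed here instead.
ANONYMIZER_RANGES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]


@dataclass
class Account:
    email: str
    # Addresses the real owner has actually logged in from (constructed).
    known_ips: set = field(default_factory=set)


@dataclass
class SupportRequest:
    claimed_email: str
    source_ip: str
    authenticated: bool   # did the requester log in before contacting support?
    action: str           # e.g. "reveal_card_last4" or "password_reset"
    supplied_address: str = ""  # details the requester recites to "prove" identity


def is_anonymizer(ip: str) -> bool:
    """True if the address falls in one of the VPN/Tor ranges above."""
    addr = ip_address(ip)
    return any(addr in net for net in ANONYMIZER_RANGES)


def assess(req: SupportRequest, acct: Account) -> dict:
    """Return a decision plus the warnings the agent should be shown."""
    warnings = []
    if is_anonymizer(req.source_ip):
        warnings.append(f"source {req.source_ip} is a known VPN/Tor exit")
    if req.source_ip not in acct.known_ips:
        warnings.append(f"source {req.source_ip} never seen on this account")

    if req.authenticated:
        # Logged-in user: normal handling, but the agent still sees the warnings.
        return {"decision": "allow", "warnings": warnings}

    if req.action == "password_reset":
        # The one permitted unauthenticated path: a reset link goes to the
        # registered email; the agent never reads account data to the caller.
        return {"decision": "send_reset_to_registered_email", "warnings": warnings}

    # Every other unauthenticated request is refused, no matter how much the
    # requester recites about the account (address, orders, last digits...).
    return {"decision": "deny", "warnings": warnings}


def demo():
    """Constructed scenario: an impostor on an anonymizer vs. the owner logged in."""
    acct = Account(email="victim@example.com", known_ips={"192.0.2.10"})
    impostor = SupportRequest(claimed_email="victim@example.com",
                              source_ip="198.51.100.7", authenticated=False,
                              action="reveal_card_last4",
                              supplied_address="fake hotel address")
    owner = SupportRequest(claimed_email="victim@example.com",
                           source_ip="192.0.2.10", authenticated=True,
                           action="reveal_card_last4")
    return assess(impostor, acct), assess(owner, acct)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the structure is that the recited details (`supplied_address`) never influence the decision: knowing someone’s address, which is exactly what leaked through WHOIS here, buys the requester nothing unless they can also log in.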