TheDomains.com

Attacker gives Amazon fake details from a whois query, and gets real address

February 5, 2016 by Raymond Hackney

A former Amazon software developer had his account information given away by, of all companies, Amazon.

It seems that this all started with domain registrations: for some reason, Eric Springer used the address of a hotel instead of his own. He writes on Medium.com: “It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my ip address would match up with it.”

Now, I am not sure why he just wouldn’t pay for privacy, but it seems like someone did a whois query, contacted Amazon with the bogus info, and got Springer’s real info.

Springer found out about everything after receiving a thank you from Amazon for contacting them.

He details three separate attempts to get the last 4 digits of his credit card.

The article was summed up with some tips:

After being the victim of these attacks for months, I’d like to make some recommendations for services:

  • NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
  • Show support agents the IP address of the person connecting. Is it a usual one? Is it a VPN/Tor one? etc. Give them a warning to be suspicious.
  • Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my fastmail account which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
  • Please make whois protection default. Mine leaked because a stupid domain I didn’t care about had its Namecheap whois protection expire.

For users, be extremely careful with the information you share. Even big companies like Amazon can’t keep it safe, they’re far from the worst.

Filed Under: Amazon, Security

About Raymond Hackney

Raymond is a writer, domain trader and consultant based in Pennsylvania. Raymond is the founder of 3Character.com and TLDInvestors.com.


Comments

  1. Tony says

    February 5, 2016 at 4:53 pm

    Whois protection is quite expensive, sometimes more so than a domain itself.

    There should be a one off fee to cover a portfolio.

    I know there are corporate services but there's plenty of individuals with say 5-20 domains or so where the charges are just not economical.

    • janedoe says

      February 5, 2016 at 11:28 pm

      Some offer free privacy protection

      • Tony says

        February 6, 2016 at 4:03 am

        There are some but these are often 1st year promos that then shoot up in the following years. Others seem to price it in so not really free. Also if you need to transfer the domains they will ask for a year's registration which may be much more than your current registrar. Then just to add to this if you’ve got domains using the new gTLDs this can further complicate it.

        I’m open to any places you know of which may assist so please fire away.

    • Alexis says

      February 6, 2016 at 2:56 am

      There are many domain registrars that offer free WHOIS privacy. Here is a list (I am not affiliated with any of the websites listed):
      http://www.registrarowl.com/report_registrar_free_whois_privacy.php

      • John says

        February 6, 2016 at 3:09 pm

        Do your own. Register a domain name, i.e., http://www.noneofyourfreakingbusiness.com, get a PO box and make your whois reflect something like

        domainname.com
        Private Registration
        PO Box 2016
        city/state/zip
        email contact, myinfois@noneofyourfreakinbusiness.com

        Your account can have your real name etc. I’ve done this for 12 years. Have not paid for privacy.

        Now Uniregistry offers free privacy, and Moniker was $1.00, which was reasonable, but they ruined that place IMO.



Copyright ©2022 TheDomains.com — Published by Worldwide Media, Inc. — Site by Nuts and Bolts Media