An opsec-illiterate scammer has accidentally exposed more than 13 million data records via an open ElasticSearch database, relating to a large-scale fake review scam implicating independent Amazon vendors and users in unethical and illegal behaviour.
The data, which totals 7GB and relates to more than 200,000 individuals, was discovered by researchers working on behalf of antivirus specialists SafetyDetectives, who found found the server on 1 March 2021 and monitored its status over the next few days – it was locked down on 6 March. The unsecured server appears to be physically located in China but the data relates to individuals in both Europe and the US.
“We were unable to identify the owner of the ElasticSearch server,” the team said. “As a result, we could not notify the company in question regarding this security issue.
“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors. Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products.
“The server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors.
“What is clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”
The process of procuring fake reviews on Amazon that was exposed in the leak works as follows. The vendors send to people who are prepared to leave fake reviews a list of products for which they would like a five-star review on Amazon. These people then buy the products and leave the review, at which point they send a message to the vendor containing a link to their Amazon profile and, crucially to the scam, their PayPal details for a “refund”. They get to keep the product they bought.
By actioning the refund process through PayPal, said SafetyDetectives, the process makes the review appear legitimate, and avoids arousing attention from Amazon’s moderators.
The data relating to the vendors included contact details, email addresses, and telephone numbers linked to WhatsApp and Telegram accounts used to communicate with reviewers. The data related to the fraudulent reviewers included multiple items of personally identifiable information (PII) including 75,000 links to their Amazon accounts and profiles, PayPal account details, 232,664 Gmail addresses, and usernames – many of which contained real names.
As the activity is against Amazon’s terms of use – and is unlawful – it is unlikely that any of the victims will have any form of official recourse. However, some of them may have been inadvertently tricked into taking part in the scam, said SafetyDetectives.
“Although a lot of people providing fake reviews likely know what they’re doing, we must also highlight how vendors don’t advertise that fake reviews are illegal,” the team said. “Unassuming people may have been targeted by Amazon vendors with the offer of free products in return for a review. Vendors use ‘professional’ language to present the offer as legitimate trade, utilising phrases like ‘testing’ and ‘free product trials’ when they message prospective reviewers. This is certainly the case in the database we detected.
“Without knowledge of marketing law, Amazon terms of service or the wider impact that fake reviews can have, some individuals may think nothing of collaborating with an Amazon vendor to conduct a fake review.
“When considering those who are implicated in this breach, and the impacts they could face because of this exposure, we should be mindful that some of these reviewers have been misled themselves.”
The vendors involved can be sanctioned in a number of ways, usually by having their Amazon accounts terminated permanently, and pending earnings withheld by Amazon. The reviews themselves will be removed from any product page found to contain them, and that product will not be able to receive reviews or ratings in the future.
Amazon also retains the right to name and shame the vendors involved and may pursue legal action against them in jurisdictions where paying people to leave fake reviews is illegal. In the US, for example, the Federal Trade Commission provides for maximum fines of over $10m for using deceptive marketing tactics.
The individual reviewers involved may also be legally prosecuted. In the US, fines can be as high as $10,000 and some have received prison terms, although if the reviewer can provide evidence that they were duped, punishments may be lighter.
The owner of the server, if identified, would naturally face investigations under various legal regimes, including the General Data Protection Regulation (GDPR).
More on the SafetyDetectives investigation, including guidance on how to spot fake reviews and prevent data exposure in similar breaches, can be read on the firm’s disclosure blog.