Misconfigured Database Exposes 200K Fake Amazon Reviewers

Authored by infosecurity-magazine.com and submitted by Alpra_Creem

A misconfigured database has exposed what appears to be a major coordinated scheme by Amazon vendors to procure fake reviews for their products.

A team at AV reviews site SafetyDetectives found the China-based Elasticsearch server exposed online without any password protection or encryption.

The 7GB trove contained over 13 million records including the email addresses and WhatsApp/Telegram phone numbers of vendor contacts, plus email addresses, surnames, PayPal account details and Amazon account profiles of reviewers.

According to SafetyDetectives, fake review scams typically begin with vendors sending their reviewer contacts a list of products for which they would like a five-star review.

After leaving the review and sending the vendor a link, the reviewer will be paid via PayPal to compensate them for the product purchase and will be allowed to keep the product itself as payment. The reviews site claimed that the leak implicated around 200,000 individuals in such schemes.

The SafetyDetectives team discovered the database on March 1 and it was secured around a week later, although the researchers weren’t able to track down its owner.

“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors,” it explained.

“Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products. The server could also be owned by a large company with several subsidiaries, which would explain the presence of multiple vendors. What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”

There’s also a potential data security and identity fraud risk for those whose information was exposed in the privacy snafu, SafetyDetectives warned.

ImGoneZero on May 9th, 2021 at 10:12 UTC »

What Amazon really should do is start cracking down on companies that try to offer you a discount, gift card, or free product for leaving a 5-star review.

WhoThenDevised on May 9th, 2021 at 09:20 UTC »

I bought some Chinese headphones on Amazon and they were bad. Not absolute crap but worse than I expected based on the reviews. So I sent them back and wrote a review saying the same thing. After that the seller contacted me multiple times asking me to change my review. They were even willing to send a more premium model at no extra cost. So that's how they get the great reviews. I didn't take the offer, just bought Sony headphones.

roj2323 on May 9th, 2021 at 07:28 UTC »

Finally some good news about a data breach! Hopefully Amazon will quickly purge the fake reviews.