Monday, December 27, 2021

The Infosec Tower of Babel

If you’re God then confusion makes sense. Making people say the same thing in different languages was effective risk management when it came to shutting down the Tower of Babel APT gang. All of the babbling fools had a problem. What if you saw a loose brick that a co-worker was about to step on, and he would surely fall to his death if he did? You yell out “STOP, the brick is loose,” but in his language you said, “Get me a sandwich.” Well, he tried to. He even landed right in front of the cafeteria, but he never got up again. That’s the problem: if you don’t use the same words to describe the same thing, then you’ll never get your sandwich.

Time and time again in the infosec world I hear people call vulnerabilities exploits, exploits vulnerabilities, and call payloads either exploits or vulnerabilities. And so, as a public service, and to prevent you from incurring the wrath of God, I’m going to explain the differences between vulnerabilities, exploits, and payloads while I tell you all about the Windows vulnerability I found, how I exploited it, and the unexpected payload. Well, it wasn’t unexpected to my wife, but she knows what I’m capable of.

Check out my latest SecureIQLab blog at https://secureiqlab.com/vulnerabilities-exploits-and-payloads/

Friday, December 24, 2021

Amazon Caught Scamming Consumers - Cyber Criminals Are Good Teachers

As a public service, it would be really cool if you share this specific blog post. You can copy and paste it. You don't have to send people here. You can put it on your own website if you want. I don't even care if I get attribution. It's not about promoting my blog, it's about holding scAmazon accountable.

Don't worry, no chain will be broken that results in galactic destruction if you don't share it. Just please consider sharing after you read the blog. If you have any questions, I'll be happy to answer them.

Thanks in advance

I’ve seen a lot of phish in my time. Sometimes they appear to come from Amazon, but this time the phishing attack was designed and delivered by Amazon. If after reading this you know of others who have had the same experience, please put them in touch with me. There may be grounds for a class action lawsuit.

Even though I talk about my experience, bear in mind that this Amazon scam was probably sent to thousands, if not tens of thousands of people, and almost certainly virtually everyone who tried to avail themselves of the offer were victims of Amazon's deliberate false advertising. This isn't just about me.

Moving on,

· Calling the email I received from Amazon a “social engineering attack” is accurate

· Calling the email I received from Amazon “deceptive advertising” is accurate

· Calling the email I received from Amazon “false advertising” is accurate

· Calling the email I received from Amazon a scam is also accurate

· Calling the email I received from Amazon phishing is subjective, but conceptually accurate

Calling the email I received from Amazon a phish is somewhat subjective and based upon a definition of phishing that you may or may not disagree with. I can accept arguments either way. If you accept a definition that includes an email-based social engineering attack that is designed to trick a person into doing something they wouldn’t, for the sole purpose of financial gain, then it is fair to say Amazon engages in phishing. Regardless, as you’ll see, Amazon, AKA Scamazon, used an email-based social engineering attack to engage in false and deceptive advertising.

Make no mistake. I am talking about a genuine Amazon email scam and not a different cyber criminal's scam. Amazon is better at it.

Let’s take a quick look at the incident I refer to. It’s different from other deceptive advertising related to one or more lawsuits that Amazon is facing.

This is the offer I received. Just like any scam email, there’s a glaring disconnect in the information. Still, I signed up for the business account. The following will show it was a social engineering attack and that Amazon never had any intention of honoring the offer.

The offer clearly states: You will be eligible to redeem this offer 48 hours after business verification using promo code HOLIDAYAB40. It also says “Register & redeem today.” Since it does say “see terms for more information,” it’s conceivable that there would be a situation in which you would have expedited promo redemption abilities, but no, it was the old add-urgency-for-immediate-action con.

This is the message included as an inducement to get consumers to open business accounts. Amazon has studied the tactics of illegal scammers, and cherry-picked what they thought would work best for their specific application.

You might be inclined to say the inconsistent language was an error, but Amazon's customer service representatives leave no doubt that it is a scam by design.

I did read the terms and conditions. They also contradict the email. The terms and conditions say that the promo code must be redeemed within 48 hours of verification rather than after 48 hours. I did try to redeem the offer less than 48 hours after verification, and that resulted in a message indicating that the code was not valid. Obviously, the bold print in the email was correct and the code would be valid 48 hours after verification, right? Wrong. Figuring that the email was accurate I waited until after 48 hours passed to try again. Still, I got a message saying that the code was not valid. There was demonstrably never any intention to ever honor the offer. The deception regarding when the promo code could be used would have scammed every single person who tried to use it in accordance with the email offer.

I reached out to “customer service” and was advised that I had waited too long to redeem the offer. At this point an honest company, obviously not Amazon, would have honored the offer when they discovered they were at fault for the confusion. But it wasn’t confusion, it was a craftily planned, and well-executed scam. Amazon customer service even indicated that the information I gave them is accurate. There can be no denying that there was never any intention on Amazon’s part to honor the offer.

Aside from reaching out to Amazon’s CS (criminal service) Department, I have reached out to Amazon’s general counsel (David Zapolsky) to see if he condones this illegal behavior. I have not received a response yet; however, he may be out on vacation. It is that time of year. I have also reached out to Amazon’s Neil Lindsay to see if Amazon wants to provide a statement from them to include in this blog. Until November 2021, Neil was the SVP of Amazon Prime and Marketing before moving into the role of SVP of Health and Brand. If it’s not his department he’ll know which Amazon department to congratulate for the successful scam. The day that Nathan Strauss in Amazon’s corporate communications department viewed my LinkedIn profile, I reached out to him and offered to let Amazon provide a statement for the blog. We’ll see if they decide to.

Meanwhile, it is clear that Amazon is deliberately scamming consumers. It’s in their DNA.

If you know somebody who has been scammed by Amazon, please have them contact me. It would be good to aggregate data about Amazon’s false advertising and social engineering attacks to pass along to the FTC. You could of course tweet “I was scammed by @amazon too @FTC.” This will ensure the FTC sees at least some of the extent of Amazon’s illegal activities. There is a distinct possibility that Amazon will claim it is an error and send out new promo codes AFTER holiday sales are over. Doing so would be how Amazon tries to convince the FTC that it was an honest error and increase profits based upon the success of the scam. Amazon wanted to get people to sign up for business accounts, but not be able to use the promo code while major sales were happening, if ever. It saves Amazon a lot of money to scam now and say "oops" later. Of course, if I'm wrong, Amazon will replace the promo codes with 50 to 60 percent off in order to compensate their scam victims properly, but don't count on it. Jim Morrison is more likely to host next year's Grammy Awards ceremony than Amazon is to do the right thing.

I can be contacted at @randyab on Twitter, or https://www.linkedin.com/in/randy-abrams-ba24391/. I have a LinkedIn Premium Membership, so you should be able to message me even if we aren’t connected. You can leave a moderated comment for me here, either commenting on the post or for a private conversation, but Google’s notification of comments seems to be hit and miss.

Before wrapping up, let me show you one other example of Amazon’s dirty tricks. Look carefully at the images below.

Did you notice the 512MB (yes megabyte) card in the list? Amazon is counting on the phenomenon of the eyes seeing what is expected. The card is inexpensive enough that many people won’t bother with returning it, and if they didn’t use it right away, they can’t return it. The reason that 20% of the reviews of the card are one star is because people were deceived by Amazon’s dirty tricks.

This lawsuit is closely related to the dirty trick shown above. 

https://www.paloaltoonline.com/news/2021/03/30/amazon-settles-claims-of-false-advertising-unfair-competition-for-2m

So, this holiday season, as you are diligently watching out for phishing attacks and other scams, don't fall for Amazon's promotional offer scam.

The views and opinions presented are my own, reflect Amazon's practices, and do not reflect the views and opinions of my employer. My views and opinions in this matter are probably the same views and opinions as most, if not all people who received the same Amazon scam email.

Randy Abrams

Amazon’s best buddy