The database contained 7GB worth of data including fake Amazon product reviews and PayPal email addresses of scammers among other sensitive data.
Whoever uses Amazon makes up their mind about a particular product after checking out its reviews. But what if the reviews are fake and misleading?
The IT security researchers at SafetyDetectives discovered a China-based ElasticSearch server publicly available online without any security authentication. The researchers claim that this misconfigured database helped them unearth a well-organized scheme of Amazon vendors to produce fake reviews for their products on the website.
Database Contained Treasure Trove of Clues
Researchers observed that the server contained direct messages between Amazon vendors and customers regarding the provision of fake Amazon product reviews in exchange for free products. There were around 13,124,962 of these records, which amounted to 7 GB of data exposed in the breach.
This implies that over 200,000 people were involved in this unethical practice. The database included email addresses, surnames, reviewers’ Amazon account profiles, vendor phone and contact details on WhatsApp and Telegram, and PayPal account details.
Fake Amazon Product Reviews Scam: A Prevailing Issue
SafetyDetectives revealed that this scam begins when vendors send their reviewers a list of products and ask them to provide a 5-star review, a standard procedure in such scams. Their contacts purchase the products and leave a 5-star review on Amazon a few days later.
Once this is done, the contact sends the vendor a message containing a link to their Amazon profile and their PayPal account details. When the Amazon vendor confirms that the reviews have been accepted, the reviewer receives a refund via PayPal to avoid suspicion and keeps the item they purchased for free.
Database Is Now Secured
The database was discovered on 1st March and was secured around one week later. However, it is currently not clear who owns this database. Still, it becomes apparent that this is a prevalent issue that’s plaguing Amazon and the entire online retail industry.
The researchers believe that the server isn’t owned by Amazon vendors that are part of this scam but by a third party.
“Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors. Third parties might post a picture of the product in a Facebook or WeChat group, asking for reviews in return for free products,” researchers noted.
Or it could be owned by a large firm with different subsidiaries because multiple vendors were part of the database. One thing is clear, though: whoever owns this server may be held responsible for violating consumer protection laws, and those paying for fake Amazon product reviews will be sanctioned for breaking Amazon’s terms of service.