Amazon Account Hacking

In a new blog post Dima Bekerman, security researcher at Imperva, explains how easily his Amazon account was broken into, likely as a result of him using similar passwords in different accounts—an annoying but common attack. However, what he originally thought was a run-of-the-mill account breach turned into a story about perpetrators using registration bots to launch a smokescreen—an attack method he found extremely interesting.

The full blog post, which includes tips on how to prevent these types of attacks, can be found here, however key takeouts are listed below:

• I initially had no idea my Amazon account had been breached. In fact, I only noticed that something was odd when I opened Gmail one night and found hundreds of registration confirmations to numerous services I’d never heard of. What’s more, I was receiving a similar email every few seconds. First, I noticed that the registration email usernames followed a clear pattern. Each used a random string of nine or ten letters followed by four numbers. Second, I saw that I was steadily receiving five new emails every minute. Both were clear signs of automation that used registration bots. When most of the noise had been cleared, I found an Amazon email hidden among the junk. It informed me that my purchase—one I hadn’t made—would be delivered within 24 hours.

So What Happened Exactly

• I’m pretty certain my Amazon account was breached some time ago, but the attackers hadn’t been able to do anything because my credit cards weren’t linked to my account. Once I got the gift card, however, they seized the opportunity. The card wasn’t stolen right away. First registration bots mass subscribed me to thousands of sites, thereby flooding my Inbox with registration confirmations. Afterwards, the attackers used my gift card hoping I wouldn’t see Amazon’s message amid all the junk.
• The attack was interesting because registration bots – typically used for brute force attacks – were employed to launch a smokescreen against a single user. I also noticed that the method the attackers used to launch the smokescreen was very similar to a DDoS reflection attack. Here, the perpetrator initiates a multitude of fake requests in the target’s name, who is then swamped with unsolicited responses.