The latest holiday scam has online merchants sifting
through refund requests to separate out the fraudulent requests from legitimate
ones, according to security researchers at GFI Software. In this case, the
hackers are targeting Amazon.com orders.
The Amazon Receipt Generator is an executable file that
has been making the rounds on various forums, according to Christopher Boyd, a
GFI Software senior threat researcher. Anyone running the software can
create a forgery of an Amazon.com order receipt, he said.
It’s not malware, since the file doesn’t
do anything harmful on its own. But it is a social networking scam targeting
Amazon.com merchants.
"It’s a pretty good facsimile of a genuine Amazon
receipt," Boyd said in the company's
security blog. Scammers paid a lot of attention to the real thing, getting
details like the Total Before Tax and Sales Tax line items correct, Boyd said.
Scammers can send these forged receipts to an Amazon
seller to demand refunds for an order that was never placed.
As a scam, it casts a very small net, as it targets only
retailers selling products on Amazon, and will dupe only those taking the
receipt at "face value" and not checking the details, said Boyd.
"This type of fraud, perpetrated en masse, could result
in massive losses for retailers, especially during the holiday shopping
season," said Boyd.
However, Boyd noted the "careful" seller has "little to
worry about," since checking the records will show the order doesn’t exist.
If the seller is concerned about a missing order, Amazon will be able to
confirm that no purchase was ever made. The orange order
number might also be a place to start when investigating, since Amazon randomly generates those
numbers.
"Once you start digging into the details a little bit it
quickly falls apart," Boyd said.
However, sellers need to remain on top of their
records, especially during the current holiday shopping season with its high sales
volumes. The scam relies entirely on social engineering, counting on the seller being
too busy to check and wanting to address customer concerns promptly.
Social engineering exploits humans rather than technology, relying on
convincing people that something is legitimate. These types of scams can be
particularly effective at tricking users and are currently on the rise.
According to a Barracuda Labs report this summer, there is an increase in
"Twitter Crime," and Sophos researchers have been busy posting about
various Facebook scams. Users tend to think an e-mail from Uncle Walt
about a great new site is a real message, or a link from a friend is
safe. With the fake receipts, sellers have just been added to the list of
social engineering victims.
"After all, how many sellers would be aware somebody
went to the trouble of creating a fake receipt generator in the first
place?" wrote Boyd.
He expects the receipt rip-off to be popular over the
next few weeks, noting that there are other online imitations of the original
receipt generator available. "If a 'customer' seems a little peculiar,
ensure you take a good look at their receipt," he warned on the blog.