The latest holiday scam has online merchants sifting through refund requests to separate fraudulent claims from legitimate ones, according to security researchers at GFI Software. In this case, the hackers are targeting Amazon.com orders.
The Amazon Receipt Generator is an executable file that has been making the rounds on various forums, according to Christopher Boyd, a GFI Software senior threat researcher. Anyone running the software can create a forgery of an Amazon.com order receipt, he said.
It's not actually malware, since the file doesn't do anything harmful on its own. But it is a social engineering scam targeting Amazon.com merchants.
"It's a pretty good facsimile of a genuine Amazon receipt," Boyd wrote in the company's security blog. The scammers paid close attention to the real thing, getting details like the Total Before Tax and Sales Tax line items correct, Boyd said.
Scammers can send these forged receipts to an Amazon seller to demand refunds for an order that was never placed.
As a scam, it casts a very small net, as it targets only retailers selling products on Amazon, and will dupe only those taking the receipt at "face value" and not checking the details, said Boyd.
"This type of fraud, perpetrated en masse, could result in massive losses for retailers, especially during the holiday shopping season," said Boyd.
However, Boyd noted that the "careful" seller has "little to worry about," since checking the records will show the order doesn't exist. If the seller is concerned about a missing order, Amazon will be able to confirm that no purchase was ever made. The orange order number might also be a place to start when investigating, since Amazon randomly generates those numbers.
"Once you start digging into the details a little bit it quickly falls apart," Boyd said.
However, sellers need to stay on top of their records, especially during the current holiday shopping season, when sales volumes are high. The scam relies entirely on social engineering: the seller is too busy and wants to address customer concerns promptly.
Social engineering relies on convincing people that something is legitimate rather than on malicious code. These types of scams can be particularly effective at tricking users and are currently on the rise. According to a Barracuda Labs report this summer, "Twitter crime" is increasing, and Sophos researchers have been busy posting about various Facebook scams. Users tend to assume an e-mail from Uncle Walt about a great new site is a real message, or that a link from a friend is safe. With the fake receipts, sellers have just been added to the list of social engineering victims.
"After all, how many sellers would be aware somebody went to the trouble of creating a fake receipt generator in the first place?" wrote Boyd.
He expects the receipt rip-off to be popular over the next few weeks, noting that other online imitations of the original receipt generator are available. "If a 'customer' seems a little peculiar, ensure you take a good look at their receipt," he warned on the blog.