Amazon Seller Account Hijack

My wife has just recovered her Hotmail and Amazon accounts after both were hijacked by a scammer seemingly located in Nigeria. It is still not clear to me how he managed to obtain the password to the accounts (my wif'e's mistake 1 - both were the same) but he must have been surfing amazon looking for a SELLER account with a webmail contact address and then targeted us somehow to get the password. We use Zonealarm firewall, McAfee security and Windows defender (no spyware detected on latest config files just carried out) so how he obtained the password is a mystery though my wife has a recollection of doing an Amazon product search and being presented with a LOGIN screen for AMAZON.COM rather than AMAZON.CO.UK as is more usual and she may have been phished.

Following the hijack, the hotmail account passwords and other verification details were reset from the inside so that we were effectively locked out, and it then took 3 days exchanging emails with Microsoft Livemail support to prove ownership and regain control. Meanwhile he immediately used my wife's Amazon seller account to put up details of widescreen flatpanel TVs for sale, requesting Western Union Money transfers from his respondents and corresponding with them on the Hotmail account using the name ALIN BARNA above my wife's actual email address (that should have been a warning to anyone corresponding to him, but there seemed to be about 10 people involved in transations at various stages - though most seemed to grow suspicious and eventually cease their dealings).

I know there's a lot of advice to people about not wiring money via Western Union, but not everyone has seen that and I think people want to trust Amazon seller accounts.

To their credit, amazon detected the activity quite quickly and stopped the accound but the correspondence continued on the hotmail account. Because he reset so much from the inside it was very hard, as you might expect, to convince Microsoft support that we were the rightful owners.

Thanks for sharing your story Ted1 which will be a helpful warning to other people. As you have discovered, with so many scammers out there it's a good idea to be extra cautious when dealing with any kind of online transaction including something as simple as having different passwords for different accounts, email addresses, etc.

Amazon product search and being presented with a LOGIN screen for AMAZON.COM rather than AMAZON.CO.UK as is more usual and she may have been phished.

Amazon own amazon.com too. However, it does sound like it was somehow phished.

Best advice for that is that when presented with a login screen and you're not sure, you can open a new tab (new window for internet explorer 6 users) type the site's url into the address bar (e.g. www.ebay.com www.amazon.com), then login knowing you're on their site, then go back to the previous tab / window and refresh the page, and you'll be logged in.

On the subject of how the password was extracted, we spent some time last night trying to recreate her browing history (starting from the Google toolbar search history) using the search she was doing on the day it happened. However my wife then remembered that she had followed a link in a junk email (arghhhhhh !!!!!). She may well have been directly targeted in this by the scammer who could have obtained the email address from her Amazon seller page. It would appear to me that she was specifically singled out for this treatment.

I'm kicking myself as well because I didn't reinstall SPOOFSTICK when I loaded IE7 earlier in the year. My wife now knows to check the spoofstick report on the website she is on in the browser toolbars when she is accessing a site. Previously she hadn't really understood what this meant or did for her.

For anyone not in the know... Spoofstick reports the actual name of the site you are on - and exposes spoofed sites. Check it out and perhaps load up this useful tool (available for Firefox and IE).

Hi Ted.

If it was a link in a junk email that phished your password, it's very unlikely that you were specifically targeted. Phishers take their chances and hope that somebody will be using the site that they're hunting passwords for. It's quite possible and even likely that a lot of people that they sent that one to wouldn't even have Amazon accounts. These phishing emails are mass-mailed in their thousands and it's only pure bad luck that you got caught.
Also be on the look-out for ebay and Paypal phishes (amongst others).

As for how the scammers got your email address? If it was put anywhere on the internet, they would find it. There is normally a scammer in the gang whose only job it is to search down emails. They have special programs called "spiders" which trawl the net looking for addresses.

Small consolation I know, but I hope it puts your mind at rest.

Best advice for that is that when presented with a login screen and you're not sure, you can open a new tab (new window for internet explorer 6 users) type the site's url into the address bar (e.g. www.ebay.com www.amazon.com), then login knowing you're on their site, then go back to the previous tab / window and refresh the page, and you'll be logged in.

That right there is the ticket. Never follow a link in an email even if you are 99% sure it's legit. You can always open a new window or tab and navigate to the site using your own links or typing in the URL. Also I wouldn't be 100% reliant on Spoofstick. It's good but software is always prone to being circumvented. Use it as a guide only. The best antiscamming tool is your gut instinct.

I have been thinking about this and a fairly obvious question arises.... why did this scammer bother to hack my wife's Amazon account and email address - why not simply create new ones of his own for his purposes ? Was he looking perhaps for some long term legitimacy or do Amazon perhaps carry out credit reference agency checks on sellers ?

Also, there have been password reset requests registered in the hotmail account! He must have been trying to get back in and try to reset the password to wrestle control of the account back to himself. We changed all the questions etc though. I'd like to have been a fly on the wall when he realised he'd been out manouevred.

I have been thinking about this and a fairly obvious question arises.... why did this scammer bother to hack my wife's Amazon account and email address - why not simply create new ones of his own for his purposes ? Was he looking perhaps for some long term legitimacy or do Amazon perhaps carry out credit reference agency checks on sellers ?

Scammers use established accounts to use their reputation as their base.
I'm not exactly sure if this is right but I think it is: Scammers use the accounts to pose as a buyer that has established, good feedback. Then they "buy" an item, perhaps a laptop. They send a check that's too large, write a "oops, my mistake" letter and ask for the difference via western union or moneygram. Because they appear to be a genuine ebay or amazon user that's been around a while, the person selling the laptop thinks it an honest mistake, sends the money and the laptop. Of course, the check bounces so the victim loses cash, his laptop and whatever he sent in cash.
Now if the scammer simply created a new account to do this, the seller is much more likely to be suspicious.

Another thing a scammer can do, with a login to ebay at least, is look up your address if you have stored it. They can then, for example, write you a very personalised email and play one of the many scams out there.

Thanks for the inputs and replies so far. There are plenty of pitfalls it seems - I work in computers and don't personally trade online as I know of many scams, but you are telling me stuff I had never suspected ! I will warn my wife further about the overpayment scam. That's real added value deception!

I had suspected that the scammer was from Nigeria and I think I said so in my first post - having been led to this conclusion by an email comment back to the hijacked account from one of the scammers correspondents who must have realised what was going on (!). However after checking the hotmail folder structure now we have the account back, I found that he had created himself 2 folders in the folder tree called FOI FACUTE and DE FACUTE FOI and these held processed emails to his victims. On checking this text in a translator it appears to be Romanian. Furthermore there are payment details providing an address in Rome, Italy for the Western union transfer - details as follows (I have changed our email address for obvious reasons):

The seller requests to be paid via Western Union® Money Transfer.
To submit the payment with Western Union® Money Transfer you have the following option:
Pay for the transfer with cash at a local Western Union® agent.
Click here to locate the agents in your area :
http://www.westernunion.com/info/agentInquiryIntl.asp
Once the payment has been sent, you have 2 options:
1. Email the payment receipt to the following address: Confirm Payment
2. Send the Western Union receipt by fax to Amazon Security: 39-1997-07071-5075
Send the payment details:
1) MTCN (Western Union Money Transfer Control Number):
2) Sender name :
3) Sender address :
4) City where you sent the money from:
5) Amount sent:
Then wait for the confirmation that the payment was received. Within 2 business days,
you will receive the tracking number for your product.
E-mail Address: [email protected]

Ship from Address:
Alin Barna
Via Ponzio Nr. 22
Rome
00060
Italy

Payment Address:
Alin Barna
Via Ponzio Nr. 22
Rome
00060
Italy

Please note: This e-mail message was sent from a notification-only address that cannot accept incoming e-mail. Please do not reply to this message.

I guess that name and address may well be false - does anyone know enough about Western Union funds transfer to know if he can claim any money sent under any name using the above information ?

Anyway - I suppose that the above text is useful for others to see so that they have an example of a scammer email reply requesting payment.

Yes, Alin Barna is Romanian: town: Alba blaj, email: [email protected], phone: 0740090110 and 0729885433. The Rome address is probably fake, he can claim the money anywhere in the world by presenting either an ID of that name or a bribe. There is a "Vasile Barna" listed in Rome (typical Romanian name) but that doesn't have to mean anything.

Georg:

Wow - how did you know that so quickly ? Is he a known and prolific scammer or are you just doing a directory lookup on that name which could be an innocent party with the same name ?

Is there any way that his actual victims can be given these details if I send them somewhere (noting that they are all listed in my wife'e email send list from the time that the scammer had control of her account). The police here in the UK have advised us not to respond to any emails from those he ripped off, but if they were to come from another source then that might help them both to understand the issue and potentially report it to their police if they have actually lost money ! My wife's account is their only hope of contact with the scammer - but they don't know that we now have the account restored back to us from Microsoft.

Wow - how did you know that so quickly ? Is he a known and prolific scammer or are you just doing a directory lookup on that name which could be an innocent party with the same name ?

I just looked it up, if he were a known and prolific scammer he'd probably use another name. On the other hand he doesn't have to take any precautions in Romania where he's reasonably safe from law enforcement. So I place my bets on the name being correct while using wrong address. That way he can pick up his WU transfer in Romania with his own ID without having to bribe. An IP address from his emails might reveal his whereabouts.

All of this is naturally speculation and starting point for further research and not safe for feeding his other victims with.

I saw this Amazon thread, so thought I'd add:

Beware friend requests e-mails. While I've never received a phishing e-mail disguised as a friend's request, one thing I don't like about the "friend requests" is when you open it, you see a link to click, and then the "sign-on" screen comes up. This makes it too easy for a scammer to use this "form" to send a fake friend's request, and then have a made up "sign-on" screen pop up, to capture your sign-on and password info. I hate announcing it here, if it hasn't happened, yet, but if I save a potential victim I hope I did my job.

When receiving a friend request (just got one yesterday) I always open a new window, and sign-on to be sure I'm on Amazon, then go to my profile to locate the new friend request.