The end of this post displays an e-mail I received while on the phone with Amazon trying to get a refund completed. As will become apparent, it is hard to see how I could have received this message ex an inside job by Amazon employees, since it contains a combination of information that would not be available otherwise, even by wiretapping. The phishing message was attempting to get me up upload government ID to an external site. Amazon’s customer service representative confirmed they never request government.
So this is a general warning never never never upload government ID in connection with a commercial transaction, and a further warning regarding Amazon refunds as Black Friday is on and the holiday season approaches.
Now to the details. I have to confess to dealing more with Amazon now that I am in Southeast Asia than when in the US. There are quite a few items that I cannot get here (particularly related to Macs, such as compatible USB keyboards; they are a comparative rarity due to price) and Amazon will ship from the US. However, there are also items I use that I find important that no one will send here. So on a recent trip to the US, I bought many things to carry back. Some I got on Amazon because other vendors would not give clear guidance on their shipping and typical delivery times to where I was.
I purchased two of the same item, from an Amazon vendor, to be sent my hotel. When I opened the exterior box, the inner boxes both had label on their outside saying they were the item ordered. Some reviews this product praised the inner packaging (the items were breakable) so I simply put these boxes in with the other checked luggage items.
When I opened them after my return, I found both contained different items from what I had ordered.
I made two calls to Amazon customer service. Both were via Vonage, as in VOIP, over a fiber optic line run in place of an old DSL line, with wired connections from phone to VOIP router, meaning a dedicated pipe. Each time I spoke to two reps, the first a general customer service agent who then had to send me over to a specialist.
The bottom line of the first call was that they would e-mail me a link to use to upload photos of the not-ordered items I had received. I got an e-mail after I did that saying it would take them about three days to review and make a determination.
When I had not heard back after 5 days, I called again. When I got through to the second rep, it seemed she had to go though some hoops to get the return authorized. She reported back that she had succeeded and that I should see the credit on my credit card in five to seven days.
Mind you, both times the only identifying information Amazon got on the phone from me was the order ID, which I provided in the hope to expedite matters, my name and they presumably saw the caller ID on my VOIP phone. They verified me by sending an authorization link by e-mail. Note the authorization link said something about my phone being a mobile phone (not true) in Washington state, and “generic” to boot.
I did not look at my e-mails while I was on the phone with the Amazon agent getting the refund approved. But after I got off, I saw the one with the text pasted below. Note is is from “no-reply@amazon.com”
Even though it has signs of bogosity, like “we noticed abnormal activity on your account,” and “Also, you will not be able to investigate this order issue further,” it had, in the very first line, the exact order number and that I had called Amazon for a refund [or replacement].
While it might be possible to have tapped the call to get the order number and the refund request, the only way to get that plus my e-mail address was via Amazon itself. And Lambert who knows Vonage concurs additionally that Vonage being hacked is very unlikely. So this looks to be an inside job.
I called Amazon to have a hissy. I said if this really was an Amazon request, no way, no how was I uploading government ID. They’d agreed to the refund and I would put in for a chargeback on my credit card. The agent reassured me that Amazon never asked for government ID and e-mailed me a link to send Amazon the fraudulent e-mail.
The idea that this is an Amazon inside job is not as remote as you think. I had a friend who had $25,000 removed from her Chase account via a series of >$200 counterfeit checks over a period of about a week. The thief had to have known Chase’s fraud triggers to pull this off, so a current or recent employee. The checks were honored despite individual check numbers being much larger than for any checks the customer had ordered. Many of the checks were for the same amount, cashed the same day. Yet 8+ checks a day over a series of days from a customer who did not use that many checks to begin with did not trigger an alert.
The customer did get all the money back, albeit having also to work around 10+ days of being locked out of the account.
So be warned! Needless to say, the copy below does not contain live links.
_______
From: no-reply@amazon.com
Subject: Your Amazon.com order
Date: November 28, 2024 at 9:42:42 PM GMT+7
To: XXXXXXXXX
Reply-To: no-reply@amazon.com
Hello,
Thank you for contacting us regarding your order XXX-XXXXXXX-XXXX.
Because we noticed abnormal activity on your account, we need to verify your identity before we can consider your request for a refund or replacement. We may also request additional information before granting your request.
How will you verify my identity?
In order for us to verify your identity, upload a valid government-issued identity document on the secure customer portal. Note that the following link will expire after 6 days:
https://account-status.amazon.com/identity-validation
All personal information that you provide will be handled in accordance with our Privacy Notice. To review our Privacy Notice, go to “Amazon and Your Personal Information”:
https://www.amazon.com/gp/help/customer/display.html?nodeId=G68RWEYX26H3ZXJT
What happens when I submit my ID document?
We will review your order and your account and verify your identity through one our third-party service providers. Once you have submitted your information through the secure customer portal, it will take us 3 business days to determine an outcome. At that point, you can contact us to learn the outcome of the investigation.
What happens if I do not submit my ID document?
You may continue shopping on Amazon, but you will no longer be eligible for a refund on the order XXX-XXXXXXX-XXXXXXX. Also, you will not be able to investigate this order issue further.
Who can I contact if I need help with this issue?
You can contact us through your Amazon profile. To do so, go to “Amazon Customer Service”:
https://www.amazon.com/contact-us
Account Specialist
https://www.amazon.com
Imagine you are an Amazon employee, low pay, a lot of pressure to meet targets, little loyalty. And someone offers you a nice sum of money to share some data…
Or any number of other vendors, like cell phone companies.
One enterprising chap called right after I placed an order to switch to a new cell provider. He knew the order details and said that my account was eligible for a discount. All I had to do to complete that process was to buy some gift cards and send them in.
The provider fraud people said that he was likely an ex-employee with a contact still inside the company,
Makes you wonder how many actually buy those gift cards, or fall for similar scams.
“Makes you wonder how many actually buy those gift cards, or fall for similar scams.”
Enough fall for this to make it a very popular cyber-crime. Many people are naive enough to employ an internal “appeal to authority” in their thinking, especially in subjects related to socially designated “high intelligence” subjects.
That’s what I was going to say also – if the workers made a little more money perhaps they wouldn’t be as tempted to steal…
Moral standards always have a price-floor I see. Clearly politicians need paying much more – Italy has the highest paid politicians in Europe and therefore no corruption
Scholz is paid more than Biden and his chancellery is far bigger than the White House so Scholz is less likely to be corrupt than Biden
US Senators are well paid by Israel so have no need for bribes and Menendes had gold bars at home from his honest endeavours
I understand you viewpoint- rich men are the epitome of moral rectitude – and only the poor can afford to be ethically challenged. It is after all Social Class and Breeding
The lower orders are amoral and their social betters are refined and have moral character
Interesting. The links in the email all appear to go back to the amazon.com web server. if it was a non-corporate activity, I would have expected that there would be a non amazon.com link buried under the html link description which would contain amazon.com stuff.
If these are true amazon.com web pages then obviously what you were told by the agent clearly does not line up with the amazon.com web site.
Given the typos, I would expect that underneath, they are not pointing to amazon.com web pages.
it could be Amazon allows third-party sellers to require IDs for certain transactions?
https://search.brave.com/search?q=amazon+id+upload
Please do not contradict information in the post. I know you mean well, but you are leading readers away from possible explanations. You need to stick with the facts presented.
Amazon controls the customer relationship and set the terms of engagement. Amazon confirmed that government IDs are NEVER NEVER requested and that an e-mail of the sort I received was fraudulent. You need to start from the fact that this was a fraud and not try to dream up a scenario where it could be legit.
You mean when you order Apollo Gold pagers from Amazon website perhaps ?
I was told by Amazon absolutely not to click on any links but to send the message on to them.
It seems pretty clear that the actual URLs linked are not the same as the ones presented in the text of the message.
If you hold your cursor over a URL for a few seconds, it will show the address the URL is pointing to. This works on a Mac, I’m not sure about other systems
I doubt it’s being the source, but the very same information is being available on your Macbook as well…
Based on the purchase and the refund request location differences, Amazon’s AI/Machine Learning (ML) accounts monitoring system may had triggered the request for government issued ID. That would be my guess without looking at the email header information and the actual links. The AI/ML system used for sellers, where government issued ID required, but may monitor buyers’ activity as well.
I’d call Amazon and have another “hissy”….
Sorry, you are incorrect. The fact that I contacted Amazon for a refund was NOT on my Mac. That was ONLY part of my calls. The e-mail asking me to upload photos did NOT have “refund” in it, it only had that I had called about “WRONG ITEM.” There was no mention of a refund, credit to me, or return.
I am with you on this and do suspect contract labour or fill-in staff. I have noted discreet transactions data being used by sources unconnected with the transaction and put it down to temporary staff filching databases for gangs.
Amazon does suffer data breaches like all IT firms and will keep mum about it. If all someone needs is Govt ID to manufacture complete payment means or bank loan applications it is clear you will be requested to provide it
It is fascinating how many try to persuade Yves just how paranoid it is to question. I am in a new world after the past 4 years of gaslighting and see only 30% population as having danger-awareness radar and self-preservation judgment. Maybe the Wachovskis have a point
if it is an option, perhaps Aliexpress, Temu, or Coupang offers similar products at similar total prices.
You generally can force their websites to display English for their non-US country specific sites.
Since it launched here in Oz last year, the popularity of Temu has skyrocketed and my wife uses it often, especially for stuff that you will never see on a shelf anywhere. So for Temu at least, displaying English is no problem and is automatic.
Far and away the best site in Thailand is Lazada. Temu is a new entrant, shipping from China.
There are many products that Thai customs won’t let in at all or are tariffed so heavily (like shoes at 100%) that online vendors won’t carry them.
Use https://centralops.net/co/DomainDossier.aspx and check Whois for account-status.amazon.com
Domain Name: AMAZON.COM
Registry Domain ID: 281209_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Queried whois.markmonitor.com with “amazon.com”…
Domain Name: amazon.com
Registry Domain ID: 281209_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.markmonitor.com
Registrar URL: http://www.markmonitor.com
Registry Registrant ID:
Registrant Name: Hostmaster, Amazon Legal Dept.
Registrant Organization: Amazon Technologies, Inc
*Sigh*
This does not prove anything except the scammers are not stoopid.
I was told NOT to test the links, which are live in the e-mail, but not, as indicated, in the post. I am highly confident that the actual embedded links are not the same as the URL provided. You can see how trivial it is to make that happen, with the regular complaints we get about “Wrong link” in Links.
Is it possible you were told NOT to test the links (which you seem to have agreed to) because amazon preffered you not to discover that they were in fact legitimate amazon links?
No, this is their advice in the security section of the Amazon site. I also consider that to be generally good advice.
Using a web browser I don’t normally use, I visited the link https://account-status.amazon.com/identity-validation and it asked me to log in to Amazon. I closed that, went directly to amazon.com and logged in, then went back to the identity validation link. It accepted me as logged in, is titled “Identity Verification” and reports that No identity verification requests are found.
This is clearly an Amazon-sponsored website feature, so it appears that the agent who reassured you that Amazon never asks for government ID was incorrect. That seems a simpler explanation that Amazon has rogue identity thieves who are capable of adding their own additions to the Amazon website.
Reddit says the address you have as a link is indeed a scam address, probably run by Amazon employees as I surmised. Or perhaps they intermittently misuse it internally?
https://www.reddit.com/r/amazonprime/comments/18bstpq/amazon_asking_for_id_possible_new_information_scam/
I called Amazon a second time and escalated. They said the e-mail was fraudulent, they would never ask for government ID or tell a customer they could not longer contact customer service about an order or refund. And it is obviously fraudulent because I made them ID me via the order # (I gave that for them to generate the verification e-mail) and told the automated prompts I was calling about “wrong order”.
This rep let slip that there have been a lot of problems with the site (!!!!)
Wow! You have uncovered an enormous scandal. And thank you so much for checking again.
Creating such a link requires the cooperation of several different teams within the site engineering organization, and none of those changes could be done without internal tickets, audit logs, and most likely email and/or messaging among the people involved. I don’t have inside knowledge on the engineering organization responsible for amazon.com, but I am very familiar with aspects of AWS upon which it is based, and it’s impossible to make such broad changes without executive direction. Each change requires the appropriate security credentials within the system, and the holders will only allow them to be used in response to specific, documented, approved orders. The question is, at what level was this authorized?
(If done fraudulently by a small group of conspirators, it will be the biggest all-time breach of security in IT, ever.)
If I may advance a hypothesis that fits the facts, someone within Amazon decided that requesting government IDs was a good idea, and they had the authority to direct amazon.com site engineering to implement this feature. However they concealed its existence from the customer service organization. If true, that would be very stupid, because how long could it stay concealed?
How perfect to break this on Black Friday as well, perhaps their busiest day of the year.
Another tell re the bogosity of the e-mail is that the government ID request requires a response in 6 days.
The earlier request for the photos to substantiate the wrong order had a 30 day deadline.
I don’t have an account on Reddit or Hacker News, but if you do, it would help to push it out there as a hypothesis, of the WTF sort as opposed to a hard conclusion.
I think this is actually a legitimate, automatically generated email and that the second rep either misspoke or wanted to avoid the confrontation.
The provided URL links to a legitimate Amazon webpage and I couple this with some knowledge that Amazon has tried to curtail refund fraud in recent years that spawned from their previously quite generous refund policies.
No it does NOT link to a “legitimate Amazon web page”. See my reply above. Reddit confirms this is a scam.
The rep warned that the landing pages often look just like Amazon.
Aura says the way to see if e-mails that look like they are from Amazon are legit is to look in the Messages folder: https://www.aura.com/learn/amazon-email-scams. Your method is not fail safe.
No it does not. See my reply above. Reddit confirms this is a scam.
The rep warned that the landing pages often look just like Amazon.
Aura says the way to see if messages from Amazon are legit is to look in the Messages folder: https://www.aura.com/learn/amazon-email-scams
The message posted above is absolutely NOT in my Messages folder, confirming that it is fraudulent.
I don’t know how a Mac might work, but on my old windows 7 machine I can right-click on a suspect link or URL to display its actual path.
Not the same thing, but inside corruption. Here’s a BNSF container train looting inside job that got caught. The thieves knew which container had the 1,278 pairs of Air Jordans, valued at $311,832, but didn’t know about the GPS tracker inside. Either Nike or BNSF has leakers looking at shipping way waybills for individual containers.
Three men charged in theft of Air Jordan shoes from BNSF train
once can also copy the link address and then paste it into a text editor.
I have a browser I never use for browsing (or anything), which I use to test links and see where they go.
The link in the email does go to a legitimate Amazon web address. “amazon.com” is owned by Amazon, and so is (due to how DNS works) everything under it (including “account-status.amazon.com”). It has a legitimate X.509 certificate issued by the same Certificate Authority that Amazon uses for the base domain name — Amazon themselves (they are their own CA).
Going there while not logged in asks me to login to my Amazon account, and takes me to Amazon’s login page that my password manager prefilled for me because it is the legitimate login form. Going there while I am logged in says “No identity verification requests found. There are no identity verification requests pending review”.
Furthermore, no e-mail claiming to be from amazon.com is going to land in the inbox of any half-decent e-mail service provider without being sent by Amazon’s systems; this due to their SPF and DMARC records.
It is extremely likely that your refund request triggered an automated identity verification attempt and one of the CSRs you called simply didn’t know about it and/or overruled it. This isn’t a scam; just bureaucracy.
No, you REALLY do not get it.
THERE IS NO LINK WHATSOEVER IN WHAT I POSTED. Your claim is garbage in, garbage out.
You do NOT have the links in the e-mail. You have the TEXT of the e-mail.
The e-mail I received had embedded links. All of the text URLs in the e-mail were links. Just about no one would copy and paste the URL from the text. They would click on the link.
For security, I did not create a version of the post that carried them over (I could do that in WP with “Visual” w/o my opening them but I was told by Amazon absolutely not to touch them. They could easily download malware. I did not want to take that risk, let alone expose readers).
They do not have to and cannot be assumed to be identical to the text shown.
FFS, all the time I generate links where the displayed text and the URL are not the same. Have a look at today’s Links for >55 examples.
The ONLY way to be sure if a message originated with Amazon is to check Accounts & Lists>Your Messages.
I read the dodgy parts of the e-mail to 2 reps: the government ID request, the demand for action in 6 days, and the claim I could not further “investigate” the order if I did not provide ID. Each said all three elements were fraudulent and clearly contrary to Amazon policies. The second rep even seemed genuinely upset.
Keep in mind re your idea about refund “abuse” is that customers have stronger rights on their credit cards than pretty much any vendor provides. The notion that Amazon is being mistreated, as opposed to is screwing up on a larger scale than before, is laughable.
Your claim about the legitimacy of e-mails purporting to be from Amazon is even more of a howler. In my inbox, right now, 30 e-mails in the last 24 hours purporting to be from Amazon. Due to all the messages about the refund and the fraudulent e-mail, 8 of the 30 are actually from Amazon.
If I go back a full week, to 11/22, I have 59 messages purporting to be from Amazon, only one of which is bona fide.
My apologies, there has been some miscommunication here.
When your blog post stated that there were no “live links” in the e-mail you included at the bottom, I assumed that to mean that you copied the e-mail but did not make the links clickable in the blog post. What you actually meant was that you copied the text of the e-mail, but did not copy the links.
You should probably elaborate on that a bit to let people reading know that the link actually went elsewhere, as there have been quite a few people in the comments before me doing e.g. WHOIS on Amazon’s legitimate domain because that’s what the link text you posted points at.
The usual infosec convention is to copy the links but mangle the URI scheme; http(s) becomes hxxp(s). This lets researchers follow the links in a safe and controlled manner, but protects users who don’t know any better, because hxxp and hxxps are not IANA-registered URI schemes that e.g. web browsers would know how to handle.
With this in mind, I have a new theory for what’s going on, and it still isn’t Amazon at fault (but this is just a theory). When you are a seller on Amazon, you get notified when one of your customers opens a return for one of their purchases from you. This notification includes the order number. My theory is that an unscrupulous seller is taking return notifications and using them to phish their customers.
To your statement of an inbox filled with e-mails claiming to be from Amazon; there is a VAST difference between an e-mail merely claiming to be from “Amazon”, and an e-mail with an envelope from (return path) domain of “amazon.com” (which SPF and DMARC combined would prevent, as I described).
SPF prevents senders impersonating the envelope from (i.e. if you intend to send someone a message with an envelope from of anything@amazon.com, you must be using one of the mail servers located in amazon.com’s SPF record), and DMARC requires the envelope from and message From: header (i.e. what you’re actually looking at is the “sender”, if your e-mail service provider is doing you the great disservice of not displaying the actual return path as well) to “align” (i.e. be under the same domain). Either of these alone achieves nothing, but in combination they do prevent sender impersonation. Some great resources on this subject are located at [1][2].
Amazon does have both SPF and DMARC set up correctly; no-one can land an e-mail in your inbox with a From: of anything@amazon.com unless either (1) it was Amazon’s mail servers that sent it, or (2) your e-mail service provider is not bothering to check for these records, which would be grossly negligent in 2015 and inexcusable in 2024.
[1] https://www.proofpoint.com/uk/threat-reference/spf
[2] https://www.proofpoint.com/uk/threat-reference/dmarc
While your theory about the third party seller is interesting, them getting the order number does not = them getting my e-mail address.
I cannot imagine a company as driven to protect/promote its platform would ever give the third party vendor the means to contact the customer (well save by snail mail, which is not avoidable if the product is sent by the vendor, as opposed through an Amazon warehouse). Amazon will drive all communications through the platform and not allow the vendor to be able to talk directly to the customer and cut Amazon out.
One time I ordered a Keurig coffee machine from Amazon. I received 2 identical Keurigs, delivered by UPS. Several days later I received a request via email asking me to return one of the Keurigs. The request was from the seller acknowledging their mistake and appealing to my good nature to hopefully, do the right thing. The appeal was made to me, by name, directly and was outside of typical Amazon correspondence.
I wonder if there might be a wider issue here. More than once I’ve received spam purporting to be from X very shortly after a real transaction with the real company X, with timing and/or content suggesting it was not coincidental. By memory, PayPal and DHL. I’ve never seen this reported in the media, and a quick search doesn’t turn up much.
I’ve never had this happen but do not doubt that occurs.
But this happened during a phone call, not on the heels of a transaction confirmation.
I have also received such “shadow” phishing — although not often. I suspect that bots are regularly being infiltrated into e-commerce servers and tracking internal communications until they are swept-out. I keep a separate credit card and email address for use with e-commerce merchants.
I recall from my many years as a criminal prosecutor that credit card and e-commerce companies were very publicity-shy about the 7-10 percent of transactions that were fraudulent at that time. They would categorically refuse to cooperate with law enforcement out of fear of destroying public trust in their platforms. They simply built the quick refund and charge-off into their profit structure and high merchant fees.
I have to say, Yves, that in some ways I am more surprised by some of the comments, suggestions and alternative explanations directed at you. Your post is quite clear, and anyone who knows and follows NC knows how meticulous you are, one of the reasons I read your posts. And, when you need assistance you openly ask for it when you don’t have domain expertise.
Interestingly, many years ago we were in Park City on a family ski trip. Somehow someone got my AMEX card number and after a short test used it to purchase $65,000 in lift tickets (you read that number right). It was done overnight while we were sleeping. In those days lift tickets were still paper and wire-wickers and effectively cash. AMEX told us that as we were in a resort town what almost certainly happened was a server in a restaurant took down our number and was the culprit. Other than a few phone calls it didn’t cost us anything. From that point of we manage our credit cards very differently to minimize the impact of fraud and theft.
Best Buy did this to me two years ago. I was trying to send money to a friend living behind the Putin Curtain and a “fake” employee tried to help me with a concerted effort to get me to send money to her Paypal account which she would then forward to my friend.
The employee had a fake racist name and was remarkably persistent. Reported it to Best Buy security and got crickets.
When leadership is corrupt, everything else falls apart. This is the falling apart part of the show.
Meanwhile, Amazons workers across 20 countries, including the United States, are striking against what the organizing labor union calls anti-worker and anti-democratic practices:
https://www.cbs42.com/news/amazon-workers-on-strike-from-black-friday-to-cyber-monday/
Re: Amazon never asks for government ID
This doesn’t appear to be true everywhere according to this page, which is for Amazon Egypt but looks legit according to the certificate record:
https://www.amazon.eg/-/en/gp/help/customer/display.html?nodeId=TfcdRh70ESGEN6O7bq
Seems to be only Egypt as I couldn’t get any hits on other domains.
Doing a bit more digging, Amazon Egypt is apparently a third party (Souq) that was acquired by Amazon a few years ago and reskinned to look like all the other Amazons. It is not within the scope of Amazon’s SOC audit reports.
Might be completely irrelevant but I thought it was interesting.