Safety Detectives, a cybersecurity company, has discovered an interesting openly accessible Elasticsearch database that exposed a scheme organized to post fake reviews on Amazon in exchange for discounts or free products.
This database, 7 GB in size, was exposed because nobody claimed the Elasticsearch server hosting it, which is possibly of Chinese origin. For now, it is unknown who created it (although it could be a third party that put vendors and users in contact). Furthermore, less than a week after being discovered on March 1, the server was no longer openly available.
This is how these kinds of scams work
The data it contains, however, is pure gold for anyone seeking to understand the inner workings of this kind of scheme: it held more than 13 million direct messages between Amazon vendors and approximately 200,000 users willing to write the fake reviews. In these messages, the vendors reveal their email addresses and phone numbers (linked to WhatsApp and Telegram accounts).
The information found shows how vendors send review writers lists of the products for which they want five-star reviews, along with details such as the minimum number of words or recommendations on how many days to wait between the purchase and the publication of the review so as not to attract the attention of Amazon moderators.
These users (to whom, as the messages reveal, the vendors have presented this process as a perfectly legal business) buy the item through Amazon, leave a review with the agreed rating and then send the vendor a message with a link to their Amazon profile… and their PayPal details (email address included).
Once the company has verified that the review was published, it refunds, through the payment gateway, the money the user paid in the first place. This way, the review looks legitimate and the user ends up getting a free product.
What consequences could this plot coming to light have?
The wealth of data exposed in the messages could now allow Amazon to take action against vendors and users for violating its terms of service... not to mention that national authorities could punish violations of consumer protection laws where they exist: in the United States, for example, tactics of this kind can lead to fines of more than 10 million dollars for companies.
In Amazon's case, this allows the e-commerce giant to withhold money from the affected vendors' pending transactions, publicly reveal their identity (with the reputational effect that would have) and even terminate their seller accounts on the platform with immediate effect.
Although there is no official confirmation of a link between the two events, the popular gadget brand Aukey has recently been disabled as a seller on the Amazon platform, and both companies have kept quiet about the reasons, as our colleagues at Xataka report.
On the other hand, fraudulent reviews could be (and probably will be) deleted, and the ratings given in them will no longer be counted when calculating each product's average score. Although action could also be taken against the users themselves, Amazon's policy is primarily aimed at acting against vendors who abuse its platform.
Of course, if at any point the identity of the owner of the server hosting the database becomes known, they could also face sanctions from the data protection authorities of every country whose citizens or companies appear among the leaked data.
Via | Safety Detectives
Image | Based on an original by Ajay Juresh via Flickr