The cybersecurity team at SafetyDetectives, which conducts antivirus reviews, uncovered a database leak that appears to have exposed more than 200,000 people involved in a scam where Amazon vendors exchanged free products for fake reviews.
The issue of fake product reviews, where sellers seek to gain an edge over competitors by boosting their rankings, has been a persistent one on the marketplace that Amazon has been battling.
SafetyDetectives said the open ElasticSearch server contained more than 134 million messages between Amazon vendors and customers willing to provide fake reviews in exchange for free product. The leak was discovered on March 1 and monitored until the server, believed to be in China and not associated with participants in the scam, was secured on March 6.
According to SafetyDetectives, the scam worked by having 3P sellers send potential reviewers a list of products for which they were seeking five-star reviews. The reviewers would then buy the product and post the review. Once it was verified by the seller who was sent a link to the reviewer’s Amazon profile, they would be reimbursed for the purchase through PayPal, not through the Amazon platform.
“(Processing payment through PayPal) makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators,” SafetyDetectives noted in a blog post.
The 13 million-plus records, more than 7GB of data, were exposed when the server “was left open without any password protection or encryption,” the group said. This included personal data of both the sellers and the reviewers, such as email addresses, Whatsapp and Telegram phone numbers.
“Contact details were given to the potential fake review providers to continue communications outside of the services where these leaked interactions had taken place,” the group said. As many as 250,000 may be involved in the fake review scam.
Leaked data included information that could be used to personally identify individuals, including Amazon accounts and profiles, PayPal account details, email addresses and user names that often contained first and last names.
Reviewers were given specific criteria to follow in order to avoid the scrutiny of Amazon’s fraud detection by making the reviews appear legitimate. This included waiting a few days before publishing a review, making the reviews longer and providing details to be included in them.