Independent sellers listing products on Amazon – the world's biggest online marketplace – have reportedly been targeted by hackers who are using stolen credentials from other major data breaches to log into vendor accounts, alter payment details and post fake deals.
Hackers are changing the bank deposit information of sellers' accounts and have already stolen "tens of thousands of dollars", the Wall Street Journal reported on 10 April. The attackers are also posting "non-existent" goods for sale at huge discounts to lure in victims, it added.
In one case, New York-based lawyer CJ Rosenbaum, who is representing Amazon sellers who claim to have been hacked, said his clients lost between $15,000 and $100,000 worth of sales. While the full scope of the cyberattacks is unclear, the malicious activity on some accounts has reportedly spiked since mid-March.
On its website, Amazon describes third-party sellers as offering a "variety of new, used, refurbished, and collectible merchandise". It warns users against sending funds directly and typically withholds payments until customers are happy with their purchase.
However, in the hacking scheme, crafty criminals are listing sought-after tech products – including the recently-released Nintendo Switch – for up to half price, claiming that shipping will take up to four weeks. This is a bid to collect payment before Amazon realises it is a fraudulent transaction.
In response to the findings, an Amazon spokesperson said: "There have always been bad actors in the world who try to take advantage of consumers for financial gain; however, as fraudsters get smarter so do we." The statement said the firm is "constantly innovating" its approach to security.
It is believed the hackers are obtaining the stolen emails and passwords from other huge troves of data leaked from hacked big-name companies. Last year, a slew of these incidents came to light, with technology giants including Dropbox and Yahoo falling victim to cyberattacks.
After such data is stolen, it is routinely traded on the dark web via underground marketplaces specialising in selling databases, drugs and other illicit goods. Internet users who continue to re-use old passwords and fail to use multi-factor authentication remain at risk, experts warn.
In July last year, Mic reported that a hacker had claimed to have stolen the Amazon account information of 80,000 users; however, the firm later denied it was breached. The year prior, in November 2015, the company issued a widespread password reset and a security warning to some users.
IBTimes UK contacted Amazon for comment but had received no response at the time of publication.