Amazon has spent years rooting out fake reviews and other seller scams from its e-commerce platform. But the latest discovery from security researchers at SafetyDetectives reveals what appears to be a sophisticated scheme by Amazon vendors to procure fake reviews for their products.
SafetyDetectives' cybersecurity team found a China-based Elasticsearch server containing direct messages between Amazon vendors and customers running fake review schemes in exchange for free products. In total, the 7GB treasure trove contained over 13 million records, including the email addresses and WhatsApp/Telegram phone numbers of vendor contacts, plus email addresses, names, PayPal account details, and Amazon account profiles of reviewers, impacting approximately 200,000 people.
The information on the server outlined standard procedures by which Amazon vendors would procure fake reviews for their products.
These Amazon vendors send to reviewers a list of items/products for which they would like a 5-star review. The people providing the 'fake reviews' will then buy the products, leaving a 5-star review on Amazon a few days after receiving their merchandise.
Upon completion, the provider of the fake review will send a message to the vendor containing a link to their Amazon profile, along with their PayPal details.
Once the Amazon vendor confirms all reviews have been completed, the reviewer will receive a refund through PayPal, keeping the items they bought for free as a form of payment.
The refund for any purchased goods is actioned through PayPal and not directly through Amazon's platform. This makes the five-star review look legitimate, so as not to arouse suspicion from Amazon moderators.
In some cases, there may be an additional payment – based on the scale of the services provided by the person posting fake reviews. However, we didn't find any examples of this in the exposed server.
The SafetyDetectives team discovered the database on March 1, and it was secured later that month. The researchers weren't able to track down its owner.
"Given the extent of the records and vendors included in the database, it's possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors," the team said.
Amazon does moderate reviews, but the vendors performing this deception can skirt around platform rules. Data breaches like this help show people that reviews on Amazon cannot be trusted.