A Misconfigured Database Exposes 200k Fake Amazon Reviewers

A fake Amazon review scheme has been uncovered after scammers left a misconfigured database open online.

Despite Amazon’s many efforts, the exposed server reveals that fake reviews are still a widespread problem in online shopping.


The server contained 7GB of data, amounting to over 13 million records. These included contact details for vendors, including email addresses and phone numbers, alongside the surnames, PayPal accounts, and Amazon profiles of product reviewers.

75,000 Amazon accounts, as well as over 230,000 Gmail addresses, were discovered in the data.

When you factor in the other email accounts as well as the duplicate emails, this potentially implicates around 200,000 people in the scam.

The China-based Elasticsearch server, which lacked any encryption or password protection, was discovered by cybersecurity researchers at SafetyDetectives.

They discovered the database on March 1st, and after they had monitored the server, it was secured on March 6th.

The team outlined how the scam works: vendors provide reviewers with a list of products for which they want a five-star review.

The fake reviewers will then buy the requested products, and leave a five-star review on Amazon after receiving their goods.

Once this process is completed, the reviewer messages the vendor with a link to their Amazon profile as well as their PayPal details.

They then receive a refund through PayPal, with the purchased items forming their payment.

The leak included details that explained how reviewers can avoid detection, including waiting five to seven days before providing a review and ensuring that it meets pre-specified word lengths.

The group stated: “Given the extent of the records and vendors included in the database, it’s possible that the server is not owned by the Amazon vendors running the scam. The server could be owned by a third party that reaches out to potential reviewers on behalf of the vendors. What’s clear is that whoever owns the server could be subject to punishments from consumer protection laws, and whoever is paying for these fake reviews may face sanctions for breaking Amazon’s terms of service.”

Since the refund is conducted through PayPal, and not directly through Amazon, the five-star review looks legitimate and raises no suspicion at all from Amazon moderators.

Although the scams are illegal, the researchers noted that some of the vendors who pay for reviewers may not be acting in bad faith. This is because the scammers have presented themselves as a legitimate business advertising “Free Product Trials” as part of a “Reviewer Reward Program”.

The act would still, however, violate Amazon’s terms of service, which would see the company suspend the vendor’s account.

