Picture credit: https://flic.kr/p/EHyc8
Picture credit: https://flic.kr/p/EHyc8

Dima Bekerman, security researcher at Imperva, has blogged about how easily his Amazon account was broken into.

The researcher claims this is likely as a result of him using similar passwords in different accounts - “an annoying but common attack”, said Bekerman.

However, what he originally thought was a run-of-the-mill account breach turned into a story about perpetrators using registration bots to launch a smokescreen—an attack method he found extremely interesting.

Bekerman wrote: “I initially had no idea my Amazon account had been breached. In fact, I only noticed that something was odd when I opened Gmail one night and found hundreds of registration confirmations to numerous services I'd never heard of. What's more, I was receiving a similar email every few seconds.”

Explaining how he noticed the pattern of registration, Berkerman explained: “I noticed that the registration email usernames followed a clear pattern. Each used a random string of nine or ten letters followed by four numbers. Second, I saw that I was steadily receiving five new emails every minute. Both were clear signs of automation that used registration bots. When most of the noise had been cleared, I found an Amazon email hidden among the junk. It informed me that my purchase—one I hadn't made—would be delivered within 24 hours.”

Bekerman opined that his Amazon account was likely breached some time ago, but the attackers hadn't been able to do anything because no credit cards were linked to his account.

However that swiftly changed: “Once I got the gift card, however, they seized the opportunity. The card wasn't stolen right away. First registration bots mass subscribed me to thousands of sites, thereby flooding my inbox with registration confirmations. Afterwards, the attackers used my gift card hoping I wouldn't see Amazon's message amid all the junk.”

Bekerman claims the attack was interesting as registration bots – typically used for brute force attacks – were employed to launch a smokescreen against a single user. He said: “I also noticed that the method the attackers used to launch the smokescreen was very similar to a DDoS reflection attack. Here, the perpetrator initiates a multitude of fake requests in the target's name, who is then swamped with unsolicited responses.”

“I hope this story encourages everyone to remain alert about any unusual activity they encounter online. For me, what originally resembled an email spam attack was actually a way to conceal a theft. This just goes to show that with cyber-crime, things aren't often as they appear,” said Bekerman.