A former Amazon software developer had his account information given away by, of all companies, Amazon.
It seems this all started with domain registrations: Eric Springer used the address of a hotel instead of his own. He writes on Medium.com: “It’s just a fake address of a hotel that was in the same zip code where I lived. I used it to register some domains, knowing that the whois information all too often becomes public. I used the same general area as I lived, so that my IP address would match up with it.”
Now I am not sure why he just wouldn’t pay for WHOIS privacy, but it seems that someone did a WHOIS query, contacted Amazon with the bogus hotel address, and got Springer’s real information out of Amazon support.
Springer found out about all of this after receiving a thank-you from Amazon for contacting them, which he had not done.
He details three separate attempts to get the last four digits of his credit card number.
The article was summed up with some tips:
After being the victim of these attacks for months, I’d like to make some recommendations for services:
- NEVER DO CUSTOMER SUPPORT UNLESS THE USER CAN LOG IN TO THEIR ACCOUNT. The only exception to this would be if the user forgot the password, and there should be a very strict policy. The problem is, 9999 times out of 10000 support requests are legitimate, so agents get trained to assume they’re legitimate. But in the 1 case they’re not, you can completely fuck someone over.
- Show support agents the IP address of the person connecting. Is it a usual one? Is it a VPN/Tor one? etc. Give them a warning to be suspicious.
- Email services should allow me to easily create lots of aliases. Right now the best defense against social engineering seems to be my FastMail account, which allows me to create 1 email address alias per service. This makes it incredibly difficult for an attacker when they can’t even figure out your email.
- Please make WHOIS protection default. Mine leaked because a stupid domain I didn’t care about had its Namecheap WHOIS protection expire.
For users, be extremely careful with the information you share. Even big companies like Amazon can’t keep it safe, they’re far from the worst.
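The support-side recommendations above (refuse account-specific support to an unauthenticated requester, show the agent whether the source IP is familiar or a Tor exit, and register a distinct alias per service so a mismatched contact address is itself a red flag) can be turned into a concrete triage check. The block below is an added example, not code from Springer’s post or from Amazon; the Account and SupportRequest records, the Tor exit ranges, and every IP and email address in it are constructed for illustration.

```python
# Added example (not from the original post): triage of an inbound support
# request per the recommendations above. All data here is constructed.
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Account:
    email_alias: str                              # per-service alias used at signup
    known_ips: set = field(default_factory=set)   # IPs seen on authenticated logins


@dataclass
class SupportRequest:
    claimed_email: str          # address the requester says belongs to the account
    source_ip: str              # IP the requester is connecting from
    authenticated: bool         # did they log in before opening the ticket?
    password_reset_flow: bool = False   # the one sanctioned unauthenticated path


# Constructed Tor exit ranges (a real deployment would load the Tor project's
# bulk exit list and a VPN/hosting range feed instead).
TOR_EXITS = {"185.220.101.0/24", "199.87.154.255/32"}


def ip_in_ranges(ip, ranges):
    """True if ip falls inside any CIDR in ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def triage(req, account):
    """Return (allowed, warnings).

    allowed=False means the agent must not disclose or change anything on
    the account. warnings is the list of banners to show the agent so that a
    plausible-sounding caller does not get the benefit of the doubt.
    """
    warnings = []
    # Rule 1: no authenticated session and not in the reset flow -> refuse.
    if not req.authenticated and not req.password_reset_flow:
        return False, ["requester is not logged in: refuse account-specific support"]
    # Rule 3: the alias on file is unique to this service; a different
    # address means the caller got the account from somewhere else.
    if req.claimed_email.lower() != account.email_alias.lower():
        warnings.append("contact email does not match the alias on file")
    # Rule 2: surface where the request is coming from.
    if req.source_ip not in account.known_ips:
        warnings.append("unfamiliar source IP")
    if ip_in_ranges(req.source_ip, TOR_EXITS):
        warnings.append("source IP is a Tor exit")
    return True, warnings


if __name__ == "__main__":
    acct = Account("amazon-only@example.com", {"203.0.113.7"})
    print(triage(SupportRequest("eric@example.com", "185.220.101.45", False,
                                password_reset_flow=True), acct))
```

The reset flow deliberately still returns allowed=True so the password-reset path keeps working, but it carries every warning; that is where the “very strict policy” Springer asks for has to live, since it is the only path an attacker without the password can use.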
Tony says
WHOIS protection is quite expensive, sometimes more so than a domain itself.
There should be a one-off fee to cover a portfolio.
I know there are corporate services, but there are plenty of individuals with, say, 5-20 domains or so where the charges are just not economical.
janedoe says
Some offer free privacy protection.
Tony says
There are some, but these are often 1st-year promos that then shoot up in the following years. Others seem to price it in, so not really free. Also, if you need to transfer the domains they will ask for a year’s registration, which may be much more than your current registrar. Then, just to add to this, if you’ve got domains using the new gTLDs this can further complicate it.
I’m open to any places you know of which may assist so please fire away.
Alexis says
There are many domain registrars that offer free WHOIS privacy. Here is a list (I am not affiliated with any of the websites listed):
http://www.registrarowl.com/report_registrar_free_whois_privacy.php
John says
Do your own. Register a domain name, e.g. http://www.noneofyourfreakingbusiness.com, get a PO box, and make your WHOIS reflect something like
domainname.com
Private Registration
PO Box 2016
city/state/zip
email contact, myinfois@noneofyourfreakinbusiness.com
Your account can have your real name etc. I’ve done this for 12 years. Have not paid for privacy.
Now Uniregistry offers free privacy, and Moniker was $1.00, which was reasonable, but they ruined that place IMO.