Hackers have zeroed in on the growing number of third-party sellers on Amazon Marketplace, reportedly using stolen logins to swipe thousands of dollars from some merchants.
In recent weeks, hackers have ramped up their attacks by taking over dormant accounts and changing the bank account information. They’ll then post nonexistent merchandise at bargain prices, make the sell and collect the cash, according to a report in the Wall Street Journal.
Buyers can get a refund, but the scam hits sellers hard, since they’re on the hook for reimbursing customers who never received their merchandise.
Related: Amazon Refunding up to $70 Million for Kids’ In-App Purchases
Margina Dennis, a professional makeup artist in Rutherford, NJ, told NBC News she still has more than one hundred emails to answer from angry customers who are wondering why they never received a Nintendo Switch hackers posted from her account. That’s in addition to the tens of thousands of dollars in debt she is now contesting after her account was compromised.
“This has been mentally, emotionally, so trying and the level of frustration trying to deal with them,” Dennis said. “Basically their response is, ‘We received a notice and we’ll get back to you when we get back to you. We can’t tell you when or if.'”
The issue came to Dennis’ attention when she said she received hundreds of emails from buyers complaining they never received the Nintendo Switch the ordered from her account.
Amazon sent Dennis a note on March 29th saying she may have been hacked, however she said she had to wait days for her account to be taken down since the hacker changed the password and she was unable to log in.
“I know people who have been dealing with this longer than I have and it is all falling on deaf ears,” Dennis said.
She added, she would never shop or sell on Amazon again, “if it’s the last thing on Earth.”
The company is working to make sure sellers like Dennis don’t have to handle the financial burden of the hacks, a person familiar with the matter told NBC News.
Amazon spokesman Erik Fairleigh told NBC News in a statement that the company, “is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence on Amazon.com.”
“There have always been bad actors in the world; however, as fraudsters get smarter so do we,” he said.
Amazon’s statement also suggested people monitor their accounts on a regular basis and turn on two-factor authentication, sending a code to their phone and adding an extra layer of security.
The hacks appeared to stem from stolen credentials from other places that were then sold on the dark web.
Hackers then likely used a method called “credential stuffing,” trying out stolen or leaked usernames and passwords on other different popular websites to try to login there too, Jeremiah Grossman, chief of security at SentinelOne told NBC News.
“This particular attack is almost two decades old. You shouldn’t allow a merchant account to sit dormant for long,” Grossman told NBC News.
Amazon’s Marketplace has two million sellers — and an estimated one hundred thousand pulling in six figures, making it a “juicy target and complex to manage from a security point of view,” said Matthew Gardiner, a cybersecurity strategist at email security company, Mimecast.
“Whomever bears ultimate responsibility for the Amazon attacks, what seems clear is that the security controls in place are not sufficient for the risk,” he said.