Hackers are targeting the growing population of third-party sellers on Amazon.com, using stolen credentials to post fake deals and steal cash.
Continue Reading Below
In recent weeks, attackers have changed the bank-deposit information on Amazon accounts of active sellers to steal tens of thousands of dollars from each, according to several sellers and advisers. Attackers also have hacked into the Amazon accounts of sellers who haven't used them recently to post nonexistent merchandise for sale at steep discounts in an attempt to pocket the cash, those people say.
The fraud stems largely from email and password credentials stolen from previously hacked accounts and then sold on what's dubbed the "dark web, " a network of anonymous internet servers where hackers communicate and trade illicit information. Such hacks previously have favored sites such as PayPal and eBay, but Amazon recently has become a target of choice, according to cybersecurity experts.
"Hacking Amazon is becoming...increasingly a big deal," said Juozas Kaziuk nas, chief executive of Marketplace Pulse, a business-intelligence firm focused on e-commerce. "The value to be gained is bigger as Amazon grows."
While the precise scope and financial impact of the Amazon attacks is unclear, some sellers say the hacks have shaken their confidence in Amazon's security measures. Such third-party merchants are critical for Amazon's retail business, with more than two million sellers on the site accounting for more than half of its sales, including more than 100,000 sellers who each now sell in excess of $100,000 annually.
An Amazon spokesman said the company "is constantly innovating on behalf of customers and sellers to ensure their information is secure and that they can buy and sell with confidence." The company withholds payment to sellers until it is confident customers have received their orders, and guarantees a full refund if a product doesn't arrive or isn't as advertised. Sellers who lost money will be made whole. "There have always been bad actors in the world who try to take advantage of consumers for financial gain; however, as fraudsters get smarter so do we," the spokesman added.
CJ Rosenbaum, a New York-based lawyer who represents Amazon sellers, says that more than a dozen of his clients have recently called to tell him they were hacked, a number of whom lost about half of their monthly sales of $15,000 to $100,000. They are asking Amazon for their money back, Mr. Rosenbaum said.
Lightning X Products Inc. had $60,000 evaporate from its Amazon account last month, said Andy Spivey, product manager of the Charlotte, N.C.-based bag maker. Mr. Spivey said Amazon notified him of suspicious activity, but by the time he logged in, the bank account info had been changed.
Lightning X has gone through its emails and scanned its systems for an attack. "We're not sure how they gained access to the account," Mr. Spivey said. Amazon told him Friday the money will be returned, he said.
Hacks of dormant Amazon seller accounts in particular have increased since mid-March, to more than 20 some days from the low single-digits earlier this year, according to Marketplace Pulse, which monitors seller activity on e-commerce sites.
In many cases, criminals create thousands of new listings for electronics or other goods at half price and mark them for four-week shipping, hoping to collect payment before Amazon realizes.
Margina Dennis, who rarely uses her seller account, discovered she had been hacked late last month when she started to receive notifications to ship Nintendo Switch videogame systems. She notified Amazon immediately that she hadn't listed the device, but Amazon still tried to charge her for unreceived items, she said.
"This has been a nightmare," said the makeup artist, who said Sunday afternoon she was still waiting for resolution.
Amazon declined to comment on individual sellers.
Handmade jewelry seller Amy Jennings faced a similar plight when thousands of notifications for sales of fraudulent items ranging from gun holsters to Easter eggs pinged an app on her phone, draining the battery. She could see customer complaints, but hackers had locked her out of her account. Amazon told her it is investigating, she said.
Cybersecurity experts say that in some cases the hackers have been buying account information from previous hacks of other companies. More than 2.6 billion email addresses and passwords have been stolen in total from companies including Adobe Systems Inc., Myspace, and LinkedIn Corp., according to warning website Haveibeenpwned.com.
Those credentials typically sell for between $1 and $3 apiece, sometimes accompanied by hacking tutorials.
Experts said protecting against such fraud is relatively simple. Sellers should be using unique passwords and enable two-step verification, which sends a telephone prompt before allowing a login, said Alex Holden, chief information security officer of Hold Security LLC, a firm that specializes in location stolen online credentials.
Mr. Holden also advises sellers set Amazon notifications for email alerts anytime anything is changed on the account. In the new world, passwords are "the keys to your shop," he said. "You don't lose them, because you get burglarized."
Experts also suggest consumers beware if a popular item -- such as the Nintendo Switch -- seems priced too good to be true. Shoppers should watch out for suspiciously low prices, a high number of negative reviews and sellers that haven't received a new review in months or even years, they said.
Write to Laura Stevens at email@example.com and Robert McMillan at Robert.Mcmillan@wsj.com