4

My wife's Amazon account was hacked yesterday. She discovered the purchases, changed her password to both gmail and Amazon, and enabled Amazon's 2-step verification (2FA) through SMS on her phone and figured the matter was done. However, 3 times now the malicious actor has disabled Amazon's 2SV without her receiving a single text from when they are logging in. Amazon also seems to require providing a OTP when attempting to change any security settings, including disabling 2SV. The last of these occurred overnight while her laptop was shut and presumably asleep. Amazon does send e-mails stating that 2SV has been disabled, but that is her only warning that fraudulent purchases are about to start again.

She's completely on the Apple ecosystem with only a MBP and an iPhone 11 which are behind a Unifi firewall with no ingress allowed to those machines. I don't see any malicious processes running on her MBP, and she has not installed anything recently that did not come from the App Store, and her phone is definitely not jailbroken. I can't completely rule out something running on either her physical devices, but it seems unlikely.

How is someone able to disable Amazon's 2FA without the specified 2FA device receiving ANY notification? I feel like I've ruled out everything except someone with physical access to Amazon's systems which seems crazy. Is there something I'm missing? Something else I should try?

Edit: On recommendation of another website we disabled SMS 2FA and switched it to voice. Less than an hour later it was disabled again. I'm completely stumped.

Edit 2: We finally had Amazon fully disable my wife's account. She received an e-mail stating that to re-enable the account, she would need to call a number and speak to a live representative. Sometime during the night the hacker got her account re-enabled (unsure if they actually talked to someone) and resumed making fraudulent purchases. They still have not bothered to change her e-mail address (which is odd!) but when re-enabling the account they changed the password so we're truly locked out at the moment.

Because we never logged in, it rules out a leaked session token, but it's still possible that her MacBook was being remotely controlled in the middle of the night. I was not logging any network traffic thinking it wasn't needed while the account was disabled.

Final Edit: We were able to talk to another Amazon rep on the phone, and had them disable the account. This time the account did not get re-enabled. Unsure if the hackers just gave up, or if they were unable to get reps to re-enable. We left it disabled for about 3 weeks, then called and had them re-enable the account. It's over a year later and we've had no issues since. Unfortunately no resolution, but I'm inclined to believe the hack was happening on Amazon's side.

Mordred
    AFAIK the answer is currently unknown. Of course Amazon's fraud detection could be *a lot* better - it's unlikely that a customer will change the email address in the middle of the night and immediately purchase something. Some cool down period could work wonders. – Martin Schröder Jun 09 '20 at 17:27
  • @ReinstateMonica-M.Schröder is this a common problem then? My searches have not returned a ton of relevant information. – Mordred Jun 09 '20 at 18:13
  • You should be logging traffic to find out which device (if any) on your network is sending traffic when it happens. If you can see that it's connecting to a C&C server you can probably block that until you can find out if or where malware is installed. – user Jun 09 '20 at 18:21
  • Interesting. Sounds like a bug on Amazon's side. But out of curiosity, the attacker is only disabling the 2fa then placing an order? They are not changing the email on the account? Might I suggest making a new Amazon account with a different email. Usually an attacker will stop once detected because they know their future orders will be cancelled. Have any fraudulent orders been completed? If this continues it suggests a different motive. – 8vtwo Jun 09 '20 at 18:45
  • "Something else I should try?" Have you contacted Amazon about this? What did they say? – Anthony Grist Jun 09 '20 at 18:49
  • I was able to disable 2FA on my Amazon account without entering the code from my Authenticator app after selecting the "Don't require OTP on this browser" option when logging in (on Edge, a browser I don't use and have never previously logged into my Amazon account using). The 2FA settings on the Amazon account should list all devices where OTP isn't required, and there's also a button that supposedly will require it on all devices, so take a look at those. – Anthony Grist Jun 09 '20 at 19:02
  • More testing: It's possible to disable 2FA even if you didn't use the "Don't require OTP on this browser" option when logging in, so if the attacker is still logged in - and there's no way to force a logout of all devices on Amazon, as far as I can tell, and I don't know if changing the password invalidates all current logins - then they can probably just do that. The supposed listing of devices that don't require OTP also seems to not work. – Anthony Grist Jun 09 '20 at 19:09
  • @AnthonyGrist Amazon's [recommendations](https://www.amazon.com/gp/help/customer/display.html?nodeId=201890100) are to just change your passwords, so assuming they know what they're talking about that should force other devices to logout. They also say to [deregister](https://www.amazon.com/gp/help/customer/display.html?nodeId=201357520) devices, so I'm not sure if they do know what they're talking about. – user Jun 09 '20 at 19:13
  • @8vtwo They did not change the e-mail address but my wife just told me that at one point they were able to change the 2FA phone number. So somehow they're able to bypass 2FA potentially through a session token, change the phone number and then disable 2FA? Just kinda guessing though. – Mordred Jun 09 '20 at 19:15
  • @user It's possible that the recommendation is based on how they *think* their security works, rather than on how it actually works. The 2FA page says that to maintain account security you may still be asked for the OTP for some actions, but apparently disabling 2FA isn't one of those. – Anthony Grist Jun 09 '20 at 19:15
  • 1
    @AnthonyGrist We contacted Amazon and they were mostly unhelpful but finally locked her account for 48 hours which we wanted. At this point the hackers are only stealing from Amazon because I had my wife remove all credit cards from her account. The hacker has been "returning" items we've legitimately bought, getting an instant refund gift card and spending that balance. – Mordred Jun 09 '20 at 19:18
  • @AnthonyGrist The first thing we did was have her change her password on both Amazon and Google. She swore up and down that she had just enabled 2FA but when we checked it was disabled, so that's how we discovered they were able to bypass/disable. I made sure that no devices are set to be exempt from 2FA, but again if her session tokens are being leaked somehow it probably wouldn't matter. It would be helpful if Amazon showed a "computers logged in" view, but again... that would be too helpful. – Mordred Jun 09 '20 at 19:22
  • @user I enabled a tcpdump on my security gateway restricted to the laptop, but it was after the fact (and after Amazon locked the account). I've geolocated a bunch of IPs, but none are outside the US, and I'm seeing VERY few calls to Amazon related IPs. Might be legitimate, might be from a C&C server, but I can't differentiate right now as I don't have timestamps to go off of. I did check Chrome history and there's no activity showing in the middle of the night when we know they disabled 2FA and ordered $400 of gift cards. I don't believe her Google/gmail has been compromised. – Mordred Jun 09 '20 at 19:25
  • @Mordred If there's a keylogger it will be pretty hard to tell since it could be sending the data while she's using it. It would also allow them to log in remotely with a different device, assuming Amazon doesn't have any protection against that. – user Jun 09 '20 at 19:28
  • 1
    @user Well the protection against that should be the 2FA. Assuming there is a keylogger, they'd have to first control her device to disable 2FA from Amazon there and then sign in on a remote device. – Mordred Jun 09 '20 at 19:30
  • 1
    From what @AnthonyGrist was saying, it doesn't look like Amazon's 2FA is working like a typical 2FA. It's possible that the "don't require 2FA on this browser" option persists through password and 2FA changes as well. – user Jun 09 '20 at 19:35
  • I've done all the testing I have time to on this, but it looks like changing the password does require logging in again to access account-related pages (and probably others, I just tried re-accessing the "Your account" page). In theory, changing the password and enabling 2FA should be sufficient, unless - as @user theorised - the "don't require OTP" option persists through that change, and the attacker can still get access to the new password somehow. – Anthony Grist Jun 09 '20 at 19:43
  • 2
    Update: The hackers were able to get my wife's disabled account re-enabled, which according to the e-mail she got last night, supposedly required actually talking to someone at Amazon on the phone. They've also changed the password to something else and so we're truly locked out at the moment, although they didn't bother changing her e-mail address so she's still getting purchase notifications. It's unclear if the account was re-enabled from her computer (using a C&C server?) as I didn't have network logging turned on since her account was already disabled. – Mordred Jun 10 '20 at 17:37
  • Sounds to me like the hack may be going on on Amazon's side, not yours. If they managed to reactivate her account without calling Amazon, then for sure IMO. This actually happened to me on eBay and they ordered some items which eBay just told me to keep. I talked to someone in IT and she actually said that they didn't really know how it was being done and that my account had not even been compromised. (She said that I didn't really need to change my password but I could if I wanted to.) – Ron Kyle Jun 11 '20 at 13:59
  • Did you check in the Gmail settings that the mail your wife receives does not get forwarded to another address? The fact that the email address has not been changed on Amazon suggests the hacker needs it. Btw, it is normal to be able to disable 2FA without using an OTP, for example by contacting customer service, as there should be a way to disable 2FA if you lose your security device. – Tony Jun 14 '20 at 06:42
  • @Tony Yes, we've checked multiple times that her Gmail is not being forwarded anywhere. Also there are no filters being applied (which I would assume they'd typically do to prevent being discovered). It's possible they're able to contact customer service and continually pretend to be my wife in order to get them to disable 2FA... but I'd think that having to talk to customer service 3-4x in a 24 hour period because you've "lost" your security device might raise some red flags. Who the hell knows though. – Mordred Jun 14 '20 at 06:56
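A defender-side way to act on the traffic-logging advice in the comments above, as an added example that is not from the poster or any commenter: it parses a constructed `tcpdump -tttt -n` style capture and reports which LAN hosts were talking, and to where, within a few minutes of each "2SV disabled" e-mail, so an action taken from the laptop can be told apart from one taken from somewhere else. The capture lines, addresses and event times are constructed, and the 5-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample capture in `tcpdump -tttt -n` format (not from the poster's gateway).
# 192.168.1.20 stands in for the laptop, 192.168.1.31 for the phone; the external
# addresses are TEST-NET documentation ranges, not real Amazon hosts.
CAPTURE = """\
2020-06-09 02:14:07.120345 IP 192.168.1.20.51234 > 203.0.113.10.443: Flags [S], seq 1, length 0
2020-06-09 02:14:09.301222 IP 192.168.1.20.51235 > 203.0.113.11.443: Flags [S], seq 1, length 0
2020-06-09 03:40:11.553900 IP 192.168.1.31.44102 > 198.51.100.7.5223: Flags [P.], seq 1:30, length 29
2020-06-09 14:02:44.003001 IP 192.168.1.20.51240 > 203.0.113.12.443: Flags [S], seq 1, length 0
"""

# Constructed timestamps taken from the "Two-Step Verification disabled" e-mails.
EVENTS = ["2020-06-09 02:15:00", "2020-06-09 03:41:30"]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ IP "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):"
)


def parse_capture(text):
    """Return (timestamp, src_ip, dst_ip, dst_port) tuples, skipping lines that do not parse."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            packets.append((ts, m["src"], m["dst"], int(m["dport"])))
    return packets


def devices_active_around(packets, event, window=timedelta(minutes=5)):
    """Map each LAN source IP to the remote endpoints it contacted within +/- window of event."""
    lo, hi = event - window, event + window
    active = {}
    for ts, src, dst, dport in packets:
        if lo <= ts <= hi:
            active.setdefault(src, set()).add((dst, dport))
    return active


def correlate(capture_text, event_strings, window=timedelta(minutes=5)):
    """For each notification time, report which LAN hosts had traffic and where it went."""
    packets = parse_capture(capture_text)
    report = {}
    for s in event_strings:
        event = datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
        active = devices_active_around(packets, event, window)
        report[s] = {src: sorted(eps) for src, eps in active.items()}
    return report


if __name__ == "__main__":
    for when, hosts in correlate(CAPTURE, EVENTS).items():
        if not hosts:
            print(f"{when}: no LAN traffic in window; the action likely did not originate here")
        for src, eps in hosts.items():
            print(f"{when}: {src} talked to {eps}")
```

An empty result for an event is the useful signal: if no device on the LAN was talking when 2SV was disabled, the change was made from outside the home network.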

1 Answer

0

To be clear: this is a guess. However, it occurs to me that, running on the Apple ecosystem like that, there's one account which is in the security-critical path but which you did not mention checking the security of: your (wife's) Apple ID account. If the attacker got into that, then they could potentially use iMessage to access incoming SMS in real time, or get them from the phone on demand. They could also potentially delete them from the phone so you wouldn't know. I don't know if there's an equivalent for calls - I'm not primarily an Apple user - but it wouldn't surprise me. Breaching somebody's Apple ID account as a way to get access to their messages is a known attack pattern, and one of the reasons why SMS-based authentication is not very secure.

CBHacking
  • That is an interesting theory, and one I don't remember investigating at the time. I haven't heard of the ability for someone else to receive your phone calls as well before, but maybe that's possible and could potentially explain some of the weirdness. – Mordred Nov 05 '21 at 15:35