Account history and ratings are foundational for any successful e-commerce platform. If a buyer or seller has a lengthy track record of good feedback and high ratings, conventional thinking states, they must be trustworthy. Thus, both users and automated mechanisms use increased scrutiny for new accounts. But these assumptions and algorithms might be missing something important.
On the underground, there is a large market for what are known as “aged accounts.” In this attack chain, one actor opens an account, cultivates it with time and legitimate transactions, and then sells it on underground channels to another actor, who can use it for fraudulent purposes. Purchasing an aged account enables an actor to circumvent any verification processes for opening an account (such as a phone number or ID), and it allows them to use an already established and trusted account for various malicious purposes.
A recent analysis of the sale of aged accounts shows that this type of activity is gaining traction. Specifically, there has been a nearly 240% increase in the monthly average of underground posts mentioning aged Amazon accounts.
These accounts can be used for both selling and buying. In selling, an actor can simply use an account with good history and positive feedback to list and sell items without actually delivering anything (though this is complicated if the platform holds payment until delivery is confirmed). Also, malicious sellers can ship defective items or lure prospective buyers into purchasing the item outside of the platform and then not delivering the goods.
Even a seller without fraudulent intent can still use aged accounts; with so many vendors competing on massive platforms such as Amazon or eBay, it can be difficult for a new seller to rise above the rest to be noticed and trusted. By purchasing an aged account with long history and positive feedback, a new seller can gain a competitive edge.
Figure 1: An actor seeking an aged eBay account that will not lock when they list an item for sale
Furthermore, threat actors can use aged accounts in fraudulent purchasing, specifically refunding, in which a buyer claims and collects undeserved refunds.
Figure 2: An actor looking for aged accounts with intent to use them in refund fraud
A threat actor can use aged buyer and seller accounts together. In a post, an actor explained that the buyer account purchases an item from the seller and then requests a refund (presumably, reporting that the items were lost or damaged in shipment). The seller account then confirms the request, compelling the shipping company or insurer to cover the “problematic” delivery. Tellingly, they note to keep refunded amounts under $500 to avoid arousing the suspicion of the e-commerce platforms.
Figure 3: An actor claims to be in possession of 20 aged Amazon account, seeking tips on how to use them in refund fraud
Amazon accounts are the most popular aged e-commerce accounts. In the last two years, Cybersixgill discovered 6,862 posts on underground forums, markets, and messaging platforms discussing aged Amazon accounts. These discussions include posts of actors selling them (sometimes in bulk), seeking to buy, and explaining how to use them for fraudulent purposes.
The number of monthly accounts has risen significantly in recent months. From December 2020 until March 2022, there were an average of 163 monthly posts mentioning aged Amazon accounts in underground forums, markets, and communication platforms such as Telegram. There were also noticeable increases in advance of Prime Day in June and the shopping season in the fall.
However, the number of monthly posts skyrocketed to 378 in April 2022, and from May through November, there was an average of 553--a trend primarily driven by many new actors selling Amazon accounts on Telegram, several of which are dedicated to this specific activity.
We assess that this increase in activity indicates that aged accounts are instrumental in helping many actors achieve their goals.
Aged e-commerce accounts
As noted, Amazon accounts are, by far, the most popular aged accounts for sale. One actor pointed out that these accounts are a “team creation,” indicating that there is a sizable operation behind creating these accounts.
Figure 4: An actor selling aged Amazon buyer accounts that are a “team creation,” indicating a sizable operation behind opening them
While some accounts are only aged a year or two, other actors seek even older ones.
Figure 5: An actor seeking an Amazon account aged 11+ years
Most listings for aged accounts do not include a selling price, but mentioned prices are usually tens of dollars. For example, an actor selling 280 aged accounts aged 6+ years and generally with 7-10 transactions asked for $35 apiece.
Figure 6: An actor selling 280 accounts aged 6+ years and generally with 7-10 transactions for $35 apiece.
However, accounts with more transactions are more expensive. For example, an actor on Telegram asked for $2,000 for an Amazon account that had $63,000 in transactions:
Figure 7: An actor on Telegram selling an Amazon account that had $63,000 of transactions for $2,000
Other e-Commerce accounts
While aged Amazon accounts comprise most of the listings for aged accounts sold on the underground, other e-commerce platforms also appear. For example, in a Telegram post, an actor offered aged buyer accounts for Walmart, Etsy, Target, and Best Buy.
Figure 8: An actor selling aged accounts belonging to Walmart, Amazon, Etsy, Target, Bestbuy, LinkedIn, and Snapchat.
eBay is also a popular target. For example, in a post, an actor asked to purchase an aged and verified eBay seller account that would not be suspended when listing an item for sale. The actor even asked for the account’s cookies, likely so they could spoof the account’s original location, thus preventing the detection of anomalous behavior.
Figure 9: An actor seeking a verified eBay seller account
Another actor looked specifically for aged accounts belonging to traditional brick-and-mortar department stores, including Target, Kohl’s, Walmart, and Nordstrom.
Figure 10: An actor seeking aged department store accounts--Bergdorf Goodman, Target, Kohl’s, Walmart, and Nordstrom.
This actor is selling an aged Facebook Marketplace account for $45. The account is allegedly verified with “Facebook authorities.”
Figure 11: An actor sells a Facebook Marketplace account for $45. This account includes “activities and lots of friends” and is verified by Facebook
Finally, this actor inquires about buying an aged Alibaba account.
Figure 12: An actor inquires about buying an aged Alibaba seller account and if one can add fake transaction volume and comments.
Threat actors follow the money. Therefore, if we see increased supply and demand for a specific TTP on the underground, we can generally infer that actors are using it successfully. Thus, the boom in aged accounts for sale on the underground is quite indicative.
While we cannot predict precisely how actors are using these accounts, e-commerce providers and their users must be wary and vigilant. Consumers looking to purchase an item must look for red flags, such as an account that suddenly changed its inventory, or that is suddenly selling an excess of expensive items. Vendors on e-commerce sites, meanwhile, must understand the threat of refund fraud so they can identify it and take swift action.
However, the bulk of the responsibility falls on the e-commerce platforms themselves. They must monitor the sales of aged accounts on the underground to understand trends and TTPs, and they should introduce technical measures to detect when an account is sold from one user to another (beyond simply detecting a change in location, since often account sellers transfer the browser cookies as well). They must also introduce methods and procedures to detect retail fraud accurately, thus weeding out the bad actors from legitimate commercial transactions – with the ultimate goal of maintaining the trust and protecting their customers.