Can you trust the reviews that appear for products offered by third-party vendors on Amazon? An open database discovered on Amazon’s servers reveals that you can’t, and it poses a big problem for the company.
The cybersecurity experts at SafetyDetectives recently discovered an open AWS Elasticsearch database that contained a “treasure trove” of data related to organized fake reviews on Amazon. The database consisted of over 13 million records and 7 GB of data, including direct messages between Amazon vendors and customers who provided fake review scores. In total, over 200,000 people are involved and the evidence points to this being an operation run out of China targeting both the US and Europe.
So how does it work? Amazon vendors involved in the scheme produce a list of products they want to generate five-star reviews for. Customers signed up to take part then purchase those items on Amazon and wait a few days after receiving them before posting their review. A message is then sent to the vendor along with a link proving the review is live and details of a PayPal account. The vendor then rewards the customer by refunding the purchase while allowing the customer to keep the product.
As the refund is handled through PayPal, Amazon has no record of it occurring and therefore has no reason to question the validity of the review. As far as its system is concerned, a legitimate purchase was made and a review was left in a timely manner. But other customers considering the same product are unknowingly being deceived.
Amazon does moderate reviews, but the vendors performing this deception are well aware of the process and checks. The database also contained messages where customers are given rules to follow when creating a review. For example, a specific word count must be exceeded and in some cases a video is requested to accompany the text in a bid to make it look real and avoid a red flag from moderators.
Unfortunately for Amazon, and all online vendors for that matter, the fight against fake reviews can only ever be managed rather than solved. But data leaks like this certainly help show how organized the process is and the techniques used to avoid detection, which hopefully helps improve moderation systems.