I’d ordered some stuff from Amazon. I wanted to check my shipping status as I need to both be here when it comes and be out doing stuff otherwise.
A quick DuckDuckGo search had found the login for Amazon before, so… I typed, a page that was very familiar opened. I logged in to my account. “No Orders!” in the last 6 months. “No Gift Card Balance!”. WT?
It looked, smelled and tasted like Amazon. On a quick read of the URL it looked about right. Yet it both knew me and didn’t know about me. Paranoia begins to set in. Well, actually, it’s always set at “You are the Systems Admin! They are ALWAYS out to get you!” because they are. Capture accounts of the guy with root access, you capture it all; so I’m used to being the prime target. Was this a bogus web site, designed to look like Amazon and via some small typo pop up a login window that looks good, only to capture your Username and Password? Had I been phished and pwned?
I immediately logged out, hit my history listing for a link where I knew I was just looking at products and clicked it. Logged in again as me. There was my order history, my $5 or so of gift card balance. All was good, increasing the odds the “other login” was bogus. I immediately changed my password (so that anyone who captured it now had a useless thing and could not change it, locking me out while they “loaded up my card” with goodies).
Well, the account only points at a Walmart reloadable debit card that typically has $20 on it at any one time, so not a high risk in any case; but still; pwned (owned by a hack) is pwned and you don’t want to be that. Smug that I’d reacted in a minute or maybe less, I proceeded with the “must do” spousal requests.
Now, a couple of hours later, I got to do a more detailed look at just who was a what. Inspecting my browser history and CLOSELY comparing the URLs showed that the “quasi bogus” one was NOT amazon.com it was amazon.com.au and an Australian site. A series of web searches turned up pages saying there WAS NO Amazon.com.au… but might be one soon. Unfortunately, many had no date or updates. So was it real or bogus? Has “will be” aged into “has been for a while”?
Turning to the terminal:
I did an “nslookup” and “whois” on Amazon and on it.
    EMs-MacBook-Air:Downloads chiefio$ nslookup amazon.com
    Server: 220.127.116.11
    Address: 18.104.22.168#53

    Non-authoritative answer:
    Name: amazon.com
    Address: 22.214.171.124
    Name: amazon.com
    Address: 126.96.36.199
    Name: amazon.com
    Address: 188.8.131.52

    EMs-MacBook-Air: chiefio$ whois amazon.com
    Domain Name: AMAZON.COM
    Registry Domain ID: 281209_DOMAIN_COM-VRSN
    Registrar WHOIS Server: whois.markmonitor.com
    Registrar URL: http://www.markmonitor.com
    Updated Date: 2014-04-30T19:24:35Z
    Creation Date: 1994-11-01T05:00:00Z
    Registry Expiry Date: 2022-10-31T04:00:00Z
    Registrar: MarkMonitor Inc.
    Registrar IANA ID: 292
    Registrar Abuse Contact Email: email@example.com
    Registrar Abuse Contact Phone: +1.2083895740
    Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
    Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
    Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
    Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
    Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
    Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
    Name Server: NS1.P31.DYNECT.NET
    Name Server: NS2.P31.DYNECT.NET
    Name Server: NS3.P31.DYNECT.NET
    Name Server: NS4.P31.DYNECT.NET
    Name Server: PDNS1.ULTRADNS.NET
    Name Server: PDNS6.ULTRADNS.CO.UK
    DNSSEC: unsigned
    URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
    >>> Last update of whois database: 2018-03-28T15:28:08Z <<<

    For more information on Whois status codes, please visit https://icann.org/epp
So Amazon.com is registered via an intermediary of MarkMonitor Inc. OK…
    EMs-MacBook-Air: chiefio$ whois amazon.com.au
    Domain Name: amazon.com.au
    Last Modified: 07-Nov-2016 10:19:54 UTC
    Status: clientDeleteProhibited
    Status: clientUpdateProhibited
    Status: serverDeleteProhibited (Protected by .auLOCKDOWN)
    Status: serverUpdateProhibited (Protected by .auLOCKDOWN)
    Registrar Name: MarkMonitor Inc.

    Registrant: Amazon Corporate Services Pty Ltd
    Registrant ID: ACN 082 931 600
    Eligibility Type: Company
    Eligibility Name: Amazon Corporate Services Pty Ltd

    Registrant Contact ID: MMR-138740
    Registrant Contact Name: Amazon Hostmaster
    Registrant Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

    Tech Contact ID: MMR-28993
    Tech Contact Name: Hostmaster, Amazon Legal Dept.
    Tech Contact Email: Visit whois.ausregistry.com.au for Web based WhoIs

    Name Server: pdns1.ultradns.net
    Name Server: pdns2.ultradns.net
    Name Server: pdns3.ultradns.org
    Name Server: pdns4.ultradns.org
    Name Server: pdns5.ultradns.info
    Name Server: pdns6.ultradns.co.uk
    Name Server: ns1.p31.dynect.net
    Name Server: ns2.p31.dynect.net
    Name Server: ns3.p31.dynect.net
    Name Server: ns4.p31.dynect.net
    DNSSEC: unsigned
OK, it is looking legit.
So most likely I just didn’t notice the appended .au in the URL and got logged into the Australian site. It knew about my login, but not about my USA order history.
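The side-by-side check above, as an added example that is not part of the original post: it pulls the registrar and name servers out of two whois records and reports the overlap. The records are excerpts of the output shown above, embedded so it runs offline; the function names are made up for this sketch.

```shell
#!/bin/sh
# Excerpts of the two whois records shown above, embedded so this runs offline.
COM='Domain Name: AMAZON.COM
Registrar: MarkMonitor Inc.
Name Server: NS1.P31.DYNECT.NET
Name Server: NS2.P31.DYNECT.NET
Name Server: NS3.P31.DYNECT.NET
Name Server: NS4.P31.DYNECT.NET
Name Server: PDNS1.ULTRADNS.NET
Name Server: PDNS6.ULTRADNS.CO.UK'
AU='Domain Name: amazon.com.au
Registrar Name: MarkMonitor Inc.
Name Server: pdns1.ultradns.net
Name Server: pdns2.ultradns.net
Name Server: pdns3.ultradns.org
Name Server: pdns4.ultradns.org
Name Server: pdns5.ultradns.info
Name Server: pdns6.ultradns.co.uk
Name Server: ns1.p31.dynect.net
Name Server: ns2.p31.dynect.net
Name Server: ns3.p31.dynect.net
Name Server: ns4.p31.dynect.net'

# Registrar, lower-cased; registries label it "Registrar:" or "Registrar Name:".
registrar() {
  printf '%s\n' "$1" | awk -F': *' \
    'tolower($1) ~ /^ *registrar( name)?$/ { print tolower($2); exit }'
}
# Unique, lower-cased name servers, one per line (case differs between registries).
nameservers() {
  printf '%s\n' "$1" | awk -F': *' \
    'tolower($1) ~ /^ *name server$/ { print tolower($2) }' | sort -u
}
# Name servers present in both records (each list is already unique).
shared_nameservers() {
  { nameservers "$1"; nameservers "$2"; } | grep . | sort | uniq -d
}
# One-line summary; a missing registrar field never counts as a match.
compare_whois() {
  n=$(shared_nameservers "$1" "$2" | wc -l | tr -d ' ')
  r1=$(registrar "$1")
  if [ -n "$r1" ] && [ "$r1" = "$(registrar "$2")" ]; then r=same; else r=different; fi
  echo "registrar=$r shared_ns=$n"
}
compare_whois "$COM" "$AU"
```

A matching registrar and overlapping name servers support the conclusion that both domains are run by the same organisation, but they are supporting evidence rather than proof.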
So is this a new service and I’ve “stepped in it” prior to full launch? Is it a new service that is up and running but doesn’t share actual order and shipping data across continents? Is it a “dummy” being tested? I have no idea.
I’ve not gone back to explore it.
So why mention all this? Well, first, because it illustrates the kind of vigilance and awareness everyone ought to have. If something “isn’t quite right” you don’t ignore it, you react fast and block a potential attack. Secondly, it could illustrate how perfectly normal things can look suspicious especially if a bug (or just mis-feature) makes it possible to log into a remote account in a country other than yours, but not see your actual account data.
And of course, finally, so you can have a bit of a chuckle at my foibles while hopefully appreciating that yes, it can be a bit paranoid, but it’s still a good idea to react first, then research at leisure.
If anyone “down under” happens to know the status of Amazon.com.au (i.e. is it live and working) that would be interesting to know as a clarification point. I’m a bit too busy today to chase that down right now.