web application security lab

Amazonfail And Anti-Automation

If you haven’t heard about it, Amazon was hit by a pretty interesting attack a few days back, and I thought I should quickly talk about it. A guy named weev was upset that Amazon was pulling the adult content off the site because they were keeping gay and lesbian content. So he found himself a CAPTCHA-breaking crew (presumably from this site since he mentioned it) and paid them to create a ton of accounts. Then he used those accounts to mark all the homosexual materials as offensive content. It took a while for Amazon to recover. You can find a lot of references to the event on Twitter.

So in looking at the scripts weev wrote, although simple they were very effective in the short term. It caused Amazon a lot of grief. There’s a new company called Silver Tail Systems that’s working on an anti-automation/anti-fraud system that would have caught this type of attack in a number of different ways. Namely things like IP address reuse, failure to follow page flows properly, odd HTTP headers, and so on - all of which leave pretty obvious signals that a process is automated. Anyway, I thought it was an interesting attack. Certainly not something you see every day.
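To make the anti-automation signals above concrete, here is an added example (not code from the post, from weev, or from Silver Tail Systems) that scores a constructed batch of signup requests on the three signals named: many accounts from one IP, a form submit without the preceding form fetch, and non-browser headers. The log format, thresholds, and the `/signup` path are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed sample traffic for a signup endpoint (not real data).
# Fields: seconds, client IP, User-Agent, Referer, method, path, account created (POST only)
SAMPLE_LOG = [
    (0,   "203.0.113.5",  "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0", "https://shop.example/",       "GET",  "/signup", None),
    (14,  "203.0.113.5",  "Mozilla/5.0 (Windows NT 6.1) Firefox/3.0", "https://shop.example/signup", "POST", "/signup", "alice"),
    # Scripted run: several accounts from one address, no form GET first, curl UA, no Referer.
    (300, "198.51.100.9", "curl/7.19.7", "", "POST", "/signup", "acct0001"),
    (301, "198.51.100.9", "curl/7.19.7", "", "POST", "/signup", "acct0002"),
    (302, "198.51.100.9", "curl/7.19.7", "", "POST", "/signup", "acct0003"),
    (303, "198.51.100.9", "curl/7.19.7", "", "POST", "/signup", "acct0004"),
    (900, "192.0.2.77",   "Mozilla/5.0 (X11; Linux) Firefox/3.0",     "https://shop.example/",       "GET",  "/signup", None),
    (931, "192.0.2.77",   "Mozilla/5.0 (X11; Linux) Firefox/3.0",     "https://shop.example/signup", "POST", "/signup", "bob"),
]

FLOW_WINDOW = 600      # assumed: a form GET older than this does not count as the start of the flow
IP_ACCOUNT_LIMIT = 3   # assumed: more distinct accounts than this from one IP in a batch is suspicious


def score_signups(log, ip_account_limit=IP_ACCOUNT_LIMIT, flow_window=FLOW_WINDOW):
    """Return {account: [signal, ...]} for every POST /signup in the log."""
    last_form_get = {}                 # (ip, user-agent) -> time of the most recent GET /signup
    accounts_per_ip = defaultdict(set)
    signals = {}
    for t, ip, ua, referer, method, path, account in sorted(log):
        if path != "/signup":
            continue
        if method == "GET":
            last_form_get[(ip, ua)] = t
            continue
        if method != "POST" or account is None:
            continue
        found = []
        # Flow check: a real browser fetched the form shortly before submitting it.
        got_form = last_form_get.get((ip, ua))
        if got_form is None or t - got_form > flow_window:
            found.append("flow_skip")
        # Header check: non-browser User-Agent, or no Referer on a form submit.
        if not ua.startswith("Mozilla/") or not referer:
            found.append("header_anomaly")
        # IP check: too many distinct accounts created from one address.
        accounts_per_ip[ip].add(account)
        if len(accounts_per_ip[ip]) > ip_account_limit:
            found.append("ip_reuse")
        signals[account] = found
    # Once an IP crosses the limit, flag every account it created, not only the later ones.
    for ip, accts in accounts_per_ip.items():
        if len(accts) > ip_account_limit:
            for a in accts:
                if "ip_reuse" not in signals[a]:
                    signals[a].append("ip_reuse")
    return signals


def flagged_accounts(log, min_signals=2):
    """Accounts carrying at least min_signals independent signals: the ones to hold for review or re-challenge."""
    return sorted(a for a, s in score_signups(log).items() if len(s) >= min_signals)


if __name__ == "__main__":
    for account, found in score_signups(SAMPLE_LOG).items():
        print(account, found or "clean")
    print("flagged:", flagged_accounts(SAMPLE_LOG))
```

Requiring two independent signals before acting is the point: any one of them alone (a shared NAT address, a privacy extension stripping Referer) has a legitimate explanation, while a scripted run tends to trip all three at once.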

8 Responses to “Amazonfail And Anti-Automation”

  1. Dan Weber Says:

    Is weev’s technical description accurate? I’ve read reports claiming he’s making most of it up, because most of his posted bash code doesn’t actually work.

  2. RSnake Says:

    @Dan - I haven’t personally validated any claims he’s made, but I doubt if it’s much different than how he’s described it.

  3. vxbinaca Says:

    RSnake: Imagine my delight in waking up today, on a day off after a hard partying night, to read YOU mentioning weev. I found this place because he plugged you at Toorcon 2006.

    Now that you mentioned who it is, it does not surprise me he would do that. I have not read his LJ (http://weev.livejournal.com/) yet but he might mention something about it.

    If he did it to troll people, this was massively successful. If he did it as a statement of protest Amazon removing (or maybe a religious group did what weev did only first) adult content, he succeeded there too.

  4. peekay Says:

    Amazon claims “weev” had nothing to do with the issue:

    http://blog.wired.com/business/2009/04/hacker-claims-c.html

  5. Anathema Says:

    Have a similar thing on a site I’ve been testing.

    If you report any of the reviews on items on the site they get removed pending a moderator check on the item reported.

    So report and therefore remove all reviews except your positive one and all of the real ones about how bad it really is disappear.

    The item in question then gets a 100% positive rating.
    It’s a design bug more than anything.
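The design bug described in the comment above, as an added example that is not from the post or the commenter's site: a toy moderation queue that hides a review on the first report, beside a version that keeps the review visible until several distinct, established accounts report it and rate-limits reporters. The thresholds, account ages, and scenario data are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Review:
    review_id: str
    stars: int
    visible: bool = True
    reporters: set = field(default_factory=set)


@dataclass
class Account:
    name: str
    age_days: int
    reports_today: int = 0


class HideOnReportQueue:
    """The flawed design: a single report from anyone hides the review pending moderation."""

    def report(self, review, reporter):
        review.reporters.add(reporter.name)
        review.visible = False
        return "hidden_pending_review"


class ThresholdQueue:
    """Hardened design: the review stays up until `threshold` distinct accounts at least
    `min_age_days` old report it, and each account may file only a few reports per day."""

    def __init__(self, threshold=3, min_age_days=30, daily_report_limit=5):
        self.threshold = threshold
        self.min_age_days = min_age_days
        self.daily_report_limit = daily_report_limit

    def report(self, review, reporter):
        if reporter.age_days < self.min_age_days:
            return "ignored_new_account"          # fresh accounts cannot suppress content
        if reporter.reports_today >= self.daily_report_limit:
            return "rate_limited"                 # bulk reporting from one account is capped
        reporter.reports_today += 1
        review.reporters.add(reporter.name)       # a set, so one account counts once
        if len(review.reporters) >= self.threshold:
            review.visible = False                # only now is it queued and hidden
            return "hidden_pending_review"
        return "recorded"


def visible_rating(reviews):
    """Share of visible reviews that are positive (4+ stars), i.e. what the product page would show."""
    vis = [r for r in reviews if r.visible]
    if not vis:
        return None
    return sum(1 for r in vis if r.stars >= 4) / len(vis)


def simulate_single_attacker(queue):
    """Constructed scenario: two negative reviews, one positive; one fresh account reports the negatives."""
    reviews = [Review("r1", 1), Review("r2", 2), Review("r3", 5)]
    attacker = Account("shill", age_days=2)
    for r in reviews[:2]:
        queue.report(r, attacker)
    return visible_rating(reviews)


def simulate_legitimate_reports(queue):
    """Three distinct, established accounts report one review; it should be hidden under either design."""
    review = Review("spam", 5)
    for name in ("u1", "u2", "u3"):
        queue.report(review, Account(name, age_days=90))
    return review.visible


if __name__ == "__main__":
    print("hide-on-report, one fresh account:", simulate_single_attacker(HideOnReportQueue()))
    print("threshold queue, one fresh account:", simulate_single_attacker(ThresholdQueue()))
    print("threshold queue, three real reporters hide it:", not simulate_legitimate_reports(ThresholdQueue()))
```

The contrast is the whole lesson: with hide-on-report a single throwaway account turns a 1/3 positive page into 100% positive, while the threshold version leaves the rating unchanged and still lets several real users get a genuine spam review pulled.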

  6. ntp Says:

    It’s a fscking bash script. Get over yourselves.

  7. Alex Dodge Says:

    Late to the party, but: How great would it be if he’d used Mechanical Turk to break the CAPTCHAs…

  8. Blu Aardvark Says:

    I’ve heard of this weev guy, apparently he likes to take credit for other people’s achievements.