Back in February, I sat down around lunchtime in front of my laptop and noticed something strange happening with my inbox. Rather than the normal amount of emails, I saw that I had just under 1,000 new unread messages. Naturally, I started to panic.

I hopped on to our hosting account and quickly started a dialogue with the support team there and found that this was not a spam attack as I initially thought. What I was receiving were thousands of newsletter and form subscriptions. Some automated process was running and subscribing this email account to newsletter and contact forms all over the internet. It was fast and it was virtually unstoppable.

In just a matter of 2 hours, the primary inbox at work had received a little over 55,000 emails to the point where the only solution was to delete the email account entirely.

One positive note here was that the compromised email account was just a forwarding account. When the emails started to come through, I removed the other 2 addresses that this email sends to in order to stop them from getting flooded. Thankfully it was not one of our primary email accounts.

What is a subscription bomb?

I had never experienced anything like this myself, so I did some searching and out of all of the articles, this one “How Email Bombing Uses Spam to Hide an Attack” by Josh Hendrickson proved to be the most insightful.

You can read his entire article for yourself, but the points that stood out and applied to me specifically were the following:

• Our PayPal (both personal and work) and Amazon accounts had been hacked
• Malware/Trojans were hidden within Chrome via malicious extensions
• The email bomb was done to hide fraudulent activity within PayPal and Amazon
• The fraudulent activity was further covered up by moving the transactions and orders into an archive

What happened?

Once the PayPal and Amazon accounts were compromised, an order was placed for a Canon EOS 5D Mark IV Full Frame Digital SLR Camera Body in the amount of $2656.98.  The flurry of emails was masking the transactions so that my time would be spent trying to correct that, but in the meantime, the order would be placed and shipped without us being able to stop it. Amazon also has an option to archive an order, which means that it does not appear in your normal order history.  Once the order for the camera was placed, it was archived.  Not only would I be dealing with an email subscription bomb, but a quick scan of recent orders would not immediately show anything out of order.

Thankfully, I found the order, due to the article I linked above, and was able to call Amazon support and tell them about the fraudulent order.  While on the phone, I let them know that our accounts were compromised and that we did not place the order for the camera.  I also explained that the order had not shipped and that I was not familiar with the address where it was being shipped to.

So what did Amazon do? They went ahead and shipped the camera.

What did Amazon do to help?

It took a constant bombardment of calls, emails, and eventually, tweets for Amazon to take action and do anything remotely close to be considered helping.  As my frustration grew, so did my documentation of what was happening.

I called Amazon customer support (February 5th at 10:00 pm EST) and explained the situation and that I was unable to log in to my account. While on the phone, I reported to the customer support representative that my Amazon account had been compromised and that an order had been placed without my consent or approval. This order (Order #111-4381019-5162604) was placed and shipped to an address in Florida that I am not familiar with nor have I ever shipped to prior. To cover up the fact that this order had been placed, the hacker archived the order so that it would not immediately appear under “Recent Orders”. I advised the customer support representative that I had no knowledge of this order and that it was fraudulent. This was all done in a matter of hours after the fraudulent order had been placed and prior to it being shipped.

The customer support representative verified all of my information and asked if the account could be temporarily locked so that Amazon could investigate the fraud, to which I gladly accepted. I asked if I would receive an email notification about the issue and was told that I would.

On February 7th at 4:00 pm EST, I still had received no email or follow-up regarding the fraudulent order and my account was still locked. I called Amazon customer support and once again explained the situation and once again explained that order #111-4381019-5162604 was fraudulent. The customer support representative reactivated my account and told me that an email would be sent in regards to the fraudulent order.

Having never received an email or follow-up from Amazon, we contacted our financial institution (US Bank) to notify them of the fraudulent order and to cancel payment on it. For additional security, we asked our financial institution to cancel the card that was used and issue a new one.

On February 16th at 11:46 pm I received an email stating that my account was temporarily locked. The email further stated, “that your credit or debit card issuer received a report of unauthorized use of your card, and reversed a transaction placed on the Amazon account associated with this email address.”

I replied to this email and stated that the order in question was a fraudulent order and placed without my knowledge or consent while my account had been hacked. The reply from Shovona on February 17th at 11:13 am stated that “Card issuers usually resolve chargeback disputes within 30 days, but sometimes it can take longer. If you need more information or wish to cancel any disputes, please contact your card issuer.”

After replying to that email, once again attempting to report this order as fraudulent, I received back the same template form reply email that I received on February 16th regarding the chargeback.

On February 17th at 9:16 pm I called Amazon Support and asked to speak to someone in the Fraud Department. I was told that they do not answer phone calls and that any concerns would have to be addressed through the general customer support number. I explained my situation, again, and reiterated how many times I have called and emailed. I was told that the form to report fraud would be emailed and someone would contact me within 24 hours.

On February 18th at 2:43 pm I got another email explaining the chargeback. This was the exact same email I received on February 16th. Again, no acknowledgment of fraud. No form for me to submit to report the issue. To add to an already increasingly frustrating situation, Amazon was now telling me that in order to resolve this issue, I basically had to pay for the camera.

On February 18th at 3:20 pm I called Amazon Support and asked to report an issue of a fraudulent order. The customer support agent asked if I had submitted the online form to report the fraud and I explained that I had not because I have been unable to access the account. I also explained that I have called Amazon Support several times and been told the order was reported when it never was. Customer support said that they were filling out the form for me online on my behalf after verifying my address and contact information. I was told that someone would call me within 24 hours.

On February 19th at 10:51 am and on February 21st at 9:19 am I received the same emails stating Amazon was working with the card issuer to resolve the problem.

On February 23rd at 3:38 pm I called Amazon support to inquire about the status of my account and their investigation into the fraud. I was finally told that they were looking into the fraud and that their inquiry with the bank could take up to 30 days. I was told that on Monday, February 24th, I would receive an email from customer service, which I never received.

On March 5th at 10:50 am I called Amazon support to inquire about the status of my account and their investigation into the fraud. I was told it would be logged and transferred to the Buyer Risk department and that someone would be contacting me by phone or by email within a couple of hours. I was told that it could possibly take up to 24 hours to receive a reply. I was told this would be transferred to a specialty department for further investigation.

On March 10th, I got an email from Amazon stating that access to Prime services was being placed on hold and that my account would be canceled in 6 days if my billing info was not resolved.

With the email and phone route going nowhere, I took to social media.  I honestly hate when anyone complains about the smallest inconveniences on social media, but with all other options tried without resolution, my frustration boiled over and I started to tweet on a regular basis about my experiences.

It wasn’t until I started tweeting on a regular basis about these issues that I finally got some help.  However, even that took multiple efforts.  After venting on Twitter, someone from Amazon tried to give me a link to where I could submit a form for assistance.

I was a bit excited thinking that I might actually have been able to make some progress.  But true to form:

And like every other attempt, Amazon support did not reply to this or help.

Eventually, after a month of trying, over 30 phone calls, 9 phone calls, 8 emails, and I don’t even know how many tweets, I was able to get a form submitted and access granted to my account.  No mention of the order remained on my account.  It was like all of this had never happened in the first place.

How to protect against this?

1. If you run into this issue, contact your bank and cancel the card.  Amazon has structured its support in such a way as to prevent anyone from easily contacting them and resolving any issue.  It is clear to me that they are incapable of assisting customers with fraudulent orders and also have no ability for logging internal communications.  Customers are left on the outside looking in and each contact with support requires explaining the situation as it is the first time anyone at Amazon has ever heard of it.
2. Consider what email address you are using for your accounts with PayPal (Even Venmo, etc.).  Thankfully the email account I was using was basically a forwarder, so it was not extremely painful for me to kill that account and then create a new one.  Had this been an account that one of our team was using, then we would have been facing an entirely different scenario.
3. Enable two-factor authentication everywhere possible.  I thought this was done, but obviously not, so since this incident, I enabled it just about everywhere that I could.
4. Make sure you are running software to catch any potential virus.  I ended up using a suite of software solutions to get back on track.  One of the favorites was Malwarebytes.