Amazon Prime Day

Today is Amazon Prime Day. CNN Money reports that the Amazon Prime Day sale is the “biggest global Amazon event ever”. If you spend a few moments navigating the news portals, you’ll find a number of articles related to Amazon Prime Day that cover topics ranging from what it is, to weird things to buy, and even claims that it is the new corporate holiday in America.

When I saw Amazon in the news so much today, I could not help but think back to two recent posts discussing third party advertising on Amazon and the tricks and traps that lie within. I wondered if anyone at Amazon had perhaps stumbled upon my articles, which point out the dangers of clicking on Amazon ads that send you to potentially harmful Google advertisers.

“Have things improved at all?” I asked myself.

To find out, I challenged myself to find a malicious ad on the Amazon Web site on this holy of holy days. With millions flocking to deals aplenty, surely it wouldn’t be as easy to find bad players as it was last time? Turns out that it was not as easy as last time, because instead of taking me 1 minute 6 seconds to find a bad player, this time it took me 1 minute 38 seconds. I guess I am out of practice.


Of interest is that the bad player this time around is just a tad more sophisticated. As usual, the rogue advertiser locks my browser and renders all sessions therein absolutely useless; a non-technical user has no means to get out of this. But this particular idiot gets another point because of the dialog designed to trick me into entering my credentials, oh my!!!!

I shouldn’t use the word “sophisticated” when referring to these morons, because they are not. These bad players are punks, rogues, vagabonds with entry-level JavaScript skills and a basic understanding of computer security. Furthermore, they’re not untraceable, nor are they undetectable. Schmucks of this nature are easy to detect and easy to expel. They don’t do anything significant to hide themselves, which is basically an indication that it’s so easy for them that they don’t have to do any mitigations on their end at all. You may be saying to yourself “well iPensatori is making grand claims here, so he should prove it”, to which I offer this rebuttal: I’m not going to do your job for you.

Obviously this begs the question: who is protecting Amazon on their biggest event ever? Moreover, who is protecting the Amazon customer on the biggest Amazon event ever?

The trick with third party advertising is that everybody is supposedly protecting everyone. So in reality nobody is protecting anyone. Amazon thinks Norton is doing it.

[Image: Amazon “secured by Norton” ad]

Norton says they’re doing a great job too:

[Image: Amazon “secured by Norton”, 2]

But when presented with the video from this post, Norton may say “well we’re just protecting the site, we can’t be expected to scan the ads too, that’s Google’s job!”.

In an announcement declaring the ban on payday loans ads starting July 13, Google says they are also doing a great job protecting users from bad ads: “We have an extensive set of policies to keep bad ads out of our systems – in fact in 2015 alone, we disabled more than 780 million ads for reasons ranging from counterfeiting to phishing”.

Note the highlighted “our systems”: does this apply to third party advertising? If so, then why is Amazon so open to abuse? Again, this is not hardcore phishing gangs or well-financed, highly trained & sophisticated state-sponsored attackers; we’re talking about a bunch of moronic entry-level fraudsters here.

The bottom line is that there are bad players who are only a click or two away when you’re visiting Amazon’s site. I can find these players in less than two shakes of a lamb’s tail, so why can’t the organizations responsible for performing precisely this task do the same?