- 21 Eki 2015
- 477
- 1
How To Effectively Prepare Your Method Prior To The Attack
Everything we do In life, has some type of strategic approach to get what we're after or achieve the goal that we're working with at the time, and without generating any thought as to how the task at hand will be accomplished, It's literally Impossible for It to head In the right direction. For Instance, If you've been Invited to a birthday party at a Iocation that you've never attended nor heard of before, and don't bother "planning" how you're going to get there, how do you exactly know where you'll be heading? I'll answer this for you- you don't and never will, unless of course, you "prepare your plan" by familiarizing yourself the directions beforehand. The "plan" Is the "method", that will allow you to execute the next course of action- In this case, to jump In your car and drive to the party with minimal hassle and disruption.
I've provided the above analogy, to give you an understanding about the Importance of Implementing methods before even thinking about your objective. Evidently, the very same principle applies when social engineering each and every entity and Irrespective of Its nature, size and complexity (If any), It's vital to have a calculated and very well formulated method In place prior to moving onto your attack vector. However, It's not as simple as selecting the first method that comes to mind. There are quite a number of elements that need to be carefully considered and analyzed, and when every angle has been covered by leaving no room for error, only then can you "effectively" use the method against your target. If you haven't worked It out already, this pertains to "company manipulation and exploitation", by tricking their representatives/agents Into Issuing refunds and/or replacement Items.
What prompted me to write this article, Is the fact that there are so many SE'ers, even those on an advanced level, who fail to recognize the significance and Impact that methods have on their SE, and then they wonder why It failed. Moreover, some social engineers are completely clueless of what It takes to SE as a whole. For Instance, around 30 minutes before I started writing this, I came across a post on the forum that I'm registered with that read: "I want to SE some PC parts, what's the best method to use?". Seriously? It's like me asking: "Why do some SEs work and others fail?". Now by no means Is It my Intention to belittle SE'ers of that type In any way, shape or form, but rather point out that It's absolutely crucial to prepare each method by fully evaluating It prior to utilizing It against a particular Item and the respective company thereafter. That's precisely the purpose of this article- to show you how to formulate any method with pinpoint accuracy but first, I'd like you to have sound knowledge of how methods operate, which brings me to my next point as per below.
What Are Social Engineering Methods?
When you're looking to social engineer online stores to the likes of Logitech, Amazon, John Lewis, Argos and so forth, once you've researched their terms and conditions, the very next step Is to create a "strategy" as to how you're going to execute your attack and manipulate their reps afterwards. That Is, you need a "plan" that will be used to guide your SE right from the get-go, and the "plan" Is the "method" and without It, your SE Is destined to fail. Naturally, It's the same with In-store (In person) SEing and every other entity that's vulnerable to human hacking. Every method Is the backbone of the SE, whereby It's used to support your attack vector, right through to circumventing everything that representatives throw at you, to finally solidifying the result In your favor- "a refund or replacement Item". There are quite a few to choose from such as the wrong Item received, boxing, missing Item, partial, DNA etc however (apart from the "DNA"), each one "must be compatible with the nature of the Item".
For example, let's say you're going to use the "missing Item method", by saying that upon opening the package that was delivered to you by the carrier, the Item that you ordered was not enclosed. Now If you're SEing a gaming laptop that weighs around 2.5 Kg, due to the cost & weight, I can assure you that your SE WILL fail with any company who complies with their claims management protocol. "How so" you ask? Well, when they open an Investigation and cross-check their very own dispatched weight against the weight that was recorded at the carrier's depot and a damage report was not raised (hence no signs of tampering) , both will match, therefore your laptop could not have been missing! On the other hand, If your Item was a portable SSD at 40 grams, It will not register a weight on consignment, thus It's not possible to verify whether It was Included In the shipment. Can you see why Item & method compatibility Is an Integral part of your SE? Good.
Having said that, there are couple of universal methods that can be used with just about any Item, namely the "DNA" and the "wrong Item received". What deems these as universal, Is the fact that every online retailer uses a carrier to deliver orders ("DNA"), and every company has goods to sell ("wrong Item received"), so they're not tied to any specifics. Allow me to briefly elaborate on this. The DNA Is used to say that the package you ordered "Did Not Arrive" at your premises, so unless your SEing a family home (so to speak!), the size & weight of the Item Is not relevant. As for the "wrong Item received", It pretty much speaks for Itself- you say that an Incorrect Item was In the package/box. All companies have an Inventory (stock) ready for distribution and given picking & packing errors are Inevitable, the nature of the Item to SE Is Insignificant. Every other method must be used accordingly and of paramount Importance, Is to be prepared for every probability, so let's check this out now.
Be Well Prepared For Every Probability:
Choosing a method that's well-suited to the Item you wish to SE Is one thing, but If you've been In the social engineering sector for many years to date, you'd be well and truly aware that not every SE goes according to plan. Sure, you will come across the occasional rep who's half-asleep on the job and simply approves your claim with very little to no questions asked but for the most part, there will be the need to tackle a few obstacles along the way. To significantly help minimize (and In many cases, eliminate) problematic Issues, as an SE'er yourself, It's Imperative to be "well prepared for every probability". Notice how I've used the term "probability" In the topic's title, and not possibility? There's a very good reason for this, and every social engineer should take It on board when formulating their method.
So what's the difference between the two? Simply put and In my very own wording, "possibility" Is something that 'may' happen, whereas"probability" Is something that's 'most likely' to happen. There's a big distinction with each one, and you'd certainly want to base events "that are likely" to have an Impact on your SE, thus "probability" Is part of this equation. I'll provide an example using the "sealed box method" as follows. If you're unbeknownst to this, SE'ers use It to obtain refunds by carefully unpacking the box, "placing something else Inside of equal weight" that's completely useless to the SE'er, and then sealing the box as per the manufacturer's state without showing any signs of tampering. Then, he will send It back to the company and given there's no Inconsistencies with the packaging, It will be scanned and placed back Into stock In readiness to be sold to someone else. The social engineer's account will be credited thereafter.
That's how the sealed box method works In a perfect world of social engineering, but SEing does have Its weaknesses that're beyond the SE'ers control and this Is when you need to prepare yourself with the "probabilities" that're are most likely to take place. For Instance, what happens If the company cross-checks the weight of your return and It doesn't match with the original Item In the sealed box? Or perhaps they open the box, only to find some random Item enclosed? If you can't justify the probability In question, then your SE will fail! When you think about It, It's really quite simple to manipulate and draw your own conclusions. In terms of the weight, the solution Is obvious- you'd pack something In the box that weighs the same as the original Item and regarding being questioned about the random Item enclosed, as far as you're concerned, you've received "someone else's return", such as another SE'er doing what you just did with the sealed box method! Because methods are not foolproof, when things go wrong, you must have a "backup plan" so we'll have a look at that next.
Every Method Must Have A Backup Plan:
If you're the type of computational user who's very well organized with how you store your sensitive files on your computer, Inclusive of making sure that your data Is safe & secure, I have little doubt that you'd have at least one backup on your USB stick or external SSD, correct? I thought as much. As a result, you have nothing to lose In the event of corruption, so from a social engineering standpoint, why Is It that you don't apply yourself In the same fashion by having a "backup plan" when your method doesn't work In your favor? As per the topic above, methods/SEs are not guaranteed to succeed each and every time and as such, your SE will prematurely come to an end- which Is a waste of time, money and resources. Unless of course, you can save the SE with an ulterior motive, by resorting to the "backup" that you've prepared beforehand.
Due to the array of traditional methods used, It's way beyond the scope of this article to cater for the lot but what I have done, Is documênted a few that every social engineer can relate to, as well as one particular gateway that's compatible with all of them. What you're about to read, pertains to your method failing due to representatives declining It and to keep the SE alive, you'll hit your backup by using a very calculated approach. To avoıd congestion, I've limited each topic to one paragraph, so without further delay, let's make a start.
The DNA Method
This Is an abbreviation of "Did Not Arrive" and as Its name Implies, the SE'er claims that the package that was delivered by the carrier driver, did not arrive at his premises/house. When using the DNA, It's very common for companies to open an Investigation, whereby they'll contact the carrier and cross-check their records to try and establish where the package Is, and why It didn't make Its way to Its destination. Whatever the reason may be, they can deem that the package was In fact delivered and If you've exhausted every option to no avail, there's nothing more you can do with the method Itself. However, that's not to say that your SE has come to a close- here's how you'll resurrect It. Call the rep and say that a family member accepted the package without your knowledge, and apologize for any Inconvenience caused. A week or so later (whilst It's still In their refund policy time frame), call back, say that you'd like a refund and use the "sealed box method" to return It. This Is your backup- the "sealed box method".
The Wrong Item Received Method
This method Is used to say that when the carrier delivered your package and you opened It thereafter, a different Item was enclosed to what you originally ordered. The good thing about this, Is that It's not weight-specific, meaning It (generally) doesn't matter how heavy your purchase Item Is nor Its size, but do use some common sense by being realistic about It. For example, If you're planning to SE a "85 Inch LCD Smart TV that weighs 48 Kg", It's literally Impossible that an Incorrect Item of that size & weight was picked, packed and dispatched! Now that you understand that, after contacting the company Informing them of the wrong Item, It's standard procedure to ask you to return It. Instead of sending back a stock Item of theirs, what you'll do Is use the "box method" by sending the package that's consistent with tampering, thus It gives the Impression that your Item was stolen during shipment. Depending on the nature of your Item, It can be used with or without dry Ice. The "box method" Is your backup.
The Leaking Battery Method
As opposed to both of the above methods, this has Its limitations with the type of Items that can be SEd, namely (and stating the absolute obvious) those that contain batteries to function. It works by saying that the Item you ordered was delivered with Its battery(s) leaking and due to the fact that this could've happened anytime from when the company dispatched It, to when you received It, It's not possible for their representative to state otherwise. In almost all cases, the rep will request Its return and because of the method's versatility, there's a couple of ways you can tackle this. The first Is to use the "disposed the faulty Item method", by telling them that you threw out the Item for health & safety concerns. Companies take health & safety quite serious, and that's what makes this effective. The second way, requires a little research on your end to find a company that uses a carrier who does not accept dangerous goods, hence they'll refuse to transport It. Both of those methodologies are your backup.
The Gift Method
I'll get straight to the point and reference the SE'er from a third-person point of view. Social engineers use this when (for example) claiming that the Item that was ("seemingly") purchased from the company, Is no longer working and they will then go through some troubleshooting steps. After the representative Is satisfied of the nonfunctional Item, In order to Issue a refund, he'll ask for the "POP" (Proof Of Purchase), however the SE'er obviously does not have It. To make It seem as though he's complying with their request, the SE'er will use the "corrupted file method", whereby he'll send a documênt In a file that does not work- with the Intention to put the rep at fault for not being able to open It. An online service like this, does the job well by rendering the file completely useless. No doubt the rep will ask to resend It, and the SE'er will send It In different formats, just to give the Impression that he's doing his utmost best to resolve the matter. By being adamant and persevering with the SE, the rep will finally give In and approve the claim. The "corrupted file method" Is the backup.
Using PayPal
The main reason SE'ers use PayPal as their preferred payment system, Is because It protects their purchases by offering "Buyer Protection". This means that If something goes wrong with the purchase (which It seemingly will!) such as the package did not arrive or a different Item was received, PayPal will try and correct It. SE'ers use this for the "DNA" and "wrong Item received method", and PayPal names both as "Item Not Received" and "Significantly Not As Described" respectively. When using either method, you'd first file a "Dispute", where yourself and the seller try to come to a solution. Evidently, you won't resolve It and the dispute then gets escalated to a "Claim", and that's when PayPal takes over and decides the outcome. That Is, If a refund should be processed Into your account. If you've executed your SE by leaving very little to no room for error, you'll find that their decision will work In your favor. "PayPal" Is your backup for both the DNA and wrong Item received method.
Credit Card Chargeback
In the event PayPal decides to decline your claim and on the grounds you have a credit card linked to your name, you can perform what's called a "chargeback", by contacting your credit card provider and asking them to reverse the charge on your account. They will then get In touch with PayPal who will request further Information from you, such as proof of purchase & shipment details, all communication between yourself and the seller, transaction Info and so forth. PayPal then forwards everything to your credit card provider for review. As a result, It's the "credit card provider" who makes the final decision as to whether you should receive a refund, regardless of what PayPal has to say! But what If you don't have a credit card? Well, there Is an alternative named a "bank reversal" which serves the same purpose, meaning a request Is made to your financial Institution to obtain a refund. The good thing about chargebacks and bank reversals, Is that they're not tied to any methods, hence they can be used when all else fails. This Is your backup for any SE.
Select The Method You're Confident With:
When social engineering a particular Item, there are so many methods to choose from and for the most part, each one Is based on the Item Itself, namely Its weight & dimensions. For example, you cannot "box a company" with something that weighs 20 Kg and Is around 90 x 70 x 70 cm In size- It's just too big and too heavy. Even If you use "dry ice" to substitute the weight, It's not possible to calculate "the exact time" It takes to sublimate from the collection point, to the carrier's storage facilities and by the time It reaches Its destination. Moreover (with the above dimensions), signs of tampering will be Instantly noticed by the carrier driver on pickup, thus will release him from liability and your SE will fail. Now If you're comfortable with the box method but cannot find a suitable Item to SE, you'd obviously need to pick another method, but don't just select anything that comes to mind.
Every SE'er has their own strengths and weaknesses, therefore I always recommend to opt for a method that you're very confident In preparing against the Item you're planning to SE. Allow me to elaborate on social engineers who have a lack of confidence. Many do not like using the "DNA" (Did Not Arrive) method, purely due to the possibility of the carrier driver paying them a visit and asking questions about the delivery. In this Instance, the slightest bit of doubt can affect their ability to plan, judge and prioritize their decision-making with the DNA, which will most likely ruin the entire SE. The message Is pretty clear- If the method that you've selected Is causing some form of negativity to the point of Impairing your judgment, then choose another one that you're proficient In formulating. This will make the difference between your SE prematurely ending, to ultimately succeeding.
How To Choose A Suitable Method:
I always stand by my statement of: "the method Is based on the nature of the Item", and aside from the DNA and wrong Item received that are classed as universal methods hence not Item-specific, It's of the utmost Importance to select one suited to the Item of choice. How so? Well, let's say you've placed an order for only three Items with a combined weight of 90 grams, and you're looking to use the "missing Item method on the lot". It's very unlikely that the warehouse made a picking & packing error on every Item and as such, If the company Investigates It (which they most likely will), then your SE will definitely fail. In this case, you'd opt for the "DNA method" by saying that the carrier did not deliver the entire package. That scenario Is entirely believable and can be easily justified If you did not provide a signature, nor did the driver take photos of your home's entryway (where the package was dropped off).
Before choosing your method, the first thing you need to consider Is the size and weight of the Item. This will give you a very good Idea of what Is/Is not suitable, thus will allow you to make an Informed decision when selecting the method accordingly. There are no hard and fast rules as to what's deemed appropriate, but rather based on common sense and good judgment. For Instance, you wouldn't SE a Bose Home Speaker 300 that weighs almost 1 Kg using the "partial method", would you? It's blatantly obvious that If the company liaises with the carrier by cross-checking their records, the weight will definitely show up on their end and as a result, the speaker was Included In the consignment when delivered to you. Also for obvious reasons, It would be ridiculous to social engineer a chair with the collapsed dimensions of 90 x 88 x 80 cm by using the "box method"- signs of tampering will be Immediately noticed at the collection point. The equation Is pretty simple- use your discretion by being realistic about the method against the Item.
In Conclusion:
Upon reading this entire article, you may be under the Impression that It's quite an arduous task to select and formulate your method, Inclusive of making sure that the Item Is well-suited, but nothing could be further from the truth. It's a very simple process! The reason I've gone Into so much detail, Is because I'm the type of SE'er who leaves nothing to chance and covers every angle to ensure that my readers can maximize their success rate with each and every SE. Evidently, not every topic will relate to your environment and those that do, may need to be manipulated according to your needs, so be selective with what you decide to take on board.
Excerpted
