- 21 Eki 2015
- 477
- 1
How To Indirectly Social Engineer An Item
If you've been In the social engineering scene for quite a number of years, you'd be very familiar with what's Involved to "manipulate the person on the other end Into doing something that they're not supposed to do to begin with". This Is In fact the true meaning of SEing- regardless of what you're Intending to achieve. Be It pretending to be an agent from an electric company and asking your victim to read out their full name and date of birth (seemingly for verification purposes), thereby you plan to use their credentials to build an Identity, or simply gaining unauthorized access to a restricted building by assuming the role of an employee, they all have the same thing In common- and that Is "the method used to fulfill their objective" Irrespective of the outcome.
Methods are the backbone of every social engineering attack vector and play an Integral role In getting the job done, and If you haven't prepared It according to the nature of your target, then your SE Is destined to fail! It doesn't matter how well you've researched the entity In question by accurately collecting details In preparation for your attack. If you cannot formulate your method based on your (research) findings, then your SE cannot move forward. Period. If you haven't worked It out by the title of this article, what I'm referring to Is the new breed of human hacking, namely "company manipulation & exploitation", whereby you hit online retailers such as Costco, ASOS, Amazon and so forth to obtain refunds or replacements.
In order to do this with minimal complications thus allow your SE to run as smooth as possible from start to finish, your "research", "Information gathering", "method selection" and "Item suitability" must all be compatible and leave nothing to chance. However, we don't live In a perfect world and If you're reading this from an advanced SE'ers standpoint, you'll be well and truly aware about the complexities when trying to social engineer an Item that's either too risky, or Is very demanding and requires a huge amount of resources. For example, let's say you're planning to SE a 75 Inch 4K UHD Smart TV by using the "DNA" (Did Not Arrive) method. Given Its nature, there's practically no other method that will work- It's obviously too heavy for the "missing Item", too big to "box", highly unlikely for the "wrong Item received" and virtually Impossible to apply the "sealed box method" without showing signs of tampering.
And forget about the flawed so-called "FTID method"- we don't live In the 70s, whereby scanning systems do not exist and carriers base their deliveries solely on what's written on the shipping label, hence without a shadow of a doubt It will fail, so don't even think about using It! As such, the best and only option Is the DNA, but this also has Its fair share of problems. How so you ask? Well, there Is no way that the driver will leave a 2,500$ 75 Inch TV at your doorstep and unless you're using a drop house with a fake account and fictitious Identification & payment system, It will be extremely difficult for the SE to succeed. In situations like this, that's when you opt for the "Indirect SEing method" (to get the "Item you want" )- which Is so simple, that It's almost guaranteed to work each and every time. So what exactly Is this? Let's check It out now.
The Indirect SEing Method Defined:
When social engineering online stores regardless of their size and where they're located, I assume you have sound knowledge of the traditional methods used to get free Items, so there's no purpose In elaborating on their definition nor how they're structured. If you're somewhat new to SEing and unbeknownst to what they entail, please refer to my SEing encyclopedia. Getting to the point of this topic, those who know me well In the community I'm registered with, will be well aware of my recommendation when choosing a method which Is: "The method Is always based on the nature of the Item". In other words, you cannot pick anything that comes to mind, and expect It to work without considering how It will Impact the Item In a positive fashion. Only when you've made the correct decision, will the SE move forward.
That Is what's called a "direct SE"- where you're actually hitting the method against the respective Item without any form of Intervention. However, many SE'ers who've exhausted all options to the point of having the representative decline their claim In It's entirety, simply give up on the Item they're SEing and pursue something else. Let me tell you, that by no means Is this an Indication of a failed SE! Did you know, that In order to get the "Item you're after", you do not have to social engineer It directly? Well now you do, and the way It's done Is by using the "Indirect SEing method". This basically consists of SEing any product to the same value as the one you Initially wanted to SE. When It succeeds by way of obtaining a refund, you then "buy the Item you want".
All In all, you've SEd a random Item, obtained a refund, and purchased the one you want. As you can see, you are NOT directly social engineering the Item of choice, but rather performing the SE on an Item that Is extremely simple to refund and once the funds have cleared Into your account, you go ahead and "legitimately buy the Item that you originally wanted In the first place". Makes perfect sense, yes? I thought as much. I'd say It's safe to assume that you're wondering how to formulate the Indirect SEing method and execute the attack, so without further delay, we'll have a look at how It's done.
Research & Preparation Example:
As you're aware, the objective of the Indirect SEing method, Is to SE an Item that has a very high chance of success, have the representative Issue a refund and purchase the one you want thereafter. Because of this, there are no hard and fast rules as to the company you plan to social engineer nor the Item Itself, but what I suggest Is to opt for an online retailer that you're very familiar with, as well as a method that suits your skill set. Also, select a gateway of communication that you're confident with- be It email, phone call or (where available) live chat. Collectively, these entities will significantly Increase the likelihood of a successful outcome, so It's Imperative to make the right decision with each and every one of them.
To help you along the way, I shall provide my own example, which you can use as a general guide and manipulate It accordingly when the time comes to prepare your SE. For the purpose of this article, I'd really like an LG 75 Inch 4k UHD LED TV to the value of 2,050$- however I know that directly SEing this, will be an arduous task. As a result, I've found something that's a lot easier to SE, namely a white gold 2.6 Carat diamond engagement ring priced at 1,990$. "I will refund this, and buy the TV!". It only weights around 75 grams, so I have a couple of suitable methods- either boxing the company, or the missing Item method. Although they're different In how they are formulated & executed, the Intention of both are much of a muchness, so I've chosen the latter- the missing Item method.
Due to the ring only weighing 75 grams, It will barely register a weight on consignment, thus my choice of method Is Ideal. As with every SE, "research Is of the utmost Importance prior to preparing & executing the attack", so I've done exactly that and have Identified that "John Lewis" thoroughly check their picking, packing and received goods when using the missing Item method, so I've totally disregarded them. I know for a fact that "Argos" have CCTV cameras actively monitoring orders In their warehouse, therefore they're also out of the question. As such and stating the obvious, I've decided to hit "Amazon"- I've dealt with them on countless occasions so I have a pretty good Idea of what to expect.
The Indirect SEing Method In Action:
Now that I've gathered every detail of relevance, this Is where the action begins. I've ordered the diamond engagement ring, and It was delivered and signed for by a household member. Given I'm not using the "DNA" (Did Not Arrive) method, signing for the package has no Impact whatsoever, so I'm good to proceed with my attack vector. Around 15 minutes later, I've contacted a customer service rep ("sounding very distressed!") and advised that upon opening the package, the box was there however the ring was not enclosed. He checked my order, confirmed that It was delivered to the correct destination and then said that because of Its value, an Investigation will be opened to determine why the Item I paid for wasn't received. I'm well aware that "an Investigation Is part of company protocol", hence there's no cause for concern on my end.
Behind the scenes, they've taken the weight of the ring Into account, and then they've liaised with the carrier by checking what's recorded at their depot's weighing facilities- just to see If the Item was In the package whilst sitting In their storage area awaiting delivery. The ring however, Is extremely light (only 75 grams) and because It did not register on the carrier's manifest, the company's Investigation Is deemed Inconclusive. The SE has succeeded, yes? Not quite, It's not as easy as that! A couple of days later, they've sent a statutory declaration for me to sign and return, stating that "the Information contained In this application form Is true and correct to the best of my knowledge and belief".
As opposed to an affidavit, unless a statutory declaration Is signed In the presence of a Justice of the Peace, It Is not a legally binding documênt and In this case, they simply requested me to sign and send It back. This suited me perfectly fine, particularly for one major vulnerability In the documênt being: "To the best of my knowledge and belief". In other words, as far as I'm concerned, I've told the truth and put pen to paper "To the best of my knowledge and belief!". It doesn't matter whether I've fabricated/falsified my claim. According to the stat dec, I believed I was truthful at the time of signing It. After many more phone calls and emails back and forth, Inclusive of being passed from one representative to another, the company was satisfied that my order (the "ring") was not fulfilled and credited my account for the cost of the purchase price. Following this, I've bought the "LG 75 Inch 4k UHD LED TV" with the refunded amount- obviously from a different online store. A job very well done Indeed.
In Conclusion:
Judging by the social engineering example above, I'm sure you agree that there's not much Involved with the "Indirect SEing method", and you may be thinking why the Information leading to the SE Itself was provided. Well, I'm the type of SE'er who exhausts all avenues and covers every angle to help solidify the SE In your favor. I'd rather post too much Information (of relevance), than not enough, thereby you can make an Informed decision to either take everything on board, or filter details that're suited to your SEing environment. Do remember that "research", Is of paramount Importance before even thinking about formulating your method, so unless you know the company well, make sure that this Is the first thing you do with each and every SE.
Excerpted
