- 21 Eki 2015
- 477
- 1
Every SE Has Four Elements To Complete
For the most part, exploiting the human firewall can be an arduous task to say the very least, with many obstacles to circumvent along the way until It ultimately works In the favor of the SE'er. Unless the person on the other end of the SE Is half-asleep or Is completely oblivious to the fact that he's being SEd, do expect to tackle quite a few unfavorable Incidents. To do this In an effective manner, It's paramount to know precisely what you're up against and not hit what I call a "blind SE", with no prior knowledge about the nature of your target. Now unless you're very familiar with the company and have been social engineering them many times over for a number of months or years, the first port of call, Is to grab every detail of relevance In readiness for your attack vector.
If you haven't already guessed, what I'm referring to Is SEing online stores to the likes of Amazon and similar Industries, with the Intent to obtain refunds or replacement Items. Of course, this also applies to Individuals when (for example) wanting to SE their password to their Facebook account, but for the purpose of this article, I'll be focusing on online retailers. On the grounds that you're reading this from an advanced social engineering standpoint, you'd be well aware that In order to get the job done right, It's Imperative to "research the company", "prepare your method based on your findings" and "execute your attack effectively" thereafter. However, there's one very Important commodity that the majority of SE'ers seem to neglect, and that Is "ending every SE on a good note".
I've been actively Involved In many communities discussing the art of human manipulation and upon sifting through thousands of comments, I cannot remember a single post that detailed the Importance of finishing the SE In an amicable-like manner. And then they're at a loss as to why the representative who assured them that a refund will be Issued within 3-5 business days, all of a sudden decided to decline the claim not long after the conversation came to a close. Perhaps "laughing and terminating the call abruptly" after being told the account will be credited, contributed to the rep's decision? Or maybe saying something along the lines of: "I can't wait any longer, put the money Into my credit card", played a major role In the failed SE?
Who knows, but I can assure you that either of the two would have a huge Impact on the outcome, Irrespective of who's on the other end of the conversation. Naturally, they're simply examples, but they clearly demonstrate that those type of Incidents, have a negative Influence on the result of the SE. It's also crucial to make sure that "suspicion Is not raised" when the last point of contact between yourself and the rep/agent has been finalized, and the way to do It, Is to "end the SE on a good note"- each and every time! I will show you exactly how to do this at the very end of this guide- for the reason that "every SE takes four steps to complete", so It's vital to get a grasp of how each one operates.
Now the four elements that I'm referring to are: "researching", "method formulation", "execution" and "ending", all of which go hand In hand respectively, and need each other to move forward to ensure the SE works In your favor. With the possible exception of "researching" (which you'll see why In the next topic), you cannot disregard any of them- doing so, may well and truly lead your SE In the opposite direction, namely an unsuccessful outcome. All four elements are designed to form the perfect Ingredients to help provide the best chance of success, so be sure to take the time to read each one thoroughly until you fully comprehend what's written. Okay, without further delay, let's make a start.
First Element: Researching Your Target
This Is where your SE begins, by navigating to the company's website and sifting through their terms- to gather Information such as (but not limited to) refund & replacement policies, who's responsible for loss of goods during transit, their warranty period and a lot more, Now If you know the company well and have SEd them multiple times for a number of months/years, then there's not much point In researching what you're already aware of. Having said that, It's good practice to have a quick look to see whether anything has changed and/or updated since your last SE. It's not only the "company" that must be researched, but also the "carrier" that services their deliveries. For Instance, If the company Is liable for loss of goods and the carrier Isn't, then you're not covered when using the DNA method.
Here's a few key points on what to look for, but do remember that this Is not a comprehensive list, but rather Intended to be used as a general guide. I'll begin with the "company", and then cover the "carrier". Do note, that you may not find some of what's listed below In their terms, hence you'll need to expand your research via other sources. In addition, you'll probably have to put your social engineering skills Into action, by making a phone call or shooting off an email to get what you're after.
What to look for In the company's terms
Warranty Period- To establish when goods can be returned for a full refund.
Refund Policy- To Identify the grounds on which refunds are Issued.
Replacement Policy- To Identify the grounds on which replacements are Issued.
Carrier(s) Used- To Identify vulnerabilities with their delivery service.
Loss Of Goods- To establish who's responsible for loss of goods during transit.
Advanced Replacement- You can use a drop address for this.
Debiting Your Account- Check If they charge you for not returning the defective Item.
Return Center- Establish whether It's onsite or offsite. The latter Is better during busy periods.
What to look for In the carrier's terms
Do They Take Photos At The Premises- When using the DNA method.
Signature On Delivery- this will assist with the DNA method.
Do They Offer Non-Tracking- As per above with the DNA method.
Return Labels- Identify how they can be manipulated.
Damage Reports- Are they raised during transit. If not, It will help with the boxing method.
Shipping Insurance- Will help with the DNA and missing Item method.
Unacceptable Shipments- Will help when sending Items back that they refuse to accept.
Loss Of Goods- See If they take responsibility.
Inspection Of Packages- Do they have the right to open and Inspect all goods.
Delivery Options- Identify If you have a choice, when not delivered to your address.
Second Element: Formulating Your Method
I'd say that this Is the most crucial part of all the above-mentioned elements, namely because "the method Is the backbone of every SE", thus If you neglect to prepare It In an appropriate and effective fashion, then It's very likely that you'll experience major complications throughout your attack vector- along with a significant chance of failure. Simply put, an SE cannot move forward If the method has not been formulated and applied accordingly, and the question that users continue to ask me Is: "what method should I use when SEing Amazon?". Well, this Is similar to saying: "how long Is a piece of string?". If there are no specifics on hand, It's literally Impossible to advise, so If you're guilty of requesting assistance In that manner, you must provide (at the minimum) the Item's weight & dimensions.
As such and given that every method (excluding the "DNA" and In some Instances the "wrong Item received") Is based on the nature of the Item, as an SE'er yourself, you can make an Informed decision when selecting the one that's suitable. For example, let's say you're planning to SE a Core I7-9700K Desktop Processor with a weight of 45 grams. You'd avoıd using the DNA method, for the main reason that an Investigation will be opened with the carrier to cross-check their manifest, which needlessly complicates matters. Instead, you'd opt for the "missing Item method", whereby you claim that upon opening the package/box, the CPU was not enclosed. This could be the result of the warehouse department forgetting to pack the Item when picking your order, or the manufacturer doing the same by only dispatching the box with nothing Inside. Either way, this totally prevents an Investigation taking place.
Of course, you can alternatively use the "wrong Item received method", by saying that a different Item was received to the one you originally purchased. This Is done, by buying a very cheap Item (with a matching weight) from the same company using another account and sent to a different address. When the representative asks to return It, he'll scan It and see that It's part of their Inventory, hence assume that they did In fact dispatch the Incorrect product. As with the example above, this too, does not Involve an Investigation and Is equally effective as the missing Item method. Now the question with this (and every SE), Is: "what's the best method to choose?". Apart from what I've already mentioned pertaining to suitability, I always recommend to select the one that you're most comfortable and confident with. Evidently, that's provided there's more than one method on hand.
Third Element: Executing The Attack
Now that you've researched your target by gathering all the Information of relevance and prepared your method based on your findings, It's of the utmost Importance to execute your attack vector by using every detail (that you've collected and formulated) to your advantage. This will help ensure that your SE not only begins on a positive note, but also moves forward In the same direction all the way towards finalizing the claim In your favor- a successful refund or replacement. Because not every SE goes according to plan and given It's a commonality to experience Issues more often than not, particularly with high value Items, It's vital that "you take control and maintain the same level of authority" from start to finish.
For Instance, on one occasion I called a company and claimed that my Item was not working and after going through a few routine troubleshooting steps, the representative was satisfied that a refund was warranted. In order to do this, he asked me to take a photo of the nonfunctional Item and to Include a handwritten note- just to verify that what I was saying was true and correct. However, I didn't have the Item! As such, I used the "corrupted file method", by sending a file that wasn't functional. To cut a long story short, he was very stubborn, refused to budge and kept Insisting on sending the file. I did not allow his requests to dictate the course of my SE, hence I took control and kept sending the corrupted files In a different format- to give the Impression that I'm doing my best to resolve the matter. I also expressed my frustration as to why he couldn't fulfill such a simplistic task. After pushing him to the absolute limit, he finally reached breaking point and credited my account.
The moral of the story, Is that "I was the one who called the shots" by being In control of the entire situation and Irrespective of what he demanded, I was always one step ahead! The same principle applies to yourself when SEing any company on any level. Do not take "no" for an answer and prematurely end your SE, but rather be assertive of your actions and behavior, regardless of what Is expected of you. Do remember that "the human mind Is the weakest link In the security chain", therefore anyone can be manipulated to comply with whatever It Is you're hitting them with. If you've executed your attack by having an authoritative figure all the way through, then you've come to the stage of having your funds reimbursed or a replacement Item sent. There Is however, one more thing to take care of, and that's "ending your SE on a good note", so we'll have a look at that now.
Fourth Element: Ending On A Good Note
Although many SE'ers do not Incorporate this as part of their social engineering toolkit, In order to solidify the result of the SE by not raising suspicion and leaving nothing to chance, It's Imperative to "end It on a good note". In other words, you need to be absolutely sure that your claim has been finalized without any possibility of It being reversed. For example, how many times have you heard (or personally experienced) that a refund confirmation was Issued either via verbal agreement or In writing, only to find that a few days later the representative decided to decline It? If you've just started SEing and haven't run Into this as yet, It could happen at any moment and by the time you've figured out what went wrong, It'll be too late to do anything about It.
So why Is It that reps approve claims, but sometime later they've changed their mind and decide to be the biggest pain by disapproving It? There are no hard and fast rules as to why this happens, namely because every SE Is based on Its merit but If you give them reason to alter their decision, such as not ending the SE amicably, then they will decline It with no justification whatsoever. Allow me to elaborate on this. Let's say that you're going through a very lengthy and complex claims process, whereby you're being aimlessly passed from one representative to another, shooting off emails without receiving a response and your chat sessions are prematurely terminated. This behavior Is extreme, yet typical of companies who Intend to refuse refunds/replacements.
Around 3-4 days later, you've received confirmation that your claim has been approved, and your account will be credited for the full cost of the purchase Item. Given that you're obviously very frustrated with the way you've been treated, you've replied with: "Hurry up and give me the money". Or alternatively, you've laughed by saying: "I got you In the end, thanks for the cash". How do you think the rep will react? He definitely won't be happy with the first response and If you've used the second one, It will certainly raise suspicion- enough to reverse his decision. Clearly, you can see that ending the SE on a good note Is paramount, each and every time. All It takes to secure the deal, Is to say: "Thank you, have a nice day". All In all, It's their loss and your win, so be sure to politely finalize your end of the conversation.
In Conclusion
I do hope you've read every word and absorbed It to the fullest extent of your learning capacity. If you haven't, go back to where you left off and continue from that point forward. I'm saying this, because every element needs each other to formulate a flawless start to your SE, as well as ensure that It runs as smooth as possible whilst It's In progress- right until the final stage of locking In the result In your favor. As mentioned In the first element of "researching", If you've SEd the same company countless times, you can skip It but things may have recently changed with their protocols/guidelines, so I strongly suggest that you have a quick read prior to tackling the second element of "formulating your method". In closing, you now have the tools and knowledge to perform a very effective SE, regardless of whom you're targeting and how difficult they appear at the time.
Excerpted
Son düzenleme:
