Skip to main content

Featured

SE'ing Encyclopedia

Updated: 10/11/2021:    If you've ever wanted to know every term and method relative to social engineering, Irrespective of your level of experience, then you've come to the right place. This SEing encyclopedia, has everything you need pertaining to common terms and methods that're used In today's world of exploiting the human firewall. All topics Include a brief description, as well as a few examples of how each term Is used In a sentence- which will be of benefit to those new to the SEing sector. To help refine your search, I've added a table of contents, whereby you can pick and choose exactly what you're looking for. 

Tracking Number SE'ing



How To Use The Tracking Number For SEing Purposes.      

With regard to hitting online stores to the likes of Amazon, Argos, ASOS and so forth, Intermediate & advanced social engineers predominantly focus on how to "research the company", "select & formulate an appropriate method" and "execute the attack flawlessly". Some SE'ers also "end the SE on a good note"- just to help ensure the outcome works In their favor. There's no doubt that all the above quoted terms, play an Integral role In making sure the SE gets off to a very good start and keep It consistently flowing In the right direction until the claim Is finalized In a successful outcome. It's of the utmost Importance to put "research", "method preparation" and "an effective attack vector" as part of your social engineering toolkit- as It will make all the difference between success and failure.

I'd say It's very safe to assume that you're aware of the fact that all the above relates to "company manipulation and exploitation", whereby representatives are SEd Into performing actions that they're not supposed to do, namely generating refunds and sending replacement Items at no extra cost. If you've just started social engineering In this capacity, I strongly recommend checking out my guide named Beginner's Guide To SE'ing prior to moving forward with this article. What you've just read thus far, Is "the company side of things", meaning you research them, prepare your method, launch your attack and deal with the reps thereafter. But have you given much thought Into "Incorporating the movement of your package Into your method", as It's being transported by the carrier service? If your answer Is "No", then It's vital to absorb every bit of detail from this point forward. 

What I mean by "Incorporating the movement of your package Into your method", Is that In order to effectively formulate It against the nature of your SE, some methods require you to know precisely where your package Is as It's being delivered, and when It's due to arrive at your premises or at another address where the delivery will be accepted. For example, let's say you're using the "DNA" (Did Not Arrive) method and you're pretty sure that the carrier driver will be taking photos of your home when he drops off your package. As such, It's paramount to have knowledge of  exactly "when he will be arriving"- otherwise your SE Is destined to fail. Don't worry, I've elaborated on this a little further down the page In the topic appropriately named "The Carrier Taking Photos".

So how do you establish the whereabouts of your package during transit? You guessed It, you'd use "online tracking" to check the status of your shipment  by entering your tracking number, and use It to your advantage when preparing a method that relies on It to succeed. That's the objective of this tutorial- to utilize the tracking system that's provided by carrier services and Identify where your package Is, hence you will have ample time to prepare your method and ensure It's well and truly applied BEFORE the driver arrives and the package reaches Its destination. Rest assured, once you begin reading the methods after the next topic, this will make perfect sense! First and foremost, It's Important to familiarize yourself with what a "tracking number" Is and how It works, so let's check It out now.       

What Is A Tracking Number?

Given there are so many carriers/postal services (and the like) and the fact that they operate differently to some degree, It's beyond the scope of this post to cover the lot, so what you're about to read Is not based on any specifics and should only be used as a general guide. I'll try and simplify It as best I can. When you buy something from the Internet and waiting for It to be delivered, In order for It to make Its way to the correct address (your home), It needs to be Identified throughout Its journey and the way It's done Is by assigning a "tracking number" to the package, namely on the shipping label which also contains a barcode. The tracking number can be revealed when the barcode Is scanned. Each number Is unique and no two are the same, thus there's no room for error when pinpointing which tracking number belongs to what package.

Every carrier has their own algorithm when generating tracking numbers, so the length varies with each service. For example, at the time of writing, "DHL has a 10 digit number", "UPS Is set at 18" and "FedEx Is 12"  but Irrespective of their length, they all serve the same purpose- tracking consignments. Here's how a local delivery basically works. Remember: "This Is generally speaking and not based on specifics". The driver will pickup your package at the collection point and "scan the barcode". This will Instantly record the consignor (sender) and consignee (receiver) details. At some stage during the day, he'll take It to the depot and "It will be scanned for the second time". When It's scheduled for delivery, "once again, the driver will scan It" and then place It In his van. Finally, when the package reaches the drop off point (example: your house) "It will be scanned for the last time"- which confirms that It made Its way to the correct address.

If you've kept count on the amount of times the package was scanned, you'd know that It's "4 In total" and If you've used or read the flawed so-called "FTID method", you now know why this biggest piece of garbage has a significant failure rate unlike any other method In the SEing sector. More on the FTID crap towards the end of this article. Back on-topic, due to the scanning process, the shipping Information Is automatically recorded on the carrier's network, which gives you the opportunity to see how It's progressing In (near) real-time. To do that, just "enter the tracking number Into their website", and you can keep an eye on It and determine when It's due to arrive. As mentioned In the third paragraph of this tutorial, "some methods require you to know where the package Is and when It will be arriving", so without further delay, let's make a start.    

The Carrier Taking Photos:

Before I begin, do note that this solely relates to using the "DNA" (Did Not Arrive) method, whereby you say that the package you're expecting to be delivered by the carrier, did not arrive to your home. Of course, you did receive It, but you're stating otherwise for SEing purposes. There are a few ways that carriers confirm shipments as delivered to the correct address, such as a signature on receipt of goods, an "OTP" (One-Time Password) given to the driver, or "photo verification" by taking a snapshot of where the package was left. At the time of this guide, "DPD" who services many retailers that Includes Amazon and ASOS, Is one carrier who (for the most part) takes photos Instead of asking you to sign their handheld device. They do It by using one of two of the following options.

The first, Is by leaving the package at the exterior of your home, by selecting a particular location that will be Identified as belonging to you. A commonality with most drivers, Is to place the package at (or near) the front doorstep and when they take the photo, they also make sure that the "house number" Is clearly visible. And If you say that you didn't receive It, they'll use the photo as evidence to "try" and decline your claim, but believe me, It's absolutely useless!  "How so" you ask? Well, anyone could've walked by and stolen the package In your absence, hence the package & house number shown In their photo, Is worthless- for the reason that "you did not personally receive and accept your package". Do keep this In mind when using the DNA method.

The second option used to verify consignments (and of relevance to this article), Is when the driver asks you to open the front door and he'll place the package In the "entryway", and then take a photo as proof of delivery. As a result, If you try and deny that your order arrived, they'll use "the layout of your entryway"  to prove that It's your home In their photo. Seems Impossible to circumvent, correct? Not at all, and here's how you bypass It by (first) putting the "tracking number" Into action. You need to know when your package Is due to arrive, so head over to the carrier's website, enter your tracking number and take note of when It's expected to reach your address. Depending on where It's located In transit, you may have to do It several times. Now the following part Is very Important, so pay attention to every detail.

Once you've Identified where your package Is and when It's coming, around 30 minutes before It's due to arrive, "rearrange your entryway"  by removing every bit of furniture and replace It with rugs, chairs, tables and so forth from another room. Also, be sure everything Is clearly visible when the front door Is opened. What you've just done, Is "give the appearance that It's NOT your home", so when the driver arrives and asks you to take a photo of your entryway, allow him to go ahead. When he leaves, "place your furniture back to Its original layout". If they decide to Investigate by visiting your home and compare their photos with the current (and normal) layout of your entryway, "they will not match", thus they have no evidence to conclude that your package made Its way to the right address, namely your home!  As you can see, the tracking number allowed you to establish when your delivery was arriving, thereby the method was fully supported which will result In the SE succeeding. 

Using A Drop House:

Once again, this pertains to the "DNA method".  If you're the type of social engineer who prefers to remain anonymous by not having stuff delivered to your real address, one of many ways you can accept your goods Is by using what's called a "drop house", also referred to as a "drop address" or just "drop" on Its own. So what exactly Is this? I'm glad you've asked. Put simply, It's a physical location In the form of a residential house that does not belong to the SE'er, and Is used as a delivery point to "accept packages from a given carrier service". In other words, Instead of using your current address to receive your orders, you'd opt for a remote home that's "vacated" and has no association to you whatsoever. The drop can be a property that's "listed for sale", one that's advertised for "rent/lease" or a "foreclosed home"- which means Its owners did not pay the monthly repayments on the mortgage, and the bank seized the property and put It up "for sale"

Whatever the type of drop you decide to utilize (rent, foreclosed, for sale), you need to be absolutely certain that "no one Is living there when your package arrives". Remember: You're the one who will be at the drop house awaiting your delivery In front of the premises, so It's paramount to make sure It's empty and of greater Importance, "knowing when the driver Is scheduled to arrive", therefore you must calculate "when" you'll be at your drop to meet the driver. You should definitely know by now, on how to do this- It's no different to what you've read In the topic above, so navigate to the carrier's website and "use your tracking number to check how your package Is travelling", and take note of the "ETA" (Estimated Time Of Arrival). 

Be sure to get there around 20-30 minutes earlier, hence It ensures you won't miss the driver's arrival and while you're waiting, act like you belong there by picking a few weeds from the front garden or cleaning around the house. As such, you will not raise suspicion, thus there's no reason why your presence will be questioned, not even by the neighbors- they'd probably think that you're a friend of the owner who's dropped by to do a little maintenance work. The moment the driver turns up, greet him (her) with a friendly "hello", grab your package by signing with a fake signature and as he's leaving, end the conversation on a good note by thanking him and saying to enjoy the rest of his day. As a result of every event, you've avoided attracting attention and yet again, "tracking confirmation was the key to effectively finalize the DNA method with the drop house".

Returning Your Item:

What you've just had the pleasure of reading so far, relates to the tracking Information when "receiving" deliveries to an address of your choice, but as an SE'er yourself, It's quite obvious that you should be well aware that It also applies to "sending" packages to a given company  for a refund or replacement Item. The way this works Is very different to everything I've described In the above topics, meaning you will only be using the tracking number to confirm a couple of things: Your package "has been delivered" to the company OR "It's In transit and will be delivered" to the company. Because of the nature of how you'll be applying the tracking number, It's only advantage (and for the purpose of this guide) Is when "filing a PayPal dispute/claim" and when using the "FTID method". I'll cover each of those respectively, beginning with the FTID.

Using The FTID Method

Prior to making a start on this, I'd like to make one thing perfectly clear with the method Itself. It's the biggest load of trash to hit the social engineering sector, for the reason that "It's flawed In many areas and contains an array of Inconsistencies that ultimately result In a failed SE". So why am I discussing It? Well, to save you from disappointment before you attempt to try and use such a deficient piece of rubbish. There Is however, one particular way that It "may" (not "will") have a successful outcome- which Is the purpose of this topic. I'll elaborate on It shortly. In terms of the method's definition, "FTID" Is an abbreviation of "Fake Tracking Id" which Is totally misleading. The "tracking ID" Is not fake at all, It's the "shipment" that's fictitious. The method's creator/author can't even get the title right, so how Is It supposed to work without leaving room for error? Enough said.

In a nutshell, the FTID method Is all about having the "tracking number shown as delivered (carrier-wise), but the company has no administrative or physical record of the package In their warehouse". Simply stated, the tracking Information says It's delivered correctly, but the company does not have the package/parcel (don't worry, this will make sense In a few minutes, so keep reading). As a result, there are no details assigned to the sender (the SE'er)  which releases the social engineer from liability, therefore It's the company who's responsible for loss of goods, thus they have no choice but to Issue a refund or replacement. I'll demonstrate the only way that the method "may" (and In almost all cases "won't") work, and you'll be using the tracking number only to verify that you (apparently) returned your Item.    

The objective Is to "seemingly sent your Item back". That Is, you will send an empty parcel or envelope  hoping that when they receive It, they'll toss It In the trash and as such, the "tracking" confirms the consignment, but they "do not physically have It". I recommend sending an envelope and here's how you prepare It. Remove all Identifiable details linked to your order- senders Information, RMA Info (If any), order numbers and so forth. The only thing that you'll leave Intact, Is the "tracking number" and Its associated "barcode". This ensures that your envelope will get scanned, and get there as Intended. Now before sending It off, you must give It the appearance as though It's an advertisement, by placing a sticker or two on the envelope that reads (for example) "Peter's carpet cleaning services" or perhaps "10% off your next electric bill". It's totally up to you.

Can you see what you've just done? That's right, your return appears to be something useless to the company  that's of no Interest to anyone working In the receiving/Inwards goods department, so when they see the advertising stickers on the envelope, fingers crossed, they'll throw It out. Basically, for this method to work, you're relying on the laziness of the storemen and hoping they're brain-dead to completely Ignore an envelope that's clearly marked and addressed to them. I can confidently say that every company who works on a scanning/tracking system, will check each return, regardless of Its appearance. 

Seldom (If ever), do people spend money on tracking for the sake of sending an advertisement to an Individual entity, which Is yet another reason why the method will fail. As with spam emails, they'd mass-mail thousands of envelopes to random companies knowing that quite a few will utilize the service that they're offering. Anyway, on the grounds that It somehow does work, you'd call the company asking about your claim and "give them the tracking details" as proof of delivery. This will solidify the fact that It was sent to the correct destination/company.

Given they've disposed of the envelope, they cannot cross-check your return, hence your bank account will be credited for the cost of the purchased Item. Now If you're still living In the 60s when scanning systems were non-existent and the delivery was based on the details of the shipping label, Inclusive of SEing a company whose employees are half-asleep on the job and couldn't care less about following protocol, then the flawed so-called FTID method may work as per my tutorial. That aside, once again "the tracking number confirmed the shipment as delivered", and was the major contributor to the (hopefully) successful outcome.  

Filing A PayPal Dispute/Claim

Before I discuss "how you can use the tracking number to your advantage with PayPal", It's very Important to know how PayPal operates- both from a legit and SEing viewpoint as follows. Even though you've researched your target thoroughly, formulated your method perfectly based on your Item and (researched) findings and executed your attack by leaving nothing to chance, your SE can fail at the best of times. This Is through no fault of your own, but rather the fact that "you have very little to no control of how representatives assess and process claims". When SEs fail, a lot of social engineers take It as a loss and think that It's ultimately come to an end, but nothing could be further from the truth. 

If you're using "PayPal" as your payment system (If not, do so asap!), It protects your purchases by offering what's called "Buyer Protection", which Is Ideal to rescue a failed SE and here's how It basically works. If something goes wrong with the purchase, such as the package didn't arrive (DNA method) or a different Item was sent (wrong Item received method), you'd file a PayPal "dispute" and that will get escalated to a "claim". PayPal will then step In and try and correct It. Now there's only a couple of things that you can claim for, being what I've just mentioned - the "DNA" and the "wrong Item received". PayPal lists these respectively as "INR" (Item Not Received) and "SNAD" (Significantly Not As Described). They'll collect all Information about your claim and If they have enough evidence In support of your SE, they will refund your account. If PayPal declines It, you'll SE them by using your "tracking number"
   
Now that you comprehend how PayPal resolves matters, you'll be using them to your benefit In the form of "returning your Item to the company"  when you have no Intention to do so by putting your "tracking number"  Into action. "Do note that this does not work with each and every SE, and Its success & failure rate Is equally divided at 50%", but you've got nothing to lose and everything to gain- If the outcome Is finalized In your favor. Allow me to explain It In layman's terms. For one reason or another, PayPal sometimes reverses the transaction and refunds your account, "only when they receive tracking confirmation that your package Is on Its way (In transit) to the company"

In other words, all they need Is the "tracking number" that shows the sender & receiver details, and that's enough to satisfy their decision to reimburse the funds back Into your account, Irrespective of your package not delivered to the company as yet. Remember: "You're not sending your Item back, only the package with the tracking details". Now to give this the best chance of  success, It's crucial to contact PayPal In advance, meaning way before your package reaches the company- just to speed up the refund process. All In all, your bank account will be credited by PayPal and whatever happens with your package thereafter, Is Immaterial.   

In Conclusion:

As you've well and truly realized, the tracking number Is used more than just simply verifying deliveries from consignor to consignee and vice versa. What you've learned from this article, Is that the tracking number's usage can be manipulated to serve your needs In a social engineering capacity, whilst still maintaining Its authenticity and not raising any suspicion whatsoever. There's one thing that I'd like you to always remember: "SEing Is all about manipulating an entity Into performing an action that they're not supposed to do". You've done exactly that, by Incorporating the tracking number Into your method to give your SE the greatest opportunity to succeed. 


Comments