

Perform A Practice Run Prior To The Real SE

In terms of social engineering stores on every level to the likes of Wayfair, ASOS, Amazon, Zalando, Argos, Apple etc, with the Intention to trick their representatives to perform actions that they're not supposed to do - namely credit accounts and/or dispatch replacement Items at their expense, It takes an exceptional set of skills to get the job done with minimal disruptions. Things like Internal and external Investigations opened to sort out discrepancies with claims, as well as police reports asked to be filed and returned for theft-related Incidents, can be rather frustrating and somewhat concerning for those who've just started their career In the art of "company manipulation and exploitation".

To add to the confusion of Inexperienced social engineers, It's not uncommon for companies to Issue affidavits and statutory declarations, and If they (the SE'ers) have very little or no Idea on how these documents should be handled, there's a very high chance their attack vector will be disrupted and the SE will eventually come to an end. Sure, there are times when chat bots Instantly approve claims particularly with low value Items, or refunds are generated on scan, and of course brain-dead reps who reimburse funds on the spot but for the most part, customer service reps work strictly by the book when assessing claims.

If you've been consistently SEing on an advanced level for many years to date, you'd be well and truly aware that everything mentioned above pertaining to Investigations and signing paperwork, Is only part of company protocol to move forward with the claim, hence there's no cause for concern. Now It's all well and good, If you want to know what you're up against when refunding a given online retailer - you'd simply research the Ins and outs of their terms & conditions, Inclusive of the carriers used to service their deliveries, and/or perhaps ask fellow SE'ers to share their knowledge.

But what If you fail to get the Information you're after, no matter how much time you've spent gathering the company/carrier details? Well, that's where I come In, by Introducing you to a very effective tool which I've personally named a "practice run". What you will learn today, Is the definition of a practice run, the traditional methods that warrant Its usage, and finishing off with what to specifically look for during a practice run. Confused? Rest assured, this will make perfect sense as the article progresses. Okay, before discussing all that, we'll start by checking out what a "practice run" entails.


What Is A Practice Run?

When you're after a few details about a company you're planning to SE, the first place to navigate, Is to their website's terms and FAQ section, and you'd probably also hit a few Google searches here and there. However, for privacy and security reasons, certain types of Info are kept within the confines of the company, thus are not open to the general Internet community. As such, an excellent way to see how they process orders and the requirements their carriers use to deliver & verify consignments, Is to do what I call a "practice run", meaning a trial SE.

So what exactly does a practice run Involve? I'm glad you asked! Essentially, rather than SEing your real Item, you put together a "bogus SE" that's solely used for testing purposes - with the Intention of establishing the actions companies take while evaluating claims, and the measures they have In place when assembling, dispatching and delivering goods to their customers. This will give you a pretty good understanding of what to expect when you're ready to execute your real SE. There are many ways to perform a practice run, but I'll keep It simple by demonstrating just the one example as follows.

Begin by ordering a very cheap Item that only costs a few dollars or so, from the same company you'll be social engineering (for real) at a later date. This way, If your SE doesn't go according to plan and fails, you've got nothing to lose except a measly two or three bucks on the cheap Item you've already bought. That approach only relates to the "missing Item", "partial" and the "wrong Item received method" - for the fact that you'd need to determine If CCTV cameras are In use, If a return Is requested by the company and whether products are checked during packing (I've covered all that In the last topic), therefore the Item value Is Immaterial.

As for the "DNA method", you'd be checking If an OTP (One-Time Password) Is required on delivery - which Is often the result of SEing a high value Item so If you're doing that with your SE, be sure to match the cost of the Item In the practice run. Okay, I'll use the "missing Item method" to show how the practice run works. After buying your Item and receiving the package from the carrier driver, you've contacted the rep/agent, and told him that nothing was Inside the box/package. As expected, an Investigation was opened to see why you didn't get your product.

On completion of the Investigation, If the claim was approved and a refund was Issued, you know for sure that CCTV cameras were not monitoring their warehouse, nor did their storemen check any goods when packing the order and as such, the missing Item method can be used with your "real SE" against the same company. Evidently, the practice run can be applied to every other method mentioned In this tutorial by adjusting the approach accordingly, but In order to do that, you must fully familiarize yourself with each method as outlined In the topics below. And when you're done, I've discussed "What To Look For During A Practice Run" with the said methods prior to concluding this article. So let's start with the good ol' missing Item method.     


The Missing Item Method

As Its name Implies, the "missing Item method" Is used to say that the Item you ordered from an online store, was missing from the box/package when the carrier delivered It to your home. Here's an example of how It functions. You've purchased an SSD from a UK retailer called Currys PC World and upon "opening the box", there was nothing Inside - the "SSD" Itself was missing. Alternatively, you can say that when "the package was opened", the entire contents were missing - the "box & the SSD" was not In the package. You'd call Currys and tell the representative that you didn't receive your product, and he'll then begin to assess your claim.

For the missing Item method to work, It's paramount to select something that's "extremely light and will not register a weight on consignment", thus the company won't have evidence to suggest your Item was In the package/box when you accepted It from the carrier driver. I recommend not to exceed "120 grams" (for only the Item, or the box & Item), and that's pushing It to Its absolute limit. Now I'm the type of SE'er who covers every angle with each SE, so for a greater than 95% success rate, stick with a weight between "40-60 grams". That said, there are some factors like "CCTV cameras" that significantly complicate the SE to point of failure, of which I've discussed towards the end of this guide.  


The Partial Method

Given you've just read about the missing Item method, you'll have no problem relating to "the partial method" (also known as the "PEB" - Partial Empty Box), namely because It works on a similar principle, but with a slight variation In how It's formulated and executed. Often referenced as "partial" on Its own, the method pertains to ordering a bunch of Items from an online retailer, then claiming your order was "partially filled" when It arrived. In other words and purely as an example, 5 Items were purchased, however only 3 or 4 of those Items were received.

It's performed almost the same as the missing Item method, but Instead of buying only the one product and SEing that alone, you'd grab "multiple Items on the same shipment" and then get In touch with the rep, and tell him that "one or more Items were not In the package/box when you opened It". Now this part Is very Important, so pay attention! If you're SEing more than one product, you must combine the weight Into a single figure and keep It under 120 grams. For Instance, If one Is 65 grams and the other Is 45 grams, It's taken as one unit at 110 grams. Do the math: 65 + 45 obviously equals 110. Be sure to apply this formula to each and every Item you're social engineering.


The DNA Method

The DNA Is an abbreviation of "Did Not Arrive", and Is used by SE'ers to say that the package they've been waiting to be delivered to their address or drop house, did not arrive as Intended. That Is, they've bought something from the Internet, but the carrier driver neglected to drop It off at their home. Of course, this Is not true at all - the social engineer Is using that excuse for a refund. The good thing about this method, Is that It's "carrier based", hence Is compatible with almost every company who utilizes a carrier service to deliver goods to their customers. 

I'd like to point out a huge vulnerability that the DNA exploits, thereby It gives the SE a very high chance of success - specifically "when carrier drivers leave packages unattended at the doorstep". When It happens, they've basically DNA'd themselves, for the reason that "you did not personally receive the package".

Sure, GPS/tracking marks the consignment as delivered, but It only confirms delivery to an "address" and NOT to a "person". Even If a signature Is requested, tracking Is still useless - fake sign It, and you're In the clear. All In all, by remaining adamant about "not personally receiving the package", there's nothing a company can do to say that you did! Now If an "OTP" Is required to accept the package, one way to establish It beforehand, Is with a practice run - which I've covered In the last topic.    


The Wrong Item Received Method

The biggest advantage of the wrong Item received method, Is Its versatility, meaning It's suited to every company that has a warehouse full of stock. Unless you're SEing a car (so to speak!), there are almost no restrictions on the type of Item to be SE'd, therefore It can be used with just about every online store. I'll explain how It works In a very simplistic fashion. After you've bought a product and It was delivered to your house, contact the rep/agent and Inform him that "the package contained a different Item to what was originally ordered".

Naturally, and as you already know, the event didn't take place - the correct Item was dispatched. Before going ahead with the method Itself, you first need to "buy the wrong Item that you're pretending to have received" - for the fact that you'll be required to send It back, and a refund will only be processed when the company has It In their possession. Makes sense? Good! When buying the wrong Item, do so on a "separate account" by changing every Identifiable detail, thus It won't be associated to your main/primary account. Also, make sure It's purchased from "the same company you're currently SEing", and Is sent to "another address".   

As a result, when the return (of the wrong Item) Is scanned, they'll see It's part of their Inventory and assume they mistakenly sent an Incorrect product to you. As a final note, It's Imperative that "the weight of the wrong Item, Is as close as possible to the Item you're SEing", so If the company decides to liaise with the carrier who serviced your delivery and cross-checks their records, there will not be a variance In weight, thereby your claim of receiving the wrong Item, Is well and truly justified. This concludes your understanding of the 4 methods that warrant a practice run, which brings me to the last topic of this article.


What To Look For During  A Practice Run

Now that you're well acquainted with the aforementioned methods, In order to utilize them to their full potential and help ensure a successful outcome, It's of the utmost Importance to be aware of the "protocols and procedures some stores have Implemented In their warehouse", as well as the "type of delivery verification certain carriers require on receipt of goods". In simple terms, many companies and their carrier partners, operate In a manner that will not only cause huge complications to the method you're planning to use, but may also prematurely put an end to your SE.

As such, you need to know exactly what you're up against BEFORE targeting the company you have In mind, hence It will give you a clear Indication as to whether the method you've selected, can be used to social engineer the company/carrier In question. And the way It's done, Is by "knowing what to look for when performing your practice run" - which will decide If your method can/cannot be put Into action. To help you along the way, I've outlined four elements (below) relating to warehousing and carrier services, and listed the method(s) they may Impact or eliminate altogether. Also, to avoid congestion, I've kept everything to a minimum and straight to the point.     


CCTV Cameras - Related To The Missing Item, Partial & Wrong Item Received Method

If you've never social engineered a particular company and are thinking of using the "missing Item method", the "partial" or perhaps the "wrong Item received", It's crucial to establish If their warehouse activities are monitored by CCTV cameras - namely their picking & packing procedures. If It Is the case and on the grounds you're purely SEing the entire contents of your product (box, packaging and Its Item), It's almost guaranteed your SE will come to an end not long after your claim was assessed.

The reason Is because they'll open an Internal Investigation by referring to their CCTV footage, and see that your Item was picked, packed and dispatched correctly, and there's nothing you can do In your defence to support your SE. Cameras don't lie, social engineers do! So when using any of the methods above, especially If you're wanting to SE a high value Item, first perform a practice run on a separate/fake account and If It succeeds, It confirms CCTV cameras are not Installed. You can then use your real/main account to SE the company.  


Products Checked During Packing - As Per The Above Subtopic's Methods

Unbeknownst to many SE'ers, certain companies actually "check their goods as they're being packed In the box/package" prior to taping It up, and sending It off to the buyer. For Instance, I can confidently say that a UK sunglasses (and watch) retailer called Shade Station operates by picking their stock, "opening the sunglasses case to make sure the product Is Inside", and then packs and sends It to the customer. Other stores with a similar setup, also work In the same fashion. It's a huge Issue that ultimately puts an end to the missing Item, partial and the wrong Item received method.

And If you still plan on saying (for example) your sunglasses were missing, think again - they'll email the CCTV footage clearly showing "your product was In the case" and packed In full! And when that happens, say goodbye to your SE - the video demonstrates the Item was Included In your order, hence It's useless trying to dispute the evidence - It's a complete waste of time, so don't even bother escalating the claim, It will be declined based on the proof contained In the footage. If your practice run determines the Item Is checked at the time It's packed, opt for another company.       


See If An OTP Is Required On Delivery - Related To The DNA Method

If (for example) you're SEing a high value Item, such as a TAG Heuer Men's watch from Amazon that retails for around $5,000 by using the DNA method, an "OTP" (One-Time Password) will most likely be required to verify that the package not only made Its way to the correct address, but was also "personally received by yourself (the SE'er) or another authorized recipient". What this means, Is that the OTP will be sent to your cell phone or the email address on your account, and when the driver arrives, you must tell him the password to accept the package.

If you don't give him the OTP, he has every right to mark the consignment as undelivered. Although (for the most part) you're told In advance of the OTP, If you've already planned the DNA method before being Informed about the password, It may well ruin the entire SE - particularly If you're adamant on using the DNA, and have no Idea how to circumvent One-Time Password verification. There are a few ways to Identify an OTP - namely (sometimes) at Amazon's checkout page, or manipulating the rep/agent to reveal the delivery status but when all else fails, you guessed It, hit a practice run.


Check If A Return Is Requested - Related To The Wrong Item Received Method

Stating the obvious, a request for a return does not apply to the missing Item, partial and the DNA method - you (seemingly) don't have the Item using these methods, therefore It only pertains to the "wrong Item received method". Now If you've formulated It as discussed further up the page, there's no problem sending the wrong Item back to the company for a refund or replacement.  

However, a lot of social engineers experience difficulties locating a wrong Item of equal/similar weight as the original purchase product. As a result, they'd like to find out If the company they're SEing will In fact request the return (Logitech & SteelSeries, will most likely ask for a POD - Proof Of Destruction Instead of a return) and of course, that's when the good ol' practice run Is put Into action. There's no need to elaborate on this, you know what to do!   


In Conclusion

There are many other methods that can be used with a practice run, but It's way beyond the scope of this article to cater for the lot, thus I've purposely focused on four common methods used by SE'ers of all shapes & sizes - the "missing Item", "partial", "DNA" and the "wrong Item received".

As such and along with having sound knowledge of the design and application of each one, you're now In a position to effectively formulate the lot, and (when necessary), put the practice run Into action to help ensure your SE heads In the right direction towards achieving Its objective - a refund generated Into your account or If you prefer, a replacement Item dispatched free of charge.   
