
What Confirms A Delivery



What Confirms A Package As Conclusively Delivered.

When hitting online stores to the likes of ASOS, Logitech, Argos, Zalando, John Lewis and of course the largest eCommerce company named Amazon, the one thing they all have In common from a social engineering standpoint, Is sending & receiving packages via the carrier who's servicing the delivery at the time of your SE. The objective Is to trick their representatives to credit your account for the cost of the (purchased) Item, or to dispatch a replacement Item at no extra cost. In order to do that, the first port of call Is to formulate your method based on your researched findings and (where applicable), apply It against the nature of the Item you're Intending to SE. This Is a stepping stone to flawlessly execute your attack vector, and also helps keep It on a consistent level all the way until It's finalized In your favor- a refund or replacement.

There are many traditional methods used In "the art of company manipulation and exploitation", such as the wrong Item received, missing Item/partial, sealed box, boxing  and the list goes on. Although SE'ers of all shapes and sizes are quite familiar with their usage and application, there's one particular method named the "DNA" which Is an abbreviation of "Did Not Arrive", that confuses many social engineers- namely "what deems a package as delivered" to their residential home or otherwise. I will discuss this In a very simplistic manner, hence by the time you've finished reading every topic, you will have a clear understanding of what truly defines "a package that's marked as delivered". Unlike the majority of guides on this blog, this tutorial Is a lot shorter and straight to the point but given this solely relates to the "DNA method", I'd like you to know precisely what It entails, so let's rip straight Into It.

What Is The DNA Method?

As you're aware, "DNA" Is short for "Did Not Arrive" which (as Its name Implies) Is used by social engineers to say that the package they've been waiting to be sent to their house (or a drop address) did not arrive. That Is, they've purchased something from an online retailer/store, but the carrier failed to drop It off at their premises. Evidently, the SE'er did receive It, but Is stating otherwise for SEing purposes. The best thing about the DNA, Is that It's "carrier-based", thus considered a "universal method" that can be used with just about any Item of "reasonable size & weight". In other words, as long as you're not SEing a family home (so to speak), It doesn't really matter how big and heavy the Item Is. But you must be realistic by selecting goods that're SE'able, rather than a product that weighs 50 Kg and Is over 2 meters In height so excluding that, any Item will suffice.

Think about It logically for a minute. When ordering on the Internet, the only way that your package will arrive to your home Is via the carrier service, yes? I'm glad you agree. Essentially, regardless of what you've bought- be It a cell phone, a gaming laptop, a pair of trainers or perhaps an office chair In Its collapsed form, It doesn't change the fact that the carrier will drive by and drop off your package- Irrespective of weights & dimensions. You'd then contact the company "the next day"  (you're not supposed to know that It came, so wait until the following morning) and tell the representative that you're still waiting for your delivery. Whatever you do, "do not give any more details than what's required". The more you say, the more ammunition they have to try and decline your claim! 

Now due to the nature of the method, It's very common for "an Investigation to be opened", whereby In the case of the DNA, the company will liaise with the carrier who serviced your delivery to cross-check their shipping documents. What they'll try and establish, Is whether your claim of not receiving your goods Is true and correct and If so, they'll attempt to locate the whereabouts of your package. Generally speaking, what they do In an Investigation Is verify the receiver's signature, examine photos of the account holder's home that were taken by the driver and of significant Importance that relates to every circumstance, "check GPS & tracking Information to confirm the correct delivery address". If It's right, they'll do everything to put an end to your claim. From a social engineering perspective, this Is where the confusion begins. Many SE'ers fail to comprehend why "tracking cannot be used as delivery confirmation", which brings me to my next point as per the topic below.      

The Truth About A Package Marked As Delivered:

If you've been In the SEing scene for months or years to date, and have used the DNA method quite a number of times against major companies, you'd know that It can be a lengthy process until your claim Is finalized one way or another- success or failure. The main reason why the latter (failure) occurs, Is because the rep/agent who's handling your claim, justifies his decision with something along the lines of: "The tracking has shown that your package was delivered to the correct address", which means absolutely nothing. You'll see why this Is the case shortly. The rep will always stick to what he's said and will remain firm with the delivery status, which Is why It's paramount to know that tracking has no effect- because It cannot confirm that the delivery "reached the person" that the package belongs to. 

Notice how I've quoted "reached the person" just above? That's because "tracking" CANNOT mark a package as delivered "to a person". It ONLY concludes that It's been successfully delivered "to the address"- being your home, a drop house or any other place of residence. As a result, "you did not personally receive your package", hence renders tracking confirmation useless and Inconclusive. To give you a better understanding, I'll provide a simple example that you can relate to. Let's say you live In an apartment complex with 30+ units In total. You're expecting mail from your employer that contains some very Important documents and as such, your boss has sent It via "registered mail/tracking"- just to make sure It reaches the correct address.

The postman arrives at your building and whilst In the process of putting mail In Its respective letterbox, for one reason or another, he mistakenly put your envelope "In someone else's mailbox". After a day or so, you've contacted your boss and said that you're still waiting for It to arrive, so he's grabbed the tracking number and Immediately got In touch with the postal service- "who confirmed that your mail did In fact make Its way to the right address". And It was left at that. Can you see what just happened? That's right, "tracking showed that your envelope was sent to the correct address", however "It wasn't you who received It", but rather another person In your building. This analogy Is no different when using the DNA method claiming that "you" did not receive your package. But to manipulate the rep/agent to your advantage, It's Imperative to have sound knowledge of how to effectively use the DNA method, so we'll have a look at that next.

How To Effectively Use The DNA Method:

In order for the DNA method to work, there's a couple of elements that you must put Into effect, specifically recognizing the difference between a package that's "delivered", to one that's "personally received". The former belongs to your "house", and the latter belongs to "yourself " and as you can see, they're obviously very different from each other. When your SE Is In progress, to the point of dealing with the rep's questions and other garbage he throws at you during the Investigation, It's crucial that you stick with the same story all the way, namely "you're still waiting for your package to arrive". The representative will try and justify the delivery confirmation via tracking but as you're aware, this only demonstrates that "It arrived to your house", and "not to yourself"  for the following reasons.     

Unless the carrier driver takes a photo of yourself (In front of your home) holding your package with the tracking ID clearly visible and your house number displayed In the background, there's no way that the company's Investigation can definitively deem that "you personally accepted your goods". Obviously, a photo In the above fashion will not take place without your permission- the driver cannot take a snapshot of you If he's on your private property, hence the company will rely on the carrier's tracking records when assessing your claim  which as you know, Is futile. To make sure you've understood everything that you've just read, I'll summarize It for the last time In the paragraph below.

Tracking purely and solely confirms that "It reached your home" and nothing more, thus as far as you're concerned, "anyone" such as a passerby could have signed and taken your package. Moreover, "the carrier driver" could have taken It!  There are countless possibilities and whatever the case may be, the fact Is, tracking marks that your package ONLY made Its way to the correct destination, being "your home". What (seemingly) happened to It beyond that point, Is not your concern. All In all, the company has no evidence whatsoever to prove that the driver "handed you the package". So make a mental note of all the above points when using the DNA method, and If the rep/agent uses tracking to verify the delivery, keep hitting him over and over again that you're still waiting for your goods to arrive and as such, "you have not personally accepted It".

The Perfect DNA Material:

As with the majority of other traditional methods, the DNA does have Its pros & cons but as an SE'er yourself, It's your job to Identify the "pros" and work on that to locate vulnerabilities that will give your SE the best chance of success. Well, I've already done It for you with the "DNA method", whereby one particular Incident takes place quite often and works In your favor almost each and every time. It's a very straightforward process that's simply based on common sense, yet for some strange reason, a lot of social engineers fail to understand how to use It to their advantage. Here's what I'm referring to. Every driver who works for a carrier company on a large scale to the likes of UPS, FedEx, DHL, DPD and so forth, have a scheduled delivery run on a daily basis, and can deliver anywhere between 120-150 packages a day.

As a result, they're predominantly In a rush to meet their deadlines by making sure that every customer receives their goods on time, and all packages are delivered by the end of their shift. However, It's Inevitable that things don't always go according to plan hence due to unforeseen circumstances, drivers tend to take a few shortcuts, one of which Is "dropping off packages at the doorstep of a house" and Immediately leaving without asking for a signature or any other form of delivery confirmation. Furthermore, the driver also neglects to take a photo of the package of where he left It, so taking all the events Into consideration, they've basically DNA'd themselves!  The company only has tracking verification which holds no value, and because both a signature and photos are not present, there Is absolutely nothing to suggest that "you personally accepted It"- anyone could've stolen It from your doorstep overnight. The success rate of this, Is over 90% so be sure to keep It In mind when you come across a similar Incident with the DNA method.   

In Conclusion:

After reading this entire article, you should not only be familiar with how to effectively use the DNA method, but of greater Importance, Is having sound knowledge that tracking only confirms that  "the package made Its way to the correct address" and "NOT to the correct person". Believe me, companies are aware that this can be used against them and they will try everything In their power to tell you otherwise, but don't give In to their demands. Be adamant and persevere with the fact that "you did not personally receive your package"- and keep sticking to this all the way until your claim Is finalized with a refund or replacement Item. 
