Skip to main content

Featured

SE'ing Encyclopedia

Updated: 10/11/2021:    If you've ever wanted to know every term and method relative to social engineering, Irrespective of your level of experience, then you've come to the right place. This SEing encyclopedia, has everything you need pertaining to common terms and methods that're used In today's world of exploiting the human firewall. All topics Include a brief description, as well as a few examples of how each term Is used In a sentence- which will be of benefit to those new to the SEing sector. To help refine your search, I've added a table of contents, whereby you can pick and choose exactly what you're looking for. 

Advanced Replacement



The Company Dispatches A Replacement Item In Advance.

When hitting online retailers to the likes of Zalando, Nike and of course the largest eCommerce company being Amazon, they're all exploitable by tricking their representatives to perform an action that they're not supposed to do- In this case, send out a replacement Item at no extra charge or credit your account for the full cost of the purchased Item. That's precisely what social engineering Is all about- "getting the person on the other end of the conversation/gateway to do something that he/she Is not meant to do". Be It using the "DNA" (Did Not Arrive) method by saying that you didn't receive the package that was delivered by the carrier driver, or claiming that upon opening the box, a different Item was enclosed hence "the wrong Item received method" was put Into action- the fact Is you're manipulating the rep/agent to believe your side of the story, regardless of your objective. 

In other words, It doesn't matter what the end result Is. Whether you're simply after a replacement or you'd prefer your account be credited, It's "the methodology used to achieve your goal" that truly defines social engineering. In terms of company manipulation and exploitation, the only way that the SE will work In your favor, Is by Implementing a flawless "Item & method compatibility", meaning for the most part, the method must be suited to the nature (weight & size) of the Item- you cannot select the first one that comes to mind. For example, If you're looking to use the "missing Item method" on a pair of Fila Disruptor trainers that weigh around 1.20 kg and the company opens an Investigation by cross-checking the weight recorded at the carrier's depot, then your SE will fail there and then.

Sure, some reps lack common sense or have very little to no brain cells left and approve claims on the spot, but predominantly, they do follow protocol during the evaluation process. Not each and every SE requires the method to be prepared In advance- some companies will actually ship the product beforehand, which Is known as an "Advanced Replacement" or an "Advanced Exchange". The former Is used by "HP", and the latter relates to "Dell" but Irrespective of their titles, they both serve the same purpose. So what exactly Is this, and how do SE'ers utilize It to their advantage? I'm glad you've asked! I will demonstrate how to apply It to Its full potential, thereby maximize the success rate of your SE but before I do that, It's paramount to have a clear understanding of what an "Advanced Replacement" entails so without further delay, let's get this started. 

What Is An Advanced Replacement?

As already mentioned In the above paragraph, this Is also referred to as an "Advance Exchanged" that's offered by Dell  but for the purpose of this guide, I'll be referencing It as "Advanced Replacement" that's commonly abbreviated as"AR". As Its name Implies, this Is when the company sends you a replacement Item BEFORE you return the one that was purchased from them that's "apparently" defective. I've quoted "apparently" for a very good reason, namely because there's nothing wrong with your Item- you're just saying It's not working so they can dispatch another one free of charge, but It's not as easy as It sounds. You'll see what I mean In a minute or two. Generally speaking, here's how an AR works. 

Let's say you've bought a computer monitor and whilst It's still within their warranty period, you've contacted the customer service representative and told him that It's not turning on. Now as per their policy and guidelines, they'll go through a few troubleshooting steps  to try and Identify why It's not functioning In Its original state. They may ask things like "Are there any lights on when It's plugged Into the computer?" or perhaps tell you to use different/spare HDMI and/or USB cables and so forth. Obviously you'll say that It's still not powering up, and after the rep Is satisfied that It Is In fact a manufacturer defect, he'll send you a replacement "In advance"  so when you receive It, you're supposed to return the one that you've claimed Is nonfunctional.

Being the SE'er that you are, you'll do nothing of the sort, but failing to comply with their request by not sending back the broken Item, will result In your bank account being billed for the full cost of the purchase price. One of many companies that does this, Is "HP"  (Hewlett-Packard) and If you think that they'll simply forget about It and not touch your funds, you're under a total misapprehension- they will debit your account If you don't return your faulty product

Yes, reps/agents who're half-asleep on the job or have handed In their resignation, will probably Issue the replacement and won't bother pursuing the matter any further. But I'm talking about those who operate strictly by the book and do not finalize claims until they either get their goods back, or recover the cash by withdrawing It from your payment system. Because of this, It's of the utmost Importance to be "well prepared before even thinking about SEing companies who offer advanced replacements"  as part of their claims management process, which brings me to the next topic.    

Preparing For The Advanced Replacement:

If you've yet to perform an advanced replacement, there's a lot that needs to be attended to prior to executing your attack vector against the target In question. Companies are not as naive as some SE'ers may think- they don't appreciate marking the claim as a loss due to non-return of goods, hence as said In the above topic, they will compensate It by taking money out of your credit card or bank account. As such, It's crucial to "change every Identifiable detail" that can be used to pinpoint who you are, and I'm not referring to only creating a fake name & address- It extends a lot further than that. Sure, many social engineers have gotten away with solely changing their family & given name and residential address, but I'm the type of SE'er who covers every angle and leaves nothing to chance.

What you're about to read below, Involves formulating a totally new profile that has no association to your real Identity whatsoever, and given you'll be using your device (such as a computer, cell phone or otherwise) to communicate during the SE, I've Included that as part of the equation. Some SEers would argue that my recommendations Is an overkill, meaning the majority are not needed with an advanced replacement, however all It takes Is "one minor detail that's personally linked to you to be leaked In the hands of the representative", and your movements will be traced In no time at all. The purpose of building a new profile from the ground up, Is "to remain completely anonymous" from the time your SE Is executed, right through to receiving your replacement Item and vanishing thereafter. Be sure to take every bit of the following Information on board and If need be, alter It to suit your SE.  

  • Change of full name (family & given name)
  • Change of date of birth (where applicable) 
  • Change of full residential address (use a drop house)
  • Change of email address (self-explanatory)
  • Make sure the new email address does not contain any personal details
  • Change of phone number (new SIM on a fake account or use a burner service)
  • Navigate online via a VPN (NordVPN, ExpressVPN or IPVanish will suffice)
  • Use a different device (one that was NEVER used with previous accounts)
  • Change the device MAC address (this free tool does an excellent job)
  • Protect your payment system with a VCC - Virtual Credit Card (there's heaps of providers online)

Although the above Implementations Is not an exhaustive list, Its objective Is to minimize your exposure  to the point of keeping your real Identity where It belongs- within your local environment. It contains the perfect Ingredients to ensure your privacy & anonymity Is fully protected at all times, thus your fictitious presence and behavior, will not raise suspicion. All this Is vital to keep the SE flowing In a positive direction, and maintain It that way consistently from start to finish. Now as with every AR, you will be required to send back your (seemingly) defective unit, but because "you cannot be Identified after applying my recommendations", It's not a cause for concern.

The company will dispatch your replacement and when you receive It, you'll disappear without leaving any fingerprints or digital footprints behind. Okay, prior to concluding this topic, It's Imperative to have a good understanding of what's Involved with advanced replacements, particularly the Importance of utilizing a "Drop House" and a "Virtual Credit Card" - both of which are mandatory with ARs and cannot be disregarded under any circumstances. If you've never come across either of the two or both, rest assured, you'll be well-Informed In the topic below so let's check It out now. 
 
The SE In Action:

Before I make a start, I'd like to point out that this Is not based on any specific company, therefore the Information leading to the series of events that take place during the course of the entire scenario, may vary from one SE to the next. Also, for all Intents and purposes, "you are the social engineer who's hitting the company"  and to keep things simple (and as already discussed), the Item to be SEd Is a computer monitor.  So without further ado, let's begin. Your very first step was to "research the company", namely how they process claims- to see whether they do In fact offer "advanced replacements" and after that was established, you've setup everything on your end. This consisted of "hiding your Identity In full", using a drop house and having your payment system protected with a "VCC" (Virtual Credit Card).

As a result of all the above, you're now operating under an alias and you're ready to execute your SE without any chance of being personally Identified. You've ordered the monitor by paying with your "virtual credit card", had It delivered to a "drop address" (a vacated home not belonging to you) and around an hour later, you've contacted the company and told the representative that It's not working. Evidently, there's nothing wrong with It, so you are only stating otherwise for SEing purposes. As you're aware, their claims protocol Is to troubleshoot the product, hence It's very Important to remain adamant by saying that It's not functioning with every question and request from the rep/agent. A short while later, the rep decided that an AR was warranted and dispatched a new monitor to your address- the "drop house".

This means that you need to send back your (seemingly) faulty monitor, but obviously you have no Intention of returning It. Now the way advanced replacements "generally work", Is that the company will put a hold on your credit card and If you don't give them your broken Item, they will debit your account for the cost of the replacement unit. Before they have the opportunity to do this, you'll put your "virtual credit card" to good use, by cancelling It right after your new monitor Is delivered. Given the VCC Is a disposable card, the company cannot withdraw funds from the account that It's associated with. To make absolutely sure that they don't touch your cash, also cancel your real (plastic/physical) credit card and do the same with your bank account

If you played It smart from the beginning, you would've created every account using fake credentials, thus there's no hope of being tracked at some stage In the future. The VCC has simply added an extra layer of anonymity, therefore your payment system Is well and truly hidden. All In all, because your Identification Is fictitious In every facet to your real profile, along with using a drop house to accept the delivery and a VCC to protect and keep your money secured, you've ultimately social engineered two computer monitors for the price of one. A job very well done Indeed. 

In Conclusion:

Now that you've read the entire article and taking Into consideration the detailed Information In every topic, you may be under the Impression that It's somewhat an arduous and lengthy process to SE using an advanced replacement, but I can assure you that nothing could be further from the truth. As mentioned a little further up the page, I'm an SEer who detects every vulnerability and exploits the target In question by leaving no room for error. As such, each and every guide on this blog Is written with precision and accuracy, which essentially gives my readers the tools and know-how to successfully SE from one entity to the next with minimal complications- and this tutorial Is certainly no exception.        


Comments