Skip to main content

Featured

SE'ing Encyclopedia

Updated: 08/09/2022:    If you've ever wanted to know every term and method relative to social engineering, Irrespective of your level of experience, then you've come to the right place. This SEing encyclopedia, has everything you need pertaining to common terms and methods that're used In today's world of exploiting the human firewall. All topics Include a brief description, as well as a few examples of how each term Is used In a sentence- which will be of benefit to those new to the SEing sector. To help refine your search, I've added a table of contents, whereby you can pick and choose exactly what you're looking for. 

What To Expect With Tech Items

 



What To Expect When SEing Tech-Based Items

Every social engineer differs to some degree with the types of Items they're Interested In SEing, and depending on whether they're male or female, the needs and wants will Inevitably vary between each gender. Things like beauty products, hair straighteners, air purifiers and coffee machines are a commonality with women, while guys are predominantly Interested In an array of goods to the likes of Apple AirPods, laptop computers, smart watches, SSDs (Solid State Drives), GPU graphics cards and the list goes on. 

In order to obtain such Items totally free of charge, the first thing that must be done Is to obviously Identify stores who distribute them, and then deceive their representatives to either generate a refund for the full cost of the purchased Item, or dispatch a replacement without sending back the original one. It sounds like a simple task In theory, but It's a totally different story when put Into practice. To give the SE the best chance of a favorable outcome, there are certain steps to perform prior to launching the attack.

As a rule of thumb with each and every SE and on the grounds the given retailer has yet to be social engineered, the first port of call Is to "research their operations" to see how they're structured and the measures they have In place when processing claims. After that, "the carriers used to service their deliveries" must be established, namely to determine what sort of verification Is required on receipt of goods - such as an OTP (One-Time Password) or the need to provide a signature

Once the Information gathering session Is complete, "Item & method formulation" Is Implemented, meaning (apart from the DNA, the wrong Item received and the sealed box) selecting a method that's suited to the nature of the Item. The attack vector can then be executed and because the perfect Ingredients were used to prepare It, the SE will get off to a flawless start - for the fact that yourself, as a social engineer, had full control of Its effectiveness while It was In your local environment

However, unless the rep/agent Is brain-dead and approves the claim on the spot, difficulties will be experienced every so often when In the hands of the company, as well as after the SE succeeded (more on this In the last topic). In some cases, It's not the method nor the representative who's responsible for It, but rather the type of product being SEd - specifically and on-topic of this article, "technological Items" - similar to those mentioned In the opening paragraph of this guide.

For example, are you aware that an "IMEI number" can have an Impact on your device to the point of rendering It non-functional? Or perhaps the company uses Its serial number to "remotely Identify that the device Is actively In use?". How about a "Proof Of Destruction" requested by the customer service rep to move forward with your claim? Or "complications when selling an SEd device", whereby the buyer will face usability Issues? I'd say It's safe to assume, that some or all of those events are unbeknownst to you. Rest assured, I've covered each one respectively In the topics below, but before I rip Into It, we'll begin by having a look at what defines a tech Item.         

What Defines A Tech Item?

Even though the title of this topic Is pretty much common sense, self-explanatory and for the most part, does not require any elaboration whatsoever, It's Important to know precisely how tech products are categorized, and what actually Identifies them as part of the technology sector. As a result, you'll be well-prepared for the ramifications (as discussed above) that may take place while your claim Is In motion, Inclusive of the possible consequences when advertising your Item for sale on a given website. 

Having such knowledge, will allow you to make an Informed decision as to whether or not a particular product should be refunded/replaced from the company you're planning to SE - as some retailers are known (for example) to blacklist or track devices after the claim has been finalized. Moreover (and as per the last topic of this page), preventative measures will be applied on your end to minimize the risk of being Identified when looking for a buyer to purchase your goods. Okay, so what exactly defines a tech Item, and how does It differentiate Itself from other products?

Stating the obvious, It pertains to anything that's manufactured to perform some type of functionality. Due to the purpose It's designed to serve, such as authenticating via an online service to the likes of an Apple ID, or hooking onto a carrier to get an IPhone up and running, the majority of devices contain a serial number and/or an IMEI number.  Both Identify ownership of the device, and the serial Is used to verify It when making a warranty claim. Naturally, there's a lot more to It than that, but I cannot cater for every detail. To give you an Insight of the different types of technological Items, I've created a small list below.

  • Apple AirPods 3rd Generation
  • GoPro Hero 9 Action Camera
  • Acer Nitro 5 Gaming Laptop
  • Bose QC35 Series II
  • Kingston Internal SSD
  • Logitech G502 Gaming Mouse
  • NVIDIA RTX 3080 GPU
  • Apple IPhone 13
  • IPad Mini 5
  • Oculus Quest 2 VR Headset

All of the products above, have a dedicated serial number and depending on the nature of the device, It can be remotely tracked - which I've discussed In the topic after the next. Now given the "IPhone 13" and the "IPad Mini 5" are cellular devices that need to be connected to a network to send & receive data, each have an IMEI number that's primarily used to "Identify It". And that's when problems may be experienced when SEing Items with IMEI numbers, hence It's vital to have a good understanding of why It's the case, so let's check It out now.


IMEI Number Blacklisted

Generally speaking, an IMEI ("International Mobile Equipment Identity") number relates to devices that establish a connection to a cellular network Including, but not limited to, mobile phones, tablets (cellular-enabled) and smart watches, but for the purpose of this tutorial, I will focus on cell phones. Because the Information Is added to the IMEI at the time the number Is hard-coded Into the device by the manufacturer, It doesn't Include personal credentials about the user It's registered to, therefore It only contains details about the device - the make, model, specifications etc. 

But from a social engineering standpoint, namely after the phone has been refunded, the IMEI number can be used to "blacklist" the device, which Is why some SE'ers are hesitant to target cell phones. Put simply, when you've successfully refunded a particular phone by (for example) using the boxing method, you're not supposed to have the phone In your possession - someone (apparently) stole It while It was In transit with the boxing method. As a result, Its IMEI 
number "may" (and not "will") be placed In a pool of blacklisted numbers - for the reason that the device Is believed to be stolen.

Essentially, when you try to activate the phone via a given carrier and It already knows It's been stolen, It will be locked (blacklisted) out of their network, thus you cannot use their service. Furthermore, the blacklist updates across all carriers, so If you attempt to utilize another one, your device will be rejected, and the same will happen with every other phone carrier In the country where the blacklist took place. Ultimately, you're left with a phone that cannot make calls, receive text/SMS messages, connect to the Internet (through the carrier) and so on and so forth. 

Now I'm not Implying the phone "will" be blacklisted - If It Is the case each and every time, there wouldn't be a single social engineer SEing an IPhone or an Android device. What I am saying, Is that there's a possibility It "may" be blacklisted and It can occur at any stage after the claim was approved. Under these circumstances, rather than taking It as a loss, you'd need to get rid of the phone (or whatever you've SEd) by "selling It" - as discussed In the final topic prior to concluding this article.         


Items Tracked Remotely

Almost every tech-based Item you plan to SE, be It a computer monitor, keyboard, SSD (Solid State Drive), headphones, gaming console, Smart TV etc, has a "unique serial number" that's generated and put In by the manufacturer, and no two serials are ever alike. Here's what I mean. Let's hypothetically say you've purchased 10 Netgear routers, all of the exact same model and from the very same store. When checking each one, I can guarantee you that all serials will differ from one another, and there Is a perfectly good explanation for It as follows.

If, for example, a particular piece of hardware Is being recalled by the manufacturer due to a defect, customers will be given a list of serial numbers to check If their product Is part of the recall. In terms of social engineering, SE'ers use the serial number method by obtaining a serial off the Internet or otherwise that's still under warranty, and then pretend the product (that the number relates to) Is not working with the Intention to get a replacement. In both scenarios, "the serial number Identifies the device", and Is the reason why each one must be unique.    

Back to SEing, serials are also used by some companies to "track the Item" either during the assessment of the claim, or after It has been finalized - namely when they've realized there's some kind of Inconsistency with the Information the SE'er has provided. For Instance, we'll say you've put the disposed of the faulty Item method Into action, whereby your product (seemingly) caught fire and for health & safety purposes, you threw It In the trash. The representative was deceived Into believing your story, and to process a refund, he asked for a POP (Proof Of Purchase).

On the grounds you don't have the POP, you've Photoshopped It and emailed It as an attachment. However, another rep/agent cross-checked It and noticed It was Invalid and as such, he decided to see whether It matched the device by referring to previous notes - which demonstrated "It was disposed of"In order to confirm It's no longer In use, the rep tried to "remotely connect to It" and much to his surprise, activity was detected - specifically the events "you" performed on the device. 

In other words and put simply, the company had the capacity to "remotely track the device you were using" purely by Its serial number. Sounds pretty creepy, yes? Believe me, I can confidently say that It does happen with certain retailers, one of which Is Oculus, and they can even Identify the game you've played on the VR Headset! So prior to SEing a tech Item of similar nature to the headset, or one that fits In the same category, research It to make sure It cannot be remotely tracked                 


Request For A Proof Of Destruction

Before I make a start, what you're about to read may vary from one company to the next, Inclusive of the way things are processed on their end, so this should be used as a general guide. Okay, a  "POD" Is an abbreviation of "Proof Of Destruction", that's commonly used by companies such as Logitech and SteelSeries, whereby Instead of returning your Item, "they'll ask you to destroy It" In a manner that will render It non-functional, then take either a photo or video of the damaged product an send It via email.

You may also be told to place a handwritten note next to the (damaged) device, and/or show Its serial number -  just to verify It belongs to you, and not something taken from Google Images. Evidently, a POD only applies to tech-based Items that have some type of functionality - as mentioned In the topic named "What Defines A Tech Item". Here's a brief example of how a POD works. You've bought a wireless gaming keyboard and upon receiving It, you called the rep/agent and said It's not working. Of course, there's nothing wrong with It, but you're stating otherwise for SEing purposes.

Rather than sending It back for a warranty replacement, the rep tells you to break a few keys and smash some pieces off the keyboard Itself, then take a photo/video and email the result, and the claim will be approved shortly after. The reason you're told to destroy It, Is to make sure your (seemingly) defective Item Is useless, thus preventing you from falsifying your claim. The company usually opts for a POD, when the cost of the Item Is greater than the cost of freight to send It back. Obviously, you have no Intention of breaking It, so to circumvent the rep's request, the corrupted file or the corrupted video method Is put Into effect. If you're proficient In Photoshop, by all means, use your skill set accordingly.      


Complications When Selling An SEd Device

This article has exceeded Its reading time by a lot more than what I Initially anticipated, so to avoid congestion, I've kept everything down to a minimum. As you are aware, an Item's serial number can Identify the user who purchased the device and If you've successfully refunded something by, for example, using the missing Item method and wish to advertise It for sale, you may experience complications (when sold) further down the track. How so, you ask? Well, In this case, you've said that the product was missing when the carrier driver delivered the package, so "the Item Is supposed to be no-existent".

As such, Its serial number may be deemed Invalid and If the device happens to die and the buyer decides to put In a warranty claim, the manufacturer will reject It - for the fact that It's no longer listed as an Item that's eligible for repair or replacement. Because of that, there's every chance the buyer will contact you demanding an explanation, which can lead to heated arguments and threats that you certainly don't want to eventuate. I'm not saying that this will happen, but rather It "may" happen.

The moral of the story Is, "take precautionary measures with tech Items containing unique details (serial numbers and the like), that might be linked back to you". To do that, It's Imperative to anonymize yourself when "buying" your goods and then "selling" after the claim has been finalized In your favor. It's done by changing every Identifiable detail, which will also provide you with an entirely new Identity. Here's what I recommend to protect yourself from being tracked and Identified when "buying" and "selling".

  • Change of full name (family & given name)
  • Change of date of birth (where applicable)
  • Change of full residential address (If need be, use a drop house)
  • Change of email address (no need to explain this)
  • Make sure the email address does not contain anything personal to you
  • Change of phone number (new SIM on a fake account or a Burner service
  • Navigate via a VPN (NordVPN, IPVanish, ExpressVPN will suffice)
  • Use a different device (one that was NEVER used with previous accounts)
  • Change your device MAC address (this free tool does the job well)
  • Use a VCC - Virtual Credit Card (there's heaps of providers online)
  • Use a GC - Gift Card (an alternative to a virtual credit card)
  • Use a different password (nothing similar to previous accounts)
  • Navigate via a private search engine (prevent your online behavior from being tracked)

Although all the above Is not an exhaustive list (I cannot possibly cater for everyone's needs), It serves Its purpose well to prevent your Identity from being leaked Into the hands of others. Evidently, not everything will apply to the circumstances of your environment, so pick and choose those that are of relevance. Now some SE'ers may see It as an overkill, meaning many Implementations are not required, but all It takes Is one minor detail to be disclosed, and your ID & movements will be Instantly Identified.  


In Conclusion

After reading every topic In this article, you've learned how technological Items are Identified by way of an IMEI and/or serial number, and the role the former (IMEI) plays to render devices pretty much useless when blacklisted, and how certain companies have the power to remotely track the activity on a device solely by Its serial number

You're also well- acquainted with what happens when a "POD" (Proof Of Destruction) Is requested, and the methodologies used to circumvent It. And last but not least, you've attained the knowledge to significantly minimize the risk of being Identified when buying products "with the Intention to sell the SEd Items". All In all and as per the title of this article, you're now fully aware of "what to expect with tech Items".    

Comments