Using A Drop House


Using A Drop House To Receive Deliveries.

Whether you've been social engineering for decades or just started your career in the art of human hacking, you'd be well aware of the risks involved when exploiting entities of all shapes and sizes, and as a result, the need to protect everything related to your identity and environment is paramount. Many SE'ers focus on the obvious, such as navigating behind a VPN when SEing online stores, or creating fake accounts and doing the same with payment systems, thereby not revealing their full name and transaction gateway. However, some put very little thought into anonymizing their residential address. It may seem like a difficult task to create a fake delivery point to accept packages from a carrier service (after all, the package must reach its destination as nominated by the social engineer), but there's a very effective method named a "Drop House", also known as a "Drop Address" or simply a "Drop". You'll see what this means shortly.

If you haven't already guessed, the type of SEing that I'm referring to is exploiting companies such as Amazon and ASOS for refunds and replacement items, both of which use a carrier service to ship orders to their customers' place of residence. From a social engineering standpoint, there are times when it's imperative to accept goods at another location. A common case is when the company offers an "AR" (Advanced Replacement), whereby they'll dispatch the item in advance, BEFORE the defective product is returned to them. Of course, the SE'er has no intention to return it; in fact, the majority of times he doesn't have the defective item to begin with! Companies, however, are not silly: they will bill the social engineer's account (for the full cost of the purchased item) if he fails to send back his item, and that's when a "Drop House" comes into action.

So what exactly is it? In very simple terms, it's a property that's vacated, usually one that's listed for sale or rent/lease, and the SE'er will use that to receive the delivery from the carrier. So in the case of the "Advanced Replacement", he'll gladly take the package from the carrier driver, and given he's used a fake account as well as a fictitious payment method for the transaction (example: a one-time virtual credit card), there's no way that the company can identify him by name, account type or address. As a result, the SE'er has walked away with his item without leaving a digital or physical footprint behind! Evidently, a Drop House is suited to an array of social engineering attack vectors, but I've simply provided the most commonly used in the world of company manipulation and exploitation.