Social Engineering Methods For Every Beginner.
Social engineering Is a very broad term that covers an extensive range of attack vectors and when It's effectively applied according to the behavior and environment of the target In question, the SEers Intention Is almost guaranteed to succeed. Be It SEing a Fortune 500 company for the 4 digit PIN code to the building's main entry, or manipulating someone over the phone by pretending to be a customer service rep of the credit card provider who's updating their account details and requires their full name & date of birth for verification purposes, the task can easily be achieved by using a calculated and methodical approach. If you've been social engineering In that capacity for many years to date, you'd know exactly what's Involved to get the job done and as such, you'd class yourself as and "advanced social engineer" whose been there, done that, correct? Not necessarily!
In fact, and on the grounds that you've "only SEd In that capacity", I can confidently say that "you're a beginner In today's standards of social engineering!". How so? Well, I've already used a few common abbreviations that you'd be clueless as to what they denote- namely "SEers", "SEing" and "SEd". Moreover, I'd say It's very safe to assume that you haven't come across "company manipulation and exploitation", yes? I thought as much. And don't bother doing a Google search- apart from this blog and unless someone has copied my work, you won't find anything online "under that title". What I'm referring to Is the "new breed of human hacking", whereby online stores to the likes of Logitech, Zalando, Argos and the biggest eCommerce company being Amazon, are deceived Into Issuing refunds Into the social engineer's account, or dispatching replacement Items free of charge.
After reading all the above, you're now labelled a novice SE'er who's got a lot to learn pertaining to SEing the aforementioned entities so prior to moving any further with this tutorial, I suggest you familiarize yourself by reading my Beginners Guide To SE'ing and perhaps a few other posts that you're comfortable with. When you're done, you can continue where you left off here. On the other hand, "If you've just started your career In the art of human hacking by manipulating representatives for refunds and replacements" and you're not sure how to prepare your method and also Indecisive of the types of Items to use, then you've come to the right place. The aim of this article, Is to Introduce you to methods that're suited to beginners and even If you've never used one before, you will learn how to apply It with Incredible ease.
There are quite a number of traditional methods to choose from such as the "DNA" (Did Not Arrive), the "wrong Item received", "boxing method", "double-dip", "triple-dip" and many others. However, they not only require an exceptional set of skills to formulate correctly, but they're also susceptible to triggering all sorts of questions and concerns from the company you happen to be SEing at the time. For that reason alone, they will not be discussed but what I will do, Is educate you with a few methods that barely need your attention after your attack has been executed. In other words, all that will be required on your part, Is to prepare your method according to my recommendations and SE your target thereafter.
Because of the nature of the methods you'll be utilizing, the company will not hassle you with their ridiculous demands, but rather (where applicable) will carry out their own Internal Investigations and let you know how your claim Is progressing. That's precisely the point of this guide- "to get you started with methods that can be easily prepared, and do not warrant any further action on your end". Before I rip Into all that, It's Important that you have a clear understanding of what a method Is and how It's used, so without further delay, let's check It out now.
What Are Social Engineering Methods?
When you've selected the company you'd like to SE and researched their terms & conditions, the next step Is to create a "strategy" on how you're going to execute your attack and manipulate their representatives afterwards. That Is, you need a "plan" that will be used to guide your SE from beginning to end. The "plan" Is the "method" and without It, your SE cannot (and will not) make a start. Allow me to provide an example that you can relate to. Let's say you've purchased an entertainment unit from IKEA, that comes with shelves, draws etc In Its collapsed form. In order to put It together and complete your project, you'd need the "assembly Instructions" and If they happen to be missing, you cannot get the job done. The very same principle applies to SEing- In this case, the "assembly Instructions" Is the "method", which Is used to support your attack vector and get what you're aiming to achieve- a refund or replacement Item. Makes sense? Good.
Now It's not as easy as opting for the first method that comes to mind. Apart from the DNA and wrong Item received that can be used with just about any Item of reasonable size and weight, every other traditional method must be based against the nature of the Item. For Instance, given packages are weighed when dispatched by the company and also at the carrier's depot, If you're going to use the "missing Item method" by saying that the Timberland Pro Safety Boots you ordered from Amazon (that weigh around 1.4Kg) were missing In the package when delivered by the carrier, then your SE will fail. They're just too heavy for the said method, so when the company Investigates and cross-checks the carrier's records, the weight (1.4kg) would've registered, therefore your boots could not have been missing when you received your package.
Sure, some reps are brain-dead and approve claims with very little to no questions asked, but for the most part, they do follow protocol and It's this that leads your SE In the wrong direction and ultimately causes It to prematurely come to an end. As a beginner SE'er, It's paramount to build your foundation correctly from the moment you start your journey Into exploiting companies- both online and In-store SEing. When your confidence level builds and gradually Increases, you'll find that over time, social engineering will become second nature to the point of formulating each and every method with precision. However, you can't just jump In the deep end by using methods that are totally unbeknownst to you- as It will cause your SE to fail before It had the chance to begin, which brings me to my next point. As a newbie, I recommend to start with the "stale food method", so we'll have a look at that now.
The Stale Food Method:
The reason I always suggest this method for beginners, Is because food Items are extremely simple to SE and as a matter of fact, anyone who puts their mind to It, will most likely succeed on their very first attempt. Do note that this also applies to beverages/drinks and the like. You don't have to be a master social engineer to get either a free replacement meal, or your money back after eating or drinking something and complaining straight after. That's what defines the "stale food method"- pretending that the food or drink you consumed caused you to feel very sick, thus It was stale due to passing Its expiry date or because It wasn't handled and stored In compliance with "health & safety" regulations. Notice how I've used "health & safety" as the operative words? That's because It will be used to solidify your SE on just about every occasion for the following reasons.
Every licensed business operating In the food Industry, must comply with the applicable laws and regulations that Includes (but not limited to) food that's suitable for consumption, handling & storage, cleanliness/proper hygiene, segregation of cooked & raw products and much more. What this means for yourself, the SE'er, Is that when the company receives a complaint relative to a "health concern", they'll have no choice but to Issue a replacement meal/drink or a full refund. In short, simply SE them by saying you became very unwell "straight after eating/drinking their product", and you really can't go wrong. Another thing I'd like to point out, Is a "customer satisfaction guarantee" (or some variant) that's marked on the packaging Itself. Read the label and If you see something like "If this product does not meet your expectations, please contact us on....", then they've basically SE'd themselves! This Is a huge vulnerability that can be exploited with ease.
The Missing Item Method:
Although this particular method may cause the company to open an Investigation (which I've covered In the next paragraph), you will not be asked to provide any Information on your end, hence the reason why It's suited to beginner social engineers. If this Is the very first time you've heard of this method, I'd say you'd have a pretty good Idea of what It entails- just by reading the topic's title. As Its name Implies, It's commonly used by SE'ers to say that the Item they ordered from an online store, was missing when they opened the package after It was delivered by the carrier. For example, we'll assume that you purchased a CPU from a UK electrical retailer named Currys PC World, and "upon opening the box" there was nothing Inside. Alternatively, you can say that "the entire box and Its contents (the CPU) was missing". You'd then call Currys and Inform the rep/agent exactly what had happened.
Of course, you did receive the CPU, but you're stating otherwise for SEing purposes. For the missing Item method to work, It's of the utmost Importance to select an Item that's "extremely light and will not register a weight during shipment". Why Is that, you ask? Well, packages are weighed when dispatched and at the carrier's depot, so If you've tried to SE (for example) a GHD ceramic hair straightener that's around 800 grams by claiming that It was missing, It will be detected at the carrier's weighing facilities, therefore your SE will fail. But this (predominantly) happens only If the company decides to "open an Investigation", whereby they'll contact the carrier who serviced your delivery and check their records, namely the weight of your package. If It matches with the weight of (In this case) your GHD hair straightener, then It could not have possibly been missing! As a rule of thumb, I suggest not exceeding a weight of "120 grams" when using the missing Item method, and that's pushing It to Its limit.
The Partial Method:
This Is very similar to the missing Item method above and operates on the same principle, but Instead of ordering a single Item and saying It was not In the box/package when you opened It, you'd purchase multiple Items and claim that "one or more were missing", hence your order was "partially filled" which Is why this method Is named as such- the "partial method". Even though It's closely related to the missing Item method, Its formulation requires a different approach with the Item(s) that you Intend to claim as missing. Here's what I mean. A lot of SE'ers make the mistake of believing that If they place an order for 5 or more Items, then any one of those can be claimed as missing- "regardless of their weight". That Is, they think that "the extra Items In the package will mask the one (or two Items) they're SEing". Let me tell you that this Is not the case at all.
I'll provide a complete breakdown for you, so pay attention! Let's say you bought 5 Items "with a total weight of 3 Kg". Now we'll assume that you want to SE "one of those Items at 1 Kg", by saying It was missing but you received all the rest. If an Investigation Is opened, your SE will fail for the reasons as follows. When the warehouse packed your order, the combined weight of all Items was obviously "3 Kg". The company then dispatched your package at obviously "3 Kg". The carrier weighed your package at their depot- again at "3 Kg". Given you're claiming that you didn't receive your Item that weighs "1 Kg", how much should the dispatched weight and the one at the carrier's depot be? Correct, "2 Kg". But It wasn't! As per above, your package was "3 Kg", so your Item could NOT have been missing! This Is why It's crucial to choose an Item that's very light- a maximum of 120 grams, thus It will not be detected when weighed.
The Sealed Box Method:
The last method that I'll Introduce you to that (as with all the above) does not require any Involvement on your end AFTER you've executed It, Is called the "sealed box method". This works by purchasing an Item that's "fully enclosed In a cardboard box and factory sealed". You'd then take out Its Item, and replace It with something useless of equal weight that you have lying around the house, seal It perfectly as per Its original state and SE the company by saying that you received the same one as a gift, or had a change of mind and would like a refund. The representative will ask you to return It, and when he receives It, he'll scan It and place It back Into stock and your payment will be credited Into your account thereafter. This Is an extremely effective method with a very high success rate, however It must be applied flawlessly.
You see, the objective Is to not give any reason for the rep/agent to check your return, thereby he will put your box back on the shelving/racking In their warehouse thinking that the box & goods have not been touched. Realistically from your social engineering standpoint, you've kept your purchased Item and put something else Inside. But for this to work, you need to be methodical, by "not showing any signs of tampering whatsoever when sealing the box with your useless Item Inside"- because If the rep notices Inconsistencies with the way you've repacked It, he'll most likely thoroughly check It when returned, and I don't need to explain what happens next. Put simply- "be sure that the way you've repacked the box, Is an exact match of the way you received It at the time of purchase". The sealed box method Is not weight-specific, meaning you can use It with any product of reasonable weight, but make sure your useless Item weighs the same as the original Item.
The purpose of this article, Is to provide beginner SE'ers with methods that don't require any action on their end when the SE Is In progress. In other words, when the rep/agent Is handing your claim, that's where all discussions remain, hence you're not asked to give additional Information to move forward with It. Sure, the rep may request a few bits & pieces such as a "POP" (Proof Of Purchase) or the order number, but you won't be needed further than that. When your skill set advances, you can then start using other methods accordingly.