heygirl30 (Regular Member, joined Jan 30, 2024)
A brief introduction: You've contacted the supplier, stating that you received the package but that the device is defective. Obviously, it isn't, but that's the reason you're using to social engineer them. After going through a few troubleshooting procedures and informing them that the phone is still not working, they have asked you to return it for a full refund. Instead of sending the phone, you placed dry ice in the package to match the weight of the item. You've also made a small tear in the bottom of the package, just enough to match the size of the phone, and sealed it with different colored tape. The package is then sent, and by the time they receive it, the dry ice has melted, and the tear on the package indicates that the phone was stolen while in transit. As a result, they checked with the carrier and are confident that the phone was stolen after conducting several investigations. You were subsequently issued a full refund.
You now have a brand new cell phone and a refund, which means you didn't pay anything for it.
See how the method was used for social engineering? It tampered with the packaging, thereby manipulating the person on the other end into doing something they were not supposed to do--namely, providing a full refund for the cell phone. You now have the device and your money back, resulting in a free phone!
So, as you are aware, social engineering is all about the method used, regardless of the outcome.
What you're about to read will prepare you for all types of social engineering attacks, both personally and professionally. Before I begin, there are several terms used in social engineering and computing, either as a whole or in abbreviated form, that you should be aware of. I will refer to these terms frequently, so please read the section below.
SOCIAL ENGINEERING TERMS AND METHODS DEFINED:
Note: The majority of what you're about to read is about social engineering companies obtaining refunds and/or replacements for items that the social engineer purchased and received. The goal of this is to make you fully aware of how social engineers operate, the methods they use during their attacks, and, most importantly (from a business standpoint), how to protect your company and its representatives from SEing exploitation.
My goal is to put you in the mind of a social engineer and give you a clear understanding of the methodologies they use to manipulate representatives into doing things they shouldn't be doing in the first place. After reading each topic below, you will understand how to identify a social engineering attack and stop it before it can succeed. Everything is based on true events that social engineers perform on a daily basis, but for security reasons, I've removed all personally identifiable information.
I've also included a few common terms used in the social engineering community. Take the time to read "every" topic, especially from a business perspective. It will significantly assist your entire organization in reducing risks from all aspects of social engineering attack vectors.
SEing is an abbreviated form of "Social Engineering".
This is one of the most widely used terms in the field of social engineering. Every Internet forum and chat gateway that discusses social engineering will frequently use SEing. So make a mental note and keep it handy. You'll need to refer to it frequently.
SEd stands for "Social Engineered".
Similarly to SEing, the majority of social engineers use this. Those who have been SEing for a long time will use this much more frequently than those who have only been around for a few months. A variant of this is SE'd (the addition of an apostrophe), which is equivalent to SEd.
SEs stands for "Social Engineers".
In contrast to both of the preceding, you will rarely come across this in online social engineering communities; however, it is certainly worth familiarizing yourself with its meaning. It is primarily written as is, with the exception of a few instances where an apostrophe in the form of SE is used.
SE'er is defined as "Social Engineerer".
Used to describe the person who social engineers, also known as the social engineerer. It's abbreviated and used as such because "social engineerer" isn't in the English dictionary and doesn't make much sense when used as a whole word. SE'er is the least commonly used term, but as you will see in a few topics below, it places the sentence in the proper context. Keep this in mind because you will come across it frequently.
SE stands for "Social Engineer".
I don't see much point in going into detail about this. Without a doubt, this is "the" most widely used term in the field of human hacking. Even if you've only recently begun reading guides, you've most likely encountered the abbreviation "Social Engineering" in the early stages of your involvement, and you'll undoubtedly encounter it again in many articles and Internet boards/forums.
Warranty Exploitation: "Refund Anything Still Under Warranty"
What you're about to read in this topic applies to nearly every article listed below. Although the term "Warranty Exploitation" is not commonly used in social engineering terminology, it is still used occasionally on Internet forums and chat platforms such as IRC and Discord. Warranty exploitation, as the name implies, is the practice of social engineers taking advantage of items that are still covered by the manufacturer's warranty in order to obtain a refund or replacement. This works in the SE'ers' favor because they are aware that the company must comply with their warranty terms and devise a strategy to exploit it accordingly. If the SE'ers' method is effective, there is little a company can do to deny their claim. So, when you read "Warranty Exploitation," it refers to how social engineers obtain refunds and replacements.
DNA is an acronym for "Did Not Arrive".
DNA is primarily carrier-based and is considered a universal method. When social engineering companies intend to obtain a refund or replacement for an already purchased item, DNA is used to describe a specific method to accomplish this, known as the "Did Not Arrive" method. Simply put, the social engineer will claim that the package he ordered did not arrive at his home. He'll either use a forged signature or claim that the item was stolen if it was left at his door. When the company contacts the carrier and is unable to verify delivery due to one of the aforementioned reasons, they will issue a refund or replace the item.
Wrong Item Received Method: "Incorrect Item Sent".
The "Wrong Item Received" method is a highly effective method used by social engineers when attempting to obtain a refund from a company. The social engineer will claim that the company sent the incorrect item. The company will request that it be returned, so the social engineer will purchase something that the company "stocks" in their inventory, is roughly the same weight and size, and is significantly less expensive. He will send it to the company. When they receive it, they will issue a refund. It's that simple.
Missing Item Method: "No Item in the Box".
To make this method work, the item purchased by the social engineer must be extremely lightweight and barely register a weight on consignment. Let's say the item is a pair of AirPods weighing only 8 grams. After placing the order online and receiving the package, he contacts the company and informs them that he received the box with nothing inside, thus "missing item". Because the AirPods are so light, the company is unable to verify the weight with the carrier. It will not show any records! As a result, the company will provide either a refund or a replacement. This has a very high success rate when done exactly as stated on lightweight items.
Boxing Method: "Sending a Box Without the Item".
Boxing is the process of obtaining a refund or replacement for an item purchased by the social engineer from an online store. In simple terms, he returns the box to the seller without the purchased item. It generally works like this. The social engineer will contact the seller, claiming that the item is defective. The seller will request a return, and the social engineer will send the box empty, minus the item. Packages are now weighed during shipment, so to match the weight of the item, the social engineer will place "Dry Ice" in the box. He will also tear the package to a length appropriate for the item and seal it with different colored tape. This gives the impression that the package has been tampered with in transit. That is, the item was stolen. By the time the seller receives the delivery, the dry ice has sublimated, and only the box is received. The seller contacts the carrier and, after investigating, concludes that the item was stolen. A refund or replacement is then issued to the social engineer.
Double Dip Method: "SE An Item Twice".
This method requires a specific skill set, which is primarily used by advanced social engineers. They SE a company in order to obtain an item "twice" for free. For example, the social engineer will claim that he did not receive the package (when, in reality, he did), and the company will send a replacement. He now has two items, but he only paid for one of them. Next, he will claim that the replacement item is defective and then use the "Boxing Method" to request a refund. Finally, he has SEd two items without paying a dime. This is a more difficult method than the others, but advanced social engineers almost always succeed.
Triple Dip Method: "SE An Item Three Times".
Some argue that this method is too extreme, and to be honest, I completely agree. As with the "Double Dip Method" above, this goes one step further by incorporating another item into the equation, resulting in "three items" for free. Try following this step by step. The social engineer will order an item and claim it was missing from the box. The company will then ship a replacement item. The social engineer now has "two items". He will then claim that the replacement item has not arrived. The company will then ship another replacement item. The social engineer now has "three items". Finally, the social engineer will state that the replacement item is the incorrect item. The company will then issue a refund. Finally, the social engineer has "three items" and a "refund". This is an extremely difficult process that is more prone to failure than any other method.
Drop House: "A House Or Address Not Belonging To The SE'er".
A "Drop Address" is a house that does not belong to the social engineer but is used as a delivery point for packages. There are numerous reasons to use this, the most common being to protect the SE's identity and/or to avoid being billed by the company that is shipping the goods. The social engineer will look for a vacant home, such as one listed for lease or rent. He will then use this as the delivery address when ordering items from an online retailer, and he will either accept the delivery from the carrier or, if the driver leaves it at the premises, pick it up later. Given that the house is in no way associated with the social engineer, there is no identifiable relationship, resulting in a relatively high success rate.
POP - "Proof of Purchase".
The title of this topic is fairly self-explanatory, but because it is almost always written and referred to in its abbreviated form ("POP"), it's critical that you understand exactly what it stands for--"Proof Of Purchase". When a social engineer SEs an item and requests a refund or replacement, before the company issues it, they will request a POP to confirm that the item was purchased from their store. A good social engineer can easily work around this. He has two options: Photoshop the receipt or use a receipt generator tailored to the company that has requested it. Obviously, it cannot be validated by its order number, but it all appears to be the result of an error in the company's administrative department.
AR is an acronym for "Advanced Replacement".
Not many companies include this in their claims management process, but for those that do, it means they will send the item BEFORE the defective product is returned to them, hence the term "Advanced Replacement". This is ideal for the social engineer, especially when delivered to a "Drop House" (as mentioned in a few previous topics). In this case, he doesn't even have to think about how to avoid sending the defective product; the Drop House isn't his, so he's completely safe. So, what happens if it is sent to "his" residential address and the company is waiting for the defective item to be returned? Simple: he will box the company (refer to the "Boxing Method" section above) and keep both items. The term "AR" is often used in the social engineering community.
The acronym "POD" stands for "Proof Of Destruction".
Before sending out a replacement for a defective item, a number of companies request what is known as a "POD" (Proof Of Destruction) on a claim made by the social engineer. The representative will instruct the social engineer to destroy the defective item/device by, for example, breaking the buttons and cutting the cord on the computer mouse or drilling holes in the hard drive. Once that is completed, the representative requests evidence in the form of a photo or video that clearly demonstrates all of this, and only after he receives it and is satisfied with its contents will a replacement be sent. Social engineers get around this by downloading images from Google or eBay and then Photoshopping them (including serial numbers and other information) according to the representative's instructions. The term "POD" is used in this way in almost every article and post about it.
The term "RMA" stands for "Return Merchandise Authorization".
Without going into too much detail, a company issues a "RMA" (Return Merchandise Authorization) to approve a refund or replacement for an item. In general, the customer receives an email with an RMA number (or tracking number) confirming the replacement or refund. The customer then writes the number on the box the item is being shipped in and sends it via a designated carrier. The company will then process the replacement or refund request. Some companies require this, but social engineers work around it by primarily using the "Boxing Method". The RMA process varies from one organization to the next, so this should only be used as a general guide.
C&D stands for "cease and desist".
Even though this is not common in the social engineering sector, it is certainly worth noting, especially given the seriousness of its application. When a social engineer goes too far in obtaining refunds and/or replacements from a company, a "C&D" (Cease and Desist) letter is sent to the social engineer, requesting that he discontinue his SE activity. If the social engineer ignores it and continues his actions, the company that sent the letter may take legal action. As you can see, this is a serious matter, and in almost every case, it ends the SE immediately. It can be a lengthy process to issue a C&D letter. Although it is not required, the company must first consult with an attorney before preparing the paperwork--which can take some time to collect and document all of the details.
SN stands for "serial number".
It is common knowledge among advanced SEs, but when used and written as "SN", it makes little to no sense to novice social engineers. Based on personal experience, I believe it is equally used as "SN" and "Serial Number". Some items, such as a computer keyboard and mouse, have a serial number that is unique to each one, and this number is used to identify the device when customers submit a warranty claim for a refund. Social engineers take advantage of this by obtaining the serial number (for example, from eBay) and then contacting the company as if the item is their own. They will claim that it is defective and request a replacement. Given that the item is still under warranty, the company will send a replacement item. It is a clever strategy to SE an item that the social engineer does not need to begin with.
Tracking Number: "Track Delivery Location".
When a product is purchased from an online retailer and shipped to a delivery address by a carrier, the package is assigned a "Tracking Number". It is usually sent as a confirmation email after the item has been ordered. As the name implies, it allows customers to track and see the location of their package at any time by entering it into the website's tracking option for their respective carrier. This is extremely useful for social engineers who use a "drop house/address" during their SE. It allows them to see exactly where their package is, and once it is close to the drop-off location, the social engineer will go there and accept the delivery. UPS and FedEx are just two of the many carriers that use tracking numbers for their shipments.
Corrupted File: "Send a Damaged Image or Video".
In order to complete the process of assessing a claim for a refund or replacement of an item, some companies ask the customer to provide a picture or video that must include (obviously) the item and other identifiable details, such as its serial number and perhaps a handwritten note. Only when the image or video is sent and fulfills the request will a refund/replacement be issued. Aside from Photoshopping an image, social engineers use online services.
Reshipping: "Ship To A Company & Then To The Address".
When a package is sent by an online store, it is delivered to the reshipping company's warehouse, which then forwards it to the customer's home. The type of personal information we give out when purchasing products on the Internet varies from person to person. Some people don't mind giving out their home address, while others prefer to keep it private.
Receipt Generator: "Fictitious Receipt".
Many social engineers go to great lengths to succeed with whomever they're SEing, and if it means falsifying paperwork to achieve their objective, they'll do just that to the company that's requesting it. Such paperwork is to create a fake receipt using a "Receipt Generator," which comes in the form of either a standalone tool (used on your computer) or through an online website such as this. When an online store is managing a refund claim, sometimes they'll ask for a receipt.
Image Metadata: "Remove Metadata When Editing Images".
It's inevitable that online retailers will dispatch defective items unintentionally, and in such instances the customer will ask for either a refund or replacement. In order to complete the customer's request, some companies require the original "POP" (Proof Of Purchase), and once it's received, the refund/replacement is finalized. A social engineer who doesn't have the POP will create one using Photoshop and send it in the form of an image file, but a proficient SE'er knows precisely what to do "prior" to sending the file. When an image is edited, particularly in Adobe Photoshop, it will show the changes by viewing the metadata (information about the image). The company can easily examine this and determine that the POP is in fact fake. To prevent this, the social engineer will strip the metadata by using an online tool, or save the image in a systematic manner in Photoshop itself by choosing "File > Save for web", and then selecting "JPEG". As an added precautionary measure, he'll change the "Copyright and Contact Info" to "None", thus leaving no indication that the image has been altered.
Investigation: "An Official Inquiry by the Company".
Every online supplier differs to some degree in the way they address and process refund and replacement claims, but a very common approach with the majority of retailers is to open what's called an "Investigation". Here's what I mean. When a customer calls the company and tells them that he did not receive the item/package that he ordered, the company will open an investigation and cross-check with their carrier to see if they did in fact deliver it. The carrier's records will determine the outcome. An investigation is part of their protocol to simply move forward with the claim. Social engineers are well aware of this and use the "DNA" (Did Not Arrive) method, by using a fake signature on receipt and then saying that the package wasn't delivered. The company's investigation can determine that the package was "delivered"; however (because of the fake signature), they cannot say for sure that it was "received" by the social engineer. The investigation is then deemed inconclusive, and the social engineer is issued a refund.
Police Report: "Filing a Report with the Police".
In addition to the above-mentioned topic of a company opening an investigation, they may also ask the customer to obtain a "Police Report" to help with their inquiry. Among other things, the police report is frequently requested when the customer claims that the carrier did not deliver the package to his home. The police report is basically nothing more than a bit of paperwork that states that everything the customer has said is true and correct to the best of his knowledge.
Item Contains Blood Method: "Avoid Sending Item Back".
To avoid returning an item to a company for a refund or replacement, social engineers use a clever trick in which they claim to have cut themselves while opening the package. Businesses of all sizes, whether multi-billion-dollar corporations or small family-owned businesses with a few employees, must follow the applicable laws.
Cross Shipping: "Send Defective Item & Receive New Item".
Cross-Shipping is a process in which a company sends a package containing the replacement item at the same time that the customer sends a package containing the defective item. Companies use a variety of methods to ship customer orders and receive warranty claims, each of which is based on the customer's current situation.
VCC stands for "Virtual Credit Card".
A "VCC" (Virtual Credit Card) is a number that is linked to your actual credit card and can only be used once. Unlike a regular credit card, which is made of plastic, a "VCC" (Virtual Credit Card) can be used for online purchases just like a regular credit card.
Disposed of the Faulty Item: "Avoid Sending the Item Back".
When you buy something online, whether it's a toothbrush, a computer keyboard, or a pair of headphones, it doesn't always arrive in perfect working order. Almost every retailer will ask you to return the faulty item in exchange for a refund or replacement. While this isn't a common practice, social engineers use the "Disposed The Faulty Item" method.
I Received the Item as a Gift: "Avoid Sending POP".
As mentioned in the "POP" (Proof Of Purchase) topic a few articles above this, before a company can issue a refund or replacement for (example) a faulty item, the customer must provide the POP. This is simply to verify that the product was purchased from the company in question. When a social engineer wants to refund an item that he doesn't have to begin with, he'll avoid sending the POP by saying that he "received the item as a gift" and that the gifter didn't see the
Wrong Item In The Box Method: "Send a Different Item".
It is rare for a manufacturer to pack an incorrect item in a box during manufacturing and shipping, but it does happen on rare occasions. For example, if a customer orders something online and receives the correct "box" but with a different "item," the social engineer has a significant advantage because if the manufacturer can make a mistake and pack the wrong item, so can the social engineer.
Similar Item In The Box Method: "Send Almost An Identical Item".
Almost the same as the topic right above this regarding the "Wrong Item In The Box Method": manufacturers/suppliers can make errors when picking and packing products prior to dispatch, particularly when two or more items are very similar in appearance. Sure, they're scanned and identified by their respective serial numbers, but all it takes is a momentary lapse of concentration, and the scanned item is not the one that was packed and shipped. To a social engineer, this is known as the "Similar Item In The Box Method", whereby they receive a delivery of the correct item from an online retailer, but swap it for an "old similar item" they have lying around the house. They'll contact the company, claim that the item is defective and receive a refund or replacement. This is actually the social engineer's preferred method. Why? Well, a company may open the returned box and, rather than scanning its serial number, they'll have a quick look, see that its appearance matches the description on the box and accept it thereafter.
Broken Glass Method: "Item Smashed When Received".
When ordering from an online store, a package can be lost or misplaced, have its contents stolen in transit, or be damaged in some way. The latter (damaged) is what social engineers take advantage of when ordering "particular" items. That's because the SE'er is selective with the nature of the item, namely those that are shipped in bottles such as perfumes and cologne. They're susceptible to breakage, and because of this, there's very little a company can do to deny that it didn't happen from the time it left their warehouse to when it was received by the customer. Social engineers know all about this, and use the "Broken Glass Method" to request a refund on a bottle of (example) cologne that arr
Food SEing Method: "Claiming to Feel Sick After Consumption".
Food (consumable) products are one of the easiest items to SE. You don't have to be a master social engineer to get either a free replacement meal or your money back after eating something and complaining right after. How many times have you ordered takeout and it wasn't to your expectations--not cooked properly or stale with a very unpleasant taste? If you did happen to complain, I bet you would've received another meal for free.
You now have a brand new cell phone and a refund, which means you didn't pay anything for it.
See how the method was used for social engineering? It tampered with the packaging, thereby manipulating the person on the other end into doing something they were not supposed to do--namely, providing a full refund for the cell phone. You now have the device and your money back, resulting in a free phone!
So, as you are aware, social engineering is all about the method used, regardless of the outcome.
What you're about to read will prepare you for all types of social engineering attacks, both personally and professionally. Before I begin, there are several terms used in social engineering and computing, either as a whole or in abbreviated form, that you should be aware of. I will refer to these terms frequently, so please read the section below.
SOCIAL ENGINEERING TERMS AND METHODS DEFINED:
Note: The majority of what you're about to read is about social engineering companies obtaining refunds and/or replacements for items that the social engineer purchased and received. The goal of this is to make you fully aware of how social engineers operate, the methods they use during their attacks, and, most importantly (from a business standpoint), how to protect your company and its representatives from SEing exploitation.
My goal is to put you in the mind of a social engineer and give you a clear understanding of the methodologies they use to manipulate representatives into doing things they shouldn't be doing in the first place. After reading each topic below, you will understand how to identify a social engineering attack and stop it before it can succeed. Everything is based on true events that social engineers perform on a daily basis, but for security reasons, I've removed all personally identifiable information.
I've also included a few common terms used in the social engineering community. Take the time to read "every" topic, especially from a business perspective. It will significantly assist your entire organization in reducing risks from all aspects of social engineering attack vectors.
SEing is an abbreviated form of "Social Engineering".
This is one of the most widely used terms in the field of social engineering. Every Internet forum and chat gateway that discusses social engineering will frequently use SEing. So make a mental note and keep it handy. You'll need to refer to it frequently.
SEd stands for "Social Engineered".
Similarly to SEing, the majority of social engineers use this. Those who have been SEing for a long time will use this much more frequently than those who have only been around for a few months. A variant of this is SE'd (the addition of an apostrophe), which is equivalent to SEd.
SEs stands for "Social Engineers".
In contrast to both of the preceding, you will rarely come across this in online social engineering communities; however, it is certainly worth familiarizing yourself with its meaning. It is primarily written as is, with the exception of a few instances where an apostrophe in the form of SE is used.
SE'er is defined as "Social Engineerer".
Used to describe the person who social engineers, also known as the social engineerer. It's abbreviated and used as such because "social engineerer" isn't in the English dictionary and doesn't make much sense when used as a whole word. SE'er is the least commonly used term, but as you will see in a few topics below, it places the sentence in the proper context. Keep this in mind because you will come across it frequently.
SE stands for "Social Engineer".
I don't see much point in going into detail about this. Without a doubt, this is "the" most widely used term in the field of human hacking. Even if you've only recently begun reading guides, you've most likely encountered the abbreviation "Social Engineering" in the early stages of your involvement, and you'll undoubtedly encounter it again in many articles and Internet boards/forums.
Warranty Exploitation: "Refund Anything Still Under Warranty"
What you're about to read in this topic applies to nearly every article listed below. Although the term "Warranty Exploitation" is not commonly used in social engineering terminology, it is still used occasionally on Internet forums and chat platforms such as IRC and Discord. Warranty exploitation, as the name implies, is the practice of social engineers taking advantage of items that are still covered by the manufacturer's warranty in order to obtain a refund or replacement. This works in the SE'ers' favor because they are aware that the company must comply with their warranty terms and devise a strategy to exploit it accordingly. If the SE'ers' method is effective, there is little a company can do to deny their claim. So, when you read "Warranty Exploitation," it refers to how social engineers obtain refunds and replacements.
DNA is an acronym for "Did Not Arrive".
DNA is primarily carrier-based and is considered a universal method. When social engineering companies intend to obtain a refund or replacement for an already purchased item, DNA is used to describe a specific method to accomplish this, known as the "Did Not Arrive" method. Simply put, the social engineer will claim that the package he ordered did not arrive at his home. He'll either use a forged signature or claim that the item was stolen if it was left at his door. When the company contacts the carrier and is unable to verify delivery due to one of the aforementioned reasons, they will issue a refund or replace the item.
Wrong Item Received Method: "Incorrect Item Sent".
The "Wrong Item Received" method is a highly effective method used by social engineers when attempting to obtain a refund from a company. The social engineer will claim that the company sent the incorrect item. The company will request that it be returned, so the social engineer will purchase something that the company "stocks" in their inventory, is roughly the same weight and size, and is significantly less expensive. He will send it to the company. When they receive it, they will issue a refund. It's that simple.
Missing Item Method: "No Item in the Box".
To make this method work, the item purchased by the social engineer must be extremely lightweight, so that it barely registers on the carrier's scales. Let's say the item is a pair of AirPods weighing only 8 grams. After placing the order online and receiving the package, he contacts the company and informs them that he received the box with nothing inside, thus "Missing Item". Because the AirPods are so light, the company cannot use the carrier's recorded shipment weight to show that the item was in the box; the records reveal nothing useful. As a result, the company will provide either a refund or a replacement. This has a very high success rate when done exactly as stated on lightweight items.
Boxing Method: "Sending a Box Without the Item".
Boxing is the process of obtaining a refund or replacement for an item purchased by the social engineer from an online store. In simple terms, he returns the box to the seller without the purchased item. It generally works like this. The social engineer will contact the seller, claiming that the item is defective. The seller will request a return, and the social engineer will send the box empty, minus the item. Packages are now weighed during shipment, so to match the weight of the item, the social engineer will place "Dry Ice" in the box. He will also tear the package to a length appropriate for the item and seal it with different colored tape. This gives the impression that the package has been tampered with in transit. That is, the item was stolen. By the time the seller receives the delivery, the dry ice has sublimated, and only the box is received. The seller contacts the carrier and, after investigating, concludes that the item was stolen. A refund or replacement is then issued to the social engineer.
Double Dip Method: "SE An Item Twice".
This method requires a specific skill set, which is primarily used by advanced social engineers. They SE a company in order to obtain an item "twice" for free. For example, the social engineer will claim that he did not receive the package (when, in reality, he did), and the company will send a replacement. He now has two items, but he only paid for one of them. Next, he will claim that the replacement item is defective and then use the "Boxing Method" to request a refund. Finally, he has SEd two items without paying a dime. This is a more difficult method than the others, but advanced social engineers almost always succeed.
Triple Dip Method: "SE An Item Three Times".
Some argue that this method is too extreme, and to be honest, I completely agree. As with the "Double Dip Method" above, this goes one step further by incorporating another item into the equation, resulting in "three items" for free. Try following this step by step. The social engineer will order an item and claim it was missing from the box. The company will then ship a replacement item. The social engineer now has "two items". He will then claim that the replacement item has not arrived. The company will then ship another replacement item. The social engineer now has "three items". Lastly, the social engineer will state that the replacement item is the incorrect item, and the company will issue a refund. In the end, the social engineer has "three items" and a "refund". This is an extremely difficult process that is more prone to failure than any other method.
Drop House- "A House Or Address Not Belonging To The SE'er".
A "Drop Address" is a house that does not belong to the social engineer but is used as a delivery point for packages. There are numerous reasons to use this, the most common being to protect the SE's identity and/or to avoid being billed by the company that is shipping the goods. The social engineer will look for a vacant home, such as one listed for lease or rent. He will then use this as the delivery address when ordering items from an online retailer, and he will either accept the delivery from the carrier or, if the driver leaves it at the premises, pick it up later. Given that the house is in no way associated with the social engineer, there is no identifiable relationship, resulting in a relatively high success rate.
POP - "Proof of Purchase".
The title of this topic is fairly self-explanatory, but because it is almost always written and referred to in its abbreviated form ("POP"), it's critical that you understand exactly what it stands for--"Proof Of Purchase". When a social engineer SEs an item and requests a refund or replacement, before the company issues it, they will request a POP to confirm that the item was purchased from their store. A good social engineer can easily work around this. He has two options: Photoshop the receipt or use a receipt generator tailored to the company that has requested it. The order number on a fabricated receipt will not match the company's own records, but the discrepancy is usually written off as an error in the company's administrative department. The obvious countermeasure is to treat the receipt image as a pointer only and look the order number, amount and date up in the order system before approving anything.
AR is an acronym for "Advanced Replacement".
Not many companies include this in their claims management process, but for those that do, it means they will send the item BEFORE the defective product is returned to them, hence the term "Advanced Replacement". This is ideal for the social engineer, especially when delivered to a "Drop House" (as mentioned in a few previous topics). In this case, he doesn't even have to think about how to avoid sending the defective product; the Drop House isn't his, so he's completely safe. So, what happens if it is sent to "his" residential address and the company is waiting for the defective item to be returned? Simple: he will box the company (refer to the "Boxing Method" section above) and keep both items. The term "AR" is often used in the social engineering community.
The acronym "POD" stands for "Proof Of Destruction".
Before sending out a replacement for a defective item, a number of companies request what is known as a "POD" (Proof Of Destruction) on a claim made by the social engineer. The representative will instruct the social engineer to destroy the defective item/device by, for example, breaking the buttons and cutting the cord on the computer mouse or drilling holes in the hard drive. Once that is completed, the representative requests evidence in the form of a photo or video that clearly demonstrates all of this, and only after he receives it and is satisfied with its contents will a replacement be sent. Social engineers get around this by downloading images from Google or eBay and then Photoshopping them (including serial numbers and other information) according to the representative's instructions. The term "POD" is used in this way in almost every article and post about it.
The term "RMA" stands for "Return Merchandise Authorization".
Without going into too much detail, a company issues an "RMA" (Return Merchandise Authorization) to approve a return for a refund or replacement. In general, the customer receives an email with an RMA number, often together with a prepaid shipping label that carries its own tracking number. The customer then writes the RMA number on the box the item is being shipped in and sends it via the designated carrier. The company will then process the replacement or refund request once the return is received. Some companies require this, but social engineers work around it by primarily using the "Boxing Method", since the RMA only proves that a box came back, not what was inside it. The RMA process varies from one organization to the next, so this should only be used as a general guide.
C&D stands for "cease and desist".
Even though this is not common in the social engineering sector, it is certainly worth noting, especially given the seriousness of its application. When a social engineer goes too far in obtaining refunds and/or replacements from a company, a "C&D" (Cease and Desist) letter is sent to the social engineer, requesting that he discontinue his SE activity. If the social engineer ignores it and continues his actions, the company that sent the letter may take legal action. As you can see, this is a serious matter, and in almost every case, it ends the SE immediately. Issuing a C&D letter can be a lengthy process. Although it is not strictly required, the company will usually consult an attorney before preparing the paperwork, and collecting and documenting all of the details of the claims can take some time.
SN stands for "serial number".
It is common knowledge among advanced SEs, but when used and written as "SN", it makes little to no sense to novice social engineers. Based on personal experience, I believe it is equally used as "SN" and "Serial Number". Some items, such as a computer keyboard and mouse, have a serial number that is unique to each one, and this number is used to identify the device when customers submit a warranty claim for a refund. Social engineers take advantage of this by obtaining the serial number (for example, from eBay) and then contacting the company as if the item is their own. They will claim that it is defective and request a replacement. Given that the item is still under warranty, the company will send a replacement item. It is a clever strategy to SE an item that the social engineer does not need to begin with.
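The "Double Dip" and "Triple Dip" methods above, and the serial-number harvesting just described, both leave a trail in the company's own claims records: several claims against one order, or one serial number claimed by more than one customer. The following is an added example of how a claims desk could flag those patterns; it is not code from this post, and the claim rows plus the field names (order_id, customer_id, serial, claim_type) are a constructed sample, not any retailer's real export format.

```python
"""Flag repeat-claim and serial-reuse patterns in a refund/replacement ledger.

Added example for illustration, not code from the forum post. The ledger
rows below are constructed by hand and the field names are an assumed
export format, not a real retailer's schema.
"""
from collections import defaultdict

# Constructed sample ledger: one row per claim, in the order they were filed.
SAMPLE_CLAIMS = [
    # Double dip: "did not arrive" gets a replacement, then the replacement is "defective"
    {"order_id": "A100", "customer_id": "c1", "serial": "SN-111", "claim_type": "DNA"},
    {"order_id": "A100", "customer_id": "c1", "serial": "SN-112", "claim_type": "DEFECTIVE"},
    # Triple dip: missing item, then DNA on the replacement, then wrong item on the next one
    {"order_id": "B200", "customer_id": "c2", "serial": "SN-201", "claim_type": "MISSING_ITEM"},
    {"order_id": "B200", "customer_id": "c2", "serial": "SN-202", "claim_type": "DNA"},
    {"order_id": "B200", "customer_id": "c2", "serial": "SN-203", "claim_type": "WRONG_ITEM"},
    # Ordinary single claim by the genuine purchaser
    {"order_id": "C300", "customer_id": "c3", "serial": "SN-301", "claim_type": "DEFECTIVE"},
    # Serial-number reuse: SN-301 claimed again by a different customer with no order
    {"order_id": None, "customer_id": "c4", "serial": "SN-301", "claim_type": "DEFECTIVE"},
]


def claims_per_order(claims):
    """Group claim types by order id, preserving filing order; orderless claims are skipped."""
    by_order = defaultdict(list)
    for c in claims:
        if c["order_id"] is not None:
            by_order[c["order_id"]].append(c["claim_type"])
    return dict(by_order)


def find_repeat_claims(claims, min_claims=2):
    """Return {order_id: [claim types]} for orders carrying min_claims or more claims.

    Every claim after the first means the customer already received a refund or
    replacement for that order; two or more is the double dip, three or more the
    triple dip, regardless of which methods were combined.
    """
    return {o: t for o, t in claims_per_order(claims).items() if len(t) >= min_claims}


def find_serial_reuse(claims):
    """Return {serial: sorted customer ids} for serials claimed by more than one customer.

    A serial number belongs to one purchaser; a second customer claiming the same
    unit is the signature of a harvested serial and should block an automatic approval.
    """
    owners = defaultdict(set)
    for c in claims:
        if c["serial"]:
            owners[c["serial"]].add(c["customer_id"])
    return {s: sorted(o) for s, o in owners.items() if len(o) > 1}


def find_orphan_serial_claims(claims):
    """Serials claimed without an order id; these must be tied to a purchase before approval."""
    return [c["serial"] for c in claims if c["order_id"] is None]


if __name__ == "__main__":
    print("repeat claims:", find_repeat_claims(SAMPLE_CLAIMS))
    print("triple dips:  ", find_repeat_claims(SAMPLE_CLAIMS, min_claims=3))
    print("serial reuse: ", find_serial_reuse(SAMPLE_CLAIMS))
    print("no order id:  ", find_orphan_serial_claims(SAMPLE_CLAIMS))
```

The point of keying on the order rather than on the claim type is that the dip methods mix techniques (DNA, defective, boxing, wrong item) precisely so that each claim looks routine on its own; the count per order is what exposes them.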
Tracking Number: "Track Delivery Location".
When a product is purchased from an online retailer and shipped to a delivery address by a carrier, the package is assigned a "Tracking Number". It is usually sent as a confirmation email after the item has been ordered. As the name implies, it allows customers to track and see the location of their package at any time by entering it into the website's tracking option for their respective carrier. This is extremely useful for social engineers who use a "drop house/address" during their SE. It allows them to see exactly where their package is, and once it is close to the drop-off location, the social engineer will go there and accept the delivery. UPS and FedEx are just two of the many carriers that use tracking numbers for their shipments.
Corrupted File: "Send a damaged image or video".
In order to complete the process of assessing a claim for a refund or replacement of an item, some companies ask the customer to provide a picture or video that must include (obviously) the item and other identifiable details, such as its serial number and perhaps a handwritten note. Only when the image or video is sent and fulfills the request will a refund/replacement be issued. Aside from Photoshopping an image, social engineers use online services.
Reshipping: "Ship To A Company & Then To The Address".
With reshipping, a package sent by an online store is delivered to a reshipping company's warehouse, which then forwards it to the customer's home. The type of personal information we give out when purchasing products on the Internet varies from person to person. Some people don't mind giving out their home address, while others prefer to keep it private.
Receipt Generator: "Fictitious Receipt".
Many social engineers go to great lengths to succeed with whomever they're SEing, and if it means falsifying paperwork to achieve their objective, they'll do just that to the company that's requesting it. Such paperwork includes a fake receipt created with a "Receipt Generator," which comes in the form of either a standalone tool (used on your computer) or an online website. When an online store is managing a refund claim, sometimes they'll ask for a receipt.
Image Metadata: "Remove Metadata When Editing Images".
It's inevitable that online retailers will dispatch defective items unintentionally, and in such instances the customer will ask for either a refund or replacement. In order to complete the customer's request, some companies require the original "POP" (Proof Of Purchase), and once it's received, the refund/replacement is finalized. A social engineer who doesn't have the POP will create one using Photoshop and send it in the form of an image file, but a proficient SE'er knows precisely what to do "prior" to sending the file. When an image is edited, particularly in Adobe Photoshop, the editing shows up in the metadata (information about the image embedded in the file, such as the Exif and XMP blocks that record the software used). The company can easily examine this and determine that the POP is in fact fake. To prevent this, the social engineer will strip the metadata by using an online tool, or save the image in a systematic manner in Photoshop itself by choosing "File > Save for Web", and then selecting "JPEG". As an added precautionary measure, he'll change the "Copyright and Contact Info" to "None", thus leaving no indication that the image has been altered. From the company's side, the lesson is that metadata is only ever evidence against a receipt, never for it: a file with no editing traces proves nothing, because legitimate files lose their metadata in exactly the same way, so the receipt's order number and amount still need to be checked against the order system.
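As an added example of the metadata check the passage above describes (this is not code from the post, and the two JPEG byte strings are constructed by hand for the demonstration, with no real picture in them), the script below walks the marker segments at the start of a JPEG and reports the Exif, XMP, Photoshop and Adobe segments that editors write, together with any editor name they contain. The editor-name patterns are an assumed, deliberately short list.

```python
"""Inspect the metadata segments of a JPEG for traces of image-editing software.

Added example, not code from the forum post. It walks the JPEG marker
segments that precede the scan data and reports the APP1 (Exif / XMP),
APP13 (Photoshop IRB) and APP14 (Adobe) segments, plus any editor name
found inside them. The sample JPEGs below are constructed and contain
only headers, no image data.
"""
import re
import struct

SOS, EOI = 0xDA, 0xD9
# Assumed, short list of editor names worth surfacing; extend as needed.
EDITOR_PATTERNS = re.compile(rb"Adobe Photoshop[^\x00\"<]*|GIMP[^\x00\"<]*|Pixelmator[^\x00\"<]*")


def jpeg_segments(data):
    """Yield (marker, payload) for every marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (SOS, EOI):  # entropy-coded data or end of image: stop walking
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # length includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def inspect_jpeg(data):
    """Return which editing-related metadata segments are present and any editor names."""
    report = {"exif": False, "xmp": False, "photoshop_irb": False,
              "adobe_app14": False, "editors": []}
    for marker, payload in jpeg_segments(data):
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            report["exif"] = True
        elif marker == 0xE1 and payload.startswith(b"http://ns.adobe.com/xap/1.0/\x00"):
            report["xmp"] = True
        elif marker == 0xED and payload.startswith(b"Photoshop 3.0\x00"):
            report["photoshop_irb"] = True
        elif marker == 0xEE and payload.startswith(b"Adobe"):
            report["adobe_app14"] = True
        else:
            continue
        for match in EDITOR_PATTERNS.findall(payload):
            name = match.decode("latin-1").strip()
            if name not in report["editors"]:
                report["editors"].append(name)
    return report


def _segment(marker, payload):
    """Build one marker segment; the 16-bit length field counts itself."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample 1: a file that has been through Photoshop (XMP CreatorTool + 8BIM block).
_XMP = (b"http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta xmlns:x=\"adobe:ns:meta/\">"
        b"<rdf:Description xmp:CreatorTool=\"Adobe Photoshop 24.0 (Windows)\"/></x:xmpmeta>")
EDITED_JPEG = (b"\xff\xd8" + _segment(0xE1, _XMP)
               + _segment(0xED, b"Photoshop 3.0\x008BIM\x04\x04\x00\x00\x00\x00\x00\x00")
               + b"\xff\xda")

# Constructed sample 2: the same file after "Save for Web", which keeps only a bare JFIF header.
STRIPPED_JPEG = (b"\xff\xd8"
                 + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
                 + b"\xff\xda")

if __name__ == "__main__":
    print("edited:  ", inspect_jpeg(EDITED_JPEG))
    print("stripped:", inspect_jpeg(STRIPPED_JPEG))
```

Both outcomes matter to the claims desk: a report naming an editor is a reason to ask questions, while a report with every flag False is exactly what a stripped forgery and an untouched phone screenshot have in common, so it cannot be used to approve the claim on its own.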
Investigation: "An Official Inquiry by the Company".
Every online supplier differs to some degree in the way they address and process refund and replacement claims, but a very common approach with the majority of retailers is to open what's called an "Investigation". Here's what I mean. When a customer calls the company and tells them that he did not receive the item/package that he ordered, the company will open an investigation and cross-check with their carrier to see if they did in fact deliver it. The carrier's records will determine the outcome. An investigation is part of their protocol to simply move forward with the claim. Social engineers are well aware of this and use the "DNA" (Did Not Arrive) method, signing for the package with a fake signature and then saying that it wasn't delivered. The company's investigation can determine that the package was "delivered"; however (because of the fake signature), they cannot say for sure that it was "received" by the social engineer. The investigation is then deemed inconclusive, and the social engineer is issued a refund.
Police Report- "Filing a Report with the Police".
In addition to the above-mentioned topic of a company opening an investigation, they may also ask the customer to obtain a "Police Report" to help with their inquiry. Among other things, the police report is frequently requested when the customer claims that the carrier did not deliver the package to his home. The police report is basically nothing more than a bit of paperwork that states that everything the customer has said is true and correct to the best of his knowledge. Its value to the company is not the paperwork itself but the cost it attaches to the claim: filing a false report is an offence in most jurisdictions, which is a real deterrent for a customer whose story is untrue.
Item Contains Blood Method: "Avoid Sending Item Back".
To avoid returning an item to a company for a refund or replacement, social engineers use a clever trick in which they claim to have cut themselves while opening the package. Businesses of all sizes, whether multi-billion-dollar corporations or small family-owned businesses with a few employees, must follow the applicable laws.
Cross Shipping: "Send Defective Item & Receive New Item".
Cross-Shipping is a process in which a company sends a package containing the replacement item at the same time that the customer sends a package containing the defective item. Companies use a variety of methods to ship customer orders and receive warranty claims, each of which is based on the customer's current situation.
VCC stands for "Virtual Credit Card".
A "VCC" (Virtual Credit Card) is a card number that is linked to your actual credit card or account and is typically single-use, or limited to one merchant or a set spending amount. Unlike a regular credit card, which is made of plastic, a VCC exists only as a number, but it can be used for online purchases just like a regular card.
Disposed of the Faulty Item- "Avoid Sending the Item Back".
When you buy something online, whether it's a toothbrush, a computer keyboard, or a pair of headphones, it doesn't always arrive in perfect working order. Almost every retailer will ask you to return the faulty item in exchange for a refund or replacement. While this isn't a common practice, social engineers use the "Disposed The Faulty Item" method.
I received the item as a gift - "Avoid Sending POP".
As mentioned in the "POP" (Proof Of Purchase) topic a few articles above this, before a company can issue a refund or replacement for (example) a faulty item, the customer must provide the POP. This is simply to verify that the product was purchased from the company in question. When a social engineer wants to refund an item that he doesn't have to begin with, he'll avoid sending the POP by saying that he "received the item as a gift" and that the gifter didn't see the
Wrong Item In The Box Method: "Send a Different Item".
It is rare for a manufacturer to pack an incorrect item in a box during manufacturing and shipping, but it does happen on rare occasions. For example, if a customer orders something online and receives the correct "box" but with a different "item," the social engineer has a significant advantage because if the manufacturer can make a mistake and pack the wrong item, so can the social engineer.
Similar Item In The Box Method- "Send Almost An Identical Item"
Almost the same as the topic right above this regarding the "Wrong Item In The Box Method", manufacturers/suppliers can make errors when picking and packing products prior to dispatch, particularly when two or more items are very similar in appearance. Sure, they're scanned and identified by their respective serial numbers, but all it takes is a momentary lapse of concentration, and the scanned item is not the one that was packed and shipped. To a social engineer, this is known as the "Similar Item In The Box Method", whereby they receive a delivery of the correct item from an online retailer but swap it for an "old, similar item" they have lying around the house. They'll contact the company, claim that the item is defective and receive a refund or replacement. This is actually the social engineer's preferred method. Why? Well, a company may open the returned box and, rather than scanning its serial number, have a quick look, see that its appearance matches the description on the box, and accept it thereafter. Scanning the returned unit's serial number against the one that was dispatched is the single check that defeats this.
Broken Glass Method: "Item Smashed When Received".
When ordering from an online store, a package can be lost or misplaced, have its contents stolen in transit, or be damaged in some way. The latter (damaged) is what social engineers take advantage of when ordering "particular" items. That's because the SE'er is selective with the nature of the item, namely those that are shipped in bottles, such as perfumes and cologne. They're susceptible to breakage, and because of this, there's very little a company can do to prove that the damage didn't happen somewhere between leaving their warehouse and reaching the customer. Social engineers know all about this, and use the "Broken Glass Method" to request a refund on a bottle of (example) cologne that arr
Food SEing Method: "Claiming to Feel Sick After Consumption".
Food (consumable) products are one of the easiest items to SE. You don't have to be a master social engineer to get either a free replacement meal or your money back after eating something and complaining right after. How many times have you ordered takeout and it wasn't to your expectations--not cooked properly or stale with a very unpleasant taste? If you did happen to complain, I bet you would've received another meal for free.