Universal SE'ing Methods



Using The Universal Social Engineering Methods.

As with compromising systems and circumventing the security of entities via technical gateways, the good thing about social engineering, Is the array of attack vectors at your disposal. It doesn't matter If you're Intending to SE the password from the clerical assistant working In the next building at your office, or a company on a huge scale to refund a 24 Inch full HD monitor- they all have one thing In common, and that Is the "method used to execute the attack". Without It, the probability of a successful result Is zero, regardless of how well you've researched your target and the amount of effort you try to make your execution work. 

Refunders and the like who've been In the SEing scene for many years know exactly what I'm talking about, but some beginners have probably never heard of "social engineering methods", let alone what they entail. So In SEing parlance, what Is a "method" and how does It work? Well, I'm glad you've asked! Let's check It out now.

Social Engineering Methods Defined:

I'd say It's safe to assume, that you've used some sort of systematic approach when helping your child with his homework, or putting together the brand new TV entertainment unit that was purchased from Ikea. Without any forethought whatsoever, the end result would not be possible, yes? Well, the very same analogy applies to social engineering methods. Every method Is the backbone of the SE, that must not only be suited to the task at hand, but also formulated effectively to ensure a successful outcome. That Is, you cannot say that you're going to social engineer someone without having a plan already prepared. The "plan" Is the "method!".

For example, let's say you want to SE a CPU from an online retailer and you've already received the delivery. You've come up with an Idea that you'll send It back for a refund, but Instead of sending the box with the original CPU Inside, you're going to put something else In It. The objective Is for the company to receive your return, put It back In their Inventory, and credit your account thereafter. "Have you thought of the Item that you'll be substituting In the box? Or the fact that Its weight must match the CPU? And how  you're going to seal the box so It looks like It hasn't been opened?".

All the above Is the actual "method" that's known (In this case) as the "Sealed Box Method", whereby the company receives your return and assumes that It hasn't been tampered with. As such, there's no reason to physically open It and your refund Is processed, no questions asked. However, If you do not apply the method perfectly by covering all angles and making sure that every detail Is correct, then your SE will fail. The latter, namely the perfection and detail side of things, Is how methods are structured with each and every SE- Irrespective of the company & Item used.

Those who know me In the social engineering community, will be aware of my good old saying of: "The method Is always based against the nature of the Item". Without a shadow of a doubt, this Is an Integral part of the SE, and Its preparation Is of paramount Importance to the execution of the attack. However, there are a couple of "Universal Methods" that I'd like to Introduce, so without further delay, let's have a look at these In detail.

Universal Social Engineering Methods:

Before I make a start on the Universal Methods, allow me to solidify your understanding on methods per se. The traditional SEing methods, such as the missing Item (also known as empty box or partial), and the boxing  or the similar Item, all must be suited to the weight and (where applicable) the dimensions of the Item In question. In other words, you cannot use these on anything that comes to mind. For Instance, can you Imagine claiming that the laptop you've ordered weighing 2.4 Kg, was not In the box by using the missing Item method?  Obviously It will register a weight on consignment, so the SE will fail before It had the chance to begin!

This Is when the "Universal Methods" come Into action. There are two In total  and due to how they're structured, they can be used on just about any company who utilizes a carrier service, as well as almost any Item of your choice. Such methods are the "DNA" (Did Not Arrive)" and the "Wrong Item Received". What deems these as Universal Methods, Is the fact that every online retailer uses a carrier to deliver orders ("DNA"), and every company obviously has goods to sell ("wrong Item received"), hence they're not tied to any type of specifics. I'll explain how and why each Universal Method Is considered as such, beginning with the DNA. Don't worry, this will be brief!

The Universal DNA Method:

As you're aware, the "DNA" Is used to say that the package that you've ordered, "Did Not Arrive". So why Is this classed as a "Universal Method?"  Well,  given that online companies such as Amazon, ASOS, Argos, Logitech, SteelSeries etc, deliver each and every package with a particular carrier, simply saying that you didn't receive It, will work- no matter what order you've placed. Whether It's a desktop computer that's quite heavy and large, or a cell phone that's somewhat light and compact, the fact Is that It "Did Not Arrive", regardless of Its nature. 

Unless you're placing an order for a house (so to speak!), what makes the DNA Universal, Is that weights & dimensions don't count- It has no Impact whatsoever when claiming that the package was not delivered to your premises. Ultimately, It all comes down to (as It seems) the carrier driver failing to do his job, someone else signed & accepted It, or the package was (seemingly) stolen from your front doorstep. There's one more Universal Method that's equally effective, which brings me to my next point. 

The Universal Wrong Item Received Method:

Even If you've never heard of this method, you can easily Identify what It's all about, just by reading Its name. Put simply, you claim that the Item you've received, Is completely different to the one you ordered, thus "wrong Item received". As opposed to the DNA, this requires careful and strategic planning but the effect and result, Is no different. Here's how It works. To avoid confusion, I'll break It down In point form as follows.

* You order the Item you want  from an online company.
* You then use a "different account" to order a "different Item"- again from the same company. (The "different Item" Is the "wrong Item").
* The "different Item" must be extremely cheap (so you don't lose much) and of the same weight.
* When you receive your package, you claim that "the wrong Item" was sent. 
   (The "wrong Item" Is the "different Item" that you've already purchased above).
* The company will then ask to return the "wrong Item" so they can replace/refund It. 
*  You send back the "different Item" and keep the original one.
* The company will scan the "different Item" and see that It's part of their Inventory.
* A refund or replacement will be Issued thereafter.

So why Is the "wrong Item received" defined as a "Universal Method?"  Evidently, every company stocks goods for their online sales, which means that you can SE any one you like (hence "Universal") with the wrong Item received method. As said, the only requirements are a "stock Item" of "matching weight" that's "significantly cheaper" and ordered on a "different account". It doesn't get much easier than that!

In Conclusion:

You now have a clear understanding on the two types of "Universal Methods", and how they're used In preparation for your attack. There's no right or wrong as to which of the two you decide to use, but rather based on opting for the one you're most comfortable and confident In using. Do remember that It's Imperative to use a calculated approach with the "Universal Wrong Item Received Method", particularly the weight- It must match (or be very close to) the original Item. As for the "Universal DNA Method", go for your life- there are no prerequisites. 





Comments


Popular Social Engineering Posts