Protect Your Payment System

Preventing The Company From Withdrawing Funds.

There's a lot going on In the complex and profound mind of the social engineer. Things like extensively researching their target to get as much Information as possible about how they operate, as well as selecting a method that's well-suited to the Item they're planning to SE and then carefully preparing It In readiness for the attack, all play an Integral role to ensure the SE heads In the right direction and remains that way until the claim Is finalized In their favor. This may sound like It's quite simple, but nothing could be further from the truth. "Research", "method formulation" and "flawlessly executing the attack vector", must work hand In hand to get the job done and If one neglects to support the other, the entire SE will prematurely come to an end.

As an SE'er yourself who's actively Involved In a major SEing community (or two), you'd know that all the above does not relate to "old school social engineering", whereby you grab your victim's full name, date of birth & address over the phone, by pretending to be a customer service rep of their electric company who needs their credentials to verify and perform a routine security update on their account. That type of SEing Is all too easy and "from an advanced perspective", It does not require a great deal of thought and effort to achieve the task at hand. How so? Well, believe It or not, I just came up with that scenario within 45 seconds, and If I was someone with malicious Intent, I could build their Identity In around an hour. I don't need to explain what can happen next.

On the other hand, social engineering online stores to the likes of John Lewis and Amazon (which Is what this article pertains to), Is predominantly a very arduous process that can take many months of dealing with Investigations, and pushing representatives to their absolute limit  before the SE finally results In a successful outcome. Sure, some reps/agents who have no brain cells left tend to approve claims on the spot but for the most part, they do follow company protocol when Issuing refunds and replacement Items. As such and In order to circumvent and manipulate every obstacle that comes your way, It's paramount to formulate your method and execute your attack by leaving no room for error. However, there's one very Important element that many SE'ers fail to consider, and that's "protecting their payment system"  by preventing companies from withdrawing their funds.

Of course, this Is based on the fact that you do have the cash to buy your goods,  hence does not apply when using the "serial number method"- which Involves locating a serial that's still under warranty, and claiming a refund for an Item that you don't have to begin with. You can read how It's used In my tutorial here. Okay, back on-topic, one of the best ways to help stop companies from debiting your account, Is to use what's called a "virtual credit card", which Is often abbreviated as "VCC". Do note that this does not relate to each and every purchase you make and although there are a few ways that SE'ers utilize a VCC, I will only cover one method In the topic named "Example Of When A VCC Is Used" a little further down this page. It's also crucial to mask your Identity with your online transactions, so I've also documented a guide on this but firstly, let's see exactly what a virtual credit card entails.      

What Is A Virtual Credit Card?

Before I begin explaining how you, as the social engineer, can use a "virtual credit card" to your advantage, you need to understand what It Is and how It's used for legit purposes- as It will give you a very good Insight when the time comes to perform your SE. I'll try and simplify It as best I can. Unlike your normal plastic credit card that can be used to buy stuff at your local mall by Inserting or swiping It In the machine, a virtual credit card Is quite the opposite- It's not a physical card, but rather "some random number that's generated by the VCC provider", and Is associated to your real credit card. In other words, It's just a temporary 16-digit number that comes with an expiry date and a card verification number (CVV), much the same as what you see on your physical plastic card.  

Generally speaking, here's how It works. When you purchase something on the Internet, the online merchant will only see the "virtual credit card number" and not your real one, therefore the details of your actual real card will not be exposed. There Is no difference In how the transaction Is performed and the best part about It, Is that no one can tell that you're using the VCC. Everything Is done against your "virtual credit card" and In reality, the money Is taken out of your "real credit card", hence the merchant will never know your real credit card number! You can cancel the virtual credit card number anytime you like and get a new one, thus for this very reason, SE'ers use It to cover their tracks and prevent companies from withdrawing their cash. However, there's no point doing that "If your Identity Is out In the open", which brings me to my next point as per the topic below.

How To Anonymize Your Identity:

Having your payment system private and secure Is one thing, but It serves very little to no purpose If you can be Identified In other ways. As you're aware, the objective of using a virtual credit card Is to "not expose your real bank account Information", thereby every penny remains In your account when the VCC number Is cancelled. But what about your full name, email address and cell phone number that's linked to the online account of the company you're social engineering? Just these details alone, can fully Identify who you are, which defeats the purpose of having a virtual credit card. Put simply, to stop your account being billed and prevent your funds being withdrawn via other (legal) means, "every Identifiable detail" must be changed, hence they won't have the slightest Idea of who you are and as a result, your SEing activities will not be linked to you.   

Notice how I've quoted "every Identifiable detail" just above? That's because It's absolutely crucial to "change everything" that can be used to pinpoint who you are, and I'm not talking about only creating a fake name and address- It extends a lot further than that. For example, have you ever had your Amazon account locked due to violating their policies and upon creating another one by using completely different credentials, they've done the same thing- even though every bit of Info was not related to the previous account? I'd say your answer Is "Yes" and If you haven't experienced It, you will as your level of social engineering advances. I can tell you that "Amazon Is exceptionally good at linking multiple accounts", and If you don't pay close attention to detail, every new account will be flagged and closed before you have the chance to hit the Sign In button!

Now It doesn't only pertain to Amazon, there are many other companies who operate In a similar fashion, and It's your job to see to It that your Identity remains within the confines of your local environment. What I'm saying Is, "In order to protect your payment system, you MUST also protect your Identity"- which Involves manufacturing and building a new profile from the ground up, that cannot (and will not) be traced In any way, shape or form. This may sound like a complex task, but If you have the right tools and know-how, It can be done with Incredible ease. To get you started, I've put together my list of recommendations below.

  • Change of full name (family & given name)
  • Change of date of birth (where applicable)
  • Change of full residential address (If need be, use a drop)
  • Change of email address (no need to explain this!)
  • Be sure the email address does not contain personal details
  • Change of phone number (new SIM on a fake account or a Burner service)
  • Navigate via a VPN (NordVPN, IPVanish, ExpressVPN will suffice)
  • Use a different device (one that was NEVER used with previous accounts)
  • Change your MAC address (this free tool does an excellent job)
  • Use a VCC- Virtual Credit Card (there's heaps of providers online)
  • Use a different password (nothing similar to the old account)
  • Navigate via a private search engine (prevent your online behavior being tracked)

Example Of When A VCC Is Used:

As mentioned In the fourth paragraph of this article, there are many ways that social engineers use a virtual credit card, however It's way beyond the scope of this tutorial to document each one. Instead, I'll show you one particular way that a VCC must always be used- which Is when companies offer an "AR" (Advanced Replacement). Do note that some companies, such as "Dell", word It differently namely "Advanced Exchange" but Irrespective of Its title, they both serve the same thing. For the purpose of this guide, I will refer to It as "AR (Advanced Replacement)". So what exactly Is this? I'm glad you've asked! As Its name Implies, an AR Is when a company sends you a replacement Item BEFORE you return the one that was purchased from them that's (apparently) defective.

That Is, they'll send you a replacement "In advance" so when you receive It, you're supposed to return the one that you've claimed Is nonfunctional. Being the SE'er that you are, you'll do nothing of the sort but failing to comply with their request, will result In your bank account being billed for the full cost of the purchased Item. One of many companies that does this, Is "HP" (Hewlett-Packard) and If you think that they'll simply forget about It and not touch your funds, you're under a total misapprehension- they will debit your account If you don't send back the faulty product. To prevent this from happening and In conjunction with anonymizing your Identity, you'd use a virtual credit card by cancelling It the moment you've received the replacement, therefore they cannot withdraw your cash nor track you down on a personal level. To give you an understanding of "how an advanced replacement works" with SEing In general, checkout the next topic.

The SE In Action:

Before I make a start, I'd like to point out that what you're about to read Is not based on any specific company, hence the Information leading to the series of events that take place during the course of the entire scenario, may vary from one SE to the next. Also, for all Intents and purposes, "you are the social engineer"  who's hitting the company so without further delay, let's begin. We'll assume that you're planning to SE a computer monitor from an online store that you're not familiar with. The very first thing you did, was "research how they process claims"- to see whether they do In fact offer "advanced replacements" and after that was established, you've setup everything on your end. This consisted of "hiding your Identity", using a "drop house" and having your payment system protected with a "VCC".

As a result, you're now operating under an alias and you're ready to execute your SE without any chance of being Identified. You've ordered the monitor by paying with your "virtual credit card", had It delivered to a "drop address" (a house not belonging to you) and around an hour later, you called the company and told the representative that It's not working. Evidently, there's nothing wrong with It, so you're only saying It for SEing purposes. Every company has protocols In place for these types of claims, thus the rep/agent has performed a few troubleshooting steps and you've obviously remained adamant that It's still not working. This was enough to satisfy the rep that your monitor Is defective and as such, their policy Is to Issue an "AR"- Advanced Replacement.

This means that they'll dispatch a new monitor and when you receive It, your (seemingly) defective one must be sent back, but naturally you have no Intention of returning It. The way advanced replacements generally work, Is that "the company will put a hold on your credit card and If you don't send them your broken Item, they will charge the card for the cost of the replacement/ purchased Item". It's at this point when you put your "virtual credit card" to good use, by cancelling It right after your new monitor was delivered. Given the VCC Is a disposable card and has been cancelled, the company cannot withdraw funds from the bank account that It's associated with. Moreover, your ID Is fake and you've also used a drop house to accept the delivery, so all the above events cannot be personally linked to you. Ultimately, you have two computer monitors for the price of one.

In Conclusion:

A virtual credit card Is a little more complex than what's stated In the above topics and Its usage does differ between certain providers, but I cannot possibly cover the terms and conditions of each and every one. As you've gathered, I've given accurate examples based on how a VCC operates In a non-specific fashion, so apply what you've learned from this article according to the nature and environment of your SE. In closing, I'd like to reiterate the Importance of "researching your target"  to establish that they do offer "advanced replacements", and any other vulnerabilities that you can use to your advantage. All In all, you now have the knowledge of what It takes to anonymize your online activity, as well as protect your personal Identity and the same with every transaction.