Researching The Carrier



Perform An In Depth Research On The Carrier Service.

In the complex world of social engineering, there's certainly a lot to consider and prepare In order to get the job done right, each and every time. Whether you're looking at grabbing the user credentials from your victim over the phone by pretending to be an agent from their credit card provider, or manipulating your doctor for a medical certificate to get time off work when you're not sick to begin with, they all require a calculated and methodical approach to give the SE a chance of success. The same applies to SEing online stores such as Ultimate Ears, Logitech, Costco and stating the obvious- Amazon. If you're reading this from an advanced SE'ers standpoint, you'd be well and truly aware that It can be (at times) a difficult process, even In the most favorable circumstances.

Things like Investigations opened, police reports requested, affidavits and/or statutory declarations Issued to be signed & returned all have a negative Impact on your claim to some degree and If you're not careful with how you handle and respond to these situations, then your SE Is destined to fail. All It takes Is one wrong move on your part, and the refund that you're expecting for the latest Nvidia GeForce RTX 3080 GPU, will be declined before you had the opportunity to even think about what went wrong! To significantly Increase the likelihood of a successful outcome, It's of the utmost Importance to know everything about your target, prior to formulating your method and executing your attack.

As I've mentioned countless times In my tutorials on this blog (and I will keep doing so Indefinitely until It sinks In!), you cannot perform what I call a "blind SE", whereby you have no Idea of how the entity (that you're SEing) Is structured, nor how they operate from an Internal perspective. In other words, to give your SE the best opportunity to work In your favor from beginning to end, It's Imperative to gather as much Information as possible  and as you've most likely realized, I'm referring to "researching". It's all well and good to research the company In question, but have you given much thought and consideration about the "carrier(s)" they utilize for their deliveries?  This Is of equal, If not greater, Importance than the company Itself.

In my experience In the social engineering community, members who have sound knowledge of the respective carrier's terms, conditions and protocols, are few and far between. The majority seem to either obtain very little detail, or simply neglect the carrier altogether- and then they're at a loss as to why their attack vector went horribly wrong. It's this that prompted me to write this article. I will outline every point of relevance, Inclusive of how & why It can affect the direction of where your SE Is heading, and also provide preventative measures to ensure smooth sailing right from the get-go. As such, you can Incorporate what you've learned Into your very own SE In an Informed manner, thus prepare your method and social engineer your target efficiently & effectively. So without further delay, let's begin.

Identifying The Carrier Used:

Once you've familiarized yourself with the Ins and outs of the company you're planning to SE, the next step Is to Identify the carrier that they use  to deliver the package to your premises. This can significantly help with the "method" that you're looking at using and depending on their protocols, the process can be extremely simple. You'll see precisely what I'm referring to a little further down the page. Evidently not every one uses the same service, and some companies dispatch carriers based on where you're located, which can be a somewhat arduous task trying to pinpoint exactly who will be showing up at your doorstep. So the question Is: "How do you establish the carrier that will be serving your needs?".

There's a few ways you can do this but to avoid congestion, I'll only name a couple, starting with the absolute obvious by performing a Google search. Do note that your search results are only as good as the keywords you enter, so be sure to use common sense and only hit those that're relevant to your query. For Instance, If I want to know the type of carriers that Amazon works with, I've typed "What carriers does Amazon use" In Google's search field and a few links down, this web page was at my disposal. As you can see, there's quite a few listed and It's pretty easy to find the locations that they attend to-  by phone number under contact Information, clicking on the carrier link and checking the domain name (Example: "au" Is for "Australia"), or viewing the site Itself to see who they ship to.

The second option Involves a little bit of social engineering on your end and because It's also done for legit reasons, the possibility of failure Is highly unlikely. In fact, It's so straightforward that you cannot mess It up even If you tried! What you do Is, "contact the representative/agent of the company", and pretend that you're a concerned customer who wants to make sure that the package will be delivered to the correct address, and then ask "which carrier will be handling the shipment". I can assure you that the rep will answer your question without any hesitation, and that's due to the fact that no suspicion Is raised whatsoever. SEing does have an element of simplicity after all! Now that the carrier has been Identified, It's vital to ascertain who's liable for loss of goods during transit, so we'll have a look at that now.

Who's Responsible For Loss Of Goods During Transit?

When using the "DNA" (Did Not Arrive) method, whereby you've actually received your delivery but for SEing purposes you state otherwise, and also the "boxing method", by giving the Impression that your Item was stolen at some point during shipment, It's crucial to know who's responsible for loss of goods prior to opting for the said methods. For example, If you're purely liable for how your Item Is sent & received and It legitimately went missing, then say goodbye to your refund or replacement- you'll be the one who's out of pocket for ex-amount of dollars, rather than the other way around! A lot of SE'ers either disregard this altogether, or solely focus on the company without any thought generated Into the carrier, but believe It or not, both entities are much of a muchness.

Allow me to give you an Insight from a carrier's standpoint, namely "DHL Päckchen International". At the time of writing this article, they've released themselves from liability for damage or loss and Instead, pass the responsibility onto the company/seller. Now If you're using this service and the company that you're social engineering Is also not held responsible, then anything that goes wrong from the consignor to the consignee and vice versa, will be at your own expense. You can clearly see that "researching both the company & carrier's terms" before even thinking about preparing your SE, Is of paramount Importance. That being said, It's not always a straightforward process, thus you need to have an open mind when gathering details.

There are many carriers who do In fact state that they will cover lost packages If they're at fault, but If you haven't read the fine print or overlooked It completely, this "only applies If you've purchased shipping Insurance". That's the catch- without It, they have every right to refuse responsibility. So If you want to use the DNA or boxing method, you must be absolutely sure that funds will not come out of your pocket and the only way to prevent this, Is to go through every possible piece of text In "both the company & carrier's terms and conditions". If your findings are Inconclusive, you can simply choose another method, like the wrong Item received  that Is not dependent on lost shipments.

Does The Driver Accept Signatures?

Although It's part of just about every carrier's policy to request a signature when they deliver your order to your premises, I've personally experienced countless drivers who either drop off packages at the doorstep or sign their hand-held device themselves. And all this Is predominantly due to having deadlines to meet with their scheduled daily run, hence they do not have time to wait around- even If It's only for 10 seconds or so. If you haven't figured It out already, this relates to the "DNA method" and If you're not asked to put pen to paper, then your SE Is 50% complete. How so you ask? Well, just because a package Is marked as "delivered", by no means does It conclude that "you personally received It".

In other words, the tracking will show that It was sent to the correct destination (your address) but If you didn't sign for It, then as far as you're concerned, It wasn't handed to you. Sure, you can scribble anything you like to circumvent authentication, but when there's nothing written at the time of delivery, It will significantly help to solidify your claim that the driver failed to ship your goods to your home. Moreover, If he left It somewhere In the front yard, who's to say that a passerby didn't take It whilst you were kicking back watching TV? So If you're planning to use the DNA, the first port of call Is to find out If you'll be required to sign on receipt of your package. Obviously, It won't be listed on their website but rest assured, there's always a way to obtain the Information you're after.

Apart from asking other users (who're registered on Internet forums or on Discord chat), whether they've had some sort of experience with how the carrier operates, the best way to conclusively Identify If the need for a signature Is warranted, Is to perform what I call a "practice run". This Is a "bogus or a trial SE", whereby you place an order for a very cheap Item, preferably one that you need, with the Intention to check If the driver will ask you to sign. If so, then you know what you're up against and can either scribble a random name, or simply select another method. Of course, this Is on the grounds that the same carrier will be used each and every time. If you've done your research, then you'll have no problem In determining this.

Are Photos Taken At The Premises?

Every carrier company, Irrespective If It's servicing your local PC store that has only a handful of employees or one that's on a very large scale such as DHL and FedEx, they all have one thing In common- and that's the procedure they use when delivering packages to and from destinations. As handling requirements Inevitably change due to unforeseen circumstances, so too do their protocols and as such, they must comply with new measures that have been Implemented Into their policy. For example, at the time of this article, a nasty virus named "Corona" Infected the entire globe and because It was contagious by physical contact, the majority of carriers added new guidelines to refuse their drivers to get signatures.

This may sound like It's perfect for the "DNA method" by stating that you didn't personally sign and accept your delivery, but unfortunately for all SE'ers, there's an additional rule that's been put In place to compensate for the lack of signatures, and that Is "photos taken at the premises" of where the package was left. The carrier named "DPD", actually does this by asking you to open your front door, then puts your package In the entryway/doorway and takes a photo as proof of delivery. Their objective Is to confirm that they did their job as required and If you're planning to state otherwise, they'll reference their photos and try to decline your claim. As already mentioned, there's always a way to manipulate a given situation.

So how do you stop the driver from taking photos at your home? Well, you don't, but rather use a very clever and calculated approach to make It seem as though he didn't set foot Into your property, and this Is how you do It. Provided your goods are sent via tracking, you can check Its shipping status to see precisely where It Is at any given time, and around 15-20 minutes before It's due to arrive, "rearrange the entryway In your house"  by putting rugs, chairs, tables and so forth where they're clearly visible. What you've just done, Is "give the appearance that It's not your home" (with random furniture) and when the driver knocks at your door, allow him to go ahead with the photos.

When he leaves, "place everything back as per Its original state" and the very next day, contact the company and tell them that you're still waiting for your package to arrive. Don't do this on the same day- you're not supposed to know when It came! Now even If they visit your house and compare the photos with the current layout of your doorway, they will not match, hence there's no evidence to suggest that your delivery made Its way to Its destination- your property. As a result, they'll have no grounds to dismiss your claim, therefore expect your account to be credited or a replacement Item dispatched.

Does The Driver Personally Investigate?

Let's face It, social engineering doesn't always go according to plan and because of the nature of the SE'ers actions, the consequences can certainly be a cause for concern, particularly when using the DNA method. It's not only Investigations, police reports and affidavits that you need to worry about, but It's also a commonality for "carrier drivers to get Involved" when you say that they failed to hand over your package. Put yourself In their shoes for a minute. If you distinctly remember that you well and truly fulfilled the delivery at a given address and a report was raised claiming otherwise, would you disregard It and be responsible for non-receipt of goods, or defend yourself by taking further action? I think your answer Is obvious.

I've come across a lot of SE'ers who have reported that the same driver repeatedly either called their landline/cell phone, or visited their home by knocking at the door to ask questions pertaining to why they said that the package wasn't received. It's all well and good If you live alone- just don't pick up the phone or answer the door but If It's your parent's house, then It can become a very nasty situation. As such, you'd want to avoid It at all costs but unfortunately, there are no hard and fast rules as to how you can check If the driver personally Investigates. Evidently, you will not find any Information on their website's terms and conditions, which means that you will have to do a little bit of detective work via your own volition.

There's no definitive procedure, thus what I recommend Is to register on a social engineering forum, and simply create a thread by providing the name of the carrier and ask If they've experienced Issues with the driver  as per the aforementioned details. You can also use the board's search function, by entering the relative keywords to see If there's any existing posts that conclude your query. Alternatively, as mentioned a little further up, you can perform a "practice run" but this time base It on "legit reasons", whereby you buy an Item without Intending to SE. Instead, you claim that It wasn't delivered and If the driver happens to show up at your doorstep, tell him that a family member accepted the package without your knowledge, and apologize for any Inconvenience caused. This will give you a clear Indication as to the driver's Involvement, If any.   

Is It The Same Driver For Each Delivery?

One of the biggest mistakes that many SE'ers make, Is to neglect to separate their acts of social engineering from their personal environment, thereby they tend to form some sort of relationship with the carrier driver who delivers their goods on a regular basis. It's bad practice and extremely unwise to do this and If you're part of this equation, Immediately change your SEing habits and start formulating new procedures!  If you haven't figured It out already, yet again, I'm referring to the "DNA" (Did Not Arrive) method, namely when you order a lot of Items quite often from companies who utilize the same carrier service. Because drivers have a scheduled run each and every day and on the grounds that your purchases are consistent, the probability of the same one dropping off your packages, Is almost a certainty.

As a result, It's Inevitable that some type of connection will be formed between yourself and the driver- even If It's only by name, however along with seeing the same face over and over again, "an element of trust" Is also established. This Is when problems begin, when using the DNA method. Due to all this, the driver tends to slack off and If company protocol has It that a signature must be taken, he'll sign It himself and hand over your package. This will be repeated with every delivery, and It's all because you're both acquainted, and also the fact that he has no reason to doubt you. If this has already happened to you, It cannot be reversed and not only will he come knocking at your door when you say the delivery didn't arrive, but there are Instances where he can get fired for (seemingly) not doing his job.

I've been In the SEing scene for over 3 decades and right from the get-go, I'm a firm believer that you should "never target any entity on a personal level", and this Is definitely no exception. Social engineering huge companies that can afford to lose a measly few hundred dollars Is one thing, but to cause someone to lose their job at the expense of your SE, Is just selfish and totally unacceptable. I don't need to elaborate further. To sum It up, If you're on a mutual level with the carrier driver, respect his/her position and "do not claim the DNA method". Period. On the other hand, If you haven't reached this stage yet, take a few preventative measures to ensure that It doesn't develop Into friendship between you both.   

In Conclusion:

Well, this was a very lengthy article that covered the most relevant and Important aspects of researching how carriers operate, and what to expect when they respond to certain situations. Obviously, not every carrier service functions In the exact same manner and It's way beyond the scope of this guide to cater for the lot, so use what you've just read as a general guide by manipulating Its contents according to the nature of your SE. Do note that companies & carriers work closely together, so It pays to checkout the company's terms as well. When you've collected everything you need, you can prepare your method based on your findings. The execution of your SE will follow thereafter. 





