How To Perform Social Engineering Safely.

Just about everything you do in life has some element of risk, such as crossing the road with the possibility of being struck by a car if you don't look in both directions to make sure there's no oncoming traffic, or perhaps being careless with how you're holding a sharp kitchen knife at the dinner table. In those situations, it's pretty much common sense to avoid dangerous incidents and it becomes second nature to take precautionary measures, hence there's very little to no thought involved when performing a certain task. However, the same cannot be said when social engineering entities in any capacity, particularly when you're experiencing quite a number of successful SEs in a row with minimal complications. What I'm referring to is SEing major organizations the likes of Currys PC World, Logitech, John Lewis and so forth.

This is what's known as "the new breed of human hacking", specifically "company manipulation and exploitation" by finding vulnerabilities in both their terms & conditions and also their representatives, with the objective of obtaining refunds and replacement items. After all, who doesn't want a free Series 5 Apple Watch valued at $399, or that nice Alienware M17 gaming laptop retailing at $4,900? Well, for many SE'ers this is where problems begin. Regardless of whether they've been in the scene for several years with an exceptional set of skills, or they've just hit a few SEs in succession without fail, they all have one thing in common: "a lack of awareness over their actions". You see, as an SE'er yourself, it's very easy to lose your perspective and become totally unaware of the seriousness of making thousands of dollars via fraudulent means.

If you do not have "control" of whom you social engineer and allow "greed" to directly take over your train of thought, then your SEing is well and truly on its way to becoming an "obsession", thus the likelihood of legal ramifications is almost a certainty. Believe me, this can take place at any moment, and don't think for a minute that it won't happen to you: it can and it will, if you neglect to take responsibility for your actions by hitting one SE after another without any consideration whatsoever of its consequences. It's this that prompted me to write this article, namely "How to SE in the safest way possible", thereby significantly reducing your exposure to falling victim to litigation and the like. I will provide you with the very best methodologies to help keep your SEing attack vectors in a controlled environment and out of harm's way. To avoid congestion (with the exception of one towards the end), I've limited each topic to one paragraph. So without further delay, let's get this started.

Use An Aged Account:

When social engineering online stores, the account that's used to perform every transaction plays an integral role in helping ensure the process runs as smoothly as possible, particularly when it's matured with a few purchases here and there. For instance, if you've just created your account and started SEing on the very same day, only to find that an investigation was opened due to inconsistencies with the DNA method, then it doesn't look good at all that a fresh account has already experienced issues without a single purchase to its name. On the other hand, if it's a few months old in good standing with no negative payment history and the same incident happened (with the DNA), representatives tend to predominantly focus on the problem at hand, rather than question the status of the account. I recommend waiting at least 4 weeks prior to hitting your first SE.

Keep A Record Of Every SE:

I'm sure you have a pretty good idea of how many pairs of trainers are sitting in your wardrobe, inclusive of your favorite ones and whether you're due to buy a new pair in the very near future. As such, you know precisely what to budget for and which ones you'll be wearing during your training session at the gym on Thursday evening. This is what's called a "home inventory", whereby you know exactly what's going on with your personal belongings. The same principle applies to keeping a record of every SE that you've performed: both successful results and those that have failed, as well as the methods used, the cost of items and the timing between each one. Why is that, you ask? Well, to avoid raising suspicion, it's of the utmost importance to implement changes to some degree, thus making sure that no two consecutive SEs are alike. The moment you complete one, take a note of all the aforementioned details and alter the next SE accordingly.

Do Not Use The Same Method In Succession:

Each and every SE'er has their strengths and weaknesses and, as a result, they have a preferred method that they're most comfortable and confident in using, and no doubt you're certainly part of this equation. However, it's very easy to become complacent and repeatedly use the same one, especially when the outcome has worked in your favor, but this can set off alarm bells among reps who are assessing your claim. Allow me to provide reasoning for why "changing methods" is a crucial part of your social engineering toolkit. Let's say that you want to use the DNA method 5 times in a row. What are the chances that the package was not delivered on each occasion from the same company & carrier? I'll answer this for you: "zero". Moreover, if the representative asks you to explain this, how will you justify it? Clearly, you can see that it's vital to change methods from one SE to the next.

Do Not Always Target The Same Company:

As with having a favorite method that you're proficient in formulating, targeting the same company whose terms & conditions and claim process you're familiar with is very much a commonality. It's not difficult at all to get carried away and become oblivious to the fact that SEing the same company over and over again will not only raise suspicion, but can also cause your account to be permanently locked. Furthermore, the company can issue what's called a "Cease and Desist" letter, which alerts you that you're in breach of their contract/terms and to immediately stop what you're doing there and then. If that is not enough to discourage you, in the worst-case scenario legal proceedings may already be in progress, by which time it's too late to change your course of action. Without question, you get the point: "don't hit the same company too many times". Change your pattern of behavior by throwing in a few others every now and then.

Throw In A Few Low Value Items:

Those who've been in the social engineering sector for years to date are quite familiar with the possible consequences of repeatedly SEing high value items. However, this doesn't exclude them from the ramifications that inevitably lie ahead, due to their selfish desire for wanting to make thousands of dollars in profit. As an SE'er yourself, if your spending volume increases rapidly, whereby it's out of nature with your usual (spending) pattern, or you're solely SEing very expensive items, then it's very likely to attract attention. It's no big deal if your account is locked, you can simply create another one using fake credentials, but what if the police are knocking at your door with a warrant to search your premises? You can run, but you can't hide! The message is clear: mix and match your SEs with a combination of low value items.

Make A Few Legit Purchases:

If you know me in the social engineering community I'm registered with, then you'd be well aware of my saying: "Every company believes that an SE is a legit claim". For the most part, this is what they do in fact believe, and if you treat it as such by manipulating your SE accordingly, then the likelihood of success significantly increases. That being said, SEing is far from perfect and, for one reason or another, reps can detect behavior that's consistent with fraudulent activity, which can ultimately lead to your account being banned or, even worse, the intervention of law enforcement agencies. As per the topic's title, "make a few legit purchases" in between your SEs, but don't go overboard with your spending by grabbing anything that comes to mind. This can work against you, as too many purchases that are out of character with your usual pattern of buying can be deemed suspicious, which is just as bad (if not worse) as SEing. Use common sense by hitting some low value legitimate items and your SE thereafter.

Keep Chargebacks & Disputes/Claims To A Minimum:

As you should have realized by now, not every social engineering attack vector goes according to plan: it will fail at some stage, regardless of your level of experience and how well you've researched your target and prepared your method. Nevertheless, there's still a chance to refund the cost of your purchase by filing either a "PayPal Dispute/Claim" or a "Chargeback" via your credit card provider. Both are equally effective to recover funds and should always be used as a backup when all else fails, but SE'ers tend to abuse the service by making too many claims and/or chargebacks in close timing and when it's not needed. As a result, your PayPal account can get limited and your credit card may be frozen or terminated, hence you will not be able to process transactions on either payment system. It's pretty simple to prevent this: keep it down to a bare minimum, and only perform claims/chargebacks when it's worthy of the item's value, such as those retailing for close to, or over, a thousand dollars or so.

Identify The Warning Signs:

On the grounds that you've been social engineering quite a number of times with each and every SE working in your favor, it's very easy to lose track of where you're at and become totally unaware of the severity of your actions. You may see it as normal behavior, but behind the scenes of the companies you've been SEing, investigations could be in progress, and whilst the majority will notify you in advance, there are instances when they take steps to put an end to everything you're doing without notice. To avoid this, it's of paramount importance to stay alert at all times and "identify the warning signs", way before your SEs get out of hand.

For example, if you've used the DNA method and received a response to the effect of: "We need to look into this further and will get back to you in 3-5 business days", then it's definitely part of an investigation and a sign to stop every other SE there and then. Or perhaps you've received an email stating: "We have noticed multiple returns from your account in the past 12 months. You have also requested refunds or replacements for some items that you returned". Evidently, the intention of this is rather obvious, but it's easily overlooked when you're locked into your own little world of hitting one refund after another, namely when you don't bother to check your emails on a daily basis. The equation is simple: be observant of your surroundings, and pay attention to every detail that comes to hand.

Know When To Take A Break:

Generally speaking, companies review accounts based on their overall activity and, if they've established that a high amount of refunds or replacements have taken place, they can shoot off an email similar to the one just above or, in the worst possible outcome, the Feds will be reading out your rights after they've busted down your door at 5:30 am. The ramifications of SEing when precautionary measures are not put into practice can be very serious to say the least, and if you're the type of SE'er who thinks along the lines of "It will never happen to me", then you're living in denial. It can and it will, if you don't keep a vigilant eye on your SEs and, most importantly, know when it's time to take a break! Given you're well aware of the warning signs, there's no point elaborating on this any further.

In Conclusion:

Although there's a lot more involved pertaining to social engineering in a safe manner, this article has already exceeded its reading time and, furthermore, it's way beyond the scope of this guide to cater for every situation and its respective environment. What I have done is outline the entities that are most likely to have an impact on your SEing as a whole, irrespective of the company and item(s) in question. Be sure to not only take everything under advisement, but to also apply it according to the nature of your SE, by covering all angles and leaving nothing to chance. Obviously not every topic will relate to you, thus be selective about what will be of benefit, and feel free to manipulate its contents as required.
