Learn From Your Mistakes

 



How To Learn From Your Social Engineering Mistakes.  

When you look at the big picture of social engineering, be It gaining unauthorized access to a Fortune 500 company to grab confidential documents or hitting a major online store with the Intention to refund a 75 Inch UHD Smart LED TV costing over 2,000$, for the most part, you'd focus on the glorification of reaping the rewards. After all, why pay for the top-of-the-range TV and the same with the latest IPhone, when you can manipulate the representative to credit your account for the full cost of the purchase price? If you haven't worked It out already, what I'm referring to Is the "new breed of human hacking", which Is known as "company manipulation and exploitation", whereby SE'ers use very calculated and strategic methodologies to obtain refunds and replacement Items from just about any company they decide to target. 

It doesn't matter If It's the largest eCommerce company, namely Amazon, or the local electrical retailer with only a handful of employees, social engineers have a one-track mind, and that Is to achieve their objective without failure. And If It requires an entire month to get what they're after, they will do just that, by Isolating themselves from all distractions to ultimately fulfill their goal- a successful outcome with the task at hand. This mostly pertains to advanced social engineers who've been In the scene for years, and know the Ins and outs of every method and how to apply It to their attack vector and leave nothing to chance. However, SEing Is not all sunshine and rainbows- It does have Its fair share of complexities and as an SE'er yourself, you'd be well aware of the difficulties that come your way and as a result, you WILL make mistakes, some of which will cause a premature end to your SE.

For example, have you ever used the "missing Item method" and did not take the weight Into consideration, only to find that an Investigation was opened confirming the Item was enclosed, hence your claim was declined? Or perhaps you attempted the "sealed box method"  by returning the (seemingly) unopened box for a replacement, and the rep Immediately noticed Inconsistencies, thereby the outcome did not work In your favor? I'd say It's very safe to assume that your answer Is "Yes" to at least one of those Incidents. What did you do after that? Immediately dismiss your SE and try another one, or "analyzed precisely what went wrong by considering all factors that had a negative Impact on your method and attack?". If you didn't do the latter, then that's the biggest mistake you've made- you will never know how & why your SE failed, which will affect every subsequent SE of the same nature!  

Human error Is Inevitable and regardless of your level of expertise and how well you've applied your SE, you will make mistakes- and will continue to do so every so often. As such, It's of the utmost Importance to Identify exactly where you went wrong and correct It thereafter. Many SE'ers don't bother with this, and then they wonder why their SEs come to an end way before It had the chance to develop. That's what prompted me to write this article- namely to demonstrate "how to learn from your mistakes by taking the positive out of the negative from a failed SE ". To do this, I will use three methods (boxing, wrong Item received & partial) by showing you how they're used and why they commonly fail, and the measures that must be taken to ensure the same thing doesn't happen again. This will not only help you formulate your methods without the negatives, but will also significantly Increase the likelihood of your SE running smoothly from start to finish. Let's begin with the boxing method.

The Boxing Method:

If you're a beginner SE'er and have only just got Into the scene, I'd say that you haven't come across this method before, so allow me to briefly elaborate on what It Involves. Also referred to as "boxing" or simply "box", this Is used when you purchase an Item (such AirPods) and then claim that It's not working by contacting the rep/agent. He will then go through a few routine troubleshooting steps, and you'll obviously say that It's still not functional. When the rep Is satisfied that the Item Is (seemingly) defective, he will ask you to return It and when received, a refund or replacement will be generated. Of course, you have no Intention of sending It back, and that's when the boxing method comes Into action. You'll send only the box with nothing Inside, but you must use a methodical approach In how you prepare and send It back.

The purpose of this method, Is to make the box appear as though It was tampered with during shipment (meaning someone stole the Item before the company received your package) by cutting It and sealing It with different colored tape. As a result, the company will see that It's been altered from Its original condition and believe that someone did In fact steal the Item, and your claim will be approved thereafter. Now there's a couple of things to consider before applying this method. Firstly, If the Item Is light enough to not register a weight on consignment (as with the "AirPods"),  you send the box on Its own. By contrast, If the Item Is rather heavy, you'd need to substitute the weight with "dry Ice". So you've following this procedure but for no apparent reason, your claim was declined. Well, there Is always a reason why SEs fail, so we'll have a look at that now. 

Why the boxing method failed and how to learn from your mistakes

The Failed SE: The box and the package, "did not show significant signs of tampering" so when the company received It, It Instantly raised suspicion. As such, It was deemed that the sender (yourself) was responsible for not sending the Item back. 

On the other hand, let's say all the above was applied correctly and you used dry Ice to substitute the weight of the Item. The company opened an Investigation with the carrier, and cross-checked the weight that was recorded at their depot. The report concluded that there was a huge variance, namely the package being a lot lighter than what It should've been. Therefore, the Item was not enclosed and you were at fault for not returning It. 

Lessons learned: In terms of the first one, It's pretty much self-explanatory. You've made the mistake by only making a small cut on the package/box  that was not enough to justify that the Item was taken. That's the negative side of things, so take the positive out of It by "tearing It a little bit bigger than the size of the Item", which will warrant that It could well and truly be stolen In transit. 

With the second one pertaining to "dry Ice", you've made the mistake by not putting enough In the package, thereby It sublimated (turned to "gas") before It arrived at the carrier's depot. That's why the package was a lot lighter than It should have been when It was weighed- there was nothing In It! That's the negative side of things, so take the positive out of It, and be sure to "calculate the amount of time It takes for dry Ice to sublimate against Its weight". The same mistake will not happen with subsequent SEs.

The Wrong Item Received Method:

Before I Introduce this and on the grounds that you've never used It, I'll quickly define It for you. It's simply used to say that the Item you received In the package as delivered by the carrier, was completely different to the one you originally purchased. Naturally, the correct one was dispatched, but you're stating otherwise for SEing purposes. For example, you've ordered a "17 Inch gaming laptop", however a pack of "A3 copy paper" was received as the wrong Item. Believe It or not, this Is a good combination, particularly that both Items are compatible In size and weight, which Is Ideal when using the wrong Item received method. You'll see why It's Important shortly. Okay, regarding the SE, you've bought the Item that you're planning to social engineer and given the company will ask you to return the wrong Item, you already have It at your disposal

Upon accepting your delivery from the carrier, you've got In touch with the company's representative and told him that there was something else In the box/package when you opening It. He apologized for the Inconvenience caused, and was happy to credit your account for the cost of the purchase Item. In order to do that, he requested that the wrong Item be returned and when he receives It, your refund will be processed- which Is standard procedure with most online retailers. Because you have the wrong Item on hand, there's no problem complying with the rep's request, so you've sent It back awaiting your payment to be reimbursed Into your credit card. A few days later, you've checked your email messages and much to your surprise, your claim was declined- for the reason that your wrong Item didn't belong to them. Let's see exactly why your SE did not succeed. 

Why the wrong Item received method failed and how to learn from your mistakes

The Failed SE: When the representative received your return, he scanned your wrong Item and It did not come up on their system. He then checked with the accounts department to see If an Item of that description had been Invoiced, however they had no record of It. This gives every reason to reject your claim.

Lesson Learned: You've made the mistake, by "not purchasing a wrong Item from the same company". If you did, they would've scanned It, "Identified It as a stock Item" (that's part of their Inventory) and as such, the company would have thought that they did In fact send you that Item! So take the positive out of It by "buying your wrong Item from the same company, on a different account and sent to another address". As a result, they cannot link It to your current account, thus they cannot associate It to your transaction. The same mistake will not happen with other SEs related to this method.

The Partial Method:

This method Is quite effective when prepared with a strategic formulation, but If It's not applied as such, the chance of failure Is very high and you'll see what I mean shortly. In terms of the method Itself, It works by purchasing multiple Items and when you receive your package, you get In contact with the rep/agent and say that "one or more Items were missing". That Is, your order was partially filled, hence It's appropriately titled "the partial method". This Is the result of a "warehouse picking & packing error". For this to work, all goods (that you've ordered), must come In the same consignment and delivered by the carrier In one hit. Okay, let's begin with the SE. You've decided to buy 12 Items In total from an online store, and when the driver delivered and handed you the package, you've called the company and said that "6 Items were missing when you opened the box"- namely "2 pairs of trainers" and "4 jackets". 

It's quite common for companies to open an Investigation  when using the partial method, so In this case, they've done exactly that and liaised with the carrier by cross-checking the weight of the entire package (your "12 Items"), with the objective to see whether there's a variance In weight- meaning It should be a lot lighter If "your 6 Items (of the above nature) were missing", however there were no Inconsistencies found. Furthermore, the company's records Indicate that there were no discrepancies with the picking & packing of your order. Based on their findings with both the Investigation and warehouse track record, your request for a refund was declined and no further action was taken by the company. It Is not surprising that the SE did not work In your favor, and here's why as per below.

Why the partial method failed and how to learn from your mistakes

The Failed SE: There are a couple of reasons why It failed. The first Is the nature of the Items you chose to SE- "2 pairs of trainers and 4 sports jackets". Just one of these Items Is too heavy for the partial method, let alone all six!  So when the company opened their Investigation, all six Items would've definitely registered at the carrier's weighing facilities, therefore they were certainly not missing.

The other error you've made, Is claiming that you didn't receive "6 of the 12 Items". I can assure you that It's extremely unlikely (If ever) that a picking error of "6 Items" Is made on the same order with only 12 In total. Unless the storeman Is half-asleep on the job, this will not happen. Even If the weight was fine, I'd say that your SE still would've failed due to this reason alone.   

Lessons Learned: You've made the mistake by not being selective with the type of Items you SEd, namely their "weights". As with the missing Item method, to circumvent detection when your package Is weighed, It's paramount to keep all Items under 120 grams  when using the partial method, and this Is actually pushing It to Its limit. Your other mistake was to SE "6 Items". As mentioned, seldom do warehouse personnel mispick that quantity, particularly on the same order. No doubt, you will not make the same mistakes when hitting other SEs

In Conclusion:

What you've learned In this article, Is the Importance of analyzing every failed SE to pinpoint where you went wrong, how to effectively correct It and to not make the same or similar mistakes with future SEs. As you're well and truly aware, there are a lot more traditional methods such as the sealed box, missing Item, serial number method and the list goes on, however Its way beyond the scope of this post to cater for the lot. What I'd like you to do, Is to always take the positive out of the negative with all SEs that did not go according to plan. As a result, you'll learn from your mistakes and know precisely what should be done the next time around.


Comments


Popular Social Engineering Posts