Ethical Social Engineering


How To Social Engineer In An Ethical Capacity.

When you run a Google search to define the term social engineering, it's mostly referenced as infecting computer systems with malware to compromise confidential information, and/or manipulating people to obtain their personal details, credit card info and other types of data that can be used to build identities from the ground up or perhaps transfer funds into the SE'er's account. Unlike hacking via technical gateways, where the good guys are known as "whitehat hackers" whose job is to test and identify vulnerabilities in organizations and networks and fix them before the bad guys get in, social engineering is seldom used in the same manner. Sure, many organizations have implemented social engineering training as part of their security management to educate their employees about the dangers of human manipulation, thereby helping to identify and stop attacks before they have the chance to begin, but SEing is predominantly used to take advantage of entities in an immoral fashion.

This also applies to another type of SEing, namely "company manipulation and exploitation", which is basically tricking reps/agents into issuing refunds and replacement items by using very calculated and methodical strategies; for the most part, the representatives fall victim and have no idea that they've been deceived. If you're actively involved in one or more popular social engineering forums/boards, or communicate in the same capacity via online chat on the likes of Discord, you'll know precisely what I'm talking about. And if you've been hitting one successful SE after another, it becomes a classic case of "one is never enough, and a thousand is never too many". In other words, "the more you get, the more you want", which can have a serious impact on whom you're SEing, and your actions can well and truly lead them to financial ruin.

If you haven't figured it out yet, I'm referring to "individual sellers", who should not be targeted under any circumstances. I'll elaborate on this shortly. On the other hand, as an intermediate or advanced SE'er yourself, who's consistently been in the scene for many months or years, I'd say it's very safe to assume that you have obtained countless refunds from online stores that operate on quite a large scale, correct? I thought as much. Although your behavior is morally wrong and your account was credited via fraudulent means, believe it or not, it doesn't change the fact that it can be justified (to some degree), but only when "SEing multi-million/billion dollar industries". For example, there were a handful of times when I purchased items and "legitimately claimed" that my package either did not arrive or my order was partially filled, only to find that my refund was declined without reason, hence I was left out of pocket and the company added to its wealth.

Given that this happened to me, I have no doubt that thousands of other SE'ers have experienced similar incidents, possibly most readers viewing this right now. It's not as though the representative was paying the money from his own paycheck, so what was the purpose of disapproving a legit claim for a refund, especially when it was supported with every bit of paperwork requested? I'll answer it for you: "None at all". The company (which had a net worth in the billions) was obligated to look after its customer by reimbursing a measly few hundred dollars, and "on those grounds", in my opinion, every SE'er's actions are justified. However, the same cannot be said when "SEing individual sellers who operate on a personal level", and that's what prompted me to write this article, namely to demonstrate "how to social engineer from an ethical standpoint". I've broken it down into two categories, "Ethical" and "Unethical", so without further delay, let's get this started.

Ethical: Companies On A Large Scale

Many online sources generally define the term "ethical" as (not verbatim) being honest, complying with rules & guidelines and basically doing the right thing in a trustworthy manner, but in the world of social engineering, that's not the case in its entirety. Pertaining to SEing, it's all about "who you should target" and "who you should not target", both of which are considered ethically correct. This topic focuses on the former (who you should target) and, irrespective of your SE, it's the "reasons for your selection" that warrant your actions as ethical. I'll try to simplify this as best I can. In terms of hitting companies on a very large scale such as Argos, Best Buy, Walmart, John Lewis, etc., and of course the largest eCommerce company, Amazon, they're all worth in the billions, so losing revenue here and there would not cause any significant loss. In fact, some claim it as a tax write-off, which reimburses them in full or close to it.

As you can see, there's not much to lose, and that's "one reason for your selection": companies can afford a loss of sale without a major impact on their finances. However, that's only one part of the ethical equation. The main reason is as per my example a few paragraphs above: when legit claims are made by customers and they disapprove them without any explanation. That's totally unacceptable, particularly when everything that was asked of the customer (POPs, ID details etc.) was given in full, yet that wasn't enough in their eyes to approve a claim that had no discrepancies whatsoever. Based on what you've just read, you can clearly see why social engineering companies is fine from an ethical viewpoint. To recap briefly, your ethical reasons for your SE are: "no significant loss of revenue to the company" and "personal loss of funds (to yourself) due to legit claims being declined". So the next time you're SEing huge companies, think of "your reasons behind your actions!". They're certainly justified.

Unethical: Individual Sellers On eBay

Due to the nature of exploiting entities for refunds, especially when it results in favor of the SE'er many times in succession, a lot of SE'ers tend to lose control of their behavior and keep wanting to credit their account without realizing how their target is affected by their actions. As per the title of this topic, what I'm referring to is "individual sellers on eBay", who sell a few items here and there at a fixed price to make a bit of extra cash. Be it putting a few video games up for sale or getting rid of some secondhand goods that are no longer needed, the seller's objective remains the same: to generate a short-term or long-term income for "themselves". Notice how I've used "themselves" as the operative word? That's because everything they (where applicable) buy and sell has a personal effect on them, and the last thing they need is to be scammed by a well-crafted social engineering attack vector.

If you haven't worked it out already, I'll make it perfectly clear for you: "Do not, under any circumstances, SE individual sellers on eBay". Period! Just like you and I, they have mouths to feed and bills to pay, and to social engineer a particular person who's in need of money (for whatever reason it may be) is unethical, immoral and a cruel act of deception. Put yourself in their shoes for a minute, whereby your only source of income relies on the sales you make on eBay on a day-to-day basis. Let's say you've advertised an SSD (Solid State Drive), and a potential buyer responded by asking you for the serial number, just to verify that it's not stolen. He also assured you that when the serial checks out, he'll go ahead with the transaction. You're excited about closing the deal, so you've complied with the request.

However, you later realized that "the buyer was a social engineer" who claimed a refund on your SSD under warranty by using its serial number. This not only resulted in a loss of sale, but also rendered your item useless for future buyers, as the SE'er registered it, took ownership and refunded your SSD by using fake credentials. If you think that this scenario cannot happen in the art of exploiting the human firewall, think again: it's easily done by using the "serial number method" and, when formulated effectively, it has a very high chance of success. Of course, there are a lot of other ways to manipulate sellers, but I've simply provided an example. In this case, the "reason for the selection", by targeting an individual seller, was unethical. Don't allow greed and your thirst for money to override your morals and principles: "leave individual sellers alone!"

Unethical: Sellers On Amazon FBA

With regard to company manipulation and exploitation, without question, Amazon is the preferred choice for most social engineers, namely because of the array of products to choose from and, most importantly, because it's easier to SE than the majority of other retailers. As already mentioned a few paragraphs above, it's all well and good when SEing the company itself, but did you know that "individual sellers use Amazon's service to handle their sales"? This is known as "Amazon FBA" (Fulfilled By Amazon), and here's how it generally works. The seller sends his product(s) to an Amazon fulfillment center, where they're stored in the warehouse waiting to be sold. When someone buys the product, Amazon (basically) takes care of everything: their employees pick, pack and dispatch the goods to the buyer, and also look after the transaction as well as returns and questions & concerns.

Amazon FBA has many advantages, such as dealing with all the bits & pieces involved in the sales process, inclusive of managing and updating the seller's inventory of stock. Furthermore, if goods are lost or damaged in the fulfillment center, or if they happen to go missing in transit when "on their way to the center from the seller", then Amazon is responsible and will cover all costs. This certainly takes the burden off sellers having to handle it themselves; however, it's not all sunshine and rainbows. If the buyer is a social engineer and uses the "similar item method" by returning a like-for-like product, Amazon will refund the buyer and the seller loses the original item! Allow me to elaborate on this as follows.

Let's say you're the seller and an SE'er bought your "GPU" and, for one reason or another, decided to contact Amazon saying that he doesn't want it and would like his account reimbursed for the full purchase price. Upon assessing the claim, the representative was satisfied that it was eligible for a refund, but only after the original item was returned, being "your GPU". Rather than sending that back, the SE'er grabbed an old GPU that was very similar in appearance and of equal weight, returned it, and "Amazon generated the refund" thereafter, with the funds withdrawn from your account some time later. See what just happened? Although Amazon handled both the return and the transaction, "you as the seller" were social engineered and left with a useless old GPU, and your account was debited for all the wrong reasons.

Amazon should've thoroughly checked the return prior to issuing a refund, but they didn't, and as a result "it was yourself (as the seller) whose account ended up in the negative", rather than the other way around. Now, you can open a case with Amazon stating that the item that was returned was not the same item that was sold, but this can be a lengthy and arduous process at the best of times. The message is pretty clear: "Do not SE anyone who uses FBA (Fulfilled by Amazon)". So how do you know which orders are sold by individual sellers? I'm glad you've asked! This may differ slightly depending on where you're located, but it denotes the exact same thing. When you've selected the product you're intending to buy (obviously) on Amazon's website, have a look under "In Stock" to the right of the page, and you'll see something to the effect of "Ships from and sold by Amazon" or "Sold by (seller's name) and Fulfilled by Amazon". What you decide on doing is evident.

Unethical: Sellers On Forums

If you're registered with a well-known and active board, you'd know that members have the opportunity to sell their goods & services by creating a thread in the respective forum. Almost every board has a "Marketplace section" that allows both regular and premium/VIP users to advertise their stuff, but if it doesn't, there's always an alternative section, commonly "The Lounge" or a similar variant. However, unlike the topics above, this one is not as straightforward, namely because "the sellers themselves could be SE'ers", whereby they'll disappear after they've received payment for the item or service they've advertised for sale. In social engineering parlance, it's typically known as an "exit scam", which is on par with those who purposely SE in an unethical fashion. Now, it's way beyond the scope of this post to explain how to differentiate between a genuine seller and a scammer, thus the following details are based on sellers that you've identified as being legit.

Regardless of the forum's nature, be it a GFX (graphics) design board that only has a couple of thousand registered members or a huge hacking forum with millions of users similar to the biggest piece of garbage abbreviated as "HF" (you know who I'm referring to!), it doesn't change the fact that there are honest individual sellers trying to earn a living. For the most part, they're in their teens (or a little older) and rely on their sales to buy food & clothing or perhaps pay their rent and other essentials, and as such, every dollar in their pocket is crucial towards their living expenses. Without question, you know precisely what I'm talking about, so there's no point in explaining myself. If your intention is to target such sellers and you're fully aware of their circumstances, then you're a disgrace to the social engineering sector. Go find another way to occupy your time. Period.

In Conclusion:

In all my decades of social engineering entities of all shapes and sizes, I can honestly say that I have never used my SEing skill set in an unethical manner by causing financial loss (or otherwise) to someone operating on a personal level. To this day, I'm constantly being asked to explain and justify my actions, and although it's nobody's business but my own, it's another reason why I decided to write this article: namely to provide my readers with the fact that "there is a good side and a bad side to everything, and social engineering is certainly no exception", for all the reasons mentioned in this article. In closing, before you plan "who" you're going to SE next, remember what you've just read. Your motive for SEing not only defines you as an SE'er, but also reveals whether your personal attributes are of an ethical standard.