SE'ing Complications

 


SEing Events That Cause Significant Complications 

We all want the luxury of buying any product that comes to mind, be It an IPhone 13, a pair of Nike trainers with matching tracksuit pants and hoodie, or a top-end laptop to handle any game you throw at It - It's human nature to keep up with the latest technology and designer clothing and footwear. However, such Items can be rather expensive and not everyone has the cash upfront, and that's when social engineering comes Into action, by using a series of attack vectors against stores/retailers of all shapes and sizes with the Intention to acquire goods without paying a single dime, regardless of their nature and value.   

Now I'm not talking about old-school SEing consisting of (but not limited to) "pretexting", "tailgating", "spear phishing", "quid pro quo", "phishing" etc, that's used to obtain confidential Information, physically enter a restricted building or perhaps gain remote access to a computer system. What I am referring to, Is a much more sophisticated type called "company manipulation and exploitation", whereby representatives are deceived Into generating refunds Into the SE'ers account, or dispatch replacement Items while the social engineer still gets to keep the original purchased product. 

As simple as It may sound, It takes an exceptional set of skills to get the job done, particularly when high value Items are Involved, and dealing with stubborn reps who follow protocol every step of the way during the evaluation of claims. In such circumstances and In order to give the SE the best chance of success, It's paramount to "research" the company's operations, flawlessly Implement "method & Item formulation" (choose a method suited to the nature of the Item) and execute the attack by leaving very little to no room for error. As a result, It maximizes the likelihood of a favorable outcome - a refund or replacement but that being said, It doesn't always go according to plan.

For Instance, If you've been SEing for years on an Intermediate/advanced level or offer a refunding service, you'd be well aware of the complexities, and what It takes to circumvent every obstacle that comes your way. Things like being hit with a POD (Proof Of Destruction) and asked for a POP (Proof Of Purchase) when you don't have one to begin with, may trigger some degree of difficulty but due to your level of expertise, both can be bypassed without having an Impact on the SE. While those types of events (and more) are easily addressed more often than not, there are others that cause huge problems to the point of the SE failing, namely "when you don't have the knowledge to manipulate It". Don't worry, this will make perfect sense In a minute or so.

The purpose of this article and as per Its title, Is to demonstrate "SEing events that cause significant complications" which leads to many social engineers either avoiding the event altogether, or If It's In the middle of their SE, they have no clue how to handle It. For example, what will you do when a "Cease & Desist" notice Is emailed to you by the company you're SEing? I'd say you've never heard of a Cease & Desist, let alone have the know-how to tackle It In the appropriate manner. Rest assured, I've got you covered. I will discuss that, and 3 other events that "seriously complicate SEs", as well as (where applicable) show you how to circumvent each one - starting with an "OTP".


An OTP Required On Delivery:

Although this Is not tied to any particular company & carrier service, and may vary depending on locality and other factors not mentioned In this topic, It Is a commonality when SEing "Amazon", so be sure to keep that In mind. Okay, If (for example) you're social engineering a high value Item such as a QLED 8K HD Smart TV (from Amazon Itself) that retails at over $4,000 by using the DNA (Did Not Arrive) method, an "OTP" which Is an abbreviation of "One-Time Password", will most likely be required to verify that the package not only made Its way to the correct address, but was also personally received by yourself (the SE'er) or an authorized recipient.  

Because the product Is very expensive, It's crucial for the carrier to make sure It's accepted by the account holder or a household member, thus an OTP will be part of their delivery process. Here's how It generally works. When your order Is placed and ready to be dispatched, or In some cases already In transit, the OTP will be sent by the company to your cell phone number or to the registered email address on your account, and when the carrier arrives, you must tell him your password to receive the package.     
If you neglect to show the driver the One-Time Password, he has every right to refuse handing over your package, hence will mark It as an undelivered consignment and take It back to the depot to reschedule the delivery time & date. Given the goods can only be accepted with an OTP, a lot of SE'ers do not use the DNA method - for the reason that they believe It will be an arduous task to grab the package from the driver without telling him the password. While I certainly agree It's not a simple procedure, It's not to say It cannot be done, but "It does take quite a bit of effort and manipulation to succeed". So let's have a look at how to do It In the following subtopics.

Circumvent An OTP Generated To A Cell Phone

To avoid congestion, both this and the subtopic below Is brief and straight to the point. The first thing you need to do, Is to buy a very cheap second-hand cell phone that costs next to nothing, and smash It by "breaking the glass" - before the driver arrives. Just In case the phone displays some type of functionality that can potentially ruin the SE, take the battery out or fully discharge It - you'll see why shortly. When the carrier comes and the driver Is walking towards you, make as though you're looking through your phone and ready to hand out the password, but Instead "purposely drop It with a very distressed look on your face". Be sure the driver has seen that!

Next, attempt to show him the OTP by putting the cell phone In his full view. This gives the Impression that you're not trying to hide anything and to seem like you're doing your utmost best to get the password, press the power button a few times - obviously the phone will not turn on. Deeply apologize for the Inconvenience caused and "refer to him by his first name" taken from his uniform - believe me, people feel appreciated when you communicate with them by name. Also, tell him the package contains a "BP monitor that's urgently needed to monitor your mother's blood pressure" - with the objective to make him feel sorry for you. Taking all those events Into account, there's a good chance the driver will give you the package without the One-Time Password.    

Circumvent An OTP Generated To An Email Address

Rather than generating the OTP to your cell phone, some companies will send It to the registered email address on your account, which serves the same purpose as the phone - It must be forwarded to the driver before the package can be handed to you. The Intention of this SE, Is to manipulate the driver Into thinking you haven't received the password, and that you're doing everything you can to get It from the representative. Okay, as the driver jumps out of his van, pretend you're on the phone with the rep asking why he hasn't sent the OTP and to resend It. An SE Is only as good as Its execution, so It's vital that "the driver can clearly hear your end of the conversation".  Remember: This Is all an act of deception - the OTP doesn't exist, nor does the call between yourself and the rep/agent!

Given carriers have deadlines to meet, they generally don't like to be kept waiting, thus you'll use It to your advantage as follows. I want to reiterate that "you're seemingly on the phone with the rep, therefore all communications are not real". So, tell the rep that you will check your email for the OTP, and pass the same message onto the driver. As said, carriers don't like to wait around, so rather than Instantly looking on your phone, enter your home and (pretend) to check It on your PC, "and make sure to take your time". After a few minutes, come out and tell the driver that nothing has come through In your email, and ask the rep to send It again.

Keep repeating the process (by entering and exiting your home) and saying your Inbox Is empty - until the conversation ends with the OTP failing to arrive to your email account. It's at this stage when the driver will be SEd, by giving him a sense of reassurance and offering to (fake) sign for the package, and to remove all doubts and questions he may have, show him your ID - driver's license or any other form of Identification. Don't worry, he'll look at It but will not take any photos, so It's completely useless and cannot verify receipt of goods. All In all, If the SE Is performed as described, It greatly Increases the probability of grabbing the package without the OTP.


The Carrier Driver Inspecting Goods:

What you're about to read, doesn't occur very often and It mainly depends on the carrier's terms, conditions and protocol but If It unexpectedly comes your way, It can be very problematic, hence It's Imperative to be well Informed of the events that take place and how they should be handled. The following scenario Is not based on any specifics, but rather Intended to give you an understanding of what happens when "carrier drivers are asked to personally check goods at the collection point" - your home address or otherwise. 

Let's say you're SEing an online retailer by using the faulty Item method, and claiming the product you've purchased Is defective. After the rep goes through a few troubleshooting steps and Is satisfied It's not functioning, a refund/replacement will be Issued , but ONLY when the (supposedly) broken Item Is returned. So far, there's no cause for concern - the boxing method can be used to avoid sending It back and If need be, dry Ice will be added to substitute the Item weight. That's In an Ideal world of boxing, however to ensure the Item Is securely returned, some carriers/companies will Instruct you to "leave the package open for the driver to Inspect Its contents" before Its sealed and dispatched.  

It can be done by either picking up the package from your house, or when It's taken to a designated collection point. SEing Is all about manipulating your target Into performing an action that they're not supposed to do, and here's how you'll do that to circumvent the need to have the package checked. Instead of trying to stop the driver from examining It (which can be almost Impossible to do), you'll focus on "the reasons why you're not able to meet the carrier's request". The aim Is to convince them that you're more than happy to use another carrier service (who does not Inspect packages) and to provide reassurance, you will Immediately give them the tracking details. Okay, let's see how to bypass the Inspection of goods.    

How To Circumvent Inspection Of Goods

As you are aware, the Intention Is to SE the customer service rep as to "why you won't be available to meet up with the carrier driver at your residential address". It also applies to another pickup location that they've specifically requested - such as dropping off your package at a collection point as arranged by the company or their carrier partner. It's very likely you'll face a number of difficulties, namely with stubborn reps who refuse to budge with everything you throw at them. But the key to success Is to "remain firm with the details you're giving to the rep/agent", and to not take "no" for an answer under any circumstances. Here's a few excuses to use.

  • Absent due to work commitments
  • In the process of moving house
  • Called for jury duty (In court)
  • In hospital as an Inpatient
  • Away on a business trip

CCTV Cameras In Operation:

Before I make a start, I'd like to point out that due to the nature of warehouse logistics, Inventory management, racking systems & shelving, and particularly packing benches & procedures, It's way beyond the scope of this article to cater for each and every environment. What I will do, Is give you a general and very accurate example of how "CCTV cameras" are utilized In modern warehousing during the packing process, as well as discuss how the cameras will affect your SE to the point of failure. Here's how It works. 

Once you've placed your order, the storeman will be given a picking slip with descriptions and quantities for each product, and will pick the Items from their respective locations In the shelf/racking. He will then place the box on a conveyor belt, where "the packers" are standing by to receive It. This Is the stage where all the action happens. Right above each packing table are overhead CCTV cameras Installed, which record precisely "how the Items are packed In each box" - by their description and quantity. Now we'll say you're SEing a sweater that comes In clear packaging by using the wrong Item received method.

After the package was delivered by the carrier, you got In touch with the company and said that you received a totally different Item to what was originally ordered and as expected, an Investigation was opened to try and Identify where the error occurred. Behind the scenes, they referred to their CCTV camera footage, and It clearly showed that your sweater was In fact correctly packed and dispatched, therefore your claim was declined. If you have no Idea that the company has cameras actively monitoring their movement of stock, say goodbye to almost every attempt to SE them with the wrong Item received, the partial and missing Item method. That being said, there Is a way to "render their footage Inconclusive", so let's see how It's done.        

How To Deem CCTV Camera Footage Inconclusive

Irrespective of the circumstances Involved, there's always a way to manipulate a given situation or event, and CCTV camera footage Is certainly no exception as follows. For this to work, "the Item must be enclosed In a box" and It's crucial that the product cannot be viewed externally without opening It. That Is, the box Itself cannot contain any type of clear film that would potentially expose Its contents, hence It must be fully covered In cardboard on all six sides. For Instance, a SanDisk 1 TB Extreme Portable SSD, comes In Its factory state without a window (film) on any side of the box - It's only wrapped In cardboard, which Is Ideal for the method I'm about to explain, so I'll reference this as the Item that will bypass the camera footage.

If you've read my article linked above pertaining to the missing Item method, you'd know that It can be used against a "manufacturer error", whereby you'd say that when you opened the box, the Item was missing. Essentially, the manufacturer neglected to put the Item Inside and sent It to the company, and only the box was delivered to you. Of course, nothing of the sort happened - It's simply claimed for SEing purposes. Because the SSD Is sitting In a box that's purely covered In cardboard, "the CCTV cameras will not detect It" - they cannot see what's "Inside", thus the footage Is useless! Be sure to use the same methodology with all goods "fully packed In a cardboard box".  


A Cease & Desist Notice:

Even though this Is not common In the social engineering sector, It's of the utmost Importance to bring a "Cease and Desist" (often abbreviated as "C&D") notice to your attention, namely due to the seriousness of Its nature. You'll understand what I mean shortly. On the grounds you've been SEing the same company an excessive amount of times In succession, or perhaps operate as a refunder In a similar fashion, I strongly suggest absorbing every word from this point onwards. Here's what takes place with a Cease and Desist notice.

When a social engineer goes too far with obtaining refunds or replacements against a company, or Infringes the rights of Individuals, a "C&D" letter Is sent (by the company) to the SE'er asking to stop his activities there and then. It's basically a warning to alert him that his actions are In breach of the company's contract and/or terms, and to Immediately stop what he's doing. Now this Is where It begins to get serious. 

If the SE'er Ignores the C&D and continues with his SEs, meaning he keeps refunding the same company after the notice was sent, legal action can be taken and In the worst-case scenario, legal proceedings could already be In progress - which will be stated In the letter. As you can see, It's very significant, hence don't think for a minute that the company who Issued the Cease and Desist notice will forget about It - they WILL take the matter further If the SE'ers behavior remains unchanged. A C&D notice cannot be circumvented, but rather dealt with accordingly as per the subtopic below.         

How To Deal With A C&D Notice

Once you have been hit with a C&D notice, It's pretty much common sense In the way It should be dealt with, however when you're on a winning streak with refunds that keep going your way and the dollars are rolling In, It's very easy to get carried away and disregard the letter altogether. Let me tell you that a Cease and Desist notice Is no joke! Noncompliance will result In serious consequences and the last thing you need, Is to put on your favorite suit In readiness to attend a court hearing. The message Is loud and clear - don't allow "greed" to Impair your judgment, end your SEing the moment a C&D notice Is received


In Conclusion:

No doubt, there are a lot more events that complicate matters, but as you can appreciate, I cannot possibly cater for the lot - If I did, this 28 paragraph article will turn Into a 500+ page eBook. Instead, I've focused on those that have a huge Impact on every SE, thus may cause claims to be declined by customer service representatives, and/or litigation filed by the company - "If the appropriate measures and precautions are not applied by you, the social engineer". Given you've thoroughly read every topic and recommendation, you're now well aware of what to expect and how to effectively tackle all the aforementioned events, thereby the risks and difficulties Involved, are significantly reduced.       


Comments

  1. Hi there, any idea on the best way for me to SE a desk? Trying to use DI method and they've asked for a video.

    ReplyDelete

Post a Comment