Your Must-Have Social Engineering Toolkit.
If you're a handyman or perhaps work In the building and construction Industry, whereby you're renovating homes by knocking down old bathrooms and kitchens and replacing them with modern designs suited to your customer's needs, you must be well prepared by having "the right tools" at your disposal. Without a hammer, drill, circular saw, air compressor, nail gun, grinder and so forth, It's not possible to make a start on the job In question, let alone move forward and tackle each task towards completion. The very same principle applies to social engineering In every capacity. Be It gaining unauthorized access to a Fortune 500 company by pretending to be an employee and kindly asking another worker to punch In the building entry code for you, or SEing someone over the phone for their credit card details as though you're an agent from their electric company who's updating their account Information- It's Imperative to "have a toolkit" readily available that you can refer to and utilize as needed.
All the above Is also relative (and considerably more significant) to the new breed of human hacking, commonly known as "company manipulation and exploitation", whereby representatives are tricked by SE'ers Into Issuing refunds and replacement Items for just about anything that comes to mind. If you're actively Involved In an SEing community such as an Internet forum or Discord server, you'd know exactly what's required to research the company & carrier, select and formulate the appropriate method and effectively execute your attack vector. "All this cannot be done If you don't have the right tools" to ensure your SE runs as smooth as possible from start to finish, and that's what prompted me to write this article- to provide you a "social engineering toolkit" that's dedicated to SEing online & In-store retailers to the likes of (but not limited to) Argos, John Lewis, Target, Walmart, HP, Logitech and of course, Amazon.
Put simply, the purpose Is to give you a platform with everything you need when typically social engineering companies on every scale and by the time you've finished reading this entire article, you'll have the tools and know-how to research, prepare, execute and finalize your SE with minimal disruptions. What you're about to read Is quite a lengthy guide and although not every topic will apply to your environment, I strongly suggest to take each one on board as part of your "social engineering toolkit"- for the reason that you never know If and when you'll have the need to utilize It. To avoid congestion, I've limited every topic to a single paragraph, yet outlined and referenced the most Important elements that will help make your SEing experience a pleasant one. It does not run In chronological order, thus feel free to organize It as you see fit. So without further delay, let's begin.
List Of Companies:
Although this Is stating the obvious, many SE'ers have very little to no knowledge of where to begin with their SE, particularly those who've just started their career In the art of human hacking. Even If you're reading this from an advanced standpoint, It can be difficult to remain up-to-date with companies that are well-known and susceptible to exploitation and as such, creating a "list of companies" will give you a very good starting point, namely when selecting the Items that you're planning to SE. If you're not sure where to look, register on a social engineering board and sift through posts/threads- there'll be countless members sharing their experience. Here's a few to kick-start your list.
- Amazon
- John Lewis
- ASOS
- Argos
- SteelSeries
- Logitech
- HP (Hewlett-Packard)
- Dell
- Costco
- Walmart
- Best Buy
- Newegg
- Target
- Ultimate Ears
- Currys PC World
- Zalando
Research The Target:
Now that you have a list of companies at your disposal, It's paramount to establish how they operate not only with refunds & replacements and how they're processed, but also the type of carriers they use to service their deliveries and a lot more. You cannot perform what I call a "blind SE", whereby you have no Idea what you're up against- In doing so, your SE will come to an end way before It had the chance to start taking effect. Every company differs In the way they're structured, hence there are no hard and fast rules as to what you should specifically look for, but what you can do, Is "create a generic list" that caters for the majority, If not all retailers as per below. You will find many In their website's terms & conditions, or research by doing a "practice run" ("trial SE").
- The grounds on which replacements are Issued
- The grounds on which refunds are Issued
- The carriers used for deliveries per location
- Is a signature required when accepting the delivery
- Is an OTP (One-Time Password) required to accept the package
- Does the carrier driver takes photos of the premises
- Does the carrier driver Inspect the package on pickup
- Does the carrier driver personally visit the home when using the DNA
- Who's responsible for loss of goods during transit
- Do they offer advanced replacements
- Do they bill you when an Item Is not returned
- Who covers the cost of freight for returns
- Where Is the company's return center located
- How long Is the warranty period
- Is PayPal accepted as a payment system
Vulnerability Assessment:
In order to successfully exploit your target, there must be some type of vulnerability/flaw that will allow you to manipulate It, thereby use It to your advantage when formulating your method and executing your attack vector. This not only applies to everything relative to companies and their employees, but also their carrier service. For example, from a carrier perspective, If they're liable for loss of goods during shipment, then you can go ahead and use the "DNA" (Did Not Arrive) method. In terms of the company, If they don't have CCTV cameras monitoring the picking & packing procedures In their warehouse, this Is well-suited to the "missing Item", "partial" and the "wrong Item received" method. I cannot possibly cover every vulnerability but what I will do, Is list a few companies that have "CCTV cameras In place". This Is accurate at the time of this post.
- John Lewis
- Argos
- ASOS
- My Very
- EBuyer
- Mindfactory
List Of Methods:
Methods are the backbone of every SE and play an Integral role In determining where It's heading, and of greater Importance, they decide If the outcome will work In your favor- successfully refunded or the Item replaced. If you don't have a method that's suited to the nature of the Item you're SEing, Inclusive of (where applicable) the company's environment, your SE will prematurely come to an end. Sure, some reps are half-asleep on the job and approve your claim with no questions asked, but for the most part, there will be many obstacles to circumvent and having a method that supports your attack, Is absolutely crucial. There are many methods to choose from and each has Its pros and cons, therefore It's vital to familiarize yourself with their objective, and whether the one you plan to use, Is compatible with your skill set. The following list Is traditionally used by SE'ers of all shapes and sizes.
- The wrong Item received method
- The Missing Item method
- The partial method
- The boxing method
- The faulty Item method
- The DNA method
- The sealed box method
- The corrupted file method
- The leaking battery method
- The serial number method
- The blood method
- The stale food method
- The broken glass method
- The disposed the faulty Item method
Contact Options:
There are not too many social engineers who take note of the type of contact options that are available when planning their SE, but rather focus on the methods used and how to make sure their efforts are rewarded with their account being credited or replacement Items shipped free of charge. No doubt, It's a very good approach, however If you cannot communicate effectively over a particular gateway, you'll find that your SE will not move forward and In the worst-case scenario, It will be declined- all because you don't have the capacity to tackle the rep's requests, questions and concerns accordingly. As a result, you must select a contact option that you're comfortable and most Importantly, "confident with". For Instance, speaking over the phone Is Instant, It happens there and then and If you're an SE'er who has difficulties with replying In real time, opt for another point of contact such as "shooting off an email"- you have all the time In the world to think of your reply. Whatever you decide as your preferred contact, be sure you're well and truly competent In using It.
Anonymity Tools & Implementations:
Believe It or not, companies think that every SE Is a legit claim and If you treat It as such by manipulating It according to the nature of your attack, there's nothing wrong with using your real credentials, however there are occasions when your movements must be anonymized. An example of this, Is when you receive an unexpected email from Amazon, saying that your account has been locked due to violating their policies with a high number of refunds or otherwise. If It's a temporary lock, you'd need to provide verification details or ID documents to get It activated again. On the other hand, accounts can be "permanently locked" which means exactly that- no chance of reinstating It. The former (temporary lock) Is not really an Issue, but the latter means that you need to "change every Identifiable detail" when creating a new account. Here's what I recommend.
- Change of full name (family & given name)
- Change of date of birth (where applicable)
- Change of full residential address (If need be, use a drop)
- Change of email address (no need to explain this!)
- Change of phone number (new SIM on a fake account or a Burner service)
- Navigate via a VPN (NordVPN, IPVanish, ExpressVPN will suffice)
- Use a different device (one that was NEVER used with previous accounts)
- Change your MAC address (this free tool does an excellent job).
- Use a VCC- Virtual Credit Card (there's heaps of providers online)
- Use a GC- Gift Card (an alternative to a virtual credit card)
- Use a different password (nothing similar to the old account)
- Navigate via a private search engine (prevent your online behavior being tracked)
A Backup Plan:
Regardless of your level of expertise as a social engineer, Inclusive of how well you've researched your target, perfectly formulated your method against your findings and flawlessly executed your attack vector, there's no guarantee that your SE will succeed each and every time. If you haven't already experienced failure, you will at some stage with subsequent SEs and when It happens, It's Imperative that you have what I call "a backup plan" In place that will give you the opportunity to rescue your failed SE. What many SE'ers don't know, Is that just because a representative decides to decline the claim, It doesn't necessarily mean It's put an end to the SE In Its entirety. There are certain payment systems that you can use to reverse the transaction, and credit your account for the full cost of the purchase Item. At the time of this article, there's less than a handful that you can choose from as follows.
- PayPal (file a "dispute" and escalate It to a "claim")
- Credit card chargeback (used If PayPal fails to resolve It)
- Bank reversal (same as the above, but done via your bank/merchant)
- Section 75 (for UK residents- can be used to retrieve funds from the credit card provider)
Alternative Delivery Point:
SEing has Its fair share of complexities, some of which Involve the carrier driver visiting the SE'ers house (when the DNA method Is used) and asking why the package was claimed as not delivered, or If you're living with your parents, they'd most likely question why so many packages are being sent to their address- which can be pretty difficult to legitimately justify. If that's not enough to concern you, some companies who offer "ARs" (Advanced Replacements) actually bill the SE'ers account If the defective Item Is not returned to them- HP Is one company who does It. To avoid all that, you can use a "drop house", often referred to as a "drop" to accept deliveries from carrier drivers. In simple terms, It's a home that doesn't belong nor have any association to the SE'er, but "It must be vacant when the package Is delivered". Here's a few ways on how to locate a drop.
- Homes advertised for rent (almost all are vacated)
- Homes advertised for sale (mostly vacated, but not always- requires research)
- A foreclosed home (guaranteed to be empty)
- Using someone else's home (they must be on vacation or at work when the delivery arrives)
Editing Tools & Software:
Over 90% of SEs are performed by purchasing the Item first, and having It refunded or a replacement sent. The biggest advantage of this, Is the array of methods that you can use and depending on the Item's nature, there could be more than one suitable method, hence you can pick the one that fits your environment. However, not everyone has the funds to pay upfront and what's commonly used Instead, Is the "serial number method", by obtaining a serial that's still under warranty and use that to SE. Now because you don't have the Item, the rep/agent will ask for a "POP" (Proof Of Purchase) to verify It was purchased from them and your claim will not move forward until you provide It. This Is easily circumvented by editing the POP with various tools and software, Here's a list of what you should Include as part of your toolkit.
- Adobe Photoshop (for editing PDF files)
- Adobe Acrobat (as above)
- Metadata remover/editor (to not show signs of file tampering. Can use Photoshop)
- Online receipt/Invoice generator (this site will serve your needs)
- Online fake receipt maker (use this website)
Corrupted File Tools:
Further to the above topic, If for some reason you cannot provide a POP by Photoshopping an existing Image or creating one of your own, you'd need to find another alternative to keep your SE alive. One way to do It, Is by using the "corrupted file method", whereby (as Its name Implies) you send a file that's corrupted/nonfunctional and assure the rep that It's working perfectly fine on your end. No doubt, you'll be asked to resend It, so you do exactly that but In a different file format and keep repeating the process with every request. This gives the Impression that you're In full compliance with what the representative Is asking, and you're also doing your utmost best to resolve the matter. If you persevere and push the SE to Its limit, the rep will assume that he's at fault and will most likely approve your claim. You can use any of the three sites below to corrupt your file.
SE'ing Log Book:
Of all the tools, resources and services that are documented In this article, I'd say that keeping a record of every SE performed, Is the least used commodity by the majority of social engineers. When you're hitting one SE after another for many months on end, be It success or failure, It's literally Impossible to remember when every event took place- Inclusive of the Items refunded and/or replaced, as well as the timing between each one, the names of the companies and a lot more. As such, It's vital to keep an "SEing log book" to record your actions as they happen. So why Is this Important? Well, have you ever wondered why your SE failed for no apparent reason? Or your account was unexpectedly locked? Perhaps you SEd too many high value Items, or used the same method a lot of times In succession, or may be didn't allow a sufficient gap from the last SE to the next. Clearly, you can see why a log book must be Included In your toolkit. I've created a (non-exhaustive) list below.
- Names of companies
- Nature of every Item
- Value of every Item
- Dates & times of every event
- Methods used
- Carriers used for deliveries
- Number of refunds
- Number of replacements
- Timing between each SE
- Number of successful results
- Number of failed attempts
- Number of credit card chargebacks
- Number of PayPal disputes & claims
- Number of legit purchases
Availability Of Funds:
This Is very much stating the obvious, but I've personally come across a handful of SE'ers who've spent days or weeks researching their target, getting their method together and asking for assistance by creating a thread on a forum, only to find that they had no money In their account when It came to perform their SE. Although In this case nothing was lost financially, the time and effort was a complete waste that could've and most Importantly, "should have" been used productively. On the other hand, one SE'er had Insufficient funds on his credit card but his provider allowed an "overdraft" (credit extension), hence he was still able to make purchases with nothing In his account. What he didn't know however, Is that his bank charged an "overdraft fee" for each transaction that the SE'er made, which meant that he had to repay the fee Inclusive of the Interest charged for each purchase. The equation Is pretty simple- check your availability of funds prior to SEing.
Fake Documents:
Before I make a start on this, I just want to make one thing perfectly clear- I do not condone any behavior that Involves fraudulent activity by using fake IDs for financial gain or otherwise, nor do I encourage any type of Illegal activity associated with what you're about to read. How you decide to use the following Information, Is entirely your choice and completely out of my hands. Okay, moving forward, In the event your account has been permanently banned/locked or you've used the DNA method and your package was redirected to your local post office for pickup, In both circumstances, you'd need fake credentials to verify your Identity. The first one Is to open a new account under another Identity, and the second one Is to pick up your package using another ID, thus It wasn't "you" who collected It. Of course, there are countless other uses, but I've simply given a couple of examples. Here's a small list to get you started.
- Fake SSN (Social Security Number)
- Fake driver's license
- Fake birth certificate
- Fake credit card
- Fake Police report
- Fake receipts and Invoices
In Conclusion:
There are a handful of other things that you can add to your SEing toolkit, but they're very rarely used and rather Insignificant to company manipulation and exploitation. What I've done, Is documented those that are
very common when SEing any company & Item, so be sure to keep "every one" In your toolkit. Now I'm not suggesting that you need to use the lot with every SE performed, but rather
pick & choose the ones that are relevant to your SE at the time. I can confidently say that you will utilize each one at least once, hence the main reason why every SE'er must have an
"SEing toolkit" at their disposal.
:DISCLAIMER:
I DO NOT OWN THE RIGHTS TO THIS. THIS IS TAKEN FROM www.socialengineers.net/ GO CHECK HIS STUFF OUT TO BECOME A L33T SOCIAL ENGINEER!