OP 06 March, 2021 - 09:37 PM
(This post was last modified: 07 March, 2021 - 03:12 AM by TeamSesh.)
Reply
Found this on a social engineering blog. Super informational.
[/spoiler]
Show ContentSpoiler:
Refund An Item By Manipulating The Package.
:DISCLAIMER:
I DO NOT OWN THE RIGHTS TO THIS. THIS IS TAKEN FROM www.socialengineers.net/ GO CHECK HIS STUFF OUT TO BECOME A L33T SOCIAL ENGINEER!
Before I begin with this method, I'd like to make one thing perfectly clear- It's flawed In many areas, and contains an array of Inconsistencies that ultimately result In a failed SE. So why am I documenting an article on a method that's not likely to succeed? The answer Is pretty simple. Many social engineers who are either new to the art of exploiting the human firewall, or have been In the scene for many years to date, actually believe that this does In fact work almost each and every time. Only after they've attempted to SE companies without success, have they realized that the FTID method Is not worth the time and effort they put In.
To save you from disappointment, the objective of this guide Is to make you aware of how and why this method Is not likely to work In your favor BEFORE you attempt to try It yourself and waste your valuable time, resources and money on such a deficient piece of BS. Having said that, this article Is not entirely focused on the negativity side of things, thus I will provide you with one particular methodology (further down the page) that has the best chance of a successful outcome. So what exactly Is the "FTID method?". Let's check It out now.
The FTID Method Explained:
If you're part of a social engineering online community, be It an Internet forum or chat via a Discord server, you will definitely come across this method In Its abbreviated form, namely "FTID". This simply stands for "Fake Tracking ID". Now Its title Is misleading- the "Tracking ID" Is not "fake" at all. I have no Idea why the person who came up with this method named It as such, hence Is very misleading and can be rather confusing to those who've never come across this before.
At the time of writing, there are 4 versions of an FTID eBook released by Its creator/author- that has a few options (methods) to choose from, with each one outlining how to SE a company and obtain a refund for an Item that the SE'er has no Intention of returning. In other words, "you seemingly send your Item back for a refund". I have provided a few download links at the end of this guide for the "version 3" release, and after reading this entire article, you'll see why this method Is predominantly a load of trash.
In a nutshell, the FTID method Is all about having the "Tracking number shown as delivered (carrier-wise), but the company has no physical nor administrative record of the package In their warehouse". As a result, there Is nothing assigned to the sender (the SE'er), which releases the social engineer from any liability, therefore It's the company who's responsible for loss of goods, rather than the other way around. So when the SE'er calls the company a few days later asking for a refund, because the package does not exist In their warehouse, they have no way to cross-check any details with the carrier, and will have no choice but to manually process the refund. This will make perfect sense very shortly.
This Is how It supposed to work, but the majority of the methods outlined In the eBook are flawed and for the most part, WILL fail. I'll explain the reasons for this, but before I do that, I'd like to first demonstrate one particular FTID method that has the best chance of success- not a "good" chance, but the "best" chance! So let's check It out now.
The FTID Method With A Better Chance Of Success:
Remember, "you're seemingly sending your Item back for a refund". As stated above, the objective of this method Is to simply show the "tracking number as delivered to the company, without any record of the package In their warehouse". So how Is this done? Well, you prepare an "envelope" or a very small "satchel", by removing all Identifiable details linked to your order- sender's Information, RMA Info (If any), order numbers and so forth. The only thing to keep, Is the "tracking number". This obviously must remain Intact, otherwise It will not reach Its destination.
Next, you must give It the appearance as though It's an "advertisement", by placing a sticker or two on the envelope, such as "Harry's carpet cleaning services" or "10% off your next electric bill". This way, when the company receives the envelope and given there's no Information pertaining to your order or account, they'll most likely throw It In the trash. After all, who's Interested In opening an envelope containing an ad? Because of this, the company will not have a physical nor an administrative record of your return!
It's best to wait a few days, then contact the company and kindly ask why you haven't received your refund. Upon providing them with your tracking number, they'll check with the carrier and confirm that It was In fact delivered to their warehouse, but evidently they cannot locate It because they've thrown It out. They can make up all the excuses they want to try and decline your claim, but at the end of the day, It all comes down to their Incapacity to properly process the return of goods Into their warehouse and systems. This makes them liable for losing your return, thus a refund should be Issued.
At the time of this post, this Is the only FTID method that has the "best" (but not "good") chance of a successful outcome. I've already stated that I'll elaborate on why this contains an array of Inconsistencies, so without further delay, I'll briefly cover It now.
Why The FTID Method Is Flawed:
This method has so many weaknesses and Imperfections, that It's way beyond the scope of this article to detail the lot, so I'll only outline the top three flaws that're extremely likely to cause your SE to fail. To make this easy to follow and comprehend, I've provided the examples In point form and titled accordingly as shown below.
* Change The Receiver's Address On The Label.
When I first had the displeasure of viewing this method, I couldn't believe what I was reading, and you'll understand why shortly. The way this Is (supposed) to work Is to remove all your details that're linked to your order, leave the tracking number as Is and on the label, "modify the receivers address to another destination". The objective Is for "the carrier to deliver the package to the modified address on the label", but the tracking will show that It's delivered to the correct address. Because of this, the company will not have the package In their warehouse, therefore believe It's their error and offer a refund.
The author of this method, obviously has very little to no Idea of how carriers operate In the 21st century. Given every package Is scanned during collection, at the carrier's depot and then at the delivery point, how can a modified label convince the driver to deliver It elsewhere? Sure, you may get the odd driver who's half asleep on the job, or one who couldn't care less because It's his last day at work and deliver It as per the label's Instructions, but because "the package Is scanned", obviously It will be sent as per the tracking details. I'm at a loss as to how and why the author of this method, believes that this piece of garbage Is a reliable form of social engineering.
* Send A "Box" With Only The Barcode.
As with the method above under the title of: "The FTID Method With A Better Chance Of Success", this works on a similar principle but "the chance of failure, Is almost guaranteed". Once again, this Is performed by removing every Identifiable detail Inclusive of the tracking number, but "only leaving the barcode". This time however, It Involves "using an empty box", with the Intention of being delivered (as per the carrier's scan details) to the correct destination. When the company receives the box with no Information of where It came from, they'll throw It out. After the social engineer calls and asks for a refund, the company has no record of the box, thus cannot cross-check It and Is forced to Issue the refund.
Again, this Is yet another very poor attempt by the author of the method to social engineer a refund. Why? Well, given "the barcode Is the only thing left on the box", anyone who's employed In a return center/Inwards goods and operates by scanning every delivery received, will obviously "scan the barcode and Immediately Identify the sender!". What Is the author of this method thinking? That they'll Ignore the most Important part of the shipment, namely the "barcode" and dispose of It? Enough said.
* Weight Discrepancy Identified By The Carrier.
The above title speaks for Itself, so there's not much to say about this. Basically, "It relates to every FTID method Involved", for the fact that an empty box or envelope Is sent by the social engineer. Now because carriers obviously handle every consignment and due to the fact that they're weighed at their depot, when the SE'er claims a refund, the company will cross-check the details with the carrier's manifest.
As such, there will be a "difference In weight" with what the social engineer was supposed to send back (being "the real Item"), and the empty box/envelope that was recorded by the carrier. This Is a major drawback and for the most part, will result In a failed SE, regardless what FTID method you decide to use. As you can see, this Is yet another Inconsistency that adds to the countless flaws already mentioned In this article.
In Conclusion:
No doubt, you're well aware of why I believe the FTID method Is flawed and simply not worth wasting your time and effort performing an SE that will eventually lead to failure. As discussed toward the beginning of this guide, the author can't even get the title right- "FTID" meaning "Fake Tracking ID". Does he honestly believe that the "Tracking ID" Is fake? If so, how do packages get scanned, recorded and delivered correctly? I think my view on the matter has been clearly demonstrated.
To save you from disappointment, the objective of this guide Is to make you aware of how and why this method Is not likely to work In your favor BEFORE you attempt to try It yourself and waste your valuable time, resources and money on such a deficient piece of BS. Having said that, this article Is not entirely focused on the negativity side of things, thus I will provide you with one particular methodology (further down the page) that has the best chance of a successful outcome. So what exactly Is the "FTID method?". Let's check It out now.
The FTID Method Explained:
If you're part of a social engineering online community, be It an Internet forum or chat via a Discord server, you will definitely come across this method In Its abbreviated form, namely "FTID". This simply stands for "Fake Tracking ID". Now Its title Is misleading- the "Tracking ID" Is not "fake" at all. I have no Idea why the person who came up with this method named It as such, hence Is very misleading and can be rather confusing to those who've never come across this before.
At the time of writing, there are 4 versions of an FTID eBook released by Its creator/author- that has a few options (methods) to choose from, with each one outlining how to SE a company and obtain a refund for an Item that the SE'er has no Intention of returning. In other words, "you seemingly send your Item back for a refund". I have provided a few download links at the end of this guide for the "version 3" release, and after reading this entire article, you'll see why this method Is predominantly a load of trash.
In a nutshell, the FTID method Is all about having the "Tracking number shown as delivered (carrier-wise), but the company has no physical nor administrative record of the package In their warehouse". As a result, there Is nothing assigned to the sender (the SE'er), which releases the social engineer from any liability, therefore It's the company who's responsible for loss of goods, rather than the other way around. So when the SE'er calls the company a few days later asking for a refund, because the package does not exist In their warehouse, they have no way to cross-check any details with the carrier, and will have no choice but to manually process the refund. This will make perfect sense very shortly.
This Is how It supposed to work, but the majority of the methods outlined In the eBook are flawed and for the most part, WILL fail. I'll explain the reasons for this, but before I do that, I'd like to first demonstrate one particular FTID method that has the best chance of success- not a "good" chance, but the "best" chance! So let's check It out now.
The FTID Method With A Better Chance Of Success:
Remember, "you're seemingly sending your Item back for a refund". As stated above, the objective of this method Is to simply show the "tracking number as delivered to the company, without any record of the package In their warehouse". So how Is this done? Well, you prepare an "envelope" or a very small "satchel", by removing all Identifiable details linked to your order- sender's Information, RMA Info (If any), order numbers and so forth. The only thing to keep, Is the "tracking number". This obviously must remain Intact, otherwise It will not reach Its destination.
Next, you must give It the appearance as though It's an "advertisement", by placing a sticker or two on the envelope, such as "Harry's carpet cleaning services" or "10% off your next electric bill". This way, when the company receives the envelope and given there's no Information pertaining to your order or account, they'll most likely throw It In the trash. After all, who's Interested In opening an envelope containing an ad? Because of this, the company will not have a physical nor an administrative record of your return!
It's best to wait a few days, then contact the company and kindly ask why you haven't received your refund. Upon providing them with your tracking number, they'll check with the carrier and confirm that It was In fact delivered to their warehouse, but evidently they cannot locate It because they've thrown It out. They can make up all the excuses they want to try and decline your claim, but at the end of the day, It all comes down to their Incapacity to properly process the return of goods Into their warehouse and systems. This makes them liable for losing your return, thus a refund should be Issued.
At the time of this post, this Is the only FTID method that has the "best" (but not "good") chance of a successful outcome. I've already stated that I'll elaborate on why this contains an array of Inconsistencies, so without further delay, I'll briefly cover It now.
Why The FTID Method Is Flawed:
This method has so many weaknesses and Imperfections, that It's way beyond the scope of this article to detail the lot, so I'll only outline the top three flaws that're extremely likely to cause your SE to fail. To make this easy to follow and comprehend, I've provided the examples In point form and titled accordingly as shown below.
* Change The Receiver's Address On The Label.
When I first had the displeasure of viewing this method, I couldn't believe what I was reading, and you'll understand why shortly. The way this Is (supposed) to work Is to remove all your details that're linked to your order, leave the tracking number as Is and on the label, "modify the receivers address to another destination". The objective Is for "the carrier to deliver the package to the modified address on the label", but the tracking will show that It's delivered to the correct address. Because of this, the company will not have the package In their warehouse, therefore believe It's their error and offer a refund.
The author of this method, obviously has very little to no Idea of how carriers operate In the 21st century. Given every package Is scanned during collection, at the carrier's depot and then at the delivery point, how can a modified label convince the driver to deliver It elsewhere? Sure, you may get the odd driver who's half asleep on the job, or one who couldn't care less because It's his last day at work and deliver It as per the label's Instructions, but because "the package Is scanned", obviously It will be sent as per the tracking details. I'm at a loss as to how and why the author of this method, believes that this piece of garbage Is a reliable form of social engineering.
* Send A "Box" With Only The Barcode.
As with the method above under the title of: "The FTID Method With A Better Chance Of Success", this works on a similar principle but "the chance of failure, Is almost guaranteed". Once again, this Is performed by removing every Identifiable detail Inclusive of the tracking number, but "only leaving the barcode". This time however, It Involves "using an empty box", with the Intention of being delivered (as per the carrier's scan details) to the correct destination. When the company receives the box with no Information of where It came from, they'll throw It out. After the social engineer calls and asks for a refund, the company has no record of the box, thus cannot cross-check It and Is forced to Issue the refund.
Again, this Is yet another very poor attempt by the author of the method to social engineer a refund. Why? Well, given "the barcode Is the only thing left on the box", anyone who's employed In a return center/Inwards goods and operates by scanning every delivery received, will obviously "scan the barcode and Immediately Identify the sender!". What Is the author of this method thinking? That they'll Ignore the most Important part of the shipment, namely the "barcode" and dispose of It? Enough said.
* Weight Discrepancy Identified By The Carrier.
The above title speaks for Itself, so there's not much to say about this. Basically, "It relates to every FTID method Involved", for the fact that an empty box or envelope Is sent by the social engineer. Now because carriers obviously handle every consignment and due to the fact that they're weighed at their depot, when the SE'er claims a refund, the company will cross-check the details with the carrier's manifest.
As such, there will be a "difference In weight" with what the social engineer was supposed to send back (being "the real Item"), and the empty box/envelope that was recorded by the carrier. This Is a major drawback and for the most part, will result In a failed SE, regardless what FTID method you decide to use. As you can see, this Is yet another Inconsistency that adds to the countless flaws already mentioned In this article.
In Conclusion:
No doubt, you're well aware of why I believe the FTID method Is flawed and simply not worth wasting your time and effort performing an SE that will eventually lead to failure. As discussed toward the beginning of this guide, the author can't even get the title right- "FTID" meaning "Fake Tracking ID". Does he honestly believe that the "Tracking ID" Is fake? If so, how do packages get scanned, recorded and delivered correctly? I think my view on the matter has been clearly demonstrated.
:DISCLAIMER:
I DO NOT OWN THE RIGHTS TO THIS. THIS IS TAKEN FROM www.socialengineers.net/ GO CHECK HIS STUFF OUT TO BECOME A L33T SOCIAL ENGINEER!
[/spoiler]
PLEASE LEAVE A LIKE! I LIKE TO LOOK HQ! NO LIKE = LEACH = BAN!
This leak has been rated as working 1 times this month. (1 times in total)