
SE (Social Engineering)

What is Social Engineering?

Social Engineering is when you use social skills to get things or information which you normally wouldn't have access to.

Imagine that someone calls a restaurant to complain about their visit and is sent a coupon for a free meal. Pretty normal, right? Now imagine that the person had never eaten at the restaurant and only made the complaint to obtain a free meal coupon. That's social engineering.

Most popular methods related to cybercrime revolve around getting refunds or replacements for items when the social engineer never really possessed the defective item.

One way of finding easy companies to target is by watching the news for recalls or major product defects. When a recall or major defect occurs, the target company will be expecting a large influx of people calling and complaining. This allows a social engineer to slip in unnoticed.

A recent example of this is Bose Sleepbuds, which were discontinued due to a faulty battery. The issue was announced in the news, and within days (maybe even hours) social engineers were calling the company claiming they had the product and the battery wasn't working.

It's also worth noting that social engineering operations can grow relatively large in size. For example, in one instance observed by the author, a core team had developed a script (similar to what employees at a telemarketing company would have) and then contracted several people to make the calls. The person making the phone call would be supplied with a name, address, and serial code, which would be used with the script to make the order.

How Serial Numbers Connect Crackers and Social Engineers

One key aspect in many recent social engineering methods is serial codes. A serial code is a unique identifying number created sequentially or with an algorithm. Possessing a serial code gives the social engineer additional leverage when attempting to social engineer a free product or replacement.

The demand for serial numbers by social engineers creates a strong relationship between them and crackers. Since serial numbers are assigned sequentially or by an algorithm, they can be predicted with varying degrees of success by a cracker.

Once an algorithm that assigns serial numbers is cracked, the cracker essentially has access to unlimited serial numbers. Social engineers and crackers can work with each other in various ways. For example, a cracker may sell serial codes one at a time or in bulk for a discount. Alternatively, the two might work together in running a store and split the profits made from selling social engineered items, similar to co-owners of a business.
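
From the defender's side, the dependence on serial numbers described above is also a detection point, and it still works when every replacement ships to a different address. The following is an added example, not part of the original page: a warranty-claim screen that checks claimed serials against a register of units actually sold and flags duplicate or consecutive serials across claims. The serial format, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SERIAL_RE = re.compile(r"^([A-Z]+)(\d+)$")  # assumed format: letter prefix + digits

def screen_claims(claims, sold_serials, min_run=3):
    """Return {claim_id: set_of_flags} for claims that need manual review."""
    flags = defaultdict(set)
    first_claim = {}               # serial -> id of the first claim that used it
    by_prefix = defaultdict(list)  # prefix -> [(number, claim_id)]
    for c in claims:
        serial = c["serial"].strip().upper()
        m = SERIAL_RE.match(serial)
        if m is None:
            flags[c["id"]].add("malformed_serial")
            continue
        if serial not in sold_serials:   # unit never left the sales channel
            flags[c["id"]].add("serial_never_sold")
        if serial in first_claim:        # one unit, several claims
            flags[c["id"]].add("duplicate_serial")
            flags[first_claim[serial]].add("duplicate_serial")
            continue
        first_claim[serial] = c["id"]
        by_prefix[m.group(1)].append((int(m.group(2)), c["id"]))
    # Consecutive numbers across separate claims suggest generated serials.
    for items in by_prefix.values():
        items.sort()
        run = []
        for num, cid in items + [(None, None)]:  # sentinel flushes the last run
            if run and num is not None and num - run[-1][0] == 1:
                run.append((num, cid))
                continue
            if len(run) >= min_run:
                for _, rid in run:
                    flags[rid].add("sequential_run")
            run = [(num, cid)]
    return dict(flags)

# Constructed sample data (not real serial numbers or claims).
SOLD = {"AB1000100", "AB1000977"}
CLAIMS = [
    {"id": "C1", "serial": "AB1000100"}, {"id": "C2", "serial": "AB1000500"},
    {"id": "C3", "serial": "AB1000501"}, {"id": "C4", "serial": "AB1000502"},
    {"id": "C5", "serial": "AB1000977"}, {"id": "C6", "serial": "ab1000977"},
]

if __name__ == "__main__":
    for cid, f in sorted(screen_claims(CLAIMS, SOLD).items()):
        print(cid, sorted(f))
```
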

Other Ways to Get Serial Numbers

While working with a cracker is an ideal arrangement for a social engineer in need of serial numbers, it is not the only way. Other methods used include:

  • Buying the item in bulk, using the numbers, returning or reselling
  • Going to the store and writing down the number without buying
  • Messaging people on websites like Craigslist or eBay and saying you want to know the serial number to make sure it isn't stolen

Social Engineers and Drop Shipping

Social engineering free items or food is nice for the casual practitioner, but for the professional there is a need to convert to cash. One of the most ideal ways to convert social engineered products and services into cash is to resell items. Drop shipping is particularly suited to this, since the SE can have the replacement item shipped directly to the end customer.

Having an item shipped directly to a customer has major benefits including:

  • Free shipping, unlike normal sellers.
  • Each social engineered item is shipped to a separate address, helping to avoid detection by the target company.