]
11-28-2012, 10:10 PM
Xeronations' Ultimate Guide to the Fundamentals of Social Engineering
I. Introduction
II. Methods of Contact
III. PIDs
IV. Receipts
V. Box Method
VI. Drop Houses
VII. Protection
I. Introduction
Putting it in the simplest way possible, social engineering is the art of manipulating someone to benefit in some way. Whether that's seducing a women into bed, getting your friend to tell you a secret, or exploiting weaknesses in companies to get free goods, it's all social engineering. What we will be focusing on for this guide is exploiting companies for free goods.
II. Methods of Contact
The firs thing you are going to need to do to social engineer, or SE a company is to contact them. There are usually 3 ways of doing this. Email/Ticket support, live chat, or phoning. Finding out which of these options the company you wish to SE has is a simple matter of going to their website and clicking the "Contact Us" button. Now that you have seen your options, you will need to choose one. Each of the 3 methods have their own pros and cons. Email is the safest for beginners, calling-in is best for intermediate and up, and live chat is a combination of the two.
+ You have time to think of your answers, and you can research and come up with any information you may need.
+ You can fake confidence, even if you are super nervous.
- The customer support agent you are talking to will also have more time to inspect what you say, make sure your receipts are valid, etc.
- You cannot manipulate them with your emotions very much. An angry call is much more effective than an angry email.
Calling-In
+ You can use your emotions to more effectively manipulate your customer support agent. Use things like anger, frustration, and kindness at the right moments can be very effective in getting what you want.
+ The agent has very little time to respond. They need to be in constant conversation with you. That means they will not take an hour to check over your fake receipt, and they will not ponder little details that would've thrown them of in live chat or email.
- If you are not confident when talking on the phone, or you sound nervous, it will automatically raise red flags. Why would someone be so nervous when they are just asking for support with a product?
Live Chat
-+ You can manipulate your emotions better than on email, but less than with calling-in.
+ You can fake confidence.
- The agent still has time to look for any inconsistencies
III. PIDs
PIDs, also known as Product ID numbers, or S/Ns, are all the same name for the serial number on a product. When you are trying to SE something like an electronic, companies will almost always ask you for a PID. The PID tells them what product you have, if it is still in warranty, as well as some other details. Now getting a PID may seem like an impossible task, considering that you do not actually have the product, but it's actually quite easy. There are a few methods to obtain a PID.
eBay/Cragislist Method
1. Go to eBay or Craigslist.
2. Search the item you want, and filter it so it shows Auctions only.
3. Find a sellers of the item with a low amount of feedback. Below 100 is ideal, but around 200-400 is also fine. This is not positive feedback percentage, but the amount of feedback itself.
4. Mass message the sellers with something like this. This is an example for electronics only.
Quote:Hey! I really want to buy your XXX. I've been wanting them forever and I finally saved up enough to buy them. Could I have the PID for the headset? They should be a bunch of numbers either on the box or somewhere on the headset. The reason I want these numbers is so that I can check with Tritton to make sure that the headset is still under warranty. The last thing I want to do is to break them then find out that I can't get them replaced. Thanks in advance.
5. If you send something like this to around 5 sellers, one of them should eventually give you a PID.
6. Getting PIDs this way is the best in terms of quality because the PIDs are almost always under warranty and un-used.
Youtube Method
1. Go on Youtube and search for something like "XXX Unboxing". Where the X's are, you should fill in the name of your product.
2. Look through the video, and sometimes, a shot of the PID is shown.
3. When this happens, screenshot it, crop out the rest of web page, and there you go! Your very own PID.
PID Generator
1. Download the latest version of AstroPID from here:
[To see links please register here]
2. Generate whatever PID you want!
It doesn't have every product, but there are quite a few popular electronic brands and things like that in there. The downside to this method is that sometimes, the PIDs are already used by other SErs. It works fairly well most of the time though.
IV. Receipts
A lot of the time, a company will ask you for a receipt. There is an easy way around this. Simply generate a fake one! Use the tutorial below to do so.
1. Download the Receipt Generator
[To see links please register here]
.2. Open the .rar and launch the .exe
3. Fill it in with the info you want. Copy the name of the item directly from Amazon.com, as well as the price of the item. If you are SEing it to your house, or drop, put in real information obviously. You do not need to put a real name. For the date, make sure you put it 2 weeks back from the current date. This is to make it seem like it took 1 week to get the item, and then another week before you made the complaint.
4. Click generate, and close the .exe. A receipt in the form of an .html should then appear in the .rar file.
5. Extract the receipt somewhere, and open it up with notepad.
6. Seach for the line:
amazon-com.gif
7. Replace it with this link:
Code:
[To see links please register here]
8. Save the notepad file/receipt.
9. Still in notepad, copy all the code.
10. Go to emkei.cz.
11. Fill in the form as follows:
Code:
From E-mail: noreply@
[To see links please register here]
.comTo: (Your e-mail)
Subject: For this, open up the receipt on google/firefox, and copy the part that says Final Details for Order XXXXX.
Content: Paste everything from the notepad file.
Content-Type: Click the circle that says "text/html".
12. Enter the CAPTCHA and press send, and BAM! A perfect fake receipt. Now, simply screenshot the receipt from your email and upload it to a website like imgur.
It should look something like
[To see links please register here]
once it is finished.NOTE: Do NOT send the fake receipt to a hotmail email. They identify it as malicious and it will not look proper.
V. Box Method
The box method is basically the ultimate way to get past the point where the company tells you to send back a product, even after you have given a PID and receipt.
1. Get a box, and a rock approximately the same weight as the object you are SEing.
2. Put the rock in the box, and seal it.
3. Send it to the company.
4. In a few days, the company should email/call you back telling you that there was a rock in the box.
5. Contact them back, sounding very distressed, and tell them it must've been stolen. Make your email/call very emotional.
6. They will most likely give you the product you wanted.
For a more detailed method to boxing, check out this eBook. It is not written by me.
VI. Drop Houses
Drop houses are most commonly used when doing something called advanced replacement. This is when the company sends you the product before asking for it back. The only catch for this is that they ask you for a credit card to charge, in case you don't send the item back. This can easily be bypassed by giving them a VCC or Virtual Credit Card. I cannot post VCCs here, but you can google for them elsewhere.
Anyhow, when they send out the product first, you're going to want to give them a drop address. This is basically an abandon house that you can get your product mailed to. The purpose of a drop house is so that they do not bill you. Once they learn that your VCC doesn't have much money in it, they will try to bill your house. That is why you use a drop. So that you do not get billed.
You can find a drop easily, by either looking around your neighbourhood for an abandon house, or by finding a for sale house. If you find a for sale house, an easy trick to make sure it is abandoned is to ring the doorbell, then run and hide. If they open the door, obviously you can't use that house. If they don't try repeating that process 2 or 3 more times at different times and days. Once you are sure that there is no one occupying the house, you can use it as your drop.
Another method is to email a local realtor. Tell them you are looking for a house in whatever neighbourhood you are in, with the owners already moved out. Tell them you want to be able to move in ASAP. Include some detail. Below is an example.
Quote:Hello, XXX. I have seen you as the realtor for a couple of "For Sale" houses recently, and I was wondering if it would be possible for you to find me and my family a suitable place to live in the neighbourhood of XXX. We are looking for a house with a price of $400,000-$800,000, and we are looking for the house to be already empty. We are incredibly sick of living in our current location. Our youngest child, Marla, recently had to be taken to the hospital due to infected cockroach bites she got from the insects inhabiting our apartment. We need to move ASAP.
If the realtor asks you to meet in person, just tell him/her that you want them to show you some available properties in the area via email before meeting in person.
If you are worried about the owners of your drop house getting in trouble, don't be. As soon as they say that the name on the package is not theirs, they will not get in trouble.
You do not need a drophouse for things like food coupons, Microsoft electronics, and other smaller items. It is only if you are doing advanced replacement, or are SEing a high price item such as a laptop.
VII. Protection
Social Engineering can be a dangerous game if you do not take the proper precautions. Here are some things you should do to avoid be caught.
1. When calling, use an internet phone like Skype.
2. Never give out your real name.
3. Use a drop whenever you can, for higher priced items.
4. Use a VPN when doing live chats.
