In today's complex world of social engineering online stores by fooling their reps/agents to credit accounts when they're not supposed to, or get them to dispatch replacement Items free of charge, there's a lot Involved even before the attack vector takes place. Things like "researching their terms" to Identify vulnerabilities and establish how they operate with their refunds, warranty and replacement policies, as well as "finding a method that's well-suited to the Item that will be SEd", all play an Integral role to ensure the SE remains on target and heads In the right direction towards a successful outcome. Believe It or not, all that must be done prior to executing the attack and before getting In contact with the representative who will be handling the claim at the time.
If you haven't worked It out already, I'm referring to SEing companies on a very large scale to the likes of Zalando, Amazon, John Lewis, Currys PC World and the list goes on- all of which are susceptible to exploitation, but only If you have the aforementioned elements ("research & method preparation") applied to perfection according to the environment of the company In question, and the Item you're going to social engineer. In other words, you cannot perform what I call a "blind SE", whereby you have no Idea how the company operates, nor have any Information of the Item's packaging, weight & dimensions- your SE will fail before It has the opportunity to begin. Sure, some reps are brain-dead or simply lack common sense and approve claims on the spot, but for the most part, you will have the need to circumvent & manipulate quite a few obstacles whilst your SE Is In progress.
In order to maximize the success rate of your SE and give It the best chance to work In your favor, It's of the utmost Importance to "formulate your method against the nature of the Item you're planning to SE". That Is, It's not as simple as selecting the first method that comes to mind, and expect everything to run smoothly. There's a lot to consider and some methods are processed with an extraordinary attention to detail, one of which Is the objective of this article named the "boxing method", also known as "boxing" or "box" on Its own. If this Is the first time you've heard of It, I'd say It's very safe to assume that you're at a complete loss as to what It's all about, and rightly so- the method's title doesn't really denote Its purpose. Reset assured, I've got you covered. I will explain all there Is to know about It, so let's begin with Its Introduction.
What Is The Boxing Method?
Even If you're an advanced SE'er who's used this on many occasions, I have no doubt that there are some details that're unbeknownst to you, so do take the time to read this thoroughly. Unlike a few other traditional methods such as the missing Item/partial, wrong Item received method and of course the DNA that do not require much (If any) preparation on your end, the "boxing method" Is quite the opposite- which I'll elaborate on It shortly. First you need to familiarize yourself with Its definition, and how It's used against your target. As a general example, here's how It works. When the carrier driver delivers your package, you contact the company a little while later and say that the Item you've received, Is not working. Evidently It's fine, but you're just saying It Isn't for SEing purposes.
The rep/agent will then go through a few troubleshooting steps, which you'll remain adamant that It's still not functioning and after he's satisfied that your Item Is defective, he will arrange a refund or replacement but "only when your nonfunctional Item Is returned". Obviously, you have no Intention of doing that and that's when the "boxing method" comes Into action by returning your box/package without the Item, and making It look as though It's been tampered with during shipment. To do that, cut It on one side and seal It with different colored tape, and when the company receives It, they'll think that someone stole your Item at some point In transit and provided they take responsibility for loss of goods, they'll Issue a refund or send a replacement Item. This Isn't as easy as It sounds- It must be prepared by leaving no room for error, which brings me to my next point as per the topic below.
How To Prepare The Boxing Method:
As you're aware, the boxing method gives the appearance that you did the right thing on your end by complying with the rep's Instructions and returned your Item. However, at some stage of the delivery, someone ripped open the box, took your product and to cover up his actions, he quickly sealed the box with tape thereafter. Naturally, the entire scenario didn't happen, but rather It's "what you want the company to believe" thus In order to make your events as realistic as possible, It's paramount to use a well-calculated approach when formulating your (box) method and here's how you do It. First and foremost, "you must have knowledge of the precise weight of your Item"- as this will determine how the method will be prepared and depending on how heavy It Is, you will be using "one of two procedures" to put It together. Let's start with the first one as follows.
Using A Very Lightweight Item:
If your Item Is extremely light and does not register a weight on consignment, meaning It cannot be detected by the carrier's weighing facilities at their depot, you'd send an empty box on Its own with nothing else enclosed. Do remember to cut It on one side and seal It with different colored tape! Essentially, when the company receives your return and decides to open what's called an "Investigation", whereby they'll liaise with the carrier to check the weight of your package, their findings will be Inconclusive- for the reason that your Item Is so light, that It cannot be recorded on their scales. Remember: "You haven't sent your Item- only the box!". Because your Item weighs next to nothing, It's Impossible for the company & carrier to conclusively say that you did not return It. As such, they'll assume "that It was In the box" and due to the package being consistent with tampering, they will also think that your Item was stolen.
On the above grounds, they'll have no choice but to give you a refund or dispatch a replacement Item at no extra cost. The question I keep getting asked by SE'ers of all shapes & sizes Is: "What's the maximum Item weight I can use with the box method?". My recommendation Is not to exceed "120 grams", and that's actually pushing It to Its absolute limit. Personally, I'd prefer you work with a product that's In the range of "50-80 grams", which has proven to have a very high chance of success. But what If you're looking to SE something way over the above figure- perhaps a GHD ceramic hair straightener at "900 grams?". It's too heavy, so you must substitute It with a commodity of equal weight, namely "dry Ice", so we'll see how It's done next.
Boxing With Dry Ice:
Before I make a start on this, you need to understand what "dry Ice" Is all about and why It's so effective when "used as a weight substitute". I'll provide an example that you can relate to. When you've attended a birthday party or someone's wedding, have you witnesses a kind of foggy or smoky atmosphere on the dance floor? Of course you have. This Is In fact, the result and effect of "dry Ice"- which Is "frozen carbon dioxide In a solid form". Now when It's exposed to external conditions, such as being placed In a box that Is not airtight, It turns to "gas"- which Is called "sublimation". Unlike normal frozen Ice (that you have In your freezer) that melts Into water If you take It out and leave It lying around the kitchen, dry Ice Is quite the opposite- It does not melt, but rather "turns directly to gas" and doesn't leave anything behind- water or otherwise.
That's precisely why social engineers use It with the boxing method- when It sublimates (turns to gas), It leaves no trace that It ever existed, hence there's no evidence to suggest that It was used at the time of the SE. So the way you prepare and apply the box method with dry Ice, Is really quite simple. Let's say the Item that you're supposed to return Is "900 grams" which Is obviously too heavy, therefore you'll add dry Ice In the box (to take Its place) that's a little bit heavier- just to allow extra time to sublimate (turn to gas) when your package Is In storage. As mentioned In the other method above, you'd then tear the underside of the box to a length that's slightly bigger than your Item, and seal It with different colored tape.
This gives the Impression that someone took your Item when your return was In transit and when the company receives your package, the dry Ice would've turned to gas, thus they're left with "only an empty box". No doubt, they'll notice that your package/box Is not In perfect condition and after seeing that It's been taped, It Indicates that some Individual opened It, grabbed your Item, and re-taped It thereafter. As a result, they don't have anything to try and decline your claim, so expect your account to be credited for the full cost of your purchased Item or If you prefer a replacement, you can ask the representative to send one out to you. It doesn't get much easier than that. Now the boxing method, Is not all sunshine and rainbows- there are certain events that may happen beyond your control, which I've covered In the next topic.
What To Expect With The Boxing Method:
Every method has Its pros & cons, some of which flow rather smooth with minimal disruption, while others trigger all sorts of events that Inevitably require the SE'ers undivided attention to make sure the SE has a successful outcome. The boxing method Is certainly part of the latter, whereby there will be a series of events that take place whilst the SE Is In progress, hence It's crucial to comply with all requests from the company's representative. For example, apart from SEing very low value Items costing only a few dollars or so, It's almost guaranteed that an "Investigation will be opened" when social engineering mid to high value Items and as such, you must agree with (almost) everything that Is asked of you- a commonality being a "PR", meaning a "police report".
You'll find that It's part of many Investigations and needed when your claim Is being assessed, however a lot of SE'ers are reluctant to provide one- for the reason that they think they'll get In trouble with the law. I can assure you that nothing could be further from the truth. The PR Is simply a bit of paperwork that's required by reps (as per their protocol) to move forward with your claim and nothing more, but If you don't get It done, your claim (most likely) will not go any further and will eventually be declined & closed. So when you're asked for a police report, head over to your local police station and file one. You can also do It online by completing the report with the relevant details, but depending on where you reside and If It needs to be done locally, not every police station allows you to file a report on the Internet. Whichever option you choose to file a report, rest assured, there's no cause for concern.
In Conclusion:
Due to the length and context of this article, you may be under the Impression that It's an extremely difficult process to prepare and apply the boxing method, but If you've followed my guide, you shouldn't encounter any Issues with tearing the box and sealing It with different colored tape to make It appear as though It's been tampered with during shipment. The part that requires fine attention to detail, Is when using "dry Ice"- you've only got one shot to get It right, thus It must be perfected on the very first attempt. If you're not too confident with It, perform a "practice run" (trial SE), by using a friend's house as the delivery point and calculate the amount of time It takes to sublimate from sender to receiver. This will give you a good Indication of what to expect when It's time to SE for real.
