Saturday, January 26, 2019

Zeitgeist—"The Darkest Web: Confessions of a 'Social Engineer'"

The things people do in pursuit of money can be deeply fascinating, witnessed in this article by hanging out at the intersections of creativity, technology and psychopathy.
From the now sadly defunct The Kernel, February 21, 2016:
When he was just 16, Jonah made hundreds of thousands of dollars ripping off some of the world’s biggest tech companies. A self-described social engineering expert, he boasts that he could steal practically anything with just a laptop and a cellphone. He made a small fortune on an online black market. He vacationed in Switzerland, toured Paris and Rome, and crashed in luxurious Las Vegas suites, always under an assumed identity. His family and friends wouldn’t see or hear from him for years at a time.
“I made thousands, money whenever I needed it,” he boasts. “I could social engineer anything. Anything I wanted.”
Now in his early 20s, Jonah—not his real name, of course—works at a private security firm, protecting the same companies he once robbed. On the condition of anonymity, he agreed to talk about the methods he once used as a criminal.
Part theater and part science, social engineering is the method by which hackers, for lack of a better term, exploit vulnerabilities in human psychology; for Jonah, it was a key to getting anything he wanted, from televisions and laptops to smartphones and expensive wines. One of his largest takes netted him around $60,000 worth of product, he says. He showed me a Rolex Daytona watch—part of a gallery of stolen goods he’d photographed in his bedroom—which retails on Amazon for around $26,000.
Whether through face-to-face interaction, by phone, or by email, the human gatekeepers of any network can be exploited—if you know how to play the game. They’re the weakest link in any company’s security.
Almost every major electronics company is vulnerable in nearly the same way: They all have warranty-based replacement systems that can be exploited. Most companies, for instance, don’t require a defective item to be returned before mailing out its replacement. It’s likewise difficult to prove that an in-warranty item has been lost or stolen.
Through repeated phone calls, social engineers develop strategies for navigating a company’s customer help line. They get a feel for which sob stories and which “yes” or “no” responses will work best toward achieving their objective. Intelligence, temperament, and even humor all come into play. The questions and responses are then mapped out, as if composing a flowchart, with the goal of expediting the con.
By ensuring that products can be easily replaced, in the interest of good customer service, these companies have created—perhaps unavoidably—gaping flaws in their own security.
“All the big companies—Apple, Microsoft, Razor, HP, Sony, Phillips, Casio, Rolex, Samsung—they’re all vulnerable to warranty exploitation,” Jonah says.

At this very moment, the world’s top tech manufacturers are unwittingly shipping hundreds upon thousands of dollars in free merchandise all over the world to people like Jonah. Most of them, he says, are teenagers with too much time and not enough supervision. This scam, which relies heavily on a universally flawed warranty system, has been streamlined by hackers with a high degree of technical sophistication. Now almost anyone can do it—and thousands of people are, every day.
“The problem is pretty big,” Jonah says. “There’s a lot of people doing it. It costs nothing to provide no security, so the companies just ignore it.”
A social engineer shows off his “massive 7-day haul” on a “bragging rights” forum.
According to Jamie Woodruff, the chief technology officer at Patch Penguin, a London-based cybersecurity firm, hundreds of social engineering websites exist, dedicated to the types of scams Jonah describes. “There are numerous invite-only sites online where you can learn how to rip off companies like Amazon,” he says. “Everything you need, from the method, to stolen PayPal accounts and credit cards, can be either purchased or traded for.”

In his free time, Woodruff monitors social engineering websites, studying the black markets where techniques are bought and sold. He says Amazon is one of the more vulnerable companies, because comparatively, it requires very little effort to steal an Amazon account, which can then be squeezed for all it’s worth.
“I started learning and putting my own ideas into it, my own twists on the companies and the exploits.”
“I’ve talked Amazon into resetting people’s passwords with only three pieces of information: a name, home address, and an email address,” Woodruff says. “The thing is, customer support is there to help people and make it easy for their customers, but in the end they’re making it easier for hackers as well.”

After weeks of fishing for an invite, I gained access to socialengineered.net, a social engineering forum where PayPal and Amazon accounts are bought and sold for $10 or less. It was on a private forum like this one, called AstroPID, that Jonah learned how to acquire everything he wanted but couldn’t afford. There, in 2011, users exchanged tips on how to use social engineering on customer service agents. The site has since been shut down....MORE