Niflheim World

Welcome to Niflheim !

  • First 5 messages from new users (pre-moderated user) will be checked for flood/spam before being posted on the forum. Users will also be checked for a multi-account.
    If you want to communicate without delay, get a free Huscarl status (how to get - User Groups), or buy premium status (how to buy - Premium status)

SE THE TRIPLE DIP METHOD


Hiotcek

Publisher
Staff member
Lenderman
Joined
Oct 8, 2020
Messages
4,659
Reaction score
3,071
NL COIN
23,594
1655726842326.png
SEing An Item Three Times In A Row From The Same Company
Every social engineering attack targeting companies that operate on a large scale, such as Logitech, Adidas, Nike, Amazon, SteelSeries, Apple etc, with the Intention to trick their representatives to generate refunds and dispatch replacement Items, must be done with extreme accuracy to give the SE the best opportunity to succeed. If you're not familiar with the online store, or perhaps never dealt with them before, you cannot perform what I call a "blind SE", whereby you have very little to no Idea what you're up against - the claim will prematurely come to an end, specifically when reps follow protocol and thoroughly assess every detail.

As such, It's paramount to "research the company beforehand", Inclusive of establishing "the carriers used to service their deliveries". In doing so, you'd have a very good Insight of what to expect when the time comes to start thinking about how to execute your attack, but that's only half the job done - there's one very Important element that each and every SE cannot do without - namely what's called a "method". If you're reading this as an advanced SE'er, you'd be well aware that methods are the backbone of all SEs, hence they're used to support what you're aiming to achieve - preferably funds credited Into your bank account.

There are an array of traditional methods to choose from, with the most popular being the DNA (Did Not Arrive), the wrong Item received, the missing Item/partial, boxing and the sealed box method - all of which can be formulated with precision by social engineers of all shapes & sizes. However, the same cannot be said for "the triple dip method", that Involves SEing the same product three times In a row from the same company, by combining and using three different types of methods with each attack vector.

Confused? And so you should be! The triple dip method Is NOT suited to those who've just started their career In the art of "company manipulation and exploitation", and If you're part of that equation, I strongly suggest checking out my Beginner SEing Tutorials and when finished, you can continue from this point onwards.

Okay, what you will learn today, Is all about a "standard social engineering attack", followed by "the double dip method" - both of which will prepare you to fully understand the Ins and outs of the "triple dip method" that's discussed towards the end of this article. Don't worry, this will make perfect sense as each topic moves forward. First and foremost, It's vital to familiarize yourself with what a social engineering method entails, so without further ado, let's rip Into It.


What Is A Social Engineering Method?

After researching the company and their carrier that will be delivering your goods, the next step Is to create a "strategy" as to how you're going to deceive the representative for a refund on the Item you're currently SEing. That Is, you need a "plan" that will be used to guide your SE right from the get-go, and the "plan" Is the "method" and without It, your SE will not move forward. Allow me to provide an analogy that you can relate to. We'll say you've bought a computer desk workstation from Walmart that comes with shelves, draws, cabinets etc, In Its collapsed form.

In order to put It together, you'd need the "assembly Instructions" and If they happen to be missing or they belong to the wrong unit, you cannot complete your project. The very same principle pertains to social engineering methods. In this case, the "assembly Instructions" Is the "method" that tells the SE exactly where It's heading, and the purpose It will serve - tricking the rep/agent to approve the claim! Now that you comprehend the way methods are structured and what they're designed to do, you're ready to see a standard social engineering attack In action as outlined below.


A Standard Social Engineering Attack

As per the title of this topic, this Is how a "standard social engineering attack" Is performed In the normal course of events, meaning It's an average run-of-the-mill SE that focuses on refunding or replacing an Item (or a bunch of Items) "once" from a given store/retailer. Essentially, the company will open "only the one claim" with the product(s) your SEing and after It's been assessed and finalized, that's where It ends - no further action Is required on your part. To simplify how It works, I'll demonstrate the DNA method as follows.

As Its name Implies, the "DNA" (Did Not Arrive) method Is used to say that the package that was scheduled for delivery by the carrier driver, did not arrive at your address or drop house. Evidently, you did receive It, but you're stating otherwise for SEing purposes. The good thing about the DNA, Is that It's not tied to any specific product, for the fact that you're purely claiming you didn't receive your shipment, thus the Item weight & dimensions are Irrelevant, but do exercise common sense and good judgement.

For Instance, If It's a huge "1,000 L fridge with a weight of around 180 Kg" and worth In the thousands of dollars, the carrier will not drop It off at the doorstep, but rather make sure It's delivered correctly by taking photos or asking for an OTP (read my guides, both can be circumvented). Okay, when you've received your package, contact the rep/agent the day after and tell him that It hasn't come yet. Under the circumstances, they'll most likely open an Investigation to try and locate the whereabouts of the package.

What they'll do, Is use "GPS/tracking Information" to try and decline your claim, by saying It was dispatched to the right destination, but It's pretty much useless - for the reason that It only confirms delivery to an "address" and NOT to a "person". In other words, your "address" received It and not "yourself", and given you did not personally accept It nor have ownership/possession of the package, your claim cannot be declined solely based on tracking records. As such, a refund/replacement will be forthcoming. That's It, job done, the company was SEd only "once" - which Is how a standard SE operates. Next, we'll take a look at the "double dip method".


The Double Dip Method

As you're aware, when SEing a company In a typical/standard social engineering attack, It's only done "once", and the representative will credit the account for the cost of the purchased Item. However, when using the "double dip method", the SE'er will SE the same company and the same Item "twice", hence "double dipping!". Now this part Is very Important, so pay attention to what I'm saying. A refund cannot be generated on the first SE, because If It Is, you won't have an Item to double dip - the claim will end there and then, therefore a "replacement" must Initially be sent.

So how do you say that you'd prefer a "replacement" Instead of a refund? Well, although many companies give the option to choose one or the other, some reps would rather refund your account, but It's easy to convince the agent for a replacement by simply saying you need the product for a gift. It doesn't get much easier than that, does It? Moving forward, here's how the the double dip method works. For the purpose of this tutorial, I will be referencing the SE'er from a third-person perspective, and not yourself.

Let's pretend the social engineer wants to SE "two AirPods from the same company", without paying a single dime for either of them. Firstly, "he orders just the one pair" and decides to use the DNA method. After satisfying the company the Item was (seemingly) not received, they sent out a "replacement" - meaning another set of AirPods. The social engineer now has two AirPods, but only paid for one. That Is how a standard SE Is performed. Next comes the double dip. The SE'er then calls the company and says the replacement AirPods (that they just sent), are defective.

After going through a few routine troubleshooting steps, the rep/agent asks to send them back. The SE'er uses the boxing method, thus only sends the box without the AirPods. Remember: So far, the social engineer still has two AirPods but only purchased one. The representative thinks that they were stolen In transit, and "refunds the AirPods". As a result of every event, the social engineer has SEd "two AirPods" - one using the DNA method and the other with the boxing method. In other words, he's double dipped! Because he was given a full refund, he now has both AirPods without spending a single penny. Okay, It's time to check out the "triple dip method", which brings me to the next topic.


The Triple Dip Method

Now that you've reached this stage of the article, you're well and truly ready to delve Into how the "triple dip method" Is formulated & executed. And If you think the standard social engineering attack and In particular, the double dip method has Its fair share of difficulties, wait until you see what's Involved with the triple dip method! Before I start discussing It, I'd like to make one thing perfectly clear - due to the nature of Its application, namely the complexities with repeated SEs, It takes an exceptional set of skills to get the job done In Its entirety.

Moreover, Its failure rate Is greater than every other standalone traditional method you've used (or perhaps planning to use), but If you follow this guide every step of the way and fully absorb my advice and recommendations, you'll attain the knowledge needed to use It to Its full potential, thereby achieve a favorable outcome more often than not. No doubt you're eager to rip Into the method, so let's get cracking. If you haven't already realized by Its title, the triple dip Is all about SEing the same Item from the same company "three times" In a row, by using a combination of three different types of methods.

Yes, you read that right - the exact same Item will be social engineered three times at absolutely no cost to you. It's similar to the way the double dip method Is utilized, but In this case, "both the first and second Item must be a replacement", otherwise the method will not move forward towards the third and final part of Its objective - a refund Issued to conclude the triple dip.

Because the triple dip method takes a number of steps to complete, It can be somewhat confusing, so to simplify It for you, I've listed the three dips with their respective methods In the subtopics below. The product that will be SEd, Is an "Apple Watch Series 7". I'll begin by Introducing each method (per dip) - with how the replacement Item succeeded In the first two dips, and the refund In the last dip - ultimately resulting In a "triple dip".


1. The First Dip (Replacement) - Using The Missing Item Method

The missing Item method Is used by saying that the Item ordered from an online store, was missing when the package/box was opened right after It was delivered by the carrier. For example, you've bought an Apple Watch Series 7 with a case weight of 39 grams from (who else but) Amazon, and had It sent to your home by their carrier partner. Upon "opening the box", you'd contact Amazon and tell the rep that nothing was Inside - the watch Itself was missing. Unless the rep/agent Is brain-dead and approves the claim on the spot, there's every chance the company will open an Investigation, and liaise with the carrier who serviced your delivery.

What they specifically check, Is the "weight" recorded at the carrier's weighing facilities - to establish whether the watch was enclosed In the package. But because the Apple Watch Series 7 Is as light as a feather (at 39 grams) It bypassed detection, therefore there was no evidence to suggest It was In the package, and the claim was finalized In the SE'ers favor. Prior to the representative attempting to generate a refund, the SE'er said he lost his credit card and had to cancel It, hence there was no choice but to dispatch a "replacement Item". Clever thinking, yes? I think so too! That's the first dip over and done with, next Is the second dip.


2. The Second Dip (Replacement) - Using The Wrong Item Received Method

Errors In picking & packing orders happen In every warehouse environment, regardless of the company's state of the art logistics facilities and as such, social engineers use "the wrong Item received method" by saying that the product ordered, was not the one that was received. Of course, It was the correct Item, but you're stating It wasn't for SEing purposes. Now you will be asked to return the (seemingly) wrong Item and you'd do exactly that, but It's crucial to be methodical with "the nature of the wrong Item", and not just send something at random.

Here's what I mean. The first thing to do, Is create a fake online account that's not associated to your main/primary account. Next, buy a very cheap Item from the same company that weighs roughly the same as the one you're SEing (In this case, It's the Apple Watch Series 7), be sure It's sent to another address, and "use that as the wrong Item you'll be returning". When the company receives It, It'll be scanned and because It's part of their Inventory, they'll assume they did In fact send you an Incorrect Item. To force a "replacement", use the approach as discussed In the topic above - a lost credit card.

3. The Third Dip (Refund) - Using The Disposed Of The Faulty Item Method

This Is the third and final dip which will essentially complete the double dip method, whereby the SE will succeed with having "three Items In your possession" - all without costing you a cent. In this demonstration, the "disposed of the faulty Item method" will be used, so let's begin. When a product Is purchased that requires some type of functionality to operate, It doesn't always come shipped In Its faultless condition. Manufacturing defects are Inevitable, and although most are fixed during the final Inspection by the quality control team, many go unnoticed and leave the factory with Imperfections, which Is why the disposed of the faulty Item method Is quite effective.

To maximize the SE's success, It's of the utmost Importance to be selective with "the reason why you've disposed of the Item". You'll see what I mean shortly. Okay, after the carrier driver dropped off your package, get In touch with the company and say that the Apple Watch Is dead - no power whatsoever. Under the circumstances, the representative will ask a few questions to try and determine why the watch Is not working, and when It's deemed defective, he'll request to return It - this Is standard practice with almost every online retailer.

Naturally, you're one step ahead of the rep by saying: "The Apple watch exploded and It was Immediately thrown out for safety concerns". Yes, the watch Is susceptible to exploding out of nowhere! In addition to that, you've also mentioned: "I've sustained a burn to my hand, but the doctor said It's nothing to worry about". Can you see what just happened here? You not only used health & safety as the reason for disposing the Item, but also ensured that It (apparently) caused an Injury to your hand.

Companies have protocols In place to deal with customers who report personal Injuries, thus they take health & safety very seriously and as a result, they're obligated to address all Issues at hand. Given your claim of the watch exploding Is factual and certainly justified, the severity of the Incident warrants a refund at the minimum, so be sure to tell the rep/agent to credit your bank account. If he Insists on dispatching a replacement, say that you're fearful of experiencing the same (exploding) episode again, and you'll find he'll generate a refund with very little hesitation. The entire triple dip method Is complete - you have three Apple watches absolutely free!


Method Combinations For The Triple Dip

What you've just had the pleasure of reading pertaining to the methods used with the triple dip, purely serve as an example - for the purpose of allowing you to grasp how the triple dip Is structured and applied. Sure, you can use my combinations with your SEs (that's simply stating the obvious), but because no two SEs are ever alike, the needs, wants and preference of every social engineer differ to some extent. As such, you'd have to formulate a combination suited to your SEing environment, so to help you along the way, I've created three combinations below, and referenced each one to their respective guides. Feel free to pick, choose and swap them around as you see fit.


Combination - Example One

1. The Partial Method
2. The Leaking Battery Method
3. The DNA Method

Combination - Example Two

1. The Infected Item Method
2. The Wrong Item Received Method
3. The Sealed Box Method

Combination - Example Three

1. The Broken Glass Method
2. The Missing Item Method
3. The Boxing Method


In Conclusion

After sifting through the first few topics of this article, you may be under the Impression that there was a lot of off-topic discussions, but nothing could be further from the truth. My objective was to first build your foundation and familiarization with the definition of a method, as well as how a standard social engineering attack Is performed and subsequent to that, the Introduction of the double dip method. Have you worked out why I used this approach?

The answer Is evident - It provided you with the perfect Ingredients to fully comprehend every facet of "the triple dip method", which ultimately puts you In a commanding position to prepare and execute It with the highest degree of efficiency and accuracy. In closing, I'd like to reiterate that due to the complexity of the triple dip method, It Is prone to failure but having said that, you've now acquired the skill set to give It the best chance to succeed - more often than not.

Source - https://www.socialengineers.net/2022/06/the-triple-dip-method.html
 
shape1
shape2
shape3
shape4
shape7
shape8
Top