Social Engineering & Fraud: Tips to Mitigate Risk and Other Hacker Tactics.

A Lesson in Social Engineering - How We Were Fooled and Learned to Love Fraud

1. TL;DR

  1. Balanced was fooled by a simple yet clever social engineering scheme a few years ago which involved phone conversations/email exchanges and a marital dispute.
  2. Avoid distractions and misdirections. Focus on the problem.
  3. Train your customer support agents on social engineering. Information must be provided on a “need to know” basis.

2. Some background

The incident happened when we were known as “PoundPay.” Later, we rewrote the entire product and re-branded ourselves as “Balanced,” which differs from “PoundPay” in one key aspect - Balanced is a white-labeled solution. PoundPay, on the other hand, was not: it required the buyer to check out via an iframe and the merchant to register on our web site. We served our own form, had our phone number on the soft descriptor (this is what appears on your credit card statement) and handled all customer support - both phone and email. What I am going to describe happened in one of our marketplaces. Let’s call it

2. The Incident

2.1 Phone Call

We received a call from a woman stating she could not identify the $510.00 charge on her credit card. She did not know PoundPay, blah blah. We asked her the usual stuff - “Do you know about”, “Did you make a purchase of a Star Wars collector's DVD?” etc. She was furious.

2.2 Email contact

So, we decided to ask the marketplace to contact the payer directly and ask him whether he made the purchase and whether this was a misunderstanding (well, sometimes a husband and wife share the same card; the wife makes the purchase, the husband checks the bill and freaks out). So the marketplace sent out an email:

    Hi <Customer Name>,

    XYZ from SellToys here. I represent the online marketplace where your 
    credit card was reportedly used fraudulently (your wife spoke to our 
    credit card processing partners PoundPay). Unfortunately we were unable 
    to stop the item you purchased from being shipped and UPS is reporting 
    that the item was delivered to your address.

    If a package was received please do not open it. Or if you did open it, 
    please return its contents and keep it in a safe place. We will take 
    care of this situation but we will need that item back.

    Please get in touch with me soon. Thanks, and have a nice day!

    SellToys Community Manager

For which we got this response:

    My wife is fucking douche. I feel I need to get divorced. She poisons my life every minute.  
    I don't know what to do with it. I just opened the package and tried to look into it. 
    She whipped a card off my hand and tore it. She just ripped it to shreds. 
    I am lost and desperate.  I hate this fucking goose.

3. Our Preliminary Conclusion

This is just a plain old domestic dispute gone bad. The husband wants to buy something and the wife does not. We will present this evidence to the bank and fight the chargeback if needed.

4. Of course we were wrong, here’s why

Let’s step back a bit and look at a magician’s trick (I promise, this is relevant). So, you have this magician who appears to pull a rabbit out of thin air. How does he do it? You have no clue. What you do know is that there’s a hot, scantily dressed woman standing right next to him. Wait a second. Why did you notice the girl? Duh, she’s right there! But what did you just miss? Weren’t you supposed to be looking at the magician? Well, you thought you were, but you really weren’t, so he just pulled a rabbit from his long sleeve (again, why do all magicians wear long sleeves?). Of course, once you know how he did it, it’s simple; until then it’s magic.

What does this have to do with fraud, social engineering or the incident above? Everything! All the distractions of the bad wife and the irresponsible husband made us ignore the simple truth - what is the true cost of the DVD collection? It happens to be $80, well below the listed price of $510.00, AND it sold out in minutes. In the words of Sherlock Holmes, “elementary, my dear Watson.” This was definitely fraud. As for the wife he wanted to divorce - she is the hot girl who kept us from looking at the magician’s long sleeve.
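The lesson of the paragraph above is that the order facts alone gave the game away: a listed price many times the item's real value, and a sellout within minutes. The following is an added example, not code from the original post or from Balanced/PoundPay, that turns those two signals into a small rule-based screen a marketplace or processor could run on each order before a dispute story ever reaches a support agent. The reference price table, the thresholds, the field names and the sample orders are all constructed assumptions for illustration; it generalizes the post's single incident to any SKU with a known reference price.

```python
"""Added example (not part of the original post): a rule-based fraud screen
that looks only at order facts, never at the narrative around the dispute.
Signals encoded here are the two the post identifies after the fact:
  1. listed price far above the item's real (reference) value
  2. the item sold almost immediately after being listed
All thresholds, prices, SKUs and orders below are constructed assumptions."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed reference prices: what the item is actually worth.  In a real
# deployment this would come from a catalogue or recent comparable sales.
REFERENCE_PRICES = {"star-wars-collectors-dvd": 80.00}

# Thresholds are assumptions chosen for this example, not values from the post.
PRICE_RATIO_LIMIT = 3.0                   # listed price more than 3x reference
FAST_SALE_LIMIT = timedelta(minutes=15)   # "sold out in minutes"


@dataclass
class Order:
    order_id: str
    sku: str
    listed_price: float
    listed_at: datetime
    sold_at: datetime


@dataclass
class Screen:
    order_id: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return len(self.reasons) > 0


def price_ratio(order: Order) -> Optional[float]:
    """Listed price divided by reference price; None when the SKU is unknown,
    so an unknown item is never silently treated as fairly priced."""
    ref = REFERENCE_PRICES.get(order.sku)
    if ref is None or ref <= 0:
        return None
    return order.listed_price / ref


def screen_order(order: Order) -> Screen:
    """Apply the price and velocity rules and collect every reason that fires.
    Deliberately takes no 'dispute story' input: the distraction is excluded
    by construction."""
    result = Screen(order.order_id)

    ratio = price_ratio(order)
    if ratio is not None and ratio > PRICE_RATIO_LIMIT:
        result.reasons.append(
            f"listed price is {ratio:.1f}x the reference price")

    time_to_sale = order.sold_at - order.listed_at
    if time_to_sale < timedelta(0):
        result.reasons.append("sold before listed; inconsistent timestamps")
    elif time_to_sale <= FAST_SALE_LIMIT:
        minutes = int(time_to_sale.total_seconds() // 60)
        result.reasons.append(f"sold {minutes} minutes after listing")

    return result


# Constructed sample orders modelled on the post's numbers ($510 listing for
# an $80 item that sold in minutes) and on a plausible ordinary sale.
SUSPICIOUS_ORDER = Order(
    "ORD-1", "star-wars-collectors-dvd", 510.00,
    datetime(2012, 5, 1, 10, 0), datetime(2012, 5, 1, 10, 4))
NORMAL_ORDER = Order(
    "ORD-2", "star-wars-collectors-dvd", 85.00,
    datetime(2012, 5, 1, 10, 0), datetime(2012, 5, 4, 16, 30))


if __name__ == "__main__":
    for order in (SUSPICIOUS_ORDER, NORMAL_ORDER):
        s = screen_order(order)
        print(order.order_id, "SUSPICIOUS" if s.suspicious else "ok", s.reasons)
```

Running it flags ORD-1 on both rules (about 6.4x the reference price, sold four minutes after listing) and passes ORD-2. The useful property is that the screen runs on data the fraudster cannot rewrite with a phone call or an angry email; the human review that follows can still weigh the story, but it starts from the facts rather than from the distraction.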

5. Summary

  1. Social engineering is about creating distractions. Distractions take you away from the core reality and focus you on the illusion. Watch out for distractions.
  2. It is heavily used by fraudsters. Be careful and train your support agents on social engineering. It goes way beyond the incident described in this post. Professional social engineers have a way of getting information out of your agents, and sometimes this is information your support agent must never disclose. Train all your agents on social engineering.
  3. Within your organization, information must be provided to everyone only on a ‘need to know’ basis. This has nothing to do with trust; it is merely a common-sense way of preventing someone from releasing information he or she really shouldn’t. If you don’t know something, no amount of social engineering is going to get it out of you. The above comment is not directly related to the incident, but something we picked up by talking to fellow anti-fraudsters.