Social Engineering - Account and Blizzard (pt1)

[Skuddle]

********************
NOTES FOR THIS GUIDE
********************

1. This guide is not about scamming. What you do with this information is up to you.
2. This guide is not meant to have you go around and start messing with people.
3. Social Engineering is an art. Treat it as such. You are not lying. The moment you decide to tell a little white lie, becomes the difference between social engineering and a liar.

What Social Engineering is and is not?

Social Engineering is a life skill that alot of people do not have. There also is a large misconception in facts for social engineering. When MMOwned had a scamming section I and a handful of others were the pro's when it came to social engineering. Its also come to my attention that alot of people here don't know the difference between social engineering and lying. There is a HUGE differance between them. I hope to eliminate some things, as well as maybe educate you all on some simplistic things to better your life.

Social Engineering is defined as follows:

Social engineering is the act of manipulating people into performing actions or divulging confidential information, personal information, trust, benifitting from human emotion, and cloak and dagger schemes, rather than by breaking in or using technical hacking techniques; essentially a fancier, more technical way of beating around the bush. While similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victim.

"Social engineering" as an act of psychological manipulation was popularized by hacker-turned-consultant Kevin Mitnick. The term had previously been associated with the social sciences, but its usage has caught on among computer professionals and is now a recognized term of art. Though it can be used to devious and be very... well unfortunate for some. You can use Social Engineering to your advantage. You can use it at your work center, you can use it with your friends.. and you can definatly use it on Blizzard.

How is it used to benifit, but not scam?

This is a grey area. It really depends on your definition as scamming. Since scamming usually means to benifit from ones undoing, and to gain XXX property through the use of mechanics in which you will benifit monetarily while tricking the other party into your lie. You have to be careful. Once again I reiterate, the art of Social Engineering is not lying.. but allowing the victim of the social engineer to follow with your plan. Thus you guide them to the end, rather than scam them.

Ok, so how does social engineering work exactly?

Once again, this depends on the method of Social Engineering. However since I am going to teach you White-Hat methods, here is how it runs down. The goal for this is to hold the persons hand and lead them to what you want. Here are the basic rules.

1. Never Lie ( DO NOT LIE ) the moment you lie, your scamming.
2. If your pushed into a lie or cornered, throw a "Curve". A curve is when you ask a question back, or make the other person uncomfortable.
3. Let the victim party do all the talking.
4. This is the same as 3, listen. LET THEM DO THE TALKING. The more you talk, the more you give yourself away.
5. Do not get frustrated. When you frustrate, you tend to say stupid things. If its not going the direction you wanted, try again when your calm.
6. Don't rush it. Hold there hand, and guide them to your answer

One of the popular examples of all these rules is getting an account unbanned that you are NOT the owner of. If you have great social engineering skills you can easily get an account that is not yours, unbanned without anything more than a Username and Password. You don't even need the email. Bending your words is not lying. Its the art of telling the truth, but changing the order of words to describe the truth.


Ok I think I got it.. give me some examples?

Here is an actual conversation of an account that I had unbanned. The Username was Hobgoblin900, the Password was JumpUp10. This was the only information I had on the account. *Note* This account is no longer used, which is why I do not mind sharing it.

Blizzard CS (CS): Thank you for calling Blizzard Billing Customer Support, My name is Megan, How can I help you?
Kookie(K): Hi Meg, I am having a little bit of a problem with my account and I am pretty sure I need to call you because I was looking on the forums for the site and they said to call billing tech when I need something with my account cause they cannot help me.
// Right there is the start. Start off by making it seem your desperate and looking for help. Megan now, has a little back story in her head. She is assuming I had a problem, and posted on the Customer Service Forums. Right there she also gets a little impression that someone has aided me towards CS. Note that I said, looking not posted.

CS: Sure thing lets take a look at your account. Can I have your first name?
K: Sure can, but I am more worried about some thing else with the account, my account Hobgoblin900 is having some billing issue and I am trying to figure whats going on about it.
// Thats known as a Curve right there. She asked for my First Name, but instead I guided her to account name. She will plug in the name immediatly. And pull up the account looking at the first name, waiting on my response.
CS: I have your account pulled up, can you please verify the First Name and the Last name on the account?
K: Sure my name is Mark *********.
CS: Thanks Mark, unfortuntly your not the account holder so theres nothing that I can do for you.
K: I know I am not the account holder, I am the person who pays for the account, the person on the account is someone I know.
CS: There is nothing that I can do for you at this time as you are not the account holder.
k: Ok, I only had a small question rather reguarding payment. Since I pay for the account I wanted to ensure that I could pay for it since the names do not match.
CS: Oh, are you the parent or guardian of Chris?
// Thats where you just guided them. Suprisingly she gave me the name. Yes I know, this does not always happen. But you are able to roll with it when you let others talk. If you do have the account First name and Last name, then it does go this smooth as you will see.
K: No I am not, I just pay for the account.
CS: I am sorry Mark, I cannot give anymore information about the account that is registered. If you can please have the account owner contact us.
K: Thank you Megan, sorry for your troubles.
CS: Not a problem, sorry I couldn't do anything. Thank you for calling Blizzard Customer Support, is there anything else I can help you with?
K: Not unless you can help me setup the parental controls on the account.
// Once again, this is a curve. She has the account open. She already is there, and she threw out the word Parental / Guardian.
CS: Actually you can do that by logging into the World of Warcraft account management, and selecting the option that says "Parental Controls".
K: I do this on the website?
CS: Yes, navigate to World of Warcraft Community Site, on the left select the option that says Mana...
K: Is there a way that I can do this over the phone? I am not to fancy with the computer thing, all the internet security and all.
CS: Yes we do offer the option of setting up the parental control from the phone. However, it seems the accounts been temporarily disabled.
K: Oh my, for what?
CS: I unfortunatly do not have any information as that is handled through our Account Admin section. If you have a disabled account and wish to dispute or inquire about it you may by emailing [email protected] or [email protected]. Please allow several days for them to respond.
Anything else I can help you with?
K: Nope that is just fine thank you.
CS: Your welcome, have a fantasic day, and thank you for playing World of Warcraft. Good bye.
K: bye.

// What just happened is known as a bread crumb trail. You see, our call that just happened set a staging area for notes. Now there is account history and a note that says that I called CS at XXX time.

Next I contact WoWAccountAdmin with the following email:

To whom it concerns,

My account name is Hobgoblin900 and my last rememberance of a password was JumpUp10. I think it still is the same password since I can access the control panel. I contacted Customer Support and had a few questions. I have been playing this game since 2005, and I remember having XXX character on the account. A little while back someone else was using the account I assume and it was banned. I am not sure how they had access to the account or why they had access but they seemed to be using something at somepoint which was a hack or modification the email said. I was wondering what needs to be done to look at it and see if this was my mistake coming from <insert your IP here>. I am the owner of the account and lost control of the account from XX to XX. What was it disabled
for?

//The email above does seem a little on the lie, however its not. I have been playing since 2005, thats when I started playing WoW. Not since I played the account. I remember having XXX character on the account acts as a guidance point. They will look for the player account name, and put a fictious thought in there head that you are the account owner. its logic. A little while back someone else was using the account, as in the original owner. When you insert your IP it really does nothing but put false logic in someones head. If you grew up calling a banana a yellow, then someone held it up and called it a banana you would call it a yellow. When someone sees that number you threw in, then looks at a log and sees that your number that you login with is not the same number that was banned on trend, it aids in human emotion of sympathy. I lost control from XXX (account creation + a couple months) to (XXX time you purchased or gained account). What was it disabled for.. another poor me call.

The email reply is as follows:

"An investigation of the World of Warcraft account Hobgoblin900 has produced evidence that the computer(s) used to play the account were infected by a virus,

Trojan or keylogger.

To protect your privacy and security, we have temporarily disabled the account for a 24 hour period. During this time, we highly recommend that you follow

the below steps to protect yourself and the account from unauthorized third party access.

- Use up-to-date firewall, antivirus, and anti-spyware software to scan your system regularly for viruses, Trojans, and key-loggers.
- Keep your operating system and other software up-to-date and be careful when downloading new software.
- Be wary of "spoof" and scam websites and e-mails that pose as Blizzard Entertainment and request account or personal information. As a reminder, Blizzard

Entertainment representatives will *never* ask you for your password.
- Keep your login information confidential. Account access can only be shared with one minor of whom you are the parent or guardian. Sharing access with

anyone else is a violation of the game's Terms of Use. You are also responsible for every use of an account on which you are listed as the registered player,

whether the use was authorized or not.
- Use separate, unique passwords for your email, World of Warcraft, and any other online accounts.
- Change your passwords regularly and keep World of Warcraft account information updated using the Account Management page at

http://www.worldofwarcraft.com/account/.

For additional security tips and information, please visit the following sites:

- Account Security: Blizzard Support
- Unauthorized Account Access Policy: Blizzard Support
- World of Warcraft Account Security: Blizzard Support

If you are looking for an added layer of security, we currently offer the Blizzard Authenticator, an optional device that can help prevent unauthorized account access. For more information about how the Authenticator works or how to add one to a World of Warcraft account, please visit the Blizzard

Authenticator FAQ at Blizzard Support.

Please be aware that if viruses, Trojans or keyloggers are found again on computer(s) the account is played from, it may lead to the account being disabled again.

Please contact us at [email protected] if you have any questions or concerns. Thank you for your understanding and cooperation.

Regards,

Account Administration
Blizzard Entertainment
http://www.worldofwarcraft.com"


-------------------------

Hopefully you can all understand how Social Engineering works now. Its a great tool and something that would be a vital asset for everyone to learn at some point in there life. If you have any questions please let me know. I would be glad to help anyone learning this art, as long as its used for NON SCAMMING purposes.

Happy Social Engineering


µKookie

[Trygve]

Really good

[Numi2]

Ive been looking in on social engineering for some time now.
Thanks for this great "guide"

+rep

[Zytan]

Just awesome! Social Engineering is what a lot of people need, it can be used in sooo many ways that it can help you out in many situations. This will be helpful for anyone :P

+Rep you deserve it.

PS: I'll give rep soon, seems I have given too much rep already
PS2: I gave the +Rep now

[Alkin]

Sigh...naive and poor people. I am sorry but i will rain on your parade a bit. Its all interesting and looks smooth BUT you only showed one example as well as it is very possible you got not really bright rep. If she would took a little more time to deduct, she would end this call. First of you deflected a direct question about the name. No person under normal condition will respond the way you did. The first and obvious response for real owners who being asked of their name would be to give it. She should have had all bells ringing in her head that something wrong. Next, she gave you the name. OMG she cant possible be that stupid. Dude you theory is right, but the way you use it, is raw and blunt. I do not believe you can manipulate some one who at least paying attention to what they say.

[Zytan]

Sigh...naive and poor people. I am sorry but i will rain on your parade a bit. Its all interesting and looks smooth BUT you only showed one example as well as it is very possible you got not really bright rep. If she would took a little more time to deduct, she would end this call. First of you deflected a direct question about the name. No person under normal condition will respond the way you did. The first and obvious response for real owners who being asked of their name would be to give it. She should have had all bells ringing in her head that something wrong. Next, she gave you the name. OMG she cant possible be that stupid. Dude you theory is right, but the way you use it, is raw and blunt. I do not believe you can manipulate some one who at least paying attention to what they say.

We might have a debate how stupid people can be. By now you should know there are incredibly stupid people in the world, and I'm not saying those that it because they have problems psychologically, they are just persons, errrr I cant explain it.... Well anyways to be honest there are people in the world that might go on the street and start shouting they have 1000$ in their wallet.
Second, if you can have a batter example you might want to share it to help HIM and US not just flaming like there.

[void07]

Sigh...naive and poor people. I am sorry but i will rain on your parade a bit. Its all interesting and looks smooth BUT you only showed one example as well as it is very possible you got not really bright rep. If she would took a little more time to deduct, she would end this call. First of you deflected a direct question about the name. No person under normal condition will respond the way you did. The first and obvious response for real owners who being asked of their name would be to give it. She should have had all bells ringing in her head that something wrong. Next, she gave you the name. OMG she cant possible be that stupid. Dude you theory is right, but the way you use it, is raw and blunt. I do not believe you can manipulate some one who at least paying attention to what they say.

I'm sorry to say, but that is simply not how call centers operate. If you had ever had any background in such things you wouldn't have posted this.

The rep was fine, she did her job. She did NOT give out any significant information other than the account was closed, which, the caller had already known.

Call centers and help desks are there to serve the customer, not to hang up on them. Blizzard and all other companies who operate help desks and call centers have strict policies that dictate when you can terminate a call and most of them have to do with inappropriate language, an extremely irate customer or harassment. Just because someone dodged a question does not mean they are trying to scam you.

Also, even though she gave out the first name on the account, it is utterly insignificant. It may not even be information they protect under their policies. So now you have the first name... You still need the last name and other information that no rep is going to give you if they value their job.

This isn't the cleanest or the best social engineering i have ever seen but it was effective and that is what counts. Due to the sheer volume of calls these reps take every day it's easy to create these little trails without people paying much attention.

[richieboy]

I am the owner of the account and lost control of the account from XX to XX. What was it disabled
for?

They will look for the player account name, and put a fictious thought in there head that you are the account owner. its logic.

Yeah, you also said you were the account owner, which you're not. A lie right there. Unless you meant ORIGINAL owner. But it's still a flaw, imho. Sorry if I misunderstood you.

[pred.is.god]

Sigh...naive and poor people. I am sorry but i will rain on your parade a bit. Its all interesting and looks smooth BUT you only showed one example as well as it is very possible you got not really bright rep. If she would took a little more time to deduct, she would end this call. First of you deflected a direct question about the name. No person under normal condition will respond the way you did. The first and obvious response for real owners who being asked of their name would be to give it. She should have had all bells ringing in her head that something wrong. Next, she gave you the name. OMG she cant possible be that stupid. Dude you theory is right, but the way you use it, is raw and blunt. I do not believe you can manipulate some one who at least paying attention to what they say.

I say this to a lot of people. you will be amazed at the number of stupid people that there are in the world.
However, dont rely on someones stupidity, but NEVER discount it.

[Zytan]

Yeah, you also said you were the account owner, which you're not. A lie right there. Unless you meant ORIGINAL owner. But it's still a flaw, imho. Sorry if I misunderstood you.

If he is actually the one paying for the account and you play it because someone has GIVEN it to you it means it's YOURS so actually he didn't say any lie.

[Kartio]

Sigh...naive and poor people. I am sorry but i will rain on your parade a bit. Its all interesting and looks smooth BUT you only showed one example as well as it is very possible you got not really bright rep. If she would took a little more time to deduct, she would end this call. First of you deflected a direct question about the name. No person under normal condition will respond the way you did. The first and obvious response for real owners who being asked of their name would be to give it. She should have had all bells ringing in her head that something wrong. Next, she gave you the name. OMG she cant possible be that stupid. Dude you theory is right, but the way you use it, is raw and blunt. I do not believe you can manipulate some one who at least paying attention to what they say.

It was a she, doesn't that explain it all?
*waits for ban*

[Aldun]

Even though it's a nice post, it's still a repost from mine

[Alkin]

Yes i do agree that there is an large amount of not very intelligent people around. Also i agree this is not a psych problem but rather personality or even absence of attention. My point was that if person would pay attention to conversation and follow logic they will get in unwanted situations much less. Also as void07 said i do not have much experience in customer service and yes the girl (Meg) didn't divulge such crucial information but still. BUT it is common seance. If someone avoiding direct question it must be something wrong.

[Zytan]

Yes i do agree that there is an large amount of not very intelligent people around. Also i agree this is not a psych problem but rather personality or even absence of attention. My point was that if person would pay attention to conversation and follow logic they will get in unwanted situations much less. Also as void07 said i do not have much experience in customer service and yes the girl (Meg) didn't divulge such crucial information but still. BUT it is common seance. If someone avoiding direct question it must be something wrong.

Well the thing is that after having answered 100 calls in one day you stop paying attention, maybe you should try to work in a support call center. After the day you will notice you are stressed, and psychologically tired. After that day try to pay attention with crazy people shouting you through the phone because something is wrong. You will start to answer a bit randomly like yes yes or give the true info just to have a rest before the next call.

[Alkin]

Zytan
Ok than it is not Social Engineering that is at work but simple human tiredness))) In that case there is nothing here but being in right place at the right time