Social Engineer Blizzard - Beginner level

[Fisher]

Disclaimer: Information, methods, anything you read bellow is purely for educational purposes. Do not use anything mentioned to steal, scam or otherwise commit a crime. If you use any of the info you find here for unwanted purposes, I will send 5th Echelon after you. Do not attempt to remove a ban from your account using info you can find in the text, fail, and come to me crying, because I'm out of tissues. You may use it to have fun with Blizzard all you want.


Hello everyone,

Today, we'll be talking about social engineering and how to apply it while dealing with Blizzard. First, we'll cover some basics, after that some dos and don'ts, and finally an example of how to put it all to work. This is the first in a series of two guides, while second will come out later, targeting people familiar with basics, as well as people who took a close look at this one and used the time to practice. Lets get started!

1) What is social engineering?

Basically, social engineering is manipulation. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They exploit people. Here's a key difference between the types:

- Good social engineer will probably, with a bit of hassle, get the info they wanted
- Great social engineer will get the info they wanted
- Expert social engineer will get the info they wanted without the people ever making a connection to him or even remembering him

Social engineering requires a lot of techniques, knowledge, patience, where patience is the key. Your primary goal is to obtain unrestricted physical access, so you can not only know everything you want, but alter that information on-site as well. Your secondary goal is to obtain access remotely, which becomes more and more popular nowadays, while kids tend to forget why is it so great to be on the site. You'd be surprised how many people write sensitive info on a sticky note, thinking hackers can't see those.

You remember, when you were a child, or a teenager, and asked for something but were denied? You knew exactly how to show sorrow, what face to make, what body language to use, when to cry, when to be silent, but in the end, no matter what, you'd get what you wanted? Congratulations, you social engineered your parents. Kids are insane social engineers, however, they can only play the emotions card, but they can't assume a different role, such as an authority figure. Only those that figure out how to do this consciously, rather than subconsciously, will advance and learn other techniques. But it's still a fun fact.

2) Adding Blizzard to the equation

Lets not joke around, Blizzard is a huge company. To get started with it, you need to get yourself familiar with them. And by familiar I mean you have to research everything. What were their good moves and bad, what was the opening line of BlizzCon couple of years ago, everything. Only after you get to know them well, you may start to think of strategies and your goals. You may simply be fishing for information, or you may want them to do something for you, weather that something is at a discounted price, or something they shouldn't do at all, such as unban you. That being said, there's a few of methods Blizzard has open as their line of communication:

- Snail mail (useless)
- Fax lines (even more useless)
- Tickets (useless for fishing, good for some types of services)
- Phone line (great for fishing, mostly good for services)

Tickets are useless for fishing information for quite a few reasons. First and foremost: every ticket you write will be read by a different person. So if you had good rapport with Janice, John over here will slap you with a templated "We can't do anything for you anymore" type of reply and close your case. Second, while you try to obtain info, you never want to leave any evidence behind. Partially because the person that you exploited can end up loosing their job, and partially because some companies do keep that information for employee training, so they get familiar with an attempt that succeeded against their colleague, thus making them paranoid and your job a lot harder.

Phone lines are awesome. While this isn't Kevin Mitnick era anymore, people still give amazing amount of information to complete strangers over the phone. What you have to learn is, how to asses someone by their voice and words they use, when they use them, how they use them etc. For example, the operator that answers with
"Hi, my name is Patrick, can I have your E-mail please"
requires a very different approach, and is usually harder to flip than
"Hello there, my name is Jack and what can I do for you on this wonderful day?"
Both of these operators require you to prepare upfront. You need to define your goal, and create a situation where they will reveal the information you are after. Or, if you are aiming for some type of service, create a situation where it's beneficial for them to provide you with it. Weather you play to their emotions, a lawsuit, a fact they lost kabillion players over the past few months and can't afford to lose you as well, doesn't matter. What does matter is that you need to create a "personality" specifically for this purpose, and think as that new persona. Go over the possible conversation in your head until you are absolutely certain you know every possible outcome of the conversation. After that, practice a few times before you make the real call. They can't catch you off your guard. If you created an angry persona, you need to stick it with, no matter what happens.

My usual approach? I act dumb. You'd be surprised what people tell you when they consider you to have IQ 40 and that you'll most likely forget anything they say, as long as you're happy with the outcome. But that's not all. What I love about the approach is that they will forget you ever contacted them as well. Maybe you'll leave an impression making them tell their colleagues "Dude I just had the dumbest customer ever" but that's all they will remember about you. Not what they told you and how you may interpret that. I don't just do it with Blizzard, I do it with most of the people I meet. Results are fascinating, but too long to write here.

Again, Blizzard being a huge company, you can't really do anything you want with them. For anything real (read: worth a lot on the black market, game changing) you would need physical access. Or a person you can flip, but first option is much better. You can, however, call multiple times and based on what they give you find whatever you are after. Just keep in mind the facts: they get more calls every day than your average support team. This means they heard it all, angry customers, crying, all of it. So your job here is to persuade them you are not the same as the next Joe claiming they got it wrong. Nope, you are special and therefor require a special treatment.

This is the 21st century. Information is worth more than money, no matter how low-ranking you think it is. Imagine if we all knew what they consider when they ban people and we adjust our accounts so we never hit the limit. But lets not kid ourselves here. You'd need to be there to know this, however, some other types of info are available. For instance, by now you all know that there's a huge disconnect between Blizzard Development Team and Blizzard Customer Service. For starters, they aren't even in the same building. Devs look at cs agents from great heights, while cs agents have to clean up any mess devs create. So when talking to a cs agent, you will never mention you are affiliated with a dev, that you know a dev, that dev is your cousin, rather, you may mention them in a negative context (not too negative), thus gaining points with whoever you are talking too.

With Blizzard, what you want to do is create a scenario where they will suggest what it is that you want. If you want unban, you create such a scenario where they suggest something like
"Well I don't see what else I can do except unban you, but.."
"Hey, that's amazing, thank you so much, I can't wait to get back in Azeroth!"
Yep, I was impolite to interrupt him, but he'd be impolite disappointing a dumb kid who wants to ride a drake all day long. Humans are a liablity.

3) Lets put it together

What I'm about to write below is a real conversation that happened some time ago, about the same time when they started removing RAF game time more seriously. The account was banned, after a bunch of tickets, there was no luck, so I decided to give them a ring. Here's how it went down:

*Stormwind music plays*
*Click*
David: Hello there, this is Blizzard Customer Support, David speaking, how may I help you?
Jason: Hi there David, this is Jason Storm, I'm calling you about my account [email protected], it appears I can't login anymore! I tried contacting you via the ticket system, however, all I got was bunch of replies that were very similar but didn't help me at all. Could it be possible for you to take a look?
David: Sure Jason, give me just a moment here to load up your account information. Ah, there we go. Would you mind answering your secret question for me - What was the name of your first pet?
Jason: Sure, my first pet was named Timmy
David: Thank you Jason. Well it appears your account has been permanently banned from our servers for...
Jason: Wait banned? What do you mean banned?!
David: Jason, could you tell me, how do you apply game time to your account? Do you buy it via credit card or apply game time codes?
Jason: I buy it from some guy at a local net caffee, I don't have a credit card, and my town is small so I can't buy a game card anywhere
David: So how does that work? Does he give you a code you enter?
Jason: Oh no, I go to the net caffee, pay him, login and leave. By the time I get home, my game time has been added. I always thought he did that for security, so nobody can figure where he keeps his game cards
David: Right, well Jason, your account was review by our recruit a friend game time team and it was flagged, as it showed signs of system abuse. This means that the system was used in a way that's not correspondent with our terms of service, and that's why it was suspended. Now, I've removed the ban from your account, but you should be cautious in the future
Jason: Okay, so I have to find a different way to buy game time and I'll go beat up the guy at the net caffee, thanks a lot for that!
David: Hold on a second Jason, I wouldn't suggest such an extreme measure, but you should avoid buying shady game time at all costs
Jason: I sure will, thanks a lot for this David. Have a great day!
David: I will, you too Jason, bye now!

Oh, so you have a team that handles recruit a friend game time? I didn't know that, thanks buddy! Now, for a social engineer, this can't be enough. You did everything proper, now you just have to validate this information by calling one or two more agents and creating a situation where they will confirm this. It can be as easy as "I want to speak to the team that's in charge for recruit a friend services". Remember, always a different identity, always a different situation. And write shit down. Or else you will mess up.

As for getting them to do something for you, such as unban you, it's a matter of getting your facts straight and creating a situation based on them. Something you should never do is admit you are guilty and beg for a second chance. That's just wrong. Instead, deny, demand a senior officer, whatever, but don't admit to anything. And don't push it. Blizzard has sent police to the few homes of the unlucky beginners that said they will kill themselves if they don't get unbanned. So be careful. One way or another, if you don't know what you are doing, I'd suggest you hire an expert in the area, rather than attempt to do it yourself, as if you fail, the account is gone, not even an expert can help. As for the debate about how all unbanners and/or similar service providers are cons, that's not always the case. How to tell if the guy selling you such services is legit? After 5 minutes of talking to a real social engineer, you'll feel they are your friend forever, be compelled to thank them even if you paid already, or have this uncontrollable desire to put their picture in your wallet. Or something along the lines. If you find yourself having second thought while talking to someone who claims they are social engineer, walk away. Simple as that.

4) Aftermath

So, for the purpose of this tutorial, lets say you obtained insane info from Blizzard, verified it, the whole 9 yards. Don't go bragging about it, that's what a child would do. Use it, abuse it, sell it, but do something and do it fast, as information, no matter how valuable, have an expiration date. What if you found out that Blizzard takes into account how many nodes you mine per hour when they decide who they ban? And after the next update, mining gets removed from the game. Okay, that was a stretch, but you are picking up what I'm putting down. Don't social engineer just for the purpose of it, you're wasting time that way. One other thing is always cover your tracks. Always. No matter how small info you just snatched (extension for the directors office) make the person forget about it. In case they don't, and in case they somehow figure out what happened, they will report it and the protocols or methods will change immediately. Once a high ranking employee gets fired, all passwords he could have known get changed an hour later. Same principle applies when they figure out someone has insider info - it gets changed. So act quickly!

Thank you for taking time to read this. If you came to this part, you won't mind participating in a little experiment. In the comments below, write have you liked the text. And if you have, does the text contain any actual information, any specific guides, or just a lot of well combined common knowledge? Now look at my signature. Exactly.

Peace!

[CryptoCombat]

Great guide. There's some master social engineers over at the hackforums. Seen similar guides there too.

[Fisher]

Great guide. There's some master social engineers over at the hackforums. Seen similar guides there too.

Thanks =) I'll do my best to show some interesting stuff in the advanced version =)

[CryptoCombat]

Thanks =) I'll do my best to show some interesting stuff in the advanced version =)

My hardest obstacle to overcome in social engineering is staying 'in character' and not getting annoyed about being treated like I'm braindead when playing the stupid card.

[yoyoyo]

Excellent read! +3rep

[CreativeXtent]

Great guide. There's some master social engineers over at the hackforums. Seen similar guides there too.

99.999% of anyone on hf are morons... sorry.


on topic, thanks for the topic, easy stuff

[Fisher]

My hardest obstacle to overcome in social engineering is staying 'in character' and not getting annoyed about being treated like I'm braindead when playing the stupid card.

Hah =) In your core, you gotta not give a single **** what people think about you. Helps a lot =)

99.999% of anyone on hf are morons... sorry.


on topic, thanks for the topic, easy stuff

Anytime, stay tuned, next one might be more interesting =)

[GoldGoblinSales]

I enjoyed the read though it's not really a guide. Well, to be fair, you can't really put Social Engineering on a step-by-step guide.

So after reading it I'm kinda paranoid(not really paranoid, but similar) as to not knowing what to think:

First what came to my mind is "Okay, this text contains something that makes me subconsciously like the author" which seemed appropiate though not really a big hassle.

Second thing that came to my mind is "Great read, but what about the author?" If he knows all of this which is moreso general stuff and nothing too specific then he must know a ton of tricks to break people down. Hell, maybe this is one of the kinds of answer you expected and I'm just another gear in the machine.

Third thought was "Okay, this guy runs an Unbanning Service, right? He's obviously good at it, so this must be Content Advertising." So yeah, I came to the conclusion that this one thought was the most accurate combining the first and second. With Content Marketing being more effective nowadays than conventional marketing and remembering all I knew about the subject I figured this was the perfect bait.
-"Let's make them think they know what the pros know and come to me once they fail." Or something among those lines. However, it is quite obvious that although you gave us a good starter kit, it's not nearly enough for a normal person to pull it off properly.
Though you were cautious not to go overboard with the "unbanning" references, the regular reader of this piece of work will think "YIZZZ I can use this to get unbanned" Instead of "Maybe I can obtain some massive information to never get banned again". Which leads them again to you unbanning them once they failed.

I'm not pointing fingers or anything, just tried to break down the article a POSSIBLE line of thought. I'm not claiming I'm right, maybe I'm just an over-paranoid post-ruining douchebag.

Nevertheless, the read encouraged me to learn more about Social Engineering so thanks for that

[Sephiroth]

I enjoyed the read though it's not really a guide. Well, to be fair, you can't really put Social Engineering on a step-by-step guide.

So after reading it I'm kinda paranoid(not really paranoid, but similar) as to not knowing what to think:

First what came to my mind is "Okay, this text contains something that makes me subconsciously like the author" which seemed appropiate though not really a big hassle.

Second thing that came to my mind is "Great read, but what about the author?" If he knows all of this which is moreso general stuff and nothing too specific then he must know a ton of tricks to break people down. Hell, maybe this is one of the kinds of answer you expected and I'm just another gear in the machine.

Third thought was "Okay, this guy runs an Unbanning Service, right? He's obviously good at it, so this must be Content Advertising." So yeah, I came to the conclusion that this one thought was the most accurate combining the first and second. With Content Marketing being more effective nowadays than conventional marketing and remembering all I knew about the subject I figured this was the perfect bait.
-"Let's make them think they know what the pros know and come to me once they fail." Or something among those lines. However, it is quite obvious that although you gave us a good starter kit, it's not nearly enough for a normal person to pull it off properly.
Though you were cautious not to go overboard with the "unbanning" references, the regular reader of this piece of work will think "YIZZZ I can use this to get unbanned" Instead of "Maybe I can obtain some massive information to never get banned again". Which leads them again to you unbanning them once they failed.

I'm not pointing fingers or anything, just tried to break down the article a POSSIBLE line of thought. I'm not claiming I'm right, maybe I'm just an over-paranoid post-ruining douchebag.

Nevertheless, the read encouraged me to learn more about Social Engineering so thanks for that

In regards to your third though, Fisher had terminated his Unban Service quite some time ago.

[GoldGoblinSales]

In regards to your third though, Fisher had terminated his Unban Service quite some time ago.

Welp, you got me then ^^ I wasn't aware

[lordangelo1019]

great post.. read from top to bottom +rep

[Fisher]

... don't wanna long quote ...

Dude you're awesome I like how your paranoia works, I swear, it hits me too like that sometimes =) The line of thought was similar to that one, except the unbans part, as Sephi said I terminated it long ago, I just mentioned it a few times to stress the important of not trying it yourself and coming back here blaming "my method" for failing to restore the account =)

As for the rest, this is just a beginners guide, well more of a "How-to" and "How-not-to". With the exp I had, a whole lot of people make same mistakes talking to Blizzard, so I'd just thought to point out some basics here, lay it out for everyone =) I do plan on doing a more advanced version, just a bit busy now. It's extremely hard to put stuff like this into definitions when there's endless examples and thought processes to get you anywhere, and it's extremely engineer/mark dependent. But this is some general, some "why the hell not" stuff. Extremely nice catch, about content marketing. I did something similar on a different forum, where you need to pay to advertise your stuff, nobody caught it yet =D Good work!

By breaking stuff down like that, you learn. By analyzing anything and everything, you progress, no matter how small the step may be, it's always a good job, so you aren't an over-paranoid post-ruining douchebag, just keep it up =)

Peace!