__________ __ ________________ / _____/ \ / \/ _ \__ ___/___ _____ _____ \_____ \\ \/\/ / /_\ \| |_/ __ \\__ \ / \ / \\ / | \ |\ ___/ / __ \| Y Y \ /_______ / \__/\ /\____|__ /____| \___ >____ /__|_| / \/ \/ \/ \/ \/ \/ [ 1998 - 2010 - Hacking, Phreaking & Anarchy in the UK ] January 12 2010 . Author -=The Firestarter=- ---------------------------------------------------------- [ A theoretical inside job ] ---------------------------------------------------------- (done by me for originally another 'zine - never released) I'm sat here typing the fist article / text that will appear on Urban Terrorist (UT), a lot of the material i have to go in here consists of files and stuff that i've written in the past for past projects, the same goes for material submitted by my comrades. I'm thinking what i can do to set the scene. do i go all out for controversy and release stuff that would be facinating to read, but probably get me locked up, or do i surf the line of "controvercy"and maybe in the future take things beyond freenet; but to do that one must compromise ones anonymity. a tough call. Well any how, lets just see how it goes! Introductions aside, lets look at something that i've noticed about a place i once worked, i'm sure that many people can learn from it. This project would involve fleecing the target company of its assets. in this instance we would chose an IT company, and with a bit of inside knowledge, acquire a whole host of equipment. This whole flaw is based around the company having upgraded its IT system in the last 18 months, and thus, those using it start from day one as far as records go. For example, since the new IT system has been put in place, there are companies out there that once did business with ourselves but have not traded in the last year and a half. You know, all those soliciters that open an account with a company for the simple reason of buying a couple of goods and paying by invoice, then never using it again. Well maybe not solicitors, but other IT companies that have since found better suppliers and moved on. So, the new system goes live, 18 months down the line, there account with us is still active, yet there are no records of them ever doing business with us. ideal. although this scam doesn't really need "node" accounts, any account can be targeted. Now this company, if you have an account, will take your order and ship out the goods either to yourself or directly to your customer. So, working there you soon learn what the routine is. fone rings. "Good morning, whatever company, , how can i help?" "Hi its john, from balls company, account number 1234" "hi john, how can i help" thats all there is too it really. "John" phones up, identifies himself to the person on the end of the phone and places an order, gets it sent to his customer and pays the invoice that arrives at the end of the month. Here we exploit the system. All we need to do is get one of our friends thats lives a fair distance from where the companies based. (this IMHO is vital so that the comapny does not fully suspeect an inside job, but if the company is based in a large city i can't see it mattering.). to set up a drop site where we can have goods delivered. You on the inside provide all of the information on what account numbers or whatever to use for your assailent to identify himself to your companies sales staff. Usually this is mearly his (bogus) name and either company name, account number or post code. now bearing in mind, a lot of companies have people working from home or on the field, when the person that calls has a withheld number or a different one that what is registered to the company, it doesn't look too suspect, neither does it look suspect if they need to call you back on a number other than that of the companies. So, you call up, identify yourself, and get a quote for some half decent bits and pieces. REMEMBER:- target the companies most expensive products that they keep in stock, this allows not only for simple overnight delivery, but also makes you more wedge if you have to sell it on the blackmarket/ebay. Even if you can't use the items that you acquire, with a bit of planning you will be able to sell them. If you can use the shit that you fleece from your company, then all the better. Now, once the order for all the goods is placed and your friend asks to "ship it direct ot my customer", they give them the address of the drop house and asks for a pre 10:30 or even better a pre 9am delivery for the next day. Most companies use external courier companies like UPS to do there dirty work, so the driver won't suspect shit. So the items that are ordered are in stock, they get sent on an overnight delivery to an address of your choice, your friend answers the door, signs for the package with the name "Ivor Biggun" and promptly fucks off with the goods to a safe house for later. *OPTIONAL* call the company that you just ripped off and ask for a POD on the delivery. At this point the purchase has gone thru the companies system and at the end of the month an invoice will be sent to the companies who's identity you've stolen. They will turn around to your company and tell them to fuck off as far as oweing them for something they didn't order, the account will go on hold and if they don't get sued for it, they'll work out it was a scam and have to write off the debt. The thing here is, they may suspect is was an inside job, this usually depends on how the company works/if they're competent/how you pull off this scam. But if done right, its easy to pull of and its easy for your "loving" employer to pick up the tab. *HINTS* When you have your friend call the company, have them call direct a specific person - i.e. the new boy or some incompenent twat you work with that you'd like ot see quizzed by management about a call that cost them coinage 3 weeks ago. - Don't target a company that uses the victim company on a regular basis as the sales staff may either suspect something or mention said order that was placed, pick companies that aren't likely to call in the next few weeks. - If you have to use a purchase order number then make them somewhat match the target company (assuming there is records of past purchases) - Don't take the piss with your order. i'll let you decide on that one. So, to summerise the whole basis of this scam: - you call the company and blag the salesman that your from X company - place an order in an orderly fassion - ask to be sent direct to site - give them drop ship address - ask for pre 10:30 or pre 9:00 delivery over night - ensure someone is there to collect the goods (bearing in mind the courier might well be late) - company who's ID was stolen gets invoiced a few days later - same company bitches about shit they didn't order - victim company disputes this - some form of inquiry goes ahead - vicitim company rights off debt Now even if the police are informed then technially nothing has been stolen so there's fuck all they can do. of course it could also have been a genuine mistake somewhere down the line. easy.