*Effectively manipulate emotions
*Word dropping
*Let them think they are in control
*Design of email and website
-----------------------------------------------------------------------------------------------
Effectively manipulate emotions (email)
When you have gotten someone to view your web page you have one chance to get them to do what you want, and most
people will probably make a decision of whether or not to stay on your site within 5-10 seconds.
[Tip] Your target has probably never had to use the 'account recovery' section of the site you are trying to spoof, which
is why it is better to design for speed than for similar appearance to the valid website [/tip]
One of the most effective emotions you should be trying to manipulate at this point is fear: the fear that
someone out there has done something that could have them lose something they value, i.e. money or a game account.
A mistake a lot of people make, I believe, is to make the account recovery page (of their phisher) look just like the
one on the website that you are spoofing. This should not be your main strategy; what should be is convenience and speed.
If someone has gone to your page then there is a very good chance they have the intent to 'save' their account. They
are trying to do this very fast; the slower they go, the longer they have to consider what they are doing.
-----------------------------------------------------------------------------------------------------
Word Dropping
There are a lot of books on the effects certain words have on people. One of the more interesting ones is the word
'because'. This would best be applied in an email when you are phishing. Here are two examples:
1) Accountphisher.com needs you to verify your account. Do it here accountphisher.com
2) Accountphisher.com needs you to verify your account because it may be terminated. Do it here accountphisher.com
Using the word 'because' will improve your turnout greatly, not for any logical reason, but psychological research has shown it.
This is only an example; it won't really get you any accounts, but obviously apply it wherever possible to make it seem less suss.
Use words that produce fear: account termination, stolen, criminal activities, etc.
--------------------------------------------------------------------------------------------------------
Let them think they are in control
This is important because people who think they are doing something of their own accord will be much more likely to
go further. So try to make the whole format of whatever media you are using (website, email) look more like the person
using it has made the decision to go 'recover' the account because THEY wanted to do it (out of fear nevertheless) and
not that the author of the website or email is trying to persuade them to do so.
[Tip] Don't bother with things like keeping up with the ads that are on the real site; remove them altogether, because
your target may notice if you happen not to keep those ads updated [/tip]
When your target clicks the link to your website, have it go straight to the 'account recovery' section, not to the
homepage.
Also I recommend not making things too difficult for them, like if you have ever gotten rick lol'd or whatever, where
you have to shut down Firefox and things like that, because really the people you are targeting are most likely not
the most tech savvy, and then there is a better chance they will take the problem to someone who is, such as the IT dept. or
a friend, who may then report your site or things to that effect. People know that things like phishers exist, so
if they do actually realize that it is one, you want them to think they have outsmarted the 'hackers'. They will feel
good about themselves and probably not bother going to the trouble of reporting it because it's "too much time" or
"it didn't actually do anything to me", so what you have done here is actually reduce the urge for 'revenge'
or 'justice', which is a psychological aspect to take into account.
-------------------------------------------------------------------------------------------------------------
Design of email
An important aspect of phishing will be your email. In most cases your phisher will not show up in the first couple of
pages in search engines, and you will not want the trouble of putting the link out in forums manually (in which
case you will either have very few posts or get a bad reputation).
Some important aspects to consider when creating a 'spam' email are these:
1) Spelling: spam is known for having poor spelling; don't let this be a red flag in your email.
2) Spelling: No, you don't need to use l33t speak to get past filters, i.e. Viagra, V1agra... myspace, rnyspace; there are better ways.
Here is a podcast that covers the topics (along with other things, but worth hearing) http://www.binrev.com/radio/archive/binrev020.mp3
3) Font Size: Use a standard professional size font like 12 point or so; an email with 36 point font and exclamation marks after every sentence just isn't going to sell!!!
4) Logos: While using logos from the company you are spoofing is a good idea, why not edit maybe one pixel or so, just in case filters check images (I don't think they do, but it sounds like something they might do; really I have no idea, but why not take that step).
5) Flashing Icons: This is just a bad idea, and nobody is going to click a flashing gif claiming you are the one zillionth person to visit their site and you need to collect your prize.
Design of website
Most of the concepts for website design are the same as they are for the emails.
One idea may be, instead of having the phishing site be
http://www.t35.com/wowaccountrecoverypage
have it be
http://www.t35.com/session79237383893208
or something to that effect; it's less likely to be in use already (actually it's virtually impossible) (another cool thing is the hex address; search forums, great tip)
and it looks legit. I mean, session implies security, right? And security means encryption, doesn't it?
So why would a phisher have encrypted sessions? They wouldn't, which means this must be legit.
If you want to be really pro about it you can register the site and host it so it's http://www.session79237383893208.com,
but I don't recommend that because it costs money, and it could leave a paper trail (never use my credit card online when scamming, use VCCs).
Also if someone did ever investigate it you would seem like a more serious criminal, instead of a kid out to steal a
couple of game accounts.
Also, while it's true colors affect people in a certain way, it's better to have the phisher look like the actual web site
being spoofed (common sense).
Hope this helps people. I really enjoy psychology, and that's my hobby after hacking and things like that.
Here are some references if you want to learn some really cool things about psychology.
-Anything written by Carl Jung (Freud is a bad person to study, if you have ever heard of him)
-How To Get Anybody To Do Anything by David J. Lieberman
-books on Logic for college students (I have a couple but they are mostly the same)
-Art of Deception; I am sure most of you have heard of this. Books on 'social engineering' are a lot different than ones on 'psychology'.
These books will definitely help people get started in psychology. The difference between learning this and just applying
what I wrote in this guide is similar to using a Trojan: it gets you what you want, but you would be able to do a lot
more if you just learned how to make your own rootkit.
Enjoy!
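As an added example from the defender's side (not part of the original post or any project's code), here is a small heuristic that scores an email body for the lure features the guide above relies on: an account verify/recover request, fear words, a 'because' justification attached to the request, and links to a free host or a session-style numeric path. The sample emails and the free-host list are constructed for the example; thresholds and lexicons are assumptions to tune for your own mail flow.

```python
import re
from urllib.parse import urlparse

# Patterns drawn from the lure features the guide describes.
REQUEST_RE = re.compile(r"\b(verify|recover|confirm|validate)\b[^.!?]{0,40}\baccount\b", re.I)
FEAR_RE = re.compile(r"\b(terminat\w*|stolen|criminal\w*|suspend\w*|banned|ban|locked)\b", re.I)
BECAUSE_RE = re.compile(r"\bbecause\b", re.I)
URL_RE = re.compile(r"https?://\S+|\b(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.I)
SESSION_PATH_RE = re.compile(r"/session\d{6,}", re.I)
# Constructed list (assumption): free-hosting domains treated as risky; extend for your environment.
FREE_HOSTS = {"t35.com"}

def host_of(url: str) -> str:
    """Hostname of a URL or bare domain, with a leading 'www.' stripped."""
    if not url.lower().startswith("http"):
        url = "http://" + url
    host = urlparse(url).hostname or ""
    return host[4:] if host.startswith("www.") else host

def score_lure(body: str) -> dict:
    """Return a score and the reasons behind it; higher means more lure-like."""
    score, reasons = 0, []
    request = REQUEST_RE.search(body)
    if request:
        score += 2
        reasons.append("account verification/recovery request")
    fear = sorted({w.lower() for w in FEAR_RE.findall(body)})
    if fear:
        score += len(fear)
        reasons.append("fear words: " + ", ".join(fear))
    # The 'because' trick: a request followed by a stated reason.
    if request and BECAUSE_RE.search(body[request.end():]):
        score += 1
        reasons.append("request justified with 'because'")
    for url in URL_RE.findall(body):
        host = host_of(url.rstrip(".,)"))
        if host in FREE_HOSTS:
            score += 2
            reasons.append(f"free-hosting link: {host}")
        if SESSION_PATH_RE.search(url):
            score += 2
            reasons.append("session-style numeric path in link")
    return {"score": score, "reasons": reasons}

# Constructed sample bodies: the guide's two 'because' examples and a benign notice.
SAMPLES = {
    "no_reason": "Accountphisher.com needs you to verify your account. Do it here accountphisher.com",
    "fear_because": "Accountphisher.com needs you to verify your account because it may be terminated. "
                    "Do it here http://www.t35.com/session79237383893208",
    "benign": "Your monthly statement is ready. Log in at https://example.com/statements whenever it suits you.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(name, score_lure(body))
```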
Very well written mate.
I liked it a lot.
I've been studying psychology for about 3 months myself.
But we haven't learned anything about social engineering yet.
I find it strange that you'd choose phishing instead of direct scams. Honestly, I do not feel that psychology is involved at all in good email phishing. Just use a good fake emailer, use an exact replica of Blizzard emails and the address they send it from, and they're good.
Websites though... yes, I see what you're saying. When you design a website you definitely want to make things sound as professional and legit as possible.
I think you'd receive a much better reception if you wrote this guide for direct trade scamming though. Psychology is a major factor in that field.
Link to my guide: https://www.mmowned.com/forums/wow-g...rd-policy.html | I'm retired, please don't PM me. Thanks.
Well it can be applied to anything really, just choose the right kind of approach, I prefer phishing, easier and quicker. Scamming directly takes time, and ofc a bigger ban risk. Plus, I'm gunna milk the WotLK scam as much as I can.
Makes plenty of sense. I remember when my account got banned, and when I saw the e-mail and the word "ban" in it I got scared immediately.
Excellent guide, I haven't experimented with Phishing too much - but I can see how this could apply to it.
Oh, and the word 'because' is very effective because (no pun intended) it gives the person a reason why they should do what is being asked of them.
Jesus smokes bud.