2 Data Collection

2.1 The illegal ways

Phishing

Phishing is the predominant method used by hackers, simply because it is the easiest to use and gives good results. The method consists of sending a fake login or payment page, more or less identical to the original one, with a single goal: to collect account names, passwords, personal data and so on.

How does it work?

The phishing page is simply a copy of a genuine web page, and most people cannot tell the difference.

Let's take the example of the Facebook login:

  1. The hacker creates a web site with a copy of the Facebook login page. Then, he sends a phishing mail (looking like a Facebook mail but with a link to the phishing web site) to the victim.
  2. The victim clicks on the link provided, lands on the hacker's site and enters his credentials. A message then appears saying that the login is invalid, please try again… The login has obviously not taken place, but the information has been sent to the hacker!
  3. After the error message, the victim is redirected to the official login page. He assumes he has mistyped his password and tries again. This time it works, but the hacker already has the password…

In order to hide his own site, the hacker has to use a domain close to the original one, because the address of the link is visible in the mail. Therefore, a clone at https://www.facebook-h.com has a better chance of fooling the visitor.

So, the phishing method is quite simple, but it relies on the user clicking a link in a mail.
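Because the link address is visible in the mail, a mail filter or an attentive reader can check it before any click. The following is an added example, not part of the original page: it classifies a link's host name against a list of trusted domains and flags close imitations such as facebook-h.com. The TRUSTED list, the function names and every sample link other than facebook-h.com are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: the domains the organisation really uses (the page's example brand).
TRUSTED = {"facebook.com"}

def registrable(host):
    """Naive registrable domain: the last two labels of the host name.
    Assumption: no multi-label suffixes such as co.uk; a real deployment
    would consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance computed with two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_link(url, trusted=TRUSTED):
    """Return 'trusted', 'lookalike' or 'unrelated' for a link taken from a mail."""
    host = (urlsplit(url).hostname or "").lower()
    domain = registrable(host)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        brand = good.split(".")[0]
        # Brand name embedded in a foreign domain, e.g. facebook-h.com
        if brand in host:
            return "lookalike"
        # Near miss of the real domain: one or two characters changed
        if edit_distance(domain, good) <= 2:
            return "lookalike"
    return "unrelated"

# Constructed sample links; only facebook-h.com comes from the text above.
SAMPLES = [
    "https://www.facebook.com/login",
    "https://www.facebook-h.com/login",
    "https://faceb00k.com/login",
    "https://facebook.com.example.net/login",
    "https://example.org/news",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

A link classified as "lookalike" is the case described above: the brand name is present, but the domain that actually receives the credentials is not the official one.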

Social Engineering

Social engineering (or “psychological manipulation”, as hackers call it) is seen as the state of the art. The goal is to collect information from a person without arousing any suspicion on his side.

There are mainly four methods: by phone, by (physical) mail, by e-mail or web site and by direct contact.

How does it work?

  • By phone: the hacker calls the victim, having prepared a nice speech, a personality and a solid story. Some use a sound box to reproduce the sound of a real workplace. Sometimes, a voice modifier is also used to be more realistic. He will pretend to be a policeman, a colleague, a client or a provider. The goal is to get the victim talking about a given subject in order to collect information, or to convince him to move money to a given bank account.
  • By physical mail: this is similar to the phishing method but with a real letter: the hacker writes a letter with a nice logo, a phone number, a fax number and so on, and will mostly ask for the payment of a bill. It could be a fake electricity bill with a modified bank account number.
  • Using the internet: very similar to the phone method, but the hacker must have a convincing text because he cannot interact. This text is mailed to the victim. It could be a service proposal for your IT (web site update, disk backup) or a pseudo-friend on holiday in a foreign country, left without any resources after a theft.
  • By direct contact: the most difficult one, because the hacker needs to be very persuasive. He will need a disguise and the appropriate habits and accessories.

Whatever the method, social engineering requires very good persuasion skills, which makes it harder to deploy. Hackers now combine these methods, sending a mail to announce a future call or visit to make it more realistic.

2.2 The legal ways

In order to collect data, there are illegal ways, which require a lot of skill and some knowledge, and there are legal ways, which are accessible to everyone.

The legal methods allow collecting simple data such as the name, the surname, the phone number, the email address, the employer, etc.

The easiest way to collect this data is simply to look for what the person has published on the Internet. For example, when registering on Facebook, you can enter your birth date, your place of birth, your name and surname, your political views, your tastes and so on.

You can also read information on the business card of this person or in his workplace.

Based on this set of information, you will be able to create user 'profiles'.

Your data

Some information from your browser:
Item Value
IP
Environment
Screen (pixels)