1.0 Attacks, Threats, and Vulnerabilities Flashcards

1.1 Compare and contrast different types of social engineering techniques.

1
Q

A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select all that apply.)

A

Consensus/social proof

Familiarity/liking

2
Q

If an attacker purchases a fake domain whose name is similar to that of a real domain, and then uses the fake domain to send the legitimate company forged notices by email, which of the following attacks did the malicious user perform?

A

Typosquatting

3
Q

Which of the following situations describes identity fraud? (Select all that apply.)

A

Using another person’s name

Using a stolen credit card

4
Q

A social engineer intercepted an end-user’s phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user’s home with permission. What type of social engineering attack did the ISP and end-user fall victim to?

A

Impersonation

5
Q

A user contacted customer support via the company’s WhatsApp link on a website. A few days later, the user received a lot of advertisements from outside of the country, using the same messaging service. Which of the following best describes the type of attack the user is experiencing?

A

SPIM

6
Q

An attacker is trying to access a user’s social media account. Select the actions the attacker may use to elicit information from the user to gain access. (Select all that apply.)

A

Use an Internet messaging service to communicate.

Create an executable file that prompts for input.

Pose as a sales representative needing help.

7
Q

An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After clicking the link, the security operations center (SOC) received an alert from the computer that the user downloaded a Trojan. Which of the following is most likely true about the pop-up?

A

The tool claiming to fix the problem was actually a hoax attack.

8
Q

Which of the following describes a social engineering technique an attacker can use if the attacker wants the end-user to click on a link as soon as possible?

A

Urgency

9
Q

Using social engineering, an attacker called an employee to extract the name and contact information of the Chief Information Security Officer (CISO). What social engineering deception did the attacker utilize?

A

Vishing

10
Q

A malicious user compromised a company’s email server and bought a domain that was similar to the domain name of the company’s bank. The attacker monitored the email server and altered the account numbers of legitimate pay-off notices from the bank. The attacker then used the fake domain to send the company the notices forged with the attacker’s bank account number. Which of the following attacks did the attacker execute?

A

Typosquatting

11
Q

An attacker gathered Open Source Intelligence (OSINT) about a company through the internet, then contacted employees of the company and used the information gathered to extract more personally identifiable information (PII). Which of the following describes this type of social engineering attack?

A

Trust

12
Q

How would an attacker elicit information from a user to gain access to a social media account? (Select all that apply.)

A

Use an Internet messaging service to communicate.

Create an executable file that prompts for input.

Pose as a sales representative needing help.

13
Q

Rather than use a direct social engineering method to gain user credentials, an attacker decides to use a pharming attack. This passive attack describes which of the following?

A

A user visits the company web page but is redirected to the attacker’s fake website.

14
Q

An attacker gathered personal information from an employee by using Open Source Intelligence (OSINT). The attacker then emailed the employee and used the employee’s full name, job title, and phone number to convince the victim that the communication was legitimate. What type of scam did the attacker pull off?

A

Spear phishing

15
Q

An attacker remotely compromised a closed-circuit television (CCTV) server and used it to steal a user’s password. Which of the following can help prevent this type of shoulder surfing?

A

A privacy filter

16
Q

A social engineer suspects the upper management department of a company is more vulnerable to ordinary phishing attacks than the normal IT staff since the management staff is reluctant to learn basic security procedures. Therefore, the attacker crafted a campaign targeting these individuals. What type of attack did the social engineer perform?

A

Whaling

17
Q

After performing reconnaissance on a victim, a social engineer spoofed the phone number of the doctor’s office the target frequently visits. Posing as the receptionist, the attacker called the victim and requested the victim’s Social Security Number (SSN). What type of social engineering attack did the social engineer exercise?

A

Authority

18
Q

After an attacker gathered Open Source Intelligence (OSINT) from a social media site on an employee, the attacker called the employee and extracted important information regarding the company the employee works for. Which of the following did the social engineer successfully perform?

A

Trust

19
Q

Which of the following social engineering techniques are less likely to arouse suspicion and get the attacker caught? (Select all that apply.)

A

Familiarity

Liking

20
Q

A social engineer, impersonating a suppliant, rummaged through the garbage of a high-ranking loan officer, hoping to find discarded documents and removable media containing personally identifiable information (PII). Which of the following social engineering techniques did the attacker utilize?

A

Dumpster diving

21
Q

An attacker is attempting to gather information about a person by using text messages. Which of the following describes the attacker’s phishing technique?

A

SMiShing

22
Q

Where do most companies and employees post a large amount of information about themselves and their businesses, information that an attacker can use to exploit the vulnerabilities of the business?

A

Social media

23
Q

A group of college students receives a phone call from someone claiming to be from a debt consolidation firm. The solicitor tried to convince the students that a rare, limited-time offer that could erase their student loan debt is about to expire, and that they must provide their Social Security Number and other personally identifiable information (PII) to take advantage of it. Which of the following tactics did the caller use?

A

Scarcity and urgency

24
Q

After a social engineer used Open Source Intelligence (OSINT) to gather information about the victim, the attacker used this information to email the victim a personalized message designed to convince the victim to click a malicious link. What type of social engineering attack does this describe?

A

Spear phishing

25
Q

If an attacker performs open source intelligence (OSINT) gathering and social engineering on the CEO and creates an email scam for the upper management department of a company, what type of attack occurs?

A

Whaling

26
Q

An attacker corrupted the database of a domain name server (DNS) in a small office. When users attempt to log in to the company’s homepage using a browser bookmark, they connect directly to the attacker’s web portal. What type of attack has occurred?

A

Pharming

27
Q

A social engineer impersonated an IT security staff member of a company and called an employee to extract personally identifiable information (PII) from the employee. Which of the following attacks did the impersonator conduct?

A

Vishing

28
Q

An attacker sends a phishing email to bank employees claiming that their bank accounts have been compromised and that they need to click a link to change their passwords as soon as possible. Which of the following describes a social engineering technique the attacker used?

A

Urgency

29
Q

Which of the following best describes spam email?

A

Unsolicited email