1.0 Attacks, Threats, and Vulnerabilities Flashcards
1.1 Compare and contrast different types of social engineering techniques.
A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select all that apply.)
Consensus/social proof
Familiarity/liking
If an attacker purchases a fake domain that has a name similar to that of a real domain, and then uses the fake domain to send the legitimate company forged notices by email, which of the following attacks did the malicious user perform?
Typosquatting
Which of the following situations describes identity fraud? (Select all that apply.)
Using another person’s name
Using a stolen credit card
A social engineer intercepted an end-user’s phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user’s home with permission. What type of social engineering attack did the ISP and end-user fall victim to?
Impersonation
A user contacted customer support via the company’s WhatsApp link on a website. A few days later, the user received a lot of advertisements from outside of the country, using the same messaging service. Which of the following best describes the type of attack the user is experiencing?
SPIM
An attacker is trying to access a user’s social media account. Select the actions the attacker may use to elicit information from the user to gain access. (Select all that apply.)
Use an Internet messaging service to communicate.
Create an executable file that prompts for input.
Pose as a sales representative needing help.
An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After clicking the link, the security operations center (SOC) received an alert from the computer that the user downloaded a Trojan. Which of the following is most likely true about the pop-up?
The tool claiming to fix the problem was actually a hoax attack.
Which of the following describes a social engineering technique an attacker can use if the attacker wanted the end-user to click on a link as soon as possible?
Urgency
Using social engineering, an attacker called an employee to extract the name and contact information of the Chief Information Security Officer (CISO). What social engineering deception did the attacker utilize?
Vishing
A malicious user compromised a company’s email server and bought a domain that was similar to the domain name of the company’s bank. The attacker monitored the email server and altered the account numbers of legitimate pay-off notices from the bank. The attacker then used the fake domain to send the company the notices forged with the attacker’s bank account number. Which of the following attacks did the attacker execute?
Typosquatting
An attacker gathered Open Source Intelligence (OSINT) about a company through the internet, then contacted employees of the company and used the information gathered to extract more personally identifiable information (PII). Which of the following describes this type of social engineering attack?
Trust
How would an attacker elicit information from a user to gain access to a social media account? (Select all that apply.)
Use an Internet messaging service to communicate.
Create an executable file that prompts for input.
Pose as a sales representative needing help.
Rather than use a direct social engineering method to gain user credentials, an attacker decides to use a pharming attack. This passive attack describes which of the following?
A user visits the company web page but is redirected to the attacker’s fake website.
An attacker gathered personal information from an employee by using Open Source Intelligence (OSINT). The attacker then emailed the employee and used the employee’s full name, job title, and phone number to convince the victim that the communication was legitimate. What type of scam did the attacker pull off?
Spear phishing
An attacker remotely compromised a closed-circuit television (CCTV) server and used it to steal a user’s password. Which of the following can help prevent this type of shoulder surfing?
A privacy filter