Ch.4 Social Engineering and Password Attacks Flashcards

1
Q

Joseph receives an email notifying him that he needs to change his password due to a recent account issue. He notices that the email links him to a website using the domain amaz0n.com. What type of attack should he describe this as?

A. Typosquatting
B. Phishing
C. Smishing
D. A watering hole attack

A

✅ Correct Answer: B. Phishing
Explanation (Why it’s correct):
This is a phishing attack because Joseph is receiving a fraudulent email attempting to trick him into clicking a link and entering credentials on a fake site. Phishing attacks often use lookalike domains (like amaz0n.com) as part of their deception, but the core of the attack is the fraudulent communication via email.

Explanation (Why the others are incorrect):
A. Typosquatting – While the domain itself (amaz0n.com) is an example of typosquatting, the attack started through email and involved social engineering to deceive the user—making it phishing. Typosquatting is typically used to describe passive attacks where a user mistypes a URL, not when they are lured by email.
C. Smishing – This would involve a text message, not email.
D. A watering hole attack – This involves compromising websites that a target group frequently visits—not sending fake login pages via email.

2
Q

When you combine phishing with voicemail, it is known as:

A. Whaling
B. Spoofing
C. Spooning
D. Vishing

A

✅ 2. D. Vishing
Explanation (Why it’s correct):
Phishing that occurs via voice calls or voicemails is known as vishing (voice phishing).

Explanation (Why the others are incorrect):
A. Whaling – This is targeted phishing aimed at senior executives.
B. Spoofing – This is when someone disguises their identity (email, IP, etc.)—it’s a broader technique, not specific to phishing.
C. Spooning – This is not a cybersecurity term.

3
Q

While reviewing her logs, Michele notices that a remote system has attempted to log into her server via SSH using the username admin and a variety of passwords like “password” and “ninja.” What type of attack has Michele noticed?

A. A brute-force attack
B. Shoulder surfing
C. An on-path attack
D. Pretexting

A

✅ 3. A. A brute-force attack
Explanation (Why it’s correct):
Trying many different passwords against the same username (admin) over SSH is a classic brute-force attack.

Explanation (Why the others are incorrect):
B. Shoulder surfing – This involves visually spying on someone’s screen or keyboard.
C. An on-path attack – This involves intercepting traffic between two parties, not login attempts.
D. Pretexting – This involves creating a false story to manipulate someone—not automated password guessing.

4
Q

Joanna wants to detect password spraying attacks. What type of rule should she deploy through her security systems?

A. Match attempts to log into many systems with the same username and password.
B. Match multiple attempts to log into the same user account using different passwords.
C. Match repeated use of the same password during failed login attempts for multiple usernames.
D. Match all attempts to use passwords with slight changes for the same account.

A

✅ 4. C. Match repeated use of the same password during failed login attempts for multiple usernames.
Explanation (Why it’s correct):
Password spraying uses a single or small set of passwords (like “Winter2024!”) across many usernames, trying to avoid lockouts.

Explanation (Why the others are incorrect):
A. Describes credential stuffing more than spraying.
B. Describes brute force (many passwords for one user).
D. Refers to slight variations—relevant to brute force but not spraying.

5
Q

One of the staff at Susan’s organization has reported that a critical vendor has contacted them about an unpaid invoice. After Susan investigates, she discovers that the invoice was sent from an email account that was not typically a contact and that the invoice requested payment to a PayPal account. What type of social engineering attack has Susan most likely discovered?

A. Smishing
B. Business email compromise
C. Disinformation
D. Typosquatting

A

✅ 5. B. Business email compromise
Explanation (Why it’s correct):
A BEC attack involves sending convincing fake emails—like fake invoices from familiar vendors—to trick users into sending money or info.

Explanation (Why the others are incorrect):
A. Smishing – This involves SMS, not email.
C. Disinformation – This refers to false info spread to mislead public opinion, not financial scams.
D. Typosquatting – This involves fake URLs, not fake invoices.

6
Q

Selah infects the ads on a website that users from her target company frequently visit with malware as part of her penetration test. What technique has she used?

A. A watering hole attack
B. Vishing
C. Whaling
D. Typosquatting

A

✅ 6. A. A watering hole attack
Explanation (Why it’s correct):
Selah targeted a site her victims already trust and use, injecting it with malware. That’s a watering hole attack—compromise the water source to infect those who drink from it.

Explanation (Why the others are incorrect):
B. Vishing – Involves voice-based phishing.
C. Whaling – Targets high-level executives, usually via email.
D. Typosquatting – Involves fake or mistyped domains, not compromising legitimate ones.

7
Q

Ben wants to determine if brute-force password attacks are being used against his company. What log information is least likely to be useful when working to detect brute-force attacks?

A. Source IP address or hostname
B. Failed login logs
C. The password that was used for each attempt
D. The geographic location of the system being logged into

A

✅ 7. D. The geographic location of the system being logged into
Explanation (Why it’s correct):
Geolocation of login targets doesn’t provide strong indicators of brute force. IP address, failed login logs, and attempted passwords are much more direct and useful.

Explanation (Why the others are incorrect):
A. Source IP – Useful to identify where attacks come from.
B. Failed login logs – Critical for detecting repeated attempts.
C. Password used – Can show patterns in brute-force attempts.

8
Q

Melissa receives a call, and the caller informs her that a senior manager in her organization needs her to buy gift cards for an event that starts in an hour. The caller says that the senior leader forgot to get the cards, and that the event is critical to her organization. Melissa buys the cards and sends them to the Gmail address the caller says the senior leader needs them sent to. What type of attack has Melissa fallen for?

A. Phishing
B. Pretexting
C. Business email compromise
D. Carding

A

✅ Correct Answer: B. Pretexting
Explanation (Why it’s correct):
The attacker created a false scenario (the senior manager urgently needs gift cards for an event) to manipulate Melissa into taking action. This is the definition of pretexting: fabricating a believable story or pretext to justify the request.

Explanation (Why the others are incorrect):
A. Phishing – This attack came via phone, not email or digital message. Phishing generally refers to fraudulent communication via email or digital channels.
C. Business email compromise (BEC) – This would involve a fraudulent or compromised email account. But here, the attacker called and used a Gmail address, not a spoofed company email or compromised internal account.
D. Carding – This refers to the use of stolen credit card information, not tricking someone into purchasing gift cards under false pretenses.

9
Q

Alaina wants to determine if a password spraying attack was used against her organization. Which of the following indicators would be most useful as part of her investigation?

A. The time the login attempts happened
B. The passwords used for failed attempts
C. The source IP address of the attempts
D. The number of failed attempts for each user

A

✅ Correct Answer: B. The passwords used for failed attempts
Explanation (Why it’s correct):
Password spraying tries the same password (or a small set of passwords) against many different usernames, so the passwords recorded for failed attempts are what reveal the pattern.

Explanation (Why the others are incorrect):
A. The time the login attempts happened – Might help correlate events, but it doesn’t point directly to spraying unless combined with other data.
C. The source IP address of the attempts – Could show attacker origin, but doesn’t help confirm spraying without knowing what was attempted.
D. The number of failed attempts for each user – More useful for detecting brute-force attacks, where many attempts are made against a single user.

10
Q

Which of the following human vectors is primarily associated with nation-state actors?

A. Misinformation campaigns
B. Watering hole attacks
C. Business email compromise
D. Password spraying

A

✅ 10. A. Misinformation campaigns
Explanation (Why it’s correct):
Misinformation and disinformation campaigns are often associated with nation-state actors trying to manipulate public opinion or political outcomes.

Explanation (Why the others are incorrect):
B. Watering hole – Not exclusive to nation-states.
C. BEC – More common with cybercriminals.
D. Password spraying – Common brute-force technique, not nation-state-specific.

11
Q

Nicole accidentally types www.smazon.com into her browser and discovers that she is directed to a different site loaded with ads and pop-ups. Which of the following is the most accurate description of the attack she has experienced?

A. DNS hijacking
B. Pharming
C. Typosquatting
D. Hosts file compromise

A

✅ 11. C. Typosquatting
Explanation (Why it’s correct):
Nicole mistyped a legitimate domain (www.smazon.com) and landed on a different site with ads/pop-ups. This is a classic case of typosquatting, where attackers register domains with slight spelling errors to exploit users’ mistakes.

Explanation (Why the others are incorrect):
A. DNS hijacking – Involves altering DNS records to redirect traffic—this is not a user typo issue.
B. Pharming – Alters host files or DNS to redirect users without typos.
D. Hosts file compromise – Would redirect based on changes to the local system file, not a mistyped URL.

12
Q

Devon is a penetration tester and sets up malicious tools on his target organization’s primary internal website. What type of attack is he conducting?

A. A misinformation campaign
B. A watering hole attack
C. A typosquatting attack
D. A disinformation campaign

A

✅ 12. B. A watering hole attack
Explanation (Why it’s correct):
Devon compromised a legitimate internal website that his target organization uses. This is a watering hole attack—poisoning a trusted site to target specific users.

Explanation (Why the others are incorrect):
A. Misinformation campaign – Involves spreading false info to change opinions, not malware placement.
C. Typosquatting attack – Involves fake lookalike domains, not compromising real ones.
D. Disinformation campaign – Similar to misinformation but intentional—again, not relevant here.

13
Q

Phishing emails sent pretending to be from a company that recipients are familiar with and likely to respond to are what type of attack?

A. Phishing
B. Pharming
C. Brand impersonation
D. Pretexting

A

✅ 13. C. Brand impersonation
Explanation (Why it’s correct):
This is brand impersonation—phishing that mimics legitimate companies to build trust and lure victims into clicking or giving up credentials.

Explanation (Why the others are incorrect):
A. Phishing – True, but too broad. Brand impersonation is the more specific and accurate term here.
B. Pharming – Involves redirecting traffic using DNS or host file changes.
D. Pretexting – Involves creating a made-up scenario, not impersonating a company brand.

14
Q

A caller was recently directed to Amanda, a junior IT employee at her company. The caller informed her that they were the head of IT for her organization and that she needed to immediately disable the organization’s firewall. After Amanda made the change, she discovered that the caller was not the head of IT, but was actually a penetration tester hired by her company. What social engineering attack best describes this?

A. Smishing
B. Pretexting
C. Impersonation
D. Vishing

A

✅ 14. C. Impersonation
Explanation (Why it’s correct):
The attacker pretended to be the head of IT to trick Amanda into disabling the firewall. This is classic impersonation—posing as someone trusted.

Explanation (Why the others are incorrect):
A. Smishing – Involves text messages, not phone calls.
B. Pretexting – A close second, since the attacker gave a story—but impersonation is more accurate because the caller pretended to be a specific person.
D. Vishing – This was a voice call, but the attack was specifically about impersonating someone—not just using voice to phish.

15
Q

Fred is concerned about text message–based attacks. Which of the following attacks relies on text messages as its primary focus?

A. Impersonation
B. Watering hole attacks
C. Smishing
D. Business email compromise

A

✅ 15. C. Smishing
Explanation (Why it’s correct):
Smishing is SMS-based phishing—attacks using text messages to trick users into clicking malicious links or giving up information.

Explanation (Why the others are incorrect):
A. Impersonation – Too general and doesn’t focus on text messages.
B. Watering hole attacks – Involves compromised websites.
D. Business email compromise – Relies on email, not SMS.

16
Q

Sharif notices that his authentication logs have many different usernames showing failed logins with the same password. What type of attack has he discovered?

A. Credential harvesting
B. Impersonation
C. BEC
D. Spraying

A

✅ 16. D. Spraying
Explanation (Why it’s correct):
Sharif sees the same password tried against many usernames, which is textbook password spraying—a type of brute-force attack that avoids lockouts.

Explanation (Why the others are incorrect):
A. Credential harvesting – Involves collecting usernames/passwords through phishing or malware—not trying them.
B. Impersonation – This is not a social engineering attack.
C. BEC – Business email compromise involves scams and impersonation via email—not login attempts.

17
Q

Naomi receives a report of smishing. What type of attack should she be looking for?

A. Compressed files in phishing
B. Text message–based phishing
C. Voicemail-based phishing
D. Server-based phishing

A

✅ 17. B. Text message–based phishing
Explanation (Why it’s correct):
Smishing = SMS phishing. It typically tricks users via links in text messages.

Explanation (Why the others are incorrect):
A. Compressed files in phishing – Irrelevant here.
C. Voicemail-based phishing – That’s vishing.
D. Server-based phishing – Not a standard attack term.

18
Q

Jack’s organization wants to prevent typosquatting. What option should he select to address this issue?

A. Copyright the domain name
B. Purchase the most common typos for his organization’s domain
C. Trademark the domain name
D. Disable typo resolution for the domain

A

✅ 18. B. Purchase the most common typos for his organization’s domain
Explanation (Why it’s correct):
To defend against typosquatting, organizations often register common misspellings of their domain to prevent malicious use.

Explanation (Why the others are incorrect):
A. Copyright the domain name – Copyright does not apply to domain names.
C. Trademark the domain name – May help legally, but it doesn’t prevent typosquatting.
D. Disable typo resolution – Not a real or feasible feature.

19
Q

Gwyne’s company has been contacted by customers asking about a new social media account operating under the company’s brand. The social media account is advertising cryptocurrency, which Gwyne’s organization does not sell or work with. What type of attack best describes what Gwyne’s organization has encountered?

A. Impersonation
B. Brand impersonation
C. Mis-branding
D. Crypto-phishing

A

✅ 19. B. Brand impersonation
Explanation (Why it’s correct):
A fake social media account posing as the company and promoting fake services is brand impersonation—using a company’s identity to deceive.

Explanation (Why the others are incorrect):
A. Impersonation – Close, but too general; brand impersonation is the more precise term.
C. Mis-branding – Not a cybersecurity concept.
D. Crypto-phishing – Not an official term; also too narrow to describe the broader impersonation.

20
Q

Nation-state-driven social media campaigns about the trustworthiness of the U.S. election in 2016 are an example of what type of social engineering?

A. Smishing
B. Pretexting
C. Disinformation
D. Spraying

A

✅ 20. C. Disinformation
Explanation (Why it’s correct):
This is intentional false information spread to manipulate public opinion—a textbook case of disinformation, often linked to nation-state actors.

Explanation (Why the others are incorrect):
A. Smishing – SMS-based phishing—not social media campaigns.
B. Pretexting – Involves creating false scenarios in personal interactions.
D. Spraying – Password attack, not related to influence operations.