4.6.3 Quiz – Social Engineering Attacks Answers

Explanation: Malvertising involves incorporating malicious ads on trusted websites. Users who click these ads are inadvertently redirected to sites hosting malware.

Explanation: A watering hole attack is targeted when an attacker profiles websites the intended victim accesses. The attacker then scans those websites for possible vulnerabilities.

Explanation: Elicitation is the act of gaining knowledge or information from people. In most cases, an attacker gets information from a victim without directly asking for that particular information.

Explanation: Pharming is an impersonation attack in which a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as a valid site to the user. Pharming can be done by altering the host file on the victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server.

Explanation: The Social-Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET can be used to create spear phishing emails easily.

Explanation: Several call spoofing tools can be used in social engineering attacks. Asterisk is one of these tools. It is a legitimate voice-over IP (VOIP) management tool that can also be used to impersonate caller ID.

Explanation: Scarcity is a method of influence that can create a feeling of urgency in a decision-making context. Salespeople often use scarcity to manipulate clients.

Explanation: Social proof is a method of influence in which an individual cannot determine the appropriate mode of behavior. For example, a person might see others acting or doing something in a certain way and assume it is appropriate. Social engineers may manipulate multiple people at once by using this technique.

Explanation: Likeness is a method of influence in which things or people can influence individuals they like—most individuals like what is aesthetically pleasing.

Explanation: Scarcity is a method of influence that can create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. In this scenario, the email appeared to be sent from a bank, an authoritative body in the eyes of the victim. The attacker also created a perception of urgency, and a scarcity of time, which increased the likelihood of action.

Explanation: There are various types of physical attacks. With piggybacking, unauthorized person tags along with an authorized person to gain entry to a restricted area, usually with the person’s consent. Tailgating is the same but usually occurs without the authorized consent of the person. In badge cloning attacks, specialized software and hardware can perform such attacks. With shoulder surfing, someone obtains information such as personally identifiable information, passwords, and other confidential data by looking over the shoulder of the victim. There are special screen filters for computer displays to prevent someone from seeing the screen at an angle.

Explanation: Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities. The tool starts a web service on port 3000 by default. From there, the attacker can log in to a web console and manipulate users who are victims of XSS attacks.

Explanation: Several call spoofing tools can be used in social engineering attacks. SpoofApp is an Apple iOS and Android app that can easily spoof a phone number. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. BeEF and Nessus are not called spoofing tools.

Explanation: Piggybacking and tailgating can be defeated through access control vestibules, formerly mantraps. An access control vestibule is a small space that usually fits only one person. It has two sets of closely spaced doors; the first set must be closed before the other will open, creating a sort of waiting room where people are identified (and cannot escape).

Explanation: Multifactor authentication is often used in conjunction with an access control vestibule. For example, a proximity card and PIN may be required at the first door and a biometric scan at the second.

Explanation: An access control vestibule is an example of a preventive security control. Turnstiles, double entry doors, and security guards can eliminate piggybacking and tailgating and help address confidentiality. These options are less expensive and less effective than access control vestibules.

Explanation: Social-Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET is installed by default in Kali Linux and Parrot Security.

Explanation: Whaling is an attack targeted at a company’s high-profile business executives and key individuals. The main goal in whaling attacks is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

Explanation: Vishing is a social engineering attack carried out in a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or company. The goal is typically to steal credit card numbers, Social Security numbers, and other information that can be used in identity theft schemes.

Explanation: Several call spoofing tools can be used in social engineering attacks. SpoofCard is an Apple iOS and Android app that can spoof a number and change a voice, record calls, generate different background noises, and send calls straight to voicemail. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. BeEF and Nessus are not called spoofing tools.

Explanation: One example of social engineering attack is Short Message Service (SMS) phishing. SMS phishing is the bitcoin-related SMS scams that have surfaced in recent years. Numerous victims have received messages instructing these users to click on links to confirm user accounts and claim Bitcoin.

Explanation: Social Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks. It allows the performance of some post-exploitation activities, such as spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell, Windows Shell Bind_TCP, and Windows Meterpreter Reverse HTTPS.

Explanation: Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities. BeEF can perform numerous attacks (including social engineering attacks). For example, the attacker can send fake notifications to the victim’s browser. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. Nikto and Nexpose are vulnerability scanning tools.

Explanation: Attackers can perform different badge cloning attacks. Attackers can often leverage pictures of people´s badges on social media. Attackers can often obtain detailed information about corporate badges’ design (look and feel) from social media websites such as Twitter, Instagram, and LinkedIn when people post photos showing their badges when they get new jobs or leave old ones.

Explanation: Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This attack involves leaving USB sticks (USB keys or USB pen drives) unattended or placing these pen drives in strategic locations. Frequently, users think these devices are lost and insert these pen drives into the systems to figure out whom to return the devices to;w it, they download before they know and install malware. Plugging in that USB stick lying on the street outside an office could lead to a security breach. The best thing to do is to deliver the pen drive to the security sector of the company.