Social Engineering Attacks Explained

Questions and Answers

What type of threat allows an attacker to obtain the credentials of a bank client by spoofing the login webpage of a financial institution?

• Malvertising
• Vishing
• Whaling
• Piggybacking (correct)

What is a watering hole attack?

• An attack carried out in a phone conversation
• An attack targeted at high-profile business executives and key individuals in a company
• An attack performed by an unauthorized person who tags along with an authorized person to gain entry to a restricted area
• An attack that exploits a website that is commonly accessed by members of a targeted organization (correct)

What is the act of gaining knowledge or information from a victim without directly asking for that particular information?

• Impersonation
• Elicitation (correct)
• Influence
• Interrogation

A threat actor has altered the host file for a commonly accessed website on the computer of a victim. Now, when the user clicks on the website link, they are redirected to a malicious website. What type of attack has the threat actor accomplished?

Pharming (A)

Why would a threat actor use the Social-Engineering Toolkit (SET)?

To send a spear phishing email (B)

Which option is a Voice over IP management tool that can be used to impersonate caller ID?

Asterisk (C)

A salesperson is attempting to convince a customer to buy a product because limited supplies are available. Which social engineering method of influence is being used by the salesperson?

Scarcity (D)

What method of influence is characterized when a celebrity endorses a product on social media?

Social proof (A)

Apple is a company constantly working towards making its products and processes more environmentally friendly. Therefore, the Apple brand is associated with ideals and values that customers can relate to and support. What method of influence is being used by Apple?

Likeness (B)

A threat actor has sent a phishing email to a victim stating that suspicious activity has been detected on their bank account and that they must immediately click on a provided link to change their password. What method of influence is being used by the threat actor?

Urgency (A)

Which social engineering physical attack statement is correct?

Shoulder surfing can be prevented by using special screen filters for computer displays. (A)

Which tool provides a threat actor a web console to manipulate users who are victims of cross-site scripting (XSS) attacks?

BeEF (D)

Which Apple iOS and Android tool can be used to spoof a phone number?

SpoofApp (A)

What two physical attacks are mitigated by using access control vestibules? (Choose two.)

Piggybacking (A), Tailgating (B)

A threat actor has sent a text message to a victim stating that they have won bitcoins in a bank contest. To claim their prize, the victim must click the provided link and enter their bank account information. What social engineering attack can be accomplished if the user enters their banking information?

SMS phishing (A)

Flashcards

What is a watering hole attack?

An attack that exploits a website commonly visited by members of a targeted organization to compromise its users.

Elicitation

Gaining information from a victim without directly asking.

Pharming

Altering a host file to redirect users to malicious websites.

BeEF (Browser Exploitation Framework)

Used to manipulate users via web console, leveraging XSS vulnerabilities.

SpoofCard

VoIP management tool used to impersonate the caller ID.

Scarcity

Attempting to convince a customer to buy a product because limited supplies are available

Social Proof

Celebrity endorses a product

Phishing with Urgency

Creates urgency to change account password.

Tailgating

An unauthorized person follows an authorized person into restricted area.

Social-Engineer Toolkit (SET)

Tool for social engineering and integrates with Metasploit.

Whaling attack

Targeting high-profile individuals.

Vishing attack

Convincing victim to disclose information via phone call.

Mitigation of tailgating and piggybacking

Physical attacks are mitigated by using access control vestibules

SMS phishing

Tool sends text messages to a victim stating that have won bitcoins

Badge cloning

New employee posting a picture of their access identification on social media

Study Notes

Social Engineering Attacks Quiz

• Attackers can spoof the login webpage of a financial institution to obtain bank client credentials.
• A watering hole attack exploits a website commonly accessed by members of a targeted organization.
• Elicitation is the act of gaining knowledge or information from a victim without directly asking.
• A threat actor altering the host file for a commonly accessed website on a victim's computer, redirecting the user to a malicious website, is an example of pharming.
• The Social-Engineering Toolkit (SET) is used by threat actors to send spear phishing emails.
• Asterisk is a Voice over IP management tool that can be used to impersonate caller ID.
• A salesperson convincing a customer to buy a product because limited supplies are available is using the social engineering method of scarcity.
• A celebrity endorsing a product on social media is characterized as social proof.
• Apple associates its brand with ideals and values that customers can relate to and support.
• A threat actor sending a phishing email stating suspicious activity on a bank account and urging immediate password change uses the method of urgency.
• Piggybacking is a physical attack where an unauthorized person tags along with an authorized person to gain entry to a restricted area without the authorized person's consent.
• BeEF provides a threat actor with a web console to manipulate users who are victims of cross-site scripting (XSS) attacks
• SpoofApp for Apple iOS and Android can be used to spoof a phone number.
• Access control vestibules mitigate tailgating and piggybacking physical attacks.
• Proximity card and PIN or turnstile are used in conjunction with access control vestibules.
• Security guards can mitigate piggybacking and tailgating.
• SET can launch social engineering attacks and integrate with third-party tools and frameworks such as Metasploit.
• Upper managers such as the CEO or key individuals in an organization are the target of a whaling attack.
• The purpose of a vishing attack is to convince a victim on a phone call to disclose private or financial information.
• SpoofCard spoof a phone number, record calls, and generate different background noises,
• SMS phishing is a social engineering attack when a user enters bank information after receiving a text message about winning bitcoins.
• BeEF permits post-exploitation activities, such as Windows reverse VNC DLL and reverse TCP shell.
• BeEF can send fake notifications to the browser of a victim.
• A new employee posting a picture of their access identification on social media unknowingly enabled badge cloning.
• A user should deliver a found USB pen drive to the security sector of the company.