1.1 Compare and contrast different types of social engineering techniques.
Which of the following social engineering techniques is less likely to arouse suspicion and get the attacker caught? (Select all that apply.) a. Familiarity b. Authority c. Liking d. Intimidation
a. Familiarity & b. Authority
How would an attacker elicit information from a user to gain access to a social media account? (Select all that apply.) a. Pose as a sales representative needing help. b. Produce a fraudulent invoice with payment details. c. Use an Internet messaging service to communicate. d. Create an executable file that prompts for input.
a. Pose as a sales representative needing help. c. Use an Internet messaging service to communicate. d. Create an executable file that prompts for input.
Where do most companies and employees post a large amount of information about themselves and their businesses, which can be used to exploit the vulnerabilities of the business? a. Social media b. Dark net c. Deep web d. Dark web
a. Social media
A social engineer used Open Source Intelligence (OSINT) to gather information about a victim, then used that information to send the victim a personalized email that convinced the victim to click a malicious link. What type of social engineering attack does this describe? a. Spear phishing b. Vishing c. SMiShing d. Phishing
a. Spear phishing
Which of the following describes a social engineering technique an attacker can use if the attacker wants the end-user to click on a link as soon as possible? a. Urgency b. Consensus/social proof c. Familiarity/liking d. Authority
a. Urgency
An attacker remotely compromised a closed-circuit television (CCTV) server and used it to steal a user's password. Which of the following can help prevent this type of shoulder surfing? a. An access list b. A privacy filter c. A colocation d. An ID badge
b. A privacy filter
A social engineer used vishing and polite behavior to persuade a target to visit a fake website with fake reviews. The attacker then persuaded the victim to enter personally identifiable information (PII) in a web form. Which of the following did the attacker use to make the site appear more legitimate? (Select all that apply.) a. Urgency b. Familiarity/liking c. Consensus/social proof d. Authority
b. Familiarity/liking c. Consensus/social proof
A user contacted customer support via the company's WhatsApp link on a website. A few days later, the user received a lot of advertisements from outside the country, sent over the same messaging service. Which of the following best describes the type of attack the user is experiencing? a. Spam b. SPIM c. Spear phishing d. Whaling
b. SPIM
A malicious user compromised a company's email server and bought a domain that was similar to the domain name of the company's bank. The attacker monitored the email server and altered the account numbers on legitimate pay-off notices from the bank. The attacker then used the fake domain to send the company the notices forged with the attacker's bank account number. Which of the following attacks did the attacker execute? a. Domain hijacking b. Typosquatting c. Kiting d. Tasting
b. Typosquatting
Which of the following best describes spam email? a. Fake security alert b. Unsolicited email c. Fraudulent invoice d. Bulk text messages
b. Unsolicited email
A social engineer impersonated an IT security staff member of a company and called an employee to extract personally identifiable information (PII) from the employee. Which of the following attacks did the impersonator conduct? a. Phishing b. Vishing c. Pharming d. SMiShing
b. Vishing
If an attacker performs open source intelligence (OSINT) gathering and social engineering on the CEO and creates an email scam targeting the upper management of a company, what type of attack occurs? a. A watering hole attack b. Whaling c. A lunchtime attack d. Tailgating
b. Whaling
Rather than use a direct social engineering method to gain user credentials, an attacker decides to use a pharming attack. Which of the following describes this passive attack? a. An attacker compromises a pizza website that the user visits often. b. A user's credential for a bank web portal is sold on the black market. c. A user visits the company web page but is redirected to the attacker's fake website. d. An attacker registers a similar web domain name hoping the user will misspell it.
c. A user visits the company web page but is redirected to the attacker's fake website.
After performing reconnaissance on a victim, a social engineer spoofed the phone number of the doctor's office the target frequently visits. Posing as the receptionist, the attacker called the victim and requested the victim's Social Security Number (SSN). What type of social engineering attack did the social engineer exercise? a. Urgency b. Consensus c. Authority d. Liking
c. Authority
An end-user received a web pop-up that claimed to identify a virus infection on their computer. The pop-up offered a link to download a program to fix the problem. After the user clicked the link, the security operations center (SOC) received an alert from the computer that the user had downloaded a Trojan. Which of the following is most likely true about the pop-up? a. The tool claiming to fix the problem was actually a phishing attack. b. The tool claiming to fix the problem was actually a rogueware attack. c. The tool claiming to fix the problem was actually a hoax attack. d. The tool claiming to fix the problem was actually a spyware attack.
c. The tool claiming to fix the problem was actually a hoax attack.
An attacker gathered Open Source Intelligence (OSINT) about a company through the internet, then contacted employees of the company and used the information gathered to extract more personally identifiable information (PII). Which of the following describes this type of social engineering attack? a. Tailgating b. A lunchtime attack c. Trust d. Shoulder surfing
c. Trust
Which of the following situations describes identity fraud? (Select all that apply.) a. Creating fake security messages b. Entering behind another person c. Using another person's name d. Using a stolen credit card
c. Using another person's name d. Using a stolen credit card
Using social engineering, an attacker called an employee to extract the name and contact information of the Chief Information Security Officer (CISO). What social engineering deception did the attacker utilize? a. Pharming b. SMiShing c. Vishing d. Phishing
c. Vishing
A social engineer, impersonating a suppliant, rummaged through the garbage of a high-ranking loan officer, hoping to find discarded documents and removable media containing personally identifiable information (PII). Which of the following social engineering techniques did the attacker utilize? a. A lunchtime attack b. Shoulder surfing c. Piggybacking d. Dumpster diving
d. Dumpster diving
A social engineer intercepted an end-user's phone call to an internet service provider (ISP) about a home internet outage. Pretending to be the caller reporting the outage, the attacker immediately contacted the ISP to cancel the service call, dressed up as an internet tech, and then proceeded to enter the end-user's home with permission. What type of social engineering attack did the ISP and end-user fall victim to? a. Pharming b. Hoax c. Tailgating d. Impersonation
d. Impersonation
An attacker is attempting to gather information about a person by using text messages. Which of the following describes the attacker's phishing technique? a. SPIM b. Spam c. Vishing d. SMiShing
d. SMiShing
A group of college students received a phone call from someone claiming to be from a debt consolidation firm. The solicitor tried to convince the students that a rare, limited-time offer that could erase their student loan debt was about to expire, and that they would qualify only if they provided their Social Security Numbers and other personally identifiable information (PII). Which of the following tactics did the caller use? a. Consensus and social proof b. Familiarity and liking c. Authority and intimidation d. Scarcity and urgency
d. Scarcity and urgency
An attacker gathered personal information about an employee by using Open Source Intelligence (OSINT). The attacker then emailed the employee and used the employee's full name, job title, and phone number to convince the victim that the communication was legitimate. What type of scam did the attacker pull off? a. SMiShing b. Phishing c. Vishing d. Spear phishing
d. Spear phishing