Lesson 4: Identifying Social Engineering and Malware


An individual receives a text message that appears to be a warning from a well-known order fulfillment company, informing them that the carrier has tried to deliver their package twice, and that if the individual does not contact them to claim it, the package will not be delivered. Analyze the scenario and select the social engineering technique being used.
A. SMiShing
B. Phishing
C. Vishing
D. Prepending

A. SMiShing
SMiShing attempts use short message service (SMS) text communications as the vector. Phishing is a combination of social engineering and spoofing. It persuades or tricks the target into interacting with a malicious resource disguised as a trusted one, traditionally using email as the vector. Vishing is a phishing attack conducted through a voice channel, such as telephone or VoIP. Vishing attempts may succeed when a target finds it more difficult to refuse a request made in a phone call compared to one made in an email. Prepending can make a phishing or hoax email more convincing. Used offensively, prepending means adding text that appears to have been generated by the mail system.

A hacker is able to install a keylogger on a user's computer. What is the hacker attempting to do in this situation?
A. Key management
B. Encryption
C. Obfuscation
D. Steal confidential information

D. Steal confidential information
Keyloggers actively attempt to steal confidential information by recording the keystrokes of a user. Key management is the process of administering cryptographic keys and managing their usage, storage, expiration, renewal, revocation, recovery, and escrow. It does not describe something that a hacker would install. Encryption is a way of encoding data into ciphertext, which is unreadable unless it is decoded. Keyloggers are only interested in recording keystrokes, not decrypting data. Obfuscation is a technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users. Keyloggers do not want to hide anything; they want to steal useful information by capturing keystrokes.

Which situation would require keyboard encryption software to be installed on a computer?
A. To set up single sign-on privileges
B. To comply with input validation practices
C. For the purpose of key management
D. To protect against spyware

D. To protect against spyware
Keyboard encryption software is used to protect against keyloggers, which record keystrokes for the purpose of stealing data. Keyloggers are spyware. Single sign-on is a technology that enables a user to authenticate once and receive authorizations for multiple services. It does not require keyboard encryption. Input validation involves limiting the type of data a user can enter into specific fields, such as not allowing special characters in a user name field. Encryption is not a concern. Key management is the process of administering cryptographic keys and is performed by a Certificate Authority. It is not applicable to keyboard encryption.

A system administrator has just entered their credentials to enter a secure server room. As the administrator is entering the door, someone is walking up to the door with their hands full of equipment and appears to be struggling to move items around while searching for their credentials. The system administrator quickly begins to assist by getting items out of the person's hands, and they walk into the room together. This person is not an employee, but someone attempting to gain unauthorized access to the server room. What type of social engineering has occurred?
A. Familiarity/liking
B. Consensus/social proof
C. Authority and intimidation
D. Impersonation

B. Consensus/social proof
Consensus/social proof revolves around the belief that without an explicit instruction to behave in a certain way, people will follow social norms. It is typically polite to assist someone with their hands full. Familiarity/Liking is when an attacker uses charisma to persuade others to do as requested. They downplay their requests to make it seem like their request is not out of the ordinary. Authority and Intimidation can be used by an attacker by pretending to be someone senior. The person receiving the request would feel the need to take action quickly and without questioning the attacker. Impersonation may involve someone calling an employee and stating they are from the IT department and need a password to correct a problem.

Which of the following depict ways a malicious attacker can gain access to a target's network? (Select all that apply.)
A. Ethical hacking
B. Phishing
C. Shoulder surfing
D. Mantrap

B. Phishing
C. Shoulder surfing
Phishing and shoulder surfing are social engineering attacks. Phishing occurs when an attacker sends a legitimate-looking, spoofed email to a user of the spoofed site to trick the user into revealing private information. Shoulder surfing is used to obtain someone's password or PIN by observing a user typing it on the keyboard. Social engineering is malicious behavior meant to get users to reveal confidential information. Ethical hacking is trying to identify weaknesses in a network. It is done with permission and is not malicious in intent. A mantrap is a physical security measure, not a way to gain access to a network. A mantrap is an entrance with two gateways, only one of which is open at any one time.

A gaming company decides to add software on each CD it releases. This software will install itself on the user's system, gain administrative rights, and hide itself from detection. The company's objective is to prevent the CD from being copied; however, the software will also capture data on the user's gaming habits. This is done without the knowledge or consent of the user, and the software cannot be uninstalled. Analyze how each of the following malware types behave and select the type being utilized by the gaming company.
A. Spyware
B. Keylogger
C. Rootkit
D. Trojan

C. Rootkit
A rootkit is characterized by its ability to hide itself by changing core system files and programming interfaces and to escalate privileges. The gaming company accomplished this. Spyware monitors user activity and may be installed with or without the user's knowledge, but it cannot gain administrative privileges or hide itself. A rootkit is a type of spyware, or Trojan. A keylogger is also a type of spyware that records a user's keystrokes. It occurs without a user's knowledge, but it cannot hide itself or gain privileges. Trojans cannot conceal their presence entirely and will surface as a running process or service. While a rootkit is a type of Trojan, or spyware, it differs in its ability to hide itself.

Before leaving for lunch, an employee receives a phone call, but there is no one on the line. Distracted by the odd interruption, the employee forgets to log out of the computer. Earlier that day, a person from the building across the street watched the employee entering login credentials using high-powered binoculars. Which form of social engineering is being used in this situation?
A. Vishing
B. Lunchtime attack
C. Shoulder surfing
D. Man-in-the-middle attack

C. Shoulder surfing
Shoulder surfing is stealing a password by watching the user type it. Although the attacker was not looking over the employee's shoulder, the login credentials were obtained through observation. Vishing is a phishing attack conducted through a voice channel. With no clue about the nature of the call received by the employee, it cannot be assumed to be part of an attack and would not be the best answer. While a lunchtime attack involves leaving a workstation unattended, it does not involve obtaining a password. Rather, physical access to the system is gained through a logged-in computer. A man-in-the-middle attack occurs when an attacker sits between two communicating hosts to intercept information. It is not social engineering.

Analyze the following attacks to determine which best illustrates a pharming attack.
A. A customer gets an email that appears to be from their insurance company. The email contains a link that takes the user to a fake site that looks just like the real insurance company site.
B. An employee gets a call from someone claiming to be in the IT department. The caller says there was a problem with the network, so they need the employee's password in order to restore network privileges.
C. A company's sales department often has after-hour training sessions, so they order dinner delivery online from the restaurant across the street. An attacker is able to access the company's network by compromising the restaurant's unsecure website.
D. A customer enters the correct URL address of their bank, which should point to the IP address 172.1.24.4. However, the browser goes to 168.254.1.1, which is a fake site designed to look exactly like the real bank site.

D.
Pharming is a means of redirecting users from a legitimate website to a malicious one that relies on corrupting the way the victim's computer performs IP address resolution. This is illustrated in the bank customer scenario. Phishing is a type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source to try to elicit private information from the victim. This is exhibited in the insurance customer scenario. Vishing is a phishing attack conducted through a voice channel. This is seen in the IT department scenario. A watering hole attack relies on the circumstance that a group of targets may use an unsecure third-party website. This is shown in the sales department scenario.

An employee calls IT personnel and states that they received an email with a PDF document to review. After the PDF was opened, the system has not been performing correctly. An IT admin conducted a scan and found a virus. Determine the two classes of viruses the computer most likely has. (Select all that apply.)
A. Boot sector
B. Program
C. Script
D. Macro

B. Program
C. Script
Both a program and script virus can use a PDF as a vector. The user stated that a PDF file was recently opened. A program virus is executed when an application is executed. Executable objects can also be embedded or attached within other file types such as Microsoft Word and Rich Text Format. A script virus typically targets vulnerabilities in an interpreter. Scripts are powerful languages used to automate operating system functions and add interactivity to web pages and are executed by an interpreter rather than self-executing. PDF documents have become a popular vector for script viruses. A boot sector virus is one that attacks the disk boot sector information, the partition table, and sometimes the file system. A macro virus uses the programming features available in Microsoft Office documents.

A tech concludes that a user's PC is infected with a virus that appears to be memory resident and loads anytime the operating system is restarted. Examine the options and determine which describes the infection type.
A. Uses a local scripting engine.
B. Written to the partition table of a fixed disk.
C. Replicates over network resources.
D. Monitors local application activity.

B. Written to the partition table of a fixed disk.
With a boot virus, code is written to the disk boot sector or the partition table of a fixed disk or USB media. The code executes as a memory resident process when the OS starts. Script and macro viruses use the programming features available in local scripting engines for the OS and/or browser, such as PowerShell. A computer worm is memory-resident malware that can run without user intervention and replicate over network resources. Spyware is malware that can perform adware-like tracking, but also monitor local application activity, take screenshots, and activate recording devices.

