4.6.3 Quiz – Social Engineering Attacks Answers Full 100% 2023 2024

  1. What type of threat allows an attacker to obtain the credentials of a bank client by spoofing the login webpage of a financial institution?

    • piggybacking
    • vishing
    • whaling
    • malvertising

      Explanation & Hint:

      Malvertising involves incorporating malicious ads on trusted websites. Users who click these ads are inadvertently redirected to sites hosting malware.

  2. What is a watering hole attack?

    • an attack carried out in a phone conversation
    • an attack targeted at high-profile business executives and key individuals in a company
    • an attack that exploits a website that is commonly accessed by members of a targeted organization
    • an attack performed by an unauthorized person who tags along with an authorized person to gain entry to a restricted area

      Explanation & Hint:

      A watering hole attack is targeted when an attacker profiles websites the intended victim accesses. The attacker then scans those websites for possible vulnerabilities.

  3. What is the act of gaining knowledge or information from a victim without directly asking for that particular information?

    • influence
    • elicitation
    • interrogation
    • impersonation

      Explanation & Hint:

      Elicitation is the act of gaining knowledge or information from people. In most cases, an attacker gets information from a victim without directly asking for that particular information.

  4. A threat actor has altered the host file for a commonly accessed website on the computer of a victim. Now when the user clicks on the website link, they are redirected to a malicious website. What type of attack has the threat actor accomplished?

    • phishing
    • vishing
    • pharming
    • tailgating

      Explanation & Hint:

      Pharming is an impersonation attack in which a threat actor redirects a victim from a valid website or resource to a malicious one that could be made to appear as a valid site to the user. Pharming can be done by altering the host file on the victim’s system, through DNS poisoning, or by exploiting a vulnerability in a DNS server.

  5. Why would a threat actor use the Social-Engineering Toolkit (SET)?

    • to send a spear phishing email
    • to spoof a phone number
    • to manipulate users by leveraging XSS vulnerabilities
    • to practice social engineering elicitation, interrogation, and pretexting skills

      Explanation & Hint:

      The Social-Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET can be used to create spear phishing emails easily.

  6. Which option is a voice over IP management tool that can be used to impersonate caller ID?

    • SpoofCard
    • Asterisk
    • SpoofApp
    • Nikto

      Explanation & Hint:

      Several call spoofing tools can be used in social engineering attacks. Asterisk is one of these tools. It is a legitimate voice-over IP (VOIP) management tool that can also be used to impersonate caller ID.

  7. A salesperson is attempting to convince a customer to buy a product because limited supplies are available. Which social engineering method of influence is being used by the salesperson?

    • social proof
    • authority
    • likeness
    • scarcity

      Explanation & Hint:

      Scarcity is a method of influence that can create a feeling of urgency in a decision-making context. Salespeople often use scarcity to manipulate clients.

  8. What method of influence is characterized when a celebrity endorses a product on social media?

    • social proof
    • scarcity
    • authority
    • fear

      Explanation & Hint:

      Social proof is a method of influence in which an individual cannot determine the appropriate mode of behavior. For example, a person might see others acting or doing something in a certain way and assume it is appropriate. Social engineers may manipulate multiple people at once by using this technique.

  9. Apple is a company constantly working towards making its products and processes more environmentally friendly. Therefore, the Apple brand is associated with ideals and values that customers can relate to and support. What method of influence is being used by Apple?

    • fear
    • scarcity
    • authority
    • likeness

      Explanation & Hint:

      Likeness is a method of influence in which things or people can influence individuals they like—most individuals like what is aesthetically pleasing.

  10. A threat actor has sent a phishing email to a victim stating that suspicious activity has been detected on their bank account and that they must immediately click on a provided link to change their password. What method of influence is being used by the threat actor?

    • social proof
    • authority
    • likeness
    • urgency

      Explanation & Hint:

      Scarcity is a method of influence that can create a feeling of urgency in a decision-making context. Specific language can be used to heighten urgency and manipulate the victim. In this scenario, the email appeared to be sent from a bank, an authoritative body in the eyes of the victim. The attacker also created a perception of urgency, and a scarcity of time, which increased the likelihood of action.

  11. Which social engineering physical attack statement is correct?

    • In the tailgating attack, an unauthorized person tags along with an authorized person to gain entry to a restricted area with the person’s consent.
    • In the piggybacking attack, an unauthorized person tags along with an authorized person to gain entry to a restricted area without the person’s consent.
    • Badge cloning attacks cannot be performed by software.
    • Shoulder surfing can be prevented by using special screen filters for computer displays.

      Explanation & Hint:

      There are various types of physical attacks. With piggybacking, unauthorized person tags along with an authorized person to gain entry to a restricted area, usually with the person’s consent. Tailgating is the same but usually occurs without the authorized consent of the person. In badge cloning attacks, specialized software and hardware can perform such attacks. With shoulder surfing, someone obtains information such as personally identifiable information, passwords, and other confidential data by looking over the shoulder of the victim. There are special screen filters for computer displays to prevent someone from seeing the screen at an angle.

  12. Which tool provides a threat actor a web console to manipulate users who are victims of cross-site scripting (XSS) attacks?

    • Asterisk
    • SET
    • BeEF
    • Nikto

      Explanation & Hint:

      Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities. The tool starts a web service on port 3000 by default. From there, the attacker can log in to a web console and manipulate users who are victims of XSS attacks.

  13. Which Apple iOS and Android tool can be used to spoof a phone number?

    • SpoofApp
    • Nessus
    • Asterisk
    • BeEF

      Explanation & Hint:

      Several call spoofing tools can be used in social engineering attacks. SpoofApp is an Apple iOS and Android app that can easily spoof a phone number. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. BeEF and Nessus are not called spoofing tools.

  14. What two physical attacks are mitigated by using access control vestibules? (Choose two.)

    • shoulder surfing
    • dumpster diving
    • tailgating
    • badge cloning
    • piggybacking

      Explanation & Hint:

      Piggybacking and tailgating can be defeated through access control vestibules, formerly mantraps. An access control vestibule is a small space that usually fits only one person. It has two sets of closely spaced doors; the first set must be closed before the other will open, creating a sort of waiting room where people are identified (and cannot escape).

  15. Which two access control options are commonly used in conjunction with access control vestibules? (Choose two.)

    • proximity card and PIN
    • turnstile
    • security guard
    • toll collector
    • biometric scan

      Explanation & Hint:

      Multifactor authentication is often used in conjunction with an access control vestibule. For example, a proximity card and PIN may be required at the first door and a biometric scan at the second.

  16. Which resource would mitigate piggybacking and tailgating?

    • security guard
    • camera
    • “no trespassing” warnings
    • badge/card access

      Explanation & Hint:

      An access control vestibule is an example of a preventive security control. Turnstiles, double entry doors, and security guards can eliminate piggybacking and tailgating and help address confidentiality. These options are less expensive and less effective than access control vestibules.

  17. Which tool can launch social engineering attacks and be integrated with third-party tools and frameworks such as Metasploit?

    • BeEF
    • Nessus
    • SET
    • Asterisk

      Explanation & Hint:

      Social-Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks and can be integrated with third-party tools and frameworks such as Metasploit. SET is installed by default in Kali Linux and Parrot Security.

  18. Who is the target of a whaling attack?

    • upper managers such as the CEO or key individuals in an organization
    • ordinary users
    • user groups of social networks such as Facebook and Twitter
    • companies that use animals in product testing

      Explanation & Hint:

      Whaling is an attack targeted at a company’s high-profile business executives and key individuals. The main goal in whaling attacks is to steal sensitive information or compromise the victim’s system and then target other key high-profile victims.

  19. What is the purpose of a vishing attack?

    • to create emails and web pages to collect sensitive information from a user
    • to convince a victim on a phone call to disclose private or financial information
    • to use text messages to send malware or malicious links to mobile devices of users
    • to use USB sticks to compromise the systems of victims

      Explanation & Hint:

      Vishing is a social engineering attack carried out in a phone conversation. The attacker persuades the user to reveal private personal and financial information or information about another person or company. The goal is typically to steal credit card numbers, Social Security numbers, and other information that can be used in identity theft schemes.

  20. Which Apple iOS and Android tools can spoof a phone number, record calls, and generate different background noises?

    • Nessus
    • Asterisk
    • SpoofCard
    • BeEF

      Explanation & Hint:

      Several call spoofing tools can be used in social engineering attacks. SpoofCard is an Apple iOS and Android app that can spoof a number and change a voice, record calls, generate different background noises, and send calls straight to voicemail. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. BeEF and Nessus are not called spoofing tools.

  21. A threat actor has sent a text message to a victim stating that they have won bitcoins in a bank contest. To claim their prize, the victim must click the provided link and enter their bank account information. What social engineering attack can be accomplished if the user enters their banking information?

    • vishing
    • SMS phishing
    • whaling
    • watering hole

      Explanation & Hint:

      One example of social engineering attack is Short Message Service (SMS) phishing. SMS phishing is the bitcoin-related SMS scams that have surfaced in recent years. Numerous victims have received messages instructing these users to click on links to confirm user accounts and claim Bitcoin.

  22. Which tool permits post-exploitation activities, such as Windows reverse VNC DLL and reverse TCP shell?

    • BeEF
    • SET
    • Nessus
    • Nikto

      Explanation & Hint:

      Social Engineer Toolkit (SET) is a tool that can be used to launch numerous social engineering attacks. It allows the performance of some post-exploitation activities, such as spawning a Meterpreter shell, Windows reverse VNC DLL, reverse TCP shell, Windows Shell Bind_TCP, and Windows Meterpreter Reverse HTTPS.

  23. Which tool can send fake notifications to the browser of a victim?

    • Nexpose
    • BeEF
    • Nikto
    • Asterisk

      Explanation & Hint:

      Browser Exploitation Framework (BeEF) is a tool that can be used to manipulate users by leveraging XSS vulnerabilities. BeEF can perform numerous attacks (including social engineering attacks). For example, the attacker can send fake notifications to the victim’s browser. Asterisk is a legitimate VoIP management tool that can also be used to impersonate caller ID. Nikto and Nexpose are vulnerability scanning tools.

  24. A new employee is celebrating their position with a large company by posting a picture of their access identification on social media. What kind of physical attack has the new employee unknowingly enabled?

    • watering hole
    • pivot
    • badge cloning
    • shoulder surfing

      Explanation & Hint:

      Attackers can perform different badge cloning attacks. Attackers can often leverage pictures of people´s badges on social media. Attackers can often obtain detailed information about corporate badges’ design (look and feel) from social media websites such as Twitter, Instagram, and LinkedIn when people post photos showing their badges when they get new jobs or leave old ones.

  25. A user has found a USB pen drive in the corporate parking lot. What should the user do with this pen drive?

    • throw the pen drive away
    • deliver the pen drive to the security sector of the company
    • plug the pen drive into a computer of the company, try to delete all the files, and use the pen drive for personal use
    • plug the pen drive into a computer of the company, try to access the files to identify who the pen drive belongs to

      Explanation & Hint:

      Many pen testers and attackers have used Universal Serial Bus (USB) drop key attacks to successfully compromise victim systems. This attack involves leaving USB sticks (USB keys or USB pen drives) unattended or placing these pen drives in strategic locations. Frequently, users think these devices are lost and insert these pen drives into the systems to figure out whom to return the devices to;w it, they download before they know and install malware. Plugging in that USB stick lying on the street outside an office could lead to a security breach. The best thing to do is to deliver the pen drive to the security sector of the company.

Subscribe
Notify of
guest
0 Comments
Newest
Oldest Most Voted
Inline Feedbacks
View all comments