nerdexam
EC-Council

312-50V10 · Question #703

You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing

The correct answer is A. Social engineering. The attacker used email spoofing to impersonate an authority figure, manipulated a PDF with malicious links, and deceived the receptionist into infecting her machine - a textbook social engineering attack.

Social Engineering

Question

You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?

Options

  • ASocial engineering
  • BPiggybacking
  • CTailgating
  • DEavesdropping

How the community answered

(41 responses)
  • A
    73% (30)
  • B
    17% (7)
  • C
    7% (3)
  • D
    2% (1)

Why each option

The attacker used email spoofing to impersonate an authority figure, manipulated a PDF with malicious links, and deceived the receptionist into infecting her machine - a textbook social engineering attack.

ASocial engineeringCorrect

Social engineering manipulates people through psychological deception rather than exploiting technical vulnerabilities directly. The attacker spoofed the boss's email address to establish false trust, then replaced legitimate PDF links with malware-laden ones, exploiting the receptionist's compliance with perceived authority to gain network access.

BPiggybacking

Piggybacking is a physical security attack where an unauthorized person gains entry to a restricted area with the consent of an authorized individual, not a digital deception technique.

CTailgating

Tailgating is a physical intrusion method where an attacker follows an authorized person through a secured door without their knowledge, which is unrelated to email-based manipulation.

DEavesdropping

Eavesdropping involves passively intercepting network or communications traffic, not actively impersonating individuals and delivering malicious content.

Concept tested: Social engineering via email spoofing and phishing

Source: https://csrc.nist.gov/glossary/term/social_engineering

Topics

#email spoofing#phishing#malware delivery#social engineering

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice