312-50V10 · Question #703
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing
The correct answer is A. Social engineering. The attacker used email spoofing to impersonate an authority figure, manipulated a PDF with malicious links, and deceived the receptionist into infecting her machine - a textbook social engineering attack.
Question
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
Options
- ASocial engineering
- BPiggybacking
- CTailgating
- DEavesdropping
How the community answered
(41 responses)- A73% (30)
- B17% (7)
- C7% (3)
- D2% (1)
Why each option
The attacker used email spoofing to impersonate an authority figure, manipulated a PDF with malicious links, and deceived the receptionist into infecting her machine - a textbook social engineering attack.
Social engineering manipulates people through psychological deception rather than exploiting technical vulnerabilities directly. The attacker spoofed the boss's email address to establish false trust, then replaced legitimate PDF links with malware-laden ones, exploiting the receptionist's compliance with perceived authority to gain network access.
Piggybacking is a physical security attack where an unauthorized person gains entry to a restricted area with the consent of an authorized individual, not a digital deception technique.
Tailgating is a physical intrusion method where an attacker follows an authorized person through a secured door without their knowledge, which is unrelated to email-based manipulation.
Eavesdropping involves passively intercepting network or communications traffic, not actively impersonating individuals and delivering malicious content.
Concept tested: Social engineering via email spoofing and phishing
Source: https://csrc.nist.gov/glossary/term/social_engineering
Topics
Community Discussion
No community discussion yet for this question.