312-50V13 Question #557: Real Exam Question with Answer & Explanation
The correct answer is A: Social engineering.
Question
You are tasked to perform a penetration test. While you are performing information gathering, you find an employee list in Google. You find the receptionist's email, and you send her an email changing the source email to her boss's email (boss@company). In this email, you ask for a pdf with information. She reads your email and sends back a pdf with links. You exchange the pdf links with your malicious links (these links contain malware) and send back the modified pdf, saying that the links don't work. She reads your email, opens the links, and her machine gets infected. You now have access to the company network. What testing method did you use?
Options
- A. Social engineering
- B. Piggybacking
- C. Tailgating
- D. Eavesdropping
Explanation
Option A (Social engineering) is correct because the entire attack chain relies on psychologically manipulating the receptionist into trusting a fraudulent email: impersonating her boss (pretexting), gaining her cooperation, and exploiting that trust to deliver malware. Social engineering is defined as manipulating people rather than systems to gain unauthorized access, which precisely describes this scenario.
The distractors are wrong for these reasons:
- Piggybacking (B) involves gaining physical access to a restricted area with someone's knowledge and consent (e.g., someone holds a door open for you).
- Tailgating (C) is similar but done without the person's consent, i.e., slipping through a secured door behind an authorized person. Both B and C are physical intrusion techniques, not digital or psychological ones.
- Eavesdropping (D) involves passively listening to communications (e.g., intercepting network traffic), not actively deceiving someone.
Memory Tip: Think of social engineering as "hacking humans": any time an attacker uses deception, impersonation, or manipulation of a person (rather than exploiting a technical vulnerability) to gain access, that is social engineering. If it involves a story, a trick, or a disguise to fool someone, choose Social engineering.