Chapter 26 Quiz: Social Engineering Attacks
Test your understanding of social engineering psychology, techniques, tools, and defenses.
Question 1: Which of Cialdini's principles of influence is exploited when a phishing email states "Your account will be permanently deleted in 24 hours"?
A) Reciprocity
B) Social Proof
C) Scarcity
D) Authority
Correct Answer: C
Explanation: Scarcity creates urgency by suggesting that something (in this case, account access) is limited or about to be lost. This time pressure impairs critical thinking and drives hasty action. The 24-hour deadline makes the target feel they must act immediately rather than taking time to verify the communication.
Question 2: What is the primary difference between phishing and spear phishing?
A) Spear phishing uses phone calls instead of email
B) Phishing targets many people with generic messages; spear phishing targets specific individuals with personalized messages
C) Spear phishing only targets executives
D) Phishing is illegal; spear phishing is legal
Correct Answer: B
Explanation: Phishing is a broad-based attack sending the same message to many recipients, relying on volume for success. Spear phishing targets specific individuals with messages personalized using OSINT -- referencing their name, role, recent activities, colleagues, and other specific details. This personalization dramatically increases the success rate.
Question 3: How did the attackers in the Twitter 2020 breach gain access to internal tools?
A) By exploiting a zero-day vulnerability in Twitter's code
B) By phishing employees via email with malicious attachments
C) By calling Twitter employees and convincing them to enter credentials into a phishing site (vishing)
D) By physically accessing Twitter's data centers
Correct Answer: C
Explanation: The Twitter attackers used vishing (voice phishing) -- calling employees by phone and impersonating internal IT support. They convinced employees to enter their credentials into a fake internal tool login page. The attackers had done enough OSINT to know employee names, internal tool names, and procedures, making the calls convincing.
Question 4: What is Business Email Compromise (BEC)?
A) Compromising an email server through technical exploitation
B) A targeted attack using email to deceive employees into making unauthorized financial transactions or sharing sensitive information
C) Sending mass spam from a compromised email account
D) Encrypting corporate email with ransomware
Correct Answer: B
Explanation: BEC is a sophisticated form of spear phishing focused on financial fraud. Common scenarios include CEO fraud (impersonating the CEO to request wire transfers), invoice fraud (sending fake vendor invoices with altered payment details), and account compromise (using a hacked employee account to redirect legitimate payments). BEC caused over $2.7 billion in losses in 2022 according to the FBI.
Question 5: How does Evilginx2 bypass multi-factor authentication?
A) It brute-forces MFA codes
B) It acts as a transparent reverse proxy between the victim and the real login page, capturing session tokens after the user completes MFA
C) It disables MFA on the target account
D) It intercepts MFA codes from SMS messages
Correct Answer: B
Explanation: Evilginx2 sits between the victim and the legitimate authentication service as a transparent proxy. The victim sees and interacts with the real login page (proxied through Evilginx2), enters credentials, completes MFA challenges, and receives a valid session. Evilginx2 captures the session token/cookie after authentication, which the attacker can use to access the account without needing the MFA code.
Question 6: What type of MFA is resistant to real-time phishing proxy attacks like Evilginx2?
A) SMS-based one-time passwords
B) Time-based authenticator apps (TOTP)
C) FIDO2/WebAuthn hardware security keys
D) Email-based verification codes
Correct Answer: C
Explanation: FIDO2/WebAuthn hardware keys (like YubiKeys) are phishing-resistant because the credential is scoped to the legitimate relying-party origin and the signed authentication response is cryptographically bound to the origin the browser is actually talking to. When a user attempts to authenticate through a phishing proxy, the browser sees the attacker's domain rather than the legitimate one, so the key has no usable credential for that origin and the login fails, even though the user did nothing wrong. SMS codes, TOTP, and email codes carry no such origin binding, so all of them can be relayed through a proxy.
Question 7: What is pretexting in the context of social engineering?
A) Writing code comments before writing code
B) Creating a fabricated scenario (pretext) that justifies the attacker's contact and request
C) Texting a target before calling them
D) Writing a script for an automated attack
Correct Answer: B
Explanation: Pretexting is the creation of a fabricated scenario or cover story that gives the attacker a believable reason to interact with the target and make specific requests. A good pretext explains who the attacker is, why they are making contact, and why the target should comply. Examples include impersonating IT support, a delivery person, or a vendor.
Question 8: In the RSA SecurID breach, what was the initial attack vector?
A) A zero-day in RSA's web application
B) A phishing email with an Excel attachment exploiting an Adobe Flash zero-day
C) A brute-force attack on employee passwords
D) Physical theft of SecurID tokens
Correct Answer: B
Explanation: The RSA breach began with phishing emails with the subject "2011 Recruitment Plan" containing an Excel file with an embedded Adobe Flash exploit (zero-day). Only two employees needed to open the attachment for the attack to succeed. The attackers then moved laterally through RSA's network to reach and exfiltrate SecurID seed data.
Question 9: What is a USB drop attack?
A) Physically damaging USB ports on target computers
B) Leaving malicious USB devices in locations where employees will find and plug them in
C) Dropping data transfer speeds on USB connections
D) Disconnecting USB devices remotely
Correct Answer: B
Explanation: USB drop attacks exploit human curiosity by leaving malicious USB devices (containing malware, Rubber Ducky payloads, or data exfiltration tools) in locations like parking lots, break rooms, and conference areas. When curious employees plug the devices into their computers, the malicious payload executes. In authorized testing, non-destructive payloads that simply report the insertion are used.
Question 10: Which tool is an open-source phishing framework commonly used in professional assessments?
A) Burp Suite
B) GoPhish
C) Metasploit
D) Nmap
Correct Answer: B
Explanation: GoPhish is an open-source phishing framework designed for professional phishing assessments. It provides campaign management, email template creation, landing page cloning, credential capture, and detailed analytics (open rates, click rates, submission rates). Burp Suite is for web application testing, Metasploit is an exploitation framework, and Nmap is a network scanner.
Question 11: What is tailgating in the context of physical social engineering?
A) Following a car to discover someone's home address
B) Following an authorized person through a secured entrance without presenting credentials
C) Monitoring someone's online activity
D) Intercepting wireless communications from behind a building
Correct Answer: B
Explanation: Tailgating (also called piggybacking) involves physically following an authorized person through a secured entrance (door with badge reader, mantrap, etc.) without presenting valid credentials. It exploits social norms -- most people feel uncomfortable challenging someone walking behind them or will hold the door as a courtesy.
Question 12: What cognitive bias causes people to underestimate the likelihood of being targeted by a social engineering attack?
A) Anchoring bias
B) Confirmation bias
C) Normalcy bias
D) Availability heuristic
Correct Answer: C
Explanation: Normalcy bias causes people to underestimate the probability of disaster or negative events. "It won't happen to me" or "our company is too small to be targeted" thinking causes employees to ignore warning signs and fail to take social engineering threats seriously. This bias is a significant challenge for security awareness programs.
Question 13: In a professional social engineering assessment report, how should individual employees who fell for simulated attacks be identified?
A) By full name and employee ID
B) By department and job title only
C) They should be anonymized -- never identified by name in the report
D) By email address
Correct Answer: C
Explanation: Professional social engineering reports should never identify individual employees by name. The purpose of the assessment is to evaluate organizational controls and awareness, not to shame individuals. Results should be reported in aggregate (department-level statistics) with anonymized examples of specific interactions that illustrate common failure modes.
Question 14: What is smishing?
A) Social engineering via social media platforms
B) Social engineering via SMS/text messages
C) Social engineering via smoke signals
D) A combination of phishing and malware
Correct Answer: B
Explanation: Smishing (SMS phishing) is social engineering conducted via text messages. Smishing is effective because text messages have higher open rates (approximately 98%) than email, mobile devices show less security context, and people are conditioned to act quickly on text messages. Common pretexts include fake delivery notifications, bank alerts, and MFA verification requests.
Question 15: How do DPRK (North Korean) threat actors typically approach cryptocurrency company social engineering?
A) Mass phishing campaigns to random employees
B) Creating convincing recruiter profiles on LinkedIn, conducting fake job interviews, and sending trojanized coding challenges
C) Physical break-ins at cryptocurrency exchanges
D) Exploiting zero-day vulnerabilities in blockchain protocols
Correct Answer: B
Explanation: DPRK threat actors (Lazarus Group, APT38) use LinkedIn to create fake recruiter profiles that contact blockchain developers with lucrative job offers. They conduct multi-round fake interviews, send "take-home coding tests" with malicious dependencies, and provide trojanized applications. This patient, relationship-based approach has enabled the theft of billions in cryptocurrency.
Question 16: What is the most important metric in a security awareness program?
A) How many employees click phishing links
B) How many employees report suspicious emails
C) How many employees complete training
D) How many emails are blocked by filters
Correct Answer: B
Explanation: The report rate -- how many employees report suspicious communications -- is the most important metric because it reflects organizational resilience. One employee reporting a phishing email can protect the entire organization. A culture where employees feel comfortable reporting without fear of blame enables rapid detection, collective intelligence, and continuous improvement.
Question 17: What is the Social Engineering Toolkit (SET) primarily used for?
A) Scanning networks for vulnerabilities
B) Automating various social engineering attack vectors for authorized security testing
C) Managing social media accounts
D) Encrypting communications
Correct Answer: B
Explanation: SET (Social Engineering Toolkit), created by David Kennedy of TrustedSec, is an open-source tool that automates social engineering attack vectors including spear phishing, website cloning/credential harvesting, infectious media generation, and various payload delivery mechanisms. It is designed for use in authorized penetration testing and security awareness assessments.
Question 18: Which defense mechanism is most effective against deepfake-powered vishing attacks?
A) Caller ID verification
B) Voice recognition software
C) Out-of-band verification through a separate, pre-established communication channel
D) Simply asking the caller to prove their identity verbally
Correct Answer: C
Explanation: Out-of-band verification -- contacting the supposed caller through a separate, pre-established channel (calling back on a known number, verifying via a different communication platform) -- is the most reliable defense against deepfake vishing. Caller ID can be spoofed, voice recognition can be fooled by quality deepfakes, and verbal identity proofs can be prepared by the attacker.