A penetration tester identifies an exposed corporate directory containing first and last names and phone numbers for employees.
Which of the following attack techniques would be the most effective to pursue if the penetration tester wants to compromise user accounts?
A. Smishing
B. Impersonation
C. Tailgating
D. Whaling
Answer: A
Explanation:
When a penetration tester identifies an exposed corporate directory containing first and last names and phone numbers, the most effective attack technique to pursue would be smishing. Here’s why:
Understanding Smishing:
Smishing (SMS phishing) involves sending fraudulent messages via SMS to trick individuals into revealing personal information or performing actions that compromise security. Since the tester has access to phone numbers, this method is directly applicable.
Why Smishing is Effective:
Personalization: Knowing the first and last names allows the attacker to personalize the messages, making them appear more legitimate and increasing the likelihood of the target responding.
Immediate Access: People tend to trust and respond quickly to SMS messages compared to emails, especially if the messages appear urgent or important.
Alternative Attack Techniques:
Impersonation: While effective, it generally requires real-time interaction and may not scale well across many targets.
Tailgating: This physical social engineering technique involves following someone into a restricted area and is not feasible with just names and phone numbers.
Whaling: This targets high-level executives with highly personalized phishing attacks. Although effective, it is more specific and may not be suitable for the broader set of employees in the directory.