CompTIA Security Plus Mock Test Q543

Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number displayed on the caller ID matches the vendor’s number. When the purchasing agent asks to call the vendor back, they are given a different phone number with a different area code. Which of the following attack types is this?

A. Hoax
B. Impersonation
C. Spear phishing
D. Whaling
Correct Answer: B
Section: Threats and Vulnerabilities

Explanation:
In this question, the attacker is impersonating a vendor and asking for payment. They have managed to "spoof" their calling number so that their caller ID matches the vendor's real number; the give-away is the different call-back number with a different area code.
Impersonation is where a person, computer, software application or service pretends to be someone or something it is not. Impersonation is commonly used non-maliciously in client/server applications. However, it can also be used as a security threat, as in this scenario.

Incorrect Answers:
A: A hoax is something that makes a person believe that something is real when it is not. A hoax usually does not involve malicious intent or theft.
C: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data. As with the e-mail messages used in regular phishing expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually appear to come from a large and well-known company or website with a broad membership base, such as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be an individual within the recipient's own company and generally someone in a position of authority. Spear phishing involves e-mail spoofing rather than telephone spoofing. Therefore, this answer is incorrect.
D: Whaling is a specific kind of malicious hacking within the more general category of phishing, which involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or others in powerful positions or job titles.
Hackers who engage in whaling often describe these efforts as "reeling in a big fish," applying a familiar metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those who are engaged in whaling may, for example, hack into specific networks where these powerful individuals work or store sensitive data. They may also set up keylogging or other malware on a workstation associated with one of these executives. There are many ways that hackers can pursue whaling, leading C-level or top-level executives in business and government to stay vigilant about the possibility of cyber threats. A purchasing agent taking a vendor's call is not a high-ranking target, so this is not what is described in this question.

References:
http://searchsecurity.techtarget.com/definition/spear-phishing
http://www.techopedia.com/definition/28643/whaling