A penetration tester is performing a social engineering penetration test and was able to create a remote session. Which of the following social engineering techniques was most likely successful?
This is worded badly.
Executive impersonation should be the answer because if I think my boss is demanding my info, it narrows the attack, making it more likely for me to respond.
However, SMS phishing is exactly what this is describing.
This is a phishing attack, but if I'm pentesting, it's against a company.
CrowdStrike shows as the top ten social eng attacks:
Phishing
Whaling
Baiting
Diversion Theft
Business Email Compromise (BEC)
Smishing
Quid Pro Quo
Pretexting
Honeytrap
Tailgating/Piggybacking
C. This technique involves pretending to be a high-ranking executive (e.g., CEO, CFO) to manipulate employees into performing actions such as installing remote access software or providing sensitive information. This is highly likely to lead to a remote session if employees are convinced of the impersonation.
• A. SMS: This technique involves sending text messages to trick individuals into divulging sensitive information or clicking on malicious links. While effective, it does not directly indicate the creation of a remote session.
• B. Dumpster: This involves searching through physical trash to find sensitive information. Although it can provide useful information, it does not directly lead to establishing a remote session.
• D. BeEF: This involves exploiting browser vulnerabilities to gain remote access. While this can be part of a social engineering attack, it is more technical and typically involves exploiting a browser rather than relying on social manipulation alone.
There are a lot of assumptions in this question, not much context. SMS, phones might not be part of the company network. Executive, no mention relative to a remote session. The nearest assumption I can think of in real life is that an executive in a meeting with a client got locked out and needs a password reset in order to log in remotely. This has both authority and urgency.
SMS phishing (or smishing) involves sending deceptive messages to trick individuals into taking actions that compromise security, such as clicking on malicious links that lead to remote sessions being established. This technique directly targets the individual's actions through their mobile device, making it a plausible method for achieving remote access.
aee9303 (Highly Voted, 1 year, 3 months ago)
vorozco (Most Recent, 3 weeks ago)
Etc_Shadow28000 (11 months, 3 weeks ago)
deeden (1 year, 3 months ago)
041ba31 (1 year, 3 months ago)