Chapter 22 Β· Flashcards

Phishing Flashcards

Click each card to reveal the answer.

0 / 16 flipped
What is the most common initial access vector in cyberattacks?
Phishing. The vast majority of breaches begin with a phishing email. It requires no technical exploit β€” it targets human behavior and conditioned responses. Combined with spear phishing (targeted, personalized), it is the preferred initial access method for both nation-state APT groups and criminal ransomware operators targeting specific organizations.
What is clone phishing and why is it effective?
An attacker takes a real, previously delivered legitimate email, replaces the link or attachment with a malicious version, and resends it from a spoofed address. Effective because the email content is authentic β€” recipients received the original and trust it. The malicious payload is the only change, and it is the part least likely to be scrutinized when the rest of the email looks exactly right.
What is pharming and how does it differ from phishing?
Pharming redirects users to malicious sites without them clicking a malicious link β€” through DNS cache poisoning or hosts file modification. The user types the correct URL and is transparently redirected to a fake site. Phishing requires the user to click a malicious link. Pharming is more dangerous for careful users β€” even correct URL entry can result in landing on a fake site.
What does SPF do in email authentication?
SPF (Sender Policy Framework) is a DNS TXT record listing which mail servers are authorized to send email for a domain. Receiving mail servers check if the sending server's IP is on the authorized list. If not, the email fails SPF. SPF validates the sending server identity only β€” it does not validate message content or prevent display-name spoofing or cousin domain attacks.
What does DKIM add to email security that SPF cannot provide?
DKIM adds a cryptographic signature to the email, verifying both that it was sent by an authorized server AND that the message content was not altered in transit. SPF only validates the sending server β€” a server could be on the SPF list but still send forged or modified content. DKIM catches in-transit modifications and provides stronger sender authorization through cryptographic proof rather than IP list matching.
What does DMARC add beyond SPF and DKIM?
DMARC specifies the POLICY β€” what to do when SPF or DKIM fails: none (monitor only, still deliver), quarantine (send to spam), or reject (block entirely). DMARC also enables reporting β€” domain owners receive aggregated reports of all authentication failures, revealing who is spoofing their domain. Without DMARC, SPF and DKIM failures are observed but not acted upon β€” emails are still delivered to inboxes.
What is typosquatting?
Registering domain names that are common misspellings or visual variations of legitimate domains: micros0ft.com (zero for O), arnazon.com (rn looks like m at small sizes), paypa1.com (one for L). Used for phishing sites, credential harvesting, and malware delivery. Users who mistype a URL or fail to verify the domain land on attacker-controlled infrastructure that may look identical to the real site.
What is a homograph attack?
Using Unicode characters visually identical to ASCII characters to create lookalike domain names. The Cyrillic letter 'Π°' (U+0430) is indistinguishable from the Latin 'a' (U+0061) in most fonts. A domain using Cyrillic characters looks identical to the real domain in the browser address bar but is technically a different domain and resolves to a different IP. Browsers may display punycode (xn--...) in some configurations as a visual warning.
What is a phishing kit?
A pre-built package for deploying a credential-harvesting site β€” mirrored HTML/CSS of a legitimate site, PHP scripts that capture and email submitted credentials, obfuscated code to evade scanners. Sold on dark web forums for $20–200. Enables non-technical attackers to deploy convincing phishing campaigns against any major service (Microsoft, Google, PayPal, banks) within hours of purchase.
What is the single most effective technical control against credential phishing?
Multi-Factor Authentication (MFA). Even when a user's password is stolen via phishing, the attacker cannot log in without the second factor. Phishing-resistant MFA (FIDO2/WebAuthn hardware keys, passkeys) is even stronger β€” credentials are cryptographically bound to the legitimate domain's origin. A phishing site cannot generate a valid authentication challenge for the real domain, making phishing-resistant MFA credentials impossible to capture and replay.
What is the hover technique in phishing defense?
Before clicking any hyperlink, hover the mouse over it to reveal the actual destination URL in the browser's status bar. The link's display text and its actual href destination are completely independent in HTML β€” a link can display "Verify your Microsoft account" while pointing to any attacker-controlled URL. Hovering exposes this discrepancy before clicking. The actual domain (the registerable portion before the first path slash) is the only trustworthy identifier.
What is credential harvesting phishing?
Phishing attacks presenting fake login pages that mimic legitimate services (Microsoft 365, Google Workspace, banking sites). When the user enters credentials, they are captured by the attacker's server. The user is then redirected to the real service and logged in normally β€” they notice no disruption and remain unaware. Harvested credentials are replayed against real services for account takeover or sold. This is the most common phishing goal.
What is smishing?
SMS phishing. Text messages impersonating package carriers (FedEx, UPS), banks, government agencies, or two-factor authentication systems, containing malicious links or fraudulent requests. Short URLs (bit.ly, etc.) completely obscure the real destination β€” there is no hover-to-preview on most SMS clients. Defense: never click links in unsolicited text messages about deliveries, payments, or account alerts β€” go directly to the official app or website.
Why is DMARC set to "none" ineffective as a defense?
DMARC "none" means even when SPF or DKIM fail, emails are still delivered normally. The "none" policy enables reporting (domain owners receive failure reports) but provides zero blocking. DMARC only actually stops spoofed emails when set to "quarantine" (spam folder) or "reject" (block entirely). Many organizations configure DMARC to "none" for monitoring during rollout but never advance to enforcement β€” gaining visibility but no protection.
What is the difference between phishing and pharming in terms of user action required?
Phishing requires the user to click a malicious link β€” it depends on user action. Pharming requires no user action beyond normal browsing β€” the malicious redirection happens transparently at the DNS level. Users who type URLs correctly, follow all link-safety advice, and never click suspicious links can still be pharmed. This makes pharming more dangerous: it defeats the most common individual defense (don't click suspicious links).
What are three hallmarks of a phishing email to check immediately?
(1) Sender address β€” expand past the display name and check the actual email domain. Does it exactly match the legitimate organization's domain? Cousin domains (microsoft-support.com, helpdesk-company-it.com) are the most common indicator. (2) Hover the link β€” does the destination URL's domain match the claimed organization? Any mismatch is a red flag. (3) Urgency or threat β€” does the email pressure immediate action and discourage verification? Urgency is a manipulation tactic. Any indicator warrants verification through an independent channel before acting.