A penetration tester is targeting a company's sales team, who rely heavily on company-issued smartphones. The objective is to harvest their VPN credentials. The rules of engagement prohibit making direct voice calls. Which attack vector is most suitable for this scenario?
Distribute flyers in the office common areas with a QR code that leads to a malicious website.
Send a targeted SMS message appearing to be from the IT department, containing a link to a fake VPN login page.
Initiate a series of automated voice calls that spoof the IT helpdesk's number, asking users to verbally confirm their passwords.
Send a spearphishing email with a malicious attachment designed to execute a payload when opened on a desktop computer.
The most suitable attack is smishing, which involves sending a deceptive SMS message. Since the sales team primarily uses smartphones, a text-based lure is a direct and effective method for prompting them to visit a credential-harvesting site disguised as a legitimate VPN portal. Vishing is explicitly prohibited by the rules of engagement. While email-based phishing or using a QR code could work, smishing directly targets the primary communication device of the sales team, increasing the likelihood of success for this specific scenario.