Which of the following options describes common characteristics of phishing emails?
Correct Answer: C
Phishing emails often share common characteristics designed to manipulate the recipient into taking immediate action. One of the hallmark features is the use of urgency, threatening language, or enticing subject lines. These tactics are intended to create a sense of urgency or fear, compelling the recipient to respond quickly without considering the legitimacy of the email. Phishing emails may claim that the recipient's account has been compromised, that they must confirm personal information immediately, or that they have won a prize. The goal is to trick the recipient into clicking malicious links, opening attachments, or providing sensitive information. References: The Certified Incident Handler (ECIH v3) program by EC-Council covers the identification and handling of phishing incidents, including the analysis of phishing emails and the importance of educating users on recognizing and responding to phishing attempts.
212-89 Exam Question 17
Elena, a first responder at a multinational firm, receives multiple reports from employees claiming they were asked to update their payroll information through an email that appears to be from HR. The email includes a URL directing users to a login page identical to the company's intranet but hosted on an unfamiliar domain. Elena immediately informs the IH&R team, preserves the email headers, captures screenshots of the spoofed page, and blocks the domain at the network level. What type of email security incident is Elena handling?
Correct Answer: D
This scenario is a clear example of a deceptive phishing attack, which is extensively covered in the ECIH Email Security Incident module. Deceptive phishing involves impersonating a trusted internal entity (such as HR) to trick recipients into disclosing sensitive information like credentials or personal data. Option D is correct because the email impersonates HR, uses social engineering, and directs users to a visually identical but fraudulent login page hosted on an unfamiliar domain. These characteristics are classic indicators of deceptive phishing. Option A refers to DNS manipulation and is not evidenced here. Option B involves overwhelming email volume rather than deception. Option C refers to unsolicited bulk email without impersonation. Elena's actions align with ECIH best practices: preserving headers for forensic validation, capturing screenshots to document the fraudulent infrastructure, and blocking the malicious domain to prevent further exposure. Correctly categorizing the incident as deceptive phishing ensures appropriate eradication, awareness, and reporting measures.
212-89 Exam Question 18
An international insurance provider observed a sharp rise in endpoint infections across geographically dispersed offices. The IR team correlated the infections with recent access to a series of trusted informational websites visited during routine research activities. After cross-referencing network telemetry and endpoint logs, analysts uncovered that these sites had been covertly altered by threat actors to include obfuscated scripts that launched on page render. Upon visiting the tampered content, a series of exploit chains were executed, targeting unpatched vulnerabilities in rendering engines of commonly used client applications. The malicious code was injected directly into volatile memory, allowing the payload to operate stealthily without initiating file creation events or prompting user interaction. Security tools failed to detect the compromise in real time due to the absence of conventional indicators such as user-triggered executions or external file transfers. Which web-based malware delivery technique is MOST consistent with the described attack?
Correct Answer: C
The EC-Council Incident Handler (ECIH) curriculum defines drive-by download attacks as web-based attacks where malicious code is automatically executed when a user visits a compromised website. These attacks often exploit browser or rendering engine vulnerabilities without requiring user interaction or explicit file downloads. In this scenario, trusted informational websites were covertly modified to include obfuscated scripts that executed upon page rendering. The exploit chains targeted unpatched vulnerabilities and injected payloads directly into memory, avoiding file creation and traditional detection mechanisms. This behavior is characteristic of drive-by download attacks leveraging exploit kits. Option A involves email-based delivery, which is not described. Option B relates to manipulating search engine rankings but does not inherently describe memory-based exploit execution. Option D involves malicious advertisements; however, the scenario specifically references compromised websites rather than third-party ad platforms. ECIH emphasizes patch management, browser hardening, memory analysis, and exploit mitigation technologies to defend against drive-by downloads. Therefore, the most consistent technique is a drive-by download attack exploiting vulnerabilities.
212-89 Exam Question 19
Zaimasoft, a prominent IT organization, was attacked by perpetrators who directly targeted its hardware and caused irreversible damage to it. As a result, replacing or reinstalling the hardware was the only solution. Identify the type of denial-of-service attack performed on Zaimasoft.
Correct Answer: C
A Permanent Denial-of-Service (PDoS) attack, also known as "phlashing," is a form of attack that targets hardware, causing irreversible damage to hardware components and thereby making the device unusable without a replacement or significant hardware intervention. In the Zaimasoft scenario, the attackers' actions leading to damaged hardware components align with the characteristics of a PDoS attack. Unlike Distributed Denial-of-Service (DDoS) or Denial-of-Service (DoS) attacks, which generally aim to overwhelm a system's resources temporarily, or DRDoS (Distributed Reflection Denial of Service), which involves amplification techniques using third-party servers, a PDoS attack directly damages the physical hardware, necessitating its replacement or reinstallation. This makes PDoS particularly severe due to its permanent impact on the targeted organization's hardware infrastructure. References: Incident Handler (ECIH v3) educational resources detail the various types of denial-of-service attacks, including PDoS, highlighting the distinct nature of each attack and its implications for the affected systems, with PDoS noted for its physical, irreparable impact on hardware components.
212-89 Exam Question 20
SafeGuard Inc., a cloud storage company, identified attackers exploiting a Server-Side Request Forgery (SSRF) vulnerability, leading to internal network reconnaissance. Which measure should SafeGuard Inc. prioritize to mitigate this vulnerability?
Correct Answer: D
SSRF vulnerabilities allow attackers to coerce a server into making unauthorized internal or external requests. The ECIH Web Application Security module states that controlling outbound traffic is the most effective mitigation against SSRF. Option D is correct because restricting outbound traffic ensures that even if an SSRF flaw exists, the server cannot access internal resources or attacker-controlled endpoints. ECIH emphasizes network-level egress filtering as a primary defensive control for SSRF. Option A reduces attack surface but does not stop exploitation. Option B addresses client-side risks, not server-side requests. Option C improves detection but does not prevent exploitation. Thus, outbound traffic restriction is the priority mitigation measure.