A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site.
Upon investigation, a security analyst identifies the following:
-> The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
-> The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
-> All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
-> DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.
Which of the following MOST likely occurred?
A. A reverse proxy was used to redirect network traffic.
B. An SSL strip MITM attack was performed.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.
B.
The scenario describes a user being tricked into entering their username and password into a forged recruiting application website. The security analyst investigating the incident identified that the legitimate website's IP address is 10.1.1.20, and the eRecruit.local domain resolves to this IP address. However, the forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
The investigation also revealed that all three of the organization's DNS servers correctly resolve the website to the legitimate IP address. However, DNS query logs show that one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.
Based on this information, the most likely scenario is that an attacker temporarily poisoned a name server. In other words, the attacker was able to plant a false, cached answer on one of the organization's DNS servers, causing that server to return the forged website's IP address instead of the legitimate one until the bad entry expired or was flushed.
Option A, a reverse proxy being used to redirect network traffic, is less likely as it requires the attacker to have control over a server between the user and the legitimate website. There is no indication of this in the scenario.
Option B, an SSL strip MITM (Man-in-the-middle) attack, is also less likely as it requires the attacker to intercept and modify encrypted traffic between the user and the legitimate website. The scenario does not mention any encrypted traffic, and the forged website's IP address is based on NetFlow records, suggesting that the traffic was not encrypted.
Option D, an ARP poisoning attack, is also less likely as it involves the attacker sending falsified ARP messages to associate their MAC address with the IP address of the legitimate website. The scenario does not mention any ARP messages, and the DNS query logs show that a DNS server returned a cached result, indicating that DNS poisoning was the more likely attack vector.
Therefore, the correct answer is C, an attacker temporarily poisoned a name server.
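As an added illustration of the analyst's check (not part of the original question or its explanation), this Python script runs over constructed resolver log lines in an assumed simplified format and flags any resolver that handed out an answer for eRecruit.local other than the known-good 10.1.1.20, noting whether every bad answer came from cache:

```python
from collections import defaultdict

# Constructed sample resolver log (assumed simplified format, not any product's real
# log format): timestamp server client qname qtype answer source
SAMPLE_LOG = """\
2024-03-04T09:58:01Z dns1 10.1.5.23 eRecruit.local A 10.1.1.20 authoritative
2024-03-04T09:58:40Z dns2 10.1.5.31 eRecruit.local A 10.1.1.20 authoritative
2024-03-04T10:01:12Z dns3 10.1.5.44 eRecruit.local A 10.2.12.99 cached
2024-03-04T10:03:55Z dns3 10.1.5.23 eRecruit.local A 10.2.12.99 cached
2024-03-04T10:09:20Z dns3 10.1.5.50 eRecruit.local A 10.1.1.20 authoritative
"""

# Known-good answers, taken from the authoritative zone rather than from any cache.
KNOWN_GOOD = {"erecruit.local": {"10.1.1.20"}}
FIELDS = ("ts", "server", "client", "qname", "qtype", "answer", "source")


def parse_line(line):
    """Split one log line into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["qname"] = rec["qname"].lower().rstrip(".")  # DNS names are case-insensitive
    return rec


def find_mismatches(log_text, known_good):
    """Return every A answer for a monitored name that is not in its known-good set."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["qtype"] == "A" and rec["qname"] in known_good \
                and rec["answer"] not in known_good[rec["qname"]]:
            hits.append(rec)
    return hits


def summarize_by_server(mismatches):
    """Per resolver: bad-answer count, time window, affected clients, cached-only flag."""
    summary = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                   "clients": set(), "cached_only": True})
    for rec in mismatches:
        s = summary[rec["server"]]
        s["count"] += 1
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])
        s["clients"].add(rec["client"])
        # One server, wrong answers only from cache, peers and zone correct: poisoned cache.
        s["cached_only"] &= (rec["source"] == "cached")
    return dict(summary)
```

The per-server summary also gives the time window and client list needed to scope which users may have reached the forged site and need a credential reset.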