CompTIA Security+ (SY0-601) — Question 597
A security analyst discovers that a large number of employee credentials had been stolen and were being sold on the dark web. The analyst investigates and discovers that some hourly employee credentials were compromised, but salaried employee credentials were not affected.
Most employees clocked in and out while they were inside the building using one of the kiosks connected to the network. However, some clocked out and recorded their time after leaving to go home. Only those who clocked in and out while inside the building had credentials stolen. Each of the kiosks are on different floors, and there are multiple routers, since the business segments environments for certain business functions.
Hourly employees are required to use a website called acmetimekeeping.com to clock in and out. This website is accessible from the internet. Which of the following is the most likely reason for this compromise?
Answer options
- A. A brute-force attack was used against the time-keeping website to scan for common passwords.
- B. A malicious actor compromised the time-keeping website with malicious code using an unpatched vulnerability on the site, stealing the credentials.
- C. The internal DNS servers were poisoned and were redirecting acmetimekeeping.com to a malicious domain that intercepted the credentials and then passed them through to the real site.
- D. ARP poisoning affected the machines in the building and caused the kiosks to send a copy of all the submitted credentials to a malicious machine.
Correct answer: C
Explanation
The correct answer is C because it explains how DNS poisoning could redirect legitimate traffic to a malicious site, allowing for credential interception. Options A and B are less likely; A suggests a brute-force attack on the website itself, which is not indicated, and B implies a direct compromise of the website, which is not mentioned. Option D, while a plausible attack, does not account for the fact that the compromised credentials were specifically related to the website accessed from outside the building.