CompTIA Security+ (SY0-601) — Question 850

A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:

• The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
• The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
• All three of the organization's DNS servers currently resolve the website to the legitimate IP.
• DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the approximate time of the suspected compromise.

Which of the following MOST likely occurred?

Answer options

Correct answer: C

Explanation

The correct answer is C: an attacker temporarily poisoned the cache of one of the organization's DNS servers. The query log shows that server handing back a cached answer of 10.2.12.99 for eRecruit.local at the time of the incident, and the NetFlow records show the user's session going to that same address instead of the legitimate 10.1.1.20. Because the bad record was a cached entry rather than authoritative data, it aged out (or was flushed) and all three servers now resolve the name correctly, which is why the current resolution looks clean even though the user was sent to the forged site. Options A, B, and D do not account for a DNS server briefly returning the wrong IP address.
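The analyst's reasoning above can be automated: compare every resolver answer for the site against the known-good address, flag the ones that disagree, and tie each to NetFlow connections made to the rogue address shortly afterward. The script below is an added example, not part of the original question; the log field layouts are assumed and the log lines are constructed to mirror the scenario (three resolvers, one returning 10.2.12.99 from cache, a client then connecting to it).

```python
"""Detect a transiently poisoned resolver and correlate it with NetFlow.

Added example for the eRecruit.local scenario. Both log formats are assumed
(whitespace-separated fields) and the sample lines are constructed.
"""
from datetime import datetime, timedelta

LEGIT_IP = "10.1.1.20"      # from the scenario
SITE = "erecruit.local"     # compared case-insensitively

# Constructed resolver log. Assumed fields: time server qname answer source
DNS_LOG = """\
2024-05-01T09:12:01Z ns1 eRecruit.local 10.1.1.20 cached
2024-05-01T09:12:03Z ns2 eRecruit.local 10.1.1.20 cached
2024-05-01T09:12:05Z ns3 eRecruit.local 10.2.12.99 cached
2024-05-01T09:30:10Z ns3 eRecruit.local 10.1.1.20 cached
"""

# Constructed NetFlow export. Assumed fields: time src dst dport
NETFLOW = """\
2024-05-01T09:12:06Z 10.1.5.44 10.2.12.99 443
2024-05-01T09:12:40Z 10.1.5.44 10.1.1.20 443
2024-05-01T09:40:00Z 10.1.5.44 10.1.1.20 443
"""


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def parse_dns_log(text):
    """Parse resolver answers into dicts; qname is lower-cased for matching."""
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, server, qname, answer, source = line.split()
        out.append({"time": _ts(t), "server": server, "qname": qname.lower(),
                    "answer": answer, "source": source})
    return out


def parse_netflow(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        t, src, dst, dport = line.split()
        out.append({"time": _ts(t), "src": src, "dst": dst, "dport": int(dport)})
    return out


def find_poisoned_answers(records, site=SITE, legit_ip=LEGIT_IP):
    """Any answer for the site that is not the legitimate IP is suspect."""
    return [r for r in records
            if r["qname"] == site.lower() and r["answer"] != legit_ip]


def later_corrected(records, poisoned, legit_ip=LEGIT_IP):
    """True if the same server later returned the right answer again, which is
    what a cached bad record expiring or being flushed looks like."""
    return any(r["server"] == poisoned["server"] and r["qname"] == poisoned["qname"]
               and r["answer"] == legit_ip and r["time"] > poisoned["time"]
               for r in records)


def correlate(poisoned, flows, window=timedelta(minutes=5)):
    """Flows to a poisoned answer's IP within `window` after that answer."""
    hits = []
    for p in poisoned:
        for f in flows:
            if f["dst"] == p["answer"] and p["time"] <= f["time"] <= p["time"] + window:
                hits.append({"server": p["server"], "rogue_ip": p["answer"],
                             "client": f["src"], "flow_time": f["time"],
                             "cached": p["source"] == "cached"})
    return hits


def investigate(dns_text=DNS_LOG, flow_text=NETFLOW):
    records = parse_dns_log(dns_text)
    poisoned = find_poisoned_answers(records)
    hits = correlate(poisoned, parse_netflow(flow_text))
    for h in hits:
        h["transient"] = any(later_corrected(records, p) for p in poisoned
                             if p["server"] == h["server"])
    return hits


if __name__ == "__main__":
    for h in investigate():
        print(f"{h['server']} returned {h['rogue_ip']} (cached={h['cached']}, "
              f"transient={h['transient']}); client {h['client']} connected "
              f"to it at {h['flow_time']:%H:%M:%S}")
```

On the constructed data this reports ns3 as the resolver that returned 10.2.12.99 from cache, marks the event transient because ns3 later answered 10.1.1.20 again, and names 10.1.5.44 as the client that followed the bad answer. In a real investigation, swap the two parsers for ones matching your resolver's query log and your flow collector's export, and widen the correlation window to cover the poisoned record's TTL.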