A user recently entered a username and password into a recruiting application website that had been forged to look like the legitimate site. Upon investigation, a security analyst identifies the following:
– The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
– The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
– All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
– DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the
approximate time of the suspected compromise.
Which of the following MOST likely occurred?
A. A reverse proxy was used to redirect network traffic.
B. An SSL strip MITM attack was performed.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.
– The legitimate website's IP address is 10.1.1.20 and eRecruit.local resolves to this IP.
– The forged website's IP address appears to be 10.2.12.99, based on NetFlow records.
– All three of the organization's DNS servers show the website correctly resolves to the legitimate IP.
– DNS query logs show one of the three DNS servers returned a result of 10.2.12.99 (cached) at the
approximate time of the suspected compromise.
Which of the following MOST likely occurred?
A. A reverse proxy was used to redirect network traffic.
B. An SSL strip MITM attack was performed.
C. An attacker temporarily poisoned a name server.
D. An ARP poisoning attack was successfully executed.