Exam CS0-003 topic 1 question 228 discussion

Actual exam question from CompTIA's CS0-003
Question #: 228
Topic #: 1

A security analyst received an alert regarding multiple successful MFA log-ins for a particular user. When reviewing the authentication logs, the analyst sees the following:



Which of the following are most likely occurring, based on the MFA logs? (Choose two.)

  • A. Dictionary attack
  • B. Push phishing
  • C. Impossible geo-velocity
  • D. Subscriber identity module swapping
  • E. Rogue access point
  • F. Password spray
Suggested Answer: BC

Comments

LB54
Highly Voted 9 months ago
Selected Answer: BC
Based on the MFA logs provided in the image, the most likely occurrences are:

C. Impossible geo-velocity: The logs show logins from geographically distant locations (United States and Russia) within a short time frame, which is not physically possible.

B. Push phishing: Multiple successful MFA log-ins suggest that someone might be tricking the user into approving authentication requests.

Push phishing is a better option because it aligns more closely with the observed pattern of multiple successful MFA log-ins from different locations, suggesting the user might be unknowingly approving fraudulent requests. SIM swapping would not account for the impossible geo-velocity observed in the logs.
upvoted 5 times
Lilik
8 months, 2 weeks ago
But you don't know if the MFA is a push notification.
upvoted 1 times
iliecomptia
Most Recent 2 weeks ago
Selected Answer: BC
Fun fact: US and Russia are only 3.8 km apart.
upvoted 1 times
braveheart22
1 month, 2 weeks ago
Selected Answer: BC
The most likely occurrences based on the MFA logs are:

B. Push phishing
C. Impossible geo-velocity

Explanation:

Impossible geo-velocity (C)
The logs show logins occurring from two geographically distant locations (United States and Russia) within a short time frame (17:28 UTC and 17:31 UTC). It is highly unlikely that the user could physically travel from the United States to Russia within minutes. This suggests that an attacker may have gained access to the user's credentials and is logging in from a different country.

Push phishing (B)
In the entry at 17:31 UTC, the MFA device matches the access device in Russia (3.4.5.6). This indicates that the attacker successfully completed the MFA process, likely by tricking the user into approving an MFA push notification. Push phishing attacks involve repeatedly sending MFA requests until the user accidentally or mistakenly approves one, granting access to the attacker.
upvoted 1 times
cy_analyst
6 months ago
Selected Answer: CD
Step 1: The victim, jdoe, logs in normally from the U.S. using their MFA device.

Step 2: The attacker, from Russia, logs into the same services using stolen credentials and a SIM swap. At first, the MFA device still shows as the U.S. because the attacker hadn't yet completed the SIM swap or might still have needed to approve the login using the victim's compromised phone.

Step 3: By 17:31 UTC, the attacker fully controls both the access and the MFA device, indicating that the SIM swap has been completed, and they now control the victim's phone number in Russia.
upvoted 1 times
Myfeedins479
8 months, 1 week ago
Selected Answer: BC
B and C. If it was SIM swapping, the MFA device would be Russian on the first try. Since the MFA device was US after being prompted from Russia, it's most likely the victim accidentally confirmed the login out of habit which is what happens with push phishing. And C is obvious.
upvoted 1 times
projectgtr
9 months, 2 weeks ago
Selected Answer: CD
C. Impossible geo-velocity: can't have made it from USA to Russia in 1 min
D. Subscriber identity module swapping: Same with the device, SIM must have been cloned
upvoted 1 times
Cybernie_Sanders
10 months ago
You couldn't be up to them...
upvoted 2 times
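
The two signals the comments above reason from (distance versus elapsed time between logins, and an MFA device located away from the access device) can be checked mechanically. The Python below is an added example, not part of the original page or the exam: the log format, field names, date, `198.51.100.x` addresses, the `asmith` user and the coordinates are constructed, and the 1000 km/h threshold is an assumption.

```python
import math
from datetime import datetime

# Constructed sample records; the exam's log image is not reproduced here.
# Fields: UTC time, user, access IP, access country, lat, lon, MFA-device country.
# Coordinates stand in for a geo-IP lookup result (assumption).
SAMPLE_LOG = """\
2024-05-01T17:20:00Z jdoe 198.51.100.10 US 38.90 -77.04 US
2024-05-01T17:28:00Z jdoe 3.4.5.6 RU 55.75 37.62 US
2024-05-01T17:31:00Z jdoe 3.4.5.6 RU 55.75 37.62 RU
2024-05-01T17:40:00Z asmith 198.51.100.22 US 40.71 -74.01 US
"""
MAX_KMH = 1000.0  # assumed ceiling, roughly airliner cruise speed

def parse(line):
    ts, user, ip, country, lat, lon, mfa_country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "ip": ip, "country": country, "pos": (float(lat), float(lon)),
            "mfa_country": mfa_country}

def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def analyze(log_text, max_kmh=MAX_KMH):
    """Return (finding, user, HH:MM, detail) tuples for analyst review."""
    findings, last = [], {}
    records = [parse(ln) for ln in log_text.splitlines() if ln.strip()]
    for rec in sorted(records, key=lambda r: r["ts"]):
        prev, stamp = last.get(rec["user"]), rec["ts"].strftime("%H:%M")
        if prev and prev["pos"] != rec["pos"]:
            hours = (rec["ts"] - prev["ts"]).total_seconds() / 3600
            km = haversine_km(prev["pos"], rec["pos"])
            if hours == 0 or km / hours > max_kmh:  # faster than any flight
                findings.append(("impossible_geo_velocity", rec["user"], stamp, round(km)))
        # MFA approved from a different country than the session it unlocked.
        if rec["mfa_country"] != rec["country"]:
            findings.append(("mfa_location_mismatch", rec["user"], stamp, rec["ip"]))
        # The MFA device itself changed country since the user's last login.
        if prev and prev["mfa_country"] != rec["mfa_country"]:
            findings.append(("mfa_device_relocated", rec["user"], stamp, rec["mfa_country"]))
        last[rec["user"]] = rec
    return findings

if __name__ == "__main__":
    print(*analyze(SAMPLE_LOG), sep="\n")
```

The findings are triage signals for an analyst; on their own they do not distinguish the causes debated in the comments.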