312-50v13 Exam Dumps : Certified Ethical Hacker Exam (CEHv13)

SMS Phishing, commonly called smishing, is the correct answer because the attack method is a deceptive text message sent to mobile devices that lures recipients into clicking a malicious link. In CEH-aligned social engineering coverage, smishing is a direct extension of phishing that uses SMS as the delivery channel. The attacker typically creates urgency or authority, such as “critical account update needed,” to trigger fast compliance. The message then pushes the victim to a malicious URL that can deliver malware, prompt credential entry, or enroll the device into a monitoring or management profile depending on platform and permissions. The key indicators in the question are company phones, a crafted message, and a link that installs monitoring software, which fits smishing exactly.

Bluebugging is a Bluetooth-based attack where the attacker exploits Bluetooth weaknesses to gain unauthorized access to a device, read data, place calls, or send messages, and it does not rely on sending a deceptive SMS link. Call spoofing is manipulating caller ID to impersonate a trusted number during voice calls, not delivering a malicious installation link through text. OTP hijacking focuses on intercepting or tricking users into revealing one-time passwords, often through SIM swapping, malware, or real-time phishing, but the scenario emphasizes installing monitoring software through a link rather than capturing a one-time code.

Defenses highlighted in ethical security training include mobile security awareness, blocking unknown links, using mobile threat defense, restricting app installation from untrusted sources, enforcing MDM controls, and monitoring SMS-based social engineering indicators.

CEH v13 explains that reflected XSS occurs when malicious input supplied by an attacker is immediately returned in the HTTP response without sanitization. This type of XSS is typically exploited through a crafted URL containing embedded JavaScript payloads. When a victim clicks the link, the vulnerable server reflects the injected script back to the browser, executing it within the user’s session context. CEH emphasizes that reflected XSS relies on social engineering to deliver the payload, often via links sent through email, messaging platforms, or compromised pages. The goal may include stealing session cookies, redirecting users, or manipulating page content. Brute-forcing credentials (Option A) has no relation to XSS. SQL injection (Option C) targets backend databases, not client-side script execution. Directory traversal (Option D) concerns file path manipulation, not dynamic script injection. Therefore, embedding a malicious script in a URL is the correct method to exploit reflected XSS.

The CEH SQL Injection module defines stacked (piggybacked) queries as attacks where an attacker appends an additional SQL statement using a statement delimiter such as a semicolon.

In this scenario, the attacker executed a second query (DROP TABLE users) after the original query, resulting in destructive behavior.

Option B is correct.

Option A retrieves data, not execute destructive commands.

Option C infers logic outcomes.

Option D relies on error messages for data extraction.

CEH classifies stacked queries as high-impact SQL injection attacks.