Cards Collection
Browse all game cards by type
Expert Phishing Detection
Special Challenge - Expert
Advanced phishing detection - analyze carefully!
From:
noreply-update@microsoft.com
Subject:
Mandatory update of terms of service
Real link:
https://account.microsoft.com.security-policy.net
Question: Is this legitimate or dangerous?
Answer: Dangerous
Explanation: Main domain = security-policy.net, not microsoft.com. The subdomain trick makes it look legitimate.
Password Strength Expert
Special Challenge - Expert
Which password is truly the strongest?
Which is really the strongest password?
- A. &T4p9Lm!2
- B. GreenButterflyHitsAWallIn2025
- C. N!k0lA5-R00
- D. %zF3-@Lp
Answer: N/A
Explanation: A long passphrase beats a short complex password. Length > complexity for security.
Social Engineering Attack
Special Challenge - Expert
Real enterprise threat scenario
A "technician" calls you: "We need to reset your MFA due to an issue. I'll send you a code, read it to me to validate."
Context: The call seems internal (company number displayed)
Question: Is this legitimate?
Answer: No - Attack
Explanation: This is reverse-MFA (very common attack). Real IT never asks you to read MFA codes over phone.
Mixed Content Security
Special Challenge - Expert
Technical web security analysis
A website uses HTTPS, but loads an external script via HTTP.
Context: Main page: https:// | External script: http://
Question: Is this secure?
Answer: No - Insecure
Explanation: Unencrypted script allows Man-in-the-Middle attacks. One HTTP resource compromises entire HTTPS page.
Evil Twin WiFi
Special Challenge - Expert
Network security threat detection
Employee connects to "Company-Secure" (WPA2, normally no captive portal).
Context: Phone suddenly opens a login page like a captive portal
Question: Bug or security risk?
Answer: Security Risk
Explanation: Probable rogue access point (Evil Twin attack). Real network doesn't use captive portal.
Modern Malware Behavior
Special Challenge - Expert
Identify advanced malware characteristics
Which behavior indicates modern stealthy malware?
- A. PC overheating
- B. Screen flickering
- C. No visible symptoms
- D. Pop-ups appearing
Answer: N/A
Explanation: Serious malware shows NO symptoms. Obvious signs = amateur malware or adware.
Technical Email Phishing
Special Challenge - Expert
Very tricky phishing detection
From:
support@paypal.com
Subject:
Security verification required
Link displayed:
https://paypal.com/security
Real link:
https://paypal.com.security-check.info
Question: Is this legitimate?
Answer: No - Phishing
Explanation: Master domain = security-check.info. The real domain comes AFTER the last dot before the first slash.
MFA Authentication Logic
Special Challenge - Expert
Advanced authentication reasoning
A company replaces passwords with a 6-digit PIN + MFA application.
Context: Old: Long password only | New: Short PIN + MFA app
Question: Does this reduce security?
Answer: No - Still Secure
Explanation: The PIN becomes secondary: MFA secures the access. 2FA with weak password > password-only with strong password.
RDP Network Exposure
Special Challenge - Expert
Server security assessment
A Windows server exposes port 3389 (RDP) on the Internet.
Context: Security measures: Long password, MFA enabled, Active firewall
Question: Is this sufficient?
Answer: No - Insufficient
Explanation: Exposed RDP = massive automated attacks. Must use VPN + IP filtering. Never expose RDP directly to Internet.
SSL Certificate Trust
Special Challenge - Expert
Expert certificate analysis
Banking site in HTTPS with valid certificate.
Context: Padlock OK, Valid certificate, Issuer: Let's Encrypt, No browser alert
Question: Is this sufficient proof the site is authentic?
Answer: No - Not Sufficient
Explanation: A valid certificate = encryption, NOT identity. Anyone can get free Let's Encrypt cert for phishing sites.