
Main types of attacks

Updated June 15, 2025

Social engineering

Social engineering is a manipulation technique used by attackers to trick people into revealing sensitive information, granting access, or performing actions that compromise security. Unlike technical hacking, social engineering targets human psychology—using tactics like urgency, fear, curiosity, or authority to lower defenses. Common examples include phishing emails, fake tech support calls, and impersonation attempts.

These attacks often appear legitimate, making them hard to detect. An attacker might pose as a coworker, vendor, or IT staff to request login credentials, access to systems, or confidential data. Even a small mistake—like clicking a malicious link or sharing internal details—can lead to a larger breach.

Awareness is the best defense. Always verify unexpected requests, especially those asking for sensitive information or urgent action. If something feels off, report it to your IT or security team immediately—better safe than sorry.

Examples
  • Text messages claiming your account has been disabled and asking you to enter your password—often through a fake login page.
  • Phone calls requesting personal information or threatening legal action, arrest, or account closure if you don’t comply.
  • Abuse of the “Forgot Password” feature on breached websites to gain unauthorized access.
  • Social media posts or quizzes designed to collect personal details like your pet’s name, favorite car, or childhood street—often used to guess security questions.

Intelligence gathering (Open-Source Intelligence [OSINT])

OSINT is not a form of attack in itself but a set of information-gathering techniques that support other attacks, especially social engineering. The more personal details an attacker collects about a potential victim, the more convincing and targeted the attack becomes.

OSINT is the collection of publicly available information from sources such as social media, websites and public records. Attackers use it to gather personal details, such as maiden names, pet names or birthdays, that help them answer security questions or craft targeted attacks. Because this information is often shared openly, careful privacy settings and cautious online sharing matter.

Examples

1. Password Guessing from Public Info

Target: a small business owner, whose personal details the attacker collected online.

Information gathered:
  • Date of birth from birthday wishes on Facebook.
  • Pet names from Instagram posts.
  • Favorite sports team from Twitter.

Technique: used the personal info to guess security questions and passwords.

Outcome: gained access to the owner's email, which allowed password resets on banking and e-commerce platforms.

2. Pretexting for Voice Phishing (Vishing)

Target: a bank's customer service line, which the attackers called pretending to be a customer.

Information gathered: full name, address, phone number and partial credit card number, all scraped from breached databases and social media.

Technique: confident pretexting (e.g., "I just moved, can you help me reset my online banking access?").

Outcome: support staff reset the real account's login, locking out the real customer.

3. Targeting Developers via GitHub

Target: developers whose public GitHub repositories contained credentials accidentally left in code (API keys, passwords).

Information gathered: GitHub code search results, email addresses, and usernames matched to LinkedIn profiles.

Technique: used the leaked credentials to access cloud environments or databases.

Outcome: in one case, a company's internal customer data was stolen and sold on the dark web.

4. Spear Phishing via LinkedIn Information

Target: employees of a financial firm, identified via LinkedIn by who worked in finance and IT.

Information gathered: job roles, email address patterns, office locations, manager names.

Technique: emails impersonating senior leadership with fake invoice requests or requests for password resets.

Outcome: multiple employees clicked malicious links, leading to credential theft and unauthorized access to internal systems.

5. Possible intelligence gathering examples on social media

Image: an example of intelligence gathering. The name of a pet you had as a child is a common security question; 8.9 million people replied.

Image: gathering active accounts for future targeting. The commenters are live, active accounts, and many tag the person they are in a relationship with; 4 million people commented on this one post.

Image: asking people to tag or name partners, friends or family members who are most likely to give them a gift.
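Example 3 above works because secrets sit in plain text where GitHub's code search can find them. The scanner below is an added example, not code from the original page: it shows the same pattern matching that attackers (and the secret-scanning tools you should run before pushing) rely on, fixed-format rules for well-known credential types plus an entropy check for generic password/secret/token assignments. The sample file content is constructed; the AWS key pair is Amazon's published, never-valid example pair, and the GitHub token and passwords are made up.

```python
import math
import re

# Constructed sample file content. The AWS key pair is Amazon's documented
# example pair (never valid); the GitHub token and passwords are made up.
SAMPLE_SOURCE = '''\
import boto3
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
GITHUB_TOKEN = "ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"
db_password = "hunter2"
SECRET_KEY = "changeme"
DEBUG = "false"
-----BEGIN RSA PRIVATE KEY-----
'''

# Fixed-format credentials: the prefix and length identify the type.
RULES = [
    ("aws-access-key-id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("github-pat", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("slack-token", re.compile(r"\bxox[baprs]-[A-Za-z0-9-]{10,}\b")),
    ("private-key", re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----")),
]

# Generic "<something>password/secret/token = '<value>'" assignments.
GENERIC = re.compile(
    r"""(?i)\w*(?:password|passwd|secret|api[_-]?key|token)\w*\s*[:=]\s*['"]([^'"]{6,})['"]"""
)

# Values that look like secrets syntactically but are obvious placeholders.
PLACEHOLDERS = {"changeme", "password", "example", "xxxxxx", "todo"}


def shannon_entropy(s):
    """Bits of entropy per character; random-looking strings score high."""
    if not s:
        return 0.0
    length = len(s)
    return -sum(
        (s.count(c) / length) * math.log2(s.count(c) / length) for c in set(s)
    )


def scan_text(text, entropy_threshold=2.5):
    """Return (line_number, rule_name, matched_value) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES:
            for m in pattern.finditer(line):
                findings.append((lineno, rule, m.group(0)))
        for m in GENERIC.finditer(line):
            value = m.group(1)
            if value.lower() in PLACEHOLDERS:
                continue
            # Low-entropy values ("false", "changeme") are usually not secrets;
            # the threshold is deliberately low so short real passwords still hit.
            if shannon_entropy(value) >= entropy_threshold:
                findings.append((lineno, "generic-secret", value))
    return findings


if __name__ == "__main__":
    for lineno, rule, value in scan_text(SAMPLE_SOURCE):
        print(f"line {lineno}: {rule}: {value}")
```

Run it over a repository before the first push (or wire it into a pre-commit hook); once a key has been in a public commit it must be treated as compromised and rotated, since deleting the file does not remove it from history.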

Phishing / whaling

Phishing is a cyberattack where attackers send fraudulent emails or messages (via Messenger, Instagram, WhatsApp, etc.) designed to trick people into revealing sensitive information—like passwords or credit card numbers—or clicking malicious links. These messages often appear to come from trusted sources, making them deceptive and effective at stealing data or installing malware.

Whaling is a targeted form of phishing aimed specifically at high-profile individuals such as executives or senior managers. Because these “big fish” have access to valuable information and critical systems, whaling attacks are often more sophisticated and personalized, using detailed research to increase their chances of success.

Examples

What might they be trying to acquire with these methods?

  • Steal sensitive data like credit card and login information.
  • Install malware on a victim’s machine.
  • Request money or plane tickets.

New methods of spoofing

  • You might receive a calendar invite from a spam account that contains dangerous links; such invites typically follow a click on a suspicious link or ad that collected your address.
  • You may receive messages like “Hey! How have you been doing?”, “I can’t believe you are in this video!” or “Is this you?” from hacked accounts. They are almost always accompanied by a link: the attacker impersonates someone you know to gain your trust, then uses curiosity, shame or fear to make you click it.

Image: a post on social media attempting to trick people into clicking the link by triggering an emotional response. The account has very likely been hacked and is being used to post this on its friends' pages.

Image: a phishing attempt via SMS.

Image: another phishing attempt via SMS.

Spoofing

Email Spoofing involves forging the sender’s email address to make a message appear as if it came from a trusted source. Attackers manipulate email headers—specifically the “From” field—so the recipient is more likely to open the message or act on its contents. While the email may look legitimate, the actual sending server or reply address often reveals it’s fraudulent.
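The check below is an added example, not code from the original page: it applies the paragraph above to a raw message, comparing the displayed From domain against the envelope sender (Return-Path) and the Reply-To, and reading the SPF/DKIM/DMARC verdicts that your own mail server records in the Authentication-Results header. The two messages are constructed (the first is modelled on the "Fake CEO Request" example further down); example.com, example-mail.net, mail-relay.example.net and the names are placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the From header claims example.com, but the envelope
# sender, the Reply-To and the receiving server's authentication verdicts
# all say otherwise. Every name, domain and address is a placeholder.
SPOOFED_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
 by mx.example.com with ESMTP; Mon, 2 Jun 2025 09:12:41 +0000
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com
From: "Jane Doe (CEO)" <ceo@example.com>
Reply-To: ceo.urgent@example-mail.net
To: finance@example.com
Subject: Urgent Wire Transfer

Please wire $25,000 to the vendor account below by end of day.
"""

# Constructed legitimate counterpart: consistent domains and passing checks.
LEGIT_EMAIL = """\
Return-Path: <ceo@example.com>
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Jane Doe (CEO)" <ceo@example.com>
To: finance@example.com
Subject: Q3 planning

Let's meet Thursday.
"""


def sender_domain(header_value):
    """Lower-cased domain of the first address in a header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def parse_auth_results(value):
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    verdicts = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "", re.IGNORECASE)
        if m:
            verdicts[method] = m.group(1).lower()
    return verdicts


def spoofing_indicators(raw_message):
    """Return human-readable reasons to distrust the displayed From address."""
    msg = message_from_string(raw_message)
    findings = []
    from_dom = sender_domain(msg["From"])
    envelope_dom = sender_domain(msg["Return-Path"])
    reply_dom = sender_domain(msg["Reply-To"])

    # The envelope sender (Return-Path) is what the sending server really used.
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"Return-Path domain '{envelope_dom}' differs from From domain '{from_dom}'")
    # A Reply-To on another domain quietly redirects the whole conversation.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")

    # The receiving server records whether SPF, DKIM and DMARC passed.
    verdicts = parse_auth_results(msg["Authentication-Results"])
    if not verdicts:
        findings.append("no Authentication-Results header: SPF/DKIM/DMARC were not evaluated")
    for method, verdict in verdicts.items():
        if verdict != "pass":
            findings.append(f"{method.upper()} verdict is '{verdict}'")
    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, "->", spoofing_indicators(raw) or ["no indicators"])
```

In a real mailbox, view the message source ("Show original" in Gmail, View > Message > Raw Source in Apple Mail) and look for the same three things; a mail client only shows the From display name, which is exactly the field the attacker controls.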

Website Spoofing is when attackers create fake websites that closely mimic legitimate ones, such as login pages for banks or services. The goal is to trick users into entering their credentials, which are then captured and used maliciously. These spoofed sites often have nearly identical designs and use misleading URLs to deceive victims.

Domain Spoofing refers to the use of lookalike domain names, such as replacing letters with similar characters (e.g., g00gle.com instead of google.com), to impersonate legitimate organizations. This technique is commonly used in phishing campaigns and malicious ads to lure users into thinking they’re visiting a trusted site when they’re not.

Examples

1. Email spoofing

  • Fake CEO Request

    From: [email protected]
    To: [email protected]
    Subject: “Urgent Wire Transfer”
    Body: “Please wire $25,000 to the vendor account below by end of day.”
    
    The email looks like it’s from the CEO, but the actual sending server isn’t authorized by your company.

  • Spoofed IT Helpdesk

    From: [email protected]
    Subject: “Password Reset Required”
    Body: “We detected unusual activity. Click here to reset your password.”
    
    The link leads to a fake login page designed to steal credentials.

  • Internal Phishing Attempt

    From: [email protected]
    Subject: “Updated Benefits Form”
    Body: “Please download and review the attached form.”
    
    The attachment contains malware, and the header was forged to look internal.

2. Domain/website spoofing

  • Domain names can include non-Latin characters, for example www.りんご.com (ringo means apple in Japanese).
  • That means www.apple.còm (note the ò in place of the o) is a possible domain name.
  • Similarly, www.аpple.com (where the first a is the Cyrillic letter а, not the Latin one) looks identical to the real site. This kind of domain spoofing is highly deceptive: the difference is invisible to the eye, and the only reliable tell is the Punycode form (xn--...) the name is actually registered under, which modern browsers display for many, but not all, such names.
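As an added example (not part of the original page), the script below does what a browser's IDN display policy does when it decides whether to show a name in Unicode or as Punycode: it flags non-ASCII labels, labels that mix scripts, and names whose "skeleton" (accents stripped, look-alike characters folded to Latin) collides with a known brand. It goes slightly beyond the three bullets above by also folding digit look-alikes, which catches the g00gle.com case from the Domain Spoofing paragraph. The allowlist of known domains and the confusables table are constructed for the example and far from complete.

```python
import unicodedata

# Constructed allowlist of domains we want to protect against look-alikes.
KNOWN_DOMAINS = {"apple.com", "google.com", "paypal.com"}

# A small, constructed table of characters that render like Latin letters.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j",   # Cyrillic
    "\u03bf": "o", "\u03b1": "a",                                 # Greek
    "0": "o", "1": "l",                                           # digits
}


def script_of(ch):
    """Coarse script taken from the Unicode character name ("LATIN SMALL LETTER A")."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK", "HIRAGANA", "KATAKANA", "CJK", "ARABIC", "HEBREW"):
        if name.startswith(script):
            return script
    return "COMMON"  # digits, hyphen, anything unclassified


def to_punycode(domain):
    """The xn-- form that actually goes over the wire and into certificates."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain):
    """Reduce a name to what a human sees: strip accents, fold confusables."""
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return "".join(CONFUSABLES.get(ch, ch) for ch in stripped)


def looks_like(domain, known=KNOWN_DOMAINS):
    """Return the known domain this one imitates, or None if it is genuine."""
    host = domain[4:] if domain.startswith("www.") else domain
    if host in known:
        return None
    target = skeleton(host)
    for candidate in known:
        if skeleton(candidate) == target:
            return candidate
    return None


def analyze_domain(domain):
    """Punycode form plus every reason to be suspicious of the name."""
    findings = []
    for label in domain.split("."):
        scripts = {script_of(ch) for ch in label} - {"COMMON"}
        if not label.isascii():
            findings.append(f"label '{label}' contains non-ASCII characters")
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
    imitated = looks_like(domain)
    if imitated:
        findings.append(f"looks like {imitated}")
    return {"domain": domain, "punycode": to_punycode(domain), "findings": findings}


if __name__ == "__main__":
    for name in ("www.\u308a\u3093\u3054.com",   # www.りんご.com
                 "www.apple.c\u00f2m",            # www.apple.còm
                 "www.\u0430pple.com",            # www.аpple.com, Cyrillic а
                 "g00gle.com",
                 "apple.com"):
        print(analyze_domain(name))
```

The Cyrillic example encodes to www.xn--pple-43d.com, which is what a certificate for the fake site would name and what a careful look at the address bar or a `dig` query shows; the Japanese name is non-ASCII but single-script and imitates nothing, which is exactly the distinction browsers draw.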

Screenshots of real spoofing attempts

1. Attempt at impersonating Eric

Image: this email was sent from a fake account to get a reply, most likely as the prelude to a request for gift cards or a wire transfer. It most likely required some intelligence gathering beforehand.

2. PayPal scam

Image: this email tries to provoke an emotional response so that the user clicks the link and is scammed out of their PayPal account.

Image: none of the links in this email point to PayPal. They often all use the same URL, to maximize the chance that you click on one.

Image: the spammers went as far as "teaching" the user how to spot a fake email, a list that of course excludes their own.

Supply Chain Attack

A supply chain attack targets less secure elements in an organization’s supply or service network—such as third-party vendors, software providers, or hardware manufacturers—in order to compromise the end target. Instead of attacking a company directly, attackers breach a trusted partner or product and use that access as a backdoor.

These attacks are dangerous because they exploit trust. Once a compromised component is integrated, it can silently spread malware or provide access deep into systems that would otherwise be well protected.

Always vet vendors, monitor updates, and validate the integrity of third-party software and services.

Examples
  • XcodeGhost (2015): A modified version of Apple’s Xcode development tool was distributed on unofficial sites in China. Developers unknowingly used this tainted Xcode to build apps, which were then uploaded to the App Store. The apps contained hidden malware capable of collecting user data and sending it to remote servers.
  • Homebrew GitHub token leak (2018): A security researcher found a GitHub access token exposed on Homebrew's public Jenkins instance; it granted commit access to the core repositories of the popular macOS package manager. No malicious code was inserted and the token was revoked within hours, but the incident showed how a single leaked credential could have let an attacker tamper with a tool trusted by millions of Macs.
  • Targeted attacks via pirated software: Attackers bundle malware into pirated versions of macOS software (such as Adobe apps or productivity tools). These cracked apps are distributed outside the App Store, often via torrent sites, and can contain backdoors, crypto miners or spyware.
  • PyPI/npm packages used in macOS development: macOS developers relying on third-party libraries from PyPI or npm have been exposed to typosquatting, where a malicious package whose name is one typo away from a popular one is installed by mistake and runs code at install time or at runtime that can compromise the build machine.
  • SolarWinds (2020): Attackers compromised SolarWinds' build system and inserted a backdoor into a legitimately signed update of the Orion network-monitoring platform. Around 18,000 organizations installed it, including U.S. government agencies. Orion runs on Windows servers, and because the update carried a valid SolarWinds signature it passed every routine integrity check.
  • CCleaner (2017): Attackers compromised the build environment of the popular Windows optimization tool so that an official, signed update installed a backdoor on over two million systems.

Reminder

Always use official sources for developer tools, avoid pirated software, and verify the integrity of any third-party package or dependency.
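An added example, not the page's or any project's own code, illustrating the PyPI/npm bullet and the Reminder above: a checker for a Python requirements file that flags names one typo away from packages you actually use (the typosquatting pattern) and pins that carry no hash (so nothing verifies the integrity of what gets downloaded). The package allowlist, versions and hashes are constructed placeholders.

```python
import re

# Constructed allowlist: the third-party packages this project is known to use.
KNOWN_PACKAGES = {"requests", "urllib3", "cryptography", "boto3", "numpy"}

# Constructed requirements file. Versions and hashes are placeholders: line 1
# is pinned with a hash, line 2 has no hash, line 3 is a near-miss of "requests".
SAMPLE_REQUIREMENTS = """\
requests==2.32.3 --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.2
requets==2.32.3 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
"""

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==\s*\S+)?(.*)$")


def normalize(name):
    """PEP 503 name normalization: case-insensitive, runs of -_. become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment) distance: insert, delete,
    substitute or swap two adjacent characters each cost 1. Typosquats are
    usually within distance 1 of the package they imitate."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def check_requirements(text, known=KNOWN_PACKAGES):
    """Return (line_number, problem, detail) for each suspicious requirement."""
    findings = []
    allowed = {normalize(k) for k in known}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # blank, comment or pip option
            continue
        m = REQ_LINE.match(line)
        if not m:
            findings.append((lineno, "unparsed line", line))
            continue
        name, pin, rest = m.groups()
        norm = normalize(name)
        if norm not in allowed:
            near = sorted(k for k in allowed if edit_distance(norm, k) == 1)
            if near:
                findings.append((lineno, "possible typosquat", f"{name} resembles {', '.join(near)}"))
            else:
                findings.append((lineno, "not in allowlist", name))
        if not pin:
            findings.append((lineno, "version not pinned", name))
        if "--hash=sha256:" not in rest:
            findings.append((lineno, "no hash pin", name))
    return findings


if __name__ == "__main__":
    for lineno, problem, detail in check_requirements(SAMPLE_REQUIREMENTS):
        print(f"line {lineno}: {problem}: {detail}")
```

Hash pins are enforced by `pip install --require-hashes -r requirements.txt`, which refuses any package whose hash is missing or does not match what was downloaded; npm's equivalent is the integrity field in package-lock.json, which `npm ci` checks.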

Viruses & malware

Viruses and other malware are malicious programs designed to damage, disrupt, or gain unauthorized access to systems and data. They can spread through email attachments, downloads, infected websites, or USB devices. Once inside a system, malware can steal information, encrypt files (ransomware), or allow attackers remote access. Staying cautious online and keeping software up to date are key defenses.

Macs and iPhones are not safe from these attacks

Contrary to popular belief, Macs and iPhones, despite being very secure platforms, are regularly targeted by people with bad intentions.

A prime example is Pegasus, a highly sophisticated spyware developed by NSO Group. In August 2016, Pegasus was caught exploiting three previously unknown iOS vulnerabilities (the chain known as "Trident", which also affected macOS). Once the target tapped a link sent by text message, the attacker had full access to calls, messages, camera, microphone and more.

Apple was alerted immediately and released the iOS patch 10 days later, with the macOS patch following a week after that. That is remarkably fast, but it still meant users were vulnerable during that window. Similarly, in September 2021, Pegasus leveraged a "zero-click" exploit known as FORCEDENTRY, which abused PDF parsing in CoreGraphics through iMessage on both iOS and macOS and needed no action from the victim at all. Apple patched it within a week of being notified, but the episode again showed that even the most secure devices can be compromised before a fix is released.

Examples
  1. Email Attachments: Opening malicious files disguised as invoices, resumes, or reports.
  2. Phishing Links: Clicking fake links in emails or messages that lead to infected websites.
  3. Infected Downloads: Installing software or files from untrusted sources (e.g., pirated apps or cracked tools).
  4. USB Drives: Plugging in compromised USBs, which can auto-run malware.
  5. Malicious Ads (Malvertising): Clicking on ads on compromised or fake websites.
  6. Fake App Updates: Downloading what appears to be a system or software update from a non-official source.
  7. Mobile Apps: Installing apps from outside the official app stores, especially on jailbroken/rooted devices.
  8. Drive-by Downloads: Simply visiting a compromised website can trigger an automatic, invisible download.

Ransomware

Important

Paying the attackers is not a recommended solution. It encourages further attacks—often sooner and with higher demands—since they now see you as an easy target who likely hasn’t yet fixed the original vulnerabilities that allowed them to ransom you the first time.

See Security > Ransomware attack on what to do if it happens to you.

Ransomware is a type of malicious software that encrypts files or locks access to a system until a ransom is paid—often in cryptocurrency. Victims are usually given a deadline and threatened with permanent data loss or public exposure. Ransomware attacks can target individuals, businesses, hospitals, and even governments, causing severe disruption and financial loss.

Attacks of this type have increased sharply since the COVID-19 pandemic because they are easy to deploy (ransomware kits can be bought on the dark web) and highly rewarding. Attackers can also resell stolen information such as credit card and social security numbers, which becomes even more valuable when the data of many victims is packaged and sold in bulk.

Examples
  1. Phishing Emails: Opening attachments or clicking links in fake emails (e.g., “invoice” or “package delivery”).
  2. Malicious Downloads: Installing cracked software, games, or tools from untrusted websites.
  3. Infected Websites: Visiting compromised websites that trigger drive-by downloads.
  4. Remote Desktop Protocol (RDP) Attacks: Attackers log in through RDP services exposed to the Internet using weak, reused or leaked credentials.
  5. USB Devices: Using infected external drives or devices with autorun malware.
  6. Software Vulnerabilities: Exploiting outdated or unpatched systems to silently install ransomware.

The Ransomware Economy

How Ransomware Syndicates Operate

graph TD
    classDef white fill:#ffffff,stroke:#000000,stroke-width:1px;
    classDef dark fill:#3859FA,stroke:#000000,stroke-width:0px;
    classDef light fill:#96A1FF,stroke:#000000,stroke-width:0px;
    classDef joint fill:#FFFFFF,stroke:#3859FA,stroke-width:2px;

    1("<span style='color: white;'>Developers</span>") --- X((" "));
    2("<span style='color: white;'>Packer Developers</span>") --- X;
    X --- Y;
    Y --> A;
    3("<span style='color: white;'>Analysts</span>") ---- Y((" "));
    4("<span style='color: white;'>Access Sellers</span>") ---- Y;
    5("<span style='color: white;'>Botmasters</span>") ---- Y;

    A("<span style='color: white;'>_**Threat actors**_
    —
    Operators
    ↓
    Sell RaaS
    ↓
    Affiliates</span>") --> B("<span style='color: white;'>Laundering services</span>") --> C("<span style='color: white;'>Cryptocurrency Exchanges</span>");
    A -.-> D("<span style='color: white;'>Negotiating Agents</span>");

    A --- Z((" ")) --> R1{{Ransomware Brokers}};
    A --> R2{{Victims}};
    R2 --> R3{{Legal Counsel}} --> R1;
    R3 --> R4{{Insurance Providers}};
    R2 --> R5{{Incident Response Firms}};
    D -.- |Negotiation & Payment|Z;

    class 1,2,3,4,5,A,B,C,D dark
    class R1,R2,R3,R4,R5 light
    class X,Y,Z joint

    linkStyle 0 stroke:#3859FA,stroke-width:2px
    linkStyle 1 stroke:#3859FA,stroke-width:2px
    linkStyle 2 stroke:#3859FA,stroke-width:2px
    linkStyle 3 stroke:#3859FA,stroke-width:2px
    linkStyle 4 stroke:#3859FA,stroke-width:2px
    linkStyle 5 stroke:#3859FA,stroke-width:2px
    linkStyle 6 stroke:#3859FA,stroke-width:2px
    linkStyle 7 stroke:#3859FA,stroke-width:2px
    linkStyle 8 stroke:#3859FA,stroke-width:2px
    linkStyle 9 stroke:#3859FA,stroke-width:2px
    linkStyle 10 stroke:#3859FA,stroke-width:2px
    linkStyle 11 stroke:#96A1FF,stroke-width:2px
    linkStyle 12 stroke:#3859FA,stroke-width:2px
    linkStyle 13 stroke:#96A1FF,stroke-width:2px
    linkStyle 14 stroke:#96A1FF,stroke-width:2px
    linkStyle 15 stroke:#96A1FF,stroke-width:2px
    linkStyle 16 stroke:#96A1FF,stroke-width:2px
    linkStyle 17 stroke:#3859FA,stroke-width:2px


flowchart LR
    classDef white fill:#ffffff,stroke:#000000,stroke-width:0px;
    classDef dark fill:#3859FA,stroke:#000000,stroke-width:0px;
    classDef light fill:#96A1FF,stroke:#000000,stroke-width:0px;
    classDef joint fill:#FFFFFF,stroke:#3859FA,stroke-width:2px;

    A(LEGEND:) ~~~  T
    T("<span style='color: white;'>Dark Web Service Providers</span>") ~~~  X
    X{{"Victim-side Service Providers"}}

    class A white
    class T dark
    class X light

Dark Web Service Providers

Developers

Write the ransomware software and sell it to threat actors for a cut of the ransom.

Analysts

Evaluate the victim's financial health to advise on ransom amounts that they're most likely to pay.

Access Sellers

Take advantage of publicly disclosed vulnerabilities to infect servers before the vulnerabilities are remedied, then advertise and sell that access to threat actors.

Botmasters

Create networks of infected computers and sell access to those compromised devices to threat actors.

Negotiating Agents

Handle interactions with victims.

Laundering Services

Exchange cryptocurrency for fiat currency on exchanges or otherwise transform ransom payments into usable assets.

Operators

The entity that actually carries out the attack with access purchased from botmasters or access sellers and software purchased from developers or developed in-house. May employ a full staff, including customer service, IT support, marketing, etc. depending on how sophisticated the syndicate is.

Affiliates

Purchase ransomware as a service from operators & developers who get a cut of the ransom.

RaaS

Ransomware-as-a-Service.


Victim-side Service Providers

Ransomware Brokers

Brought in to negotiate and handle payment on behalf of the victim and act as intermediaries between the victim and operators.

Legal Counsel

Often manage the relationship between the broker, insurance provider, and victim, and advise on ransom payment decision-making.

Incident Response Firms

Consultants who assist victims in response and recovery.

Insurance Providers

Cover victim's damages in the event of an attack.


From: Introducing the Ransomware Economy

Man-in-the-middle attack

A Man-in-the-Middle (MitM) attack occurs when a malicious actor secretly intercepts and possibly alters communication between two parties—often without either side knowing. The attacker positions themselves between the user and a legitimate service (like a website or app), allowing them to steal data, insert malicious content, or impersonate one of the parties.

Always use secure, password-protected Wi-Fi, check for HTTPS in website URLs, and avoid accessing sensitive accounts on public networks.

Examples
  1. Public Wi-Fi Eavesdropping: On open Wi-Fi networks (in cafés or airports), anyone on the same network can capture unencrypted traffic, including login credentials, messages or banking details sent over plain HTTP. A VPN encrypts all of your traffic up to the VPN provider, so other users of the hotspot cannot read it.
  2. Fake Wi-Fi Hotspots: Attackers set up a network with a name like “Free_Coffee_Shop_WiFi” to lure users and capture their data. Again, use a VPN when connecting to a Wi-Fi network you are not familiar with.
  3. DNS(2) Spoofing: Answering a DNS lookup with the attacker's IP address, so that users who type the legitimate website's name land on a fake one that looks the same and are tricked into entering sensitive information.
  4. HTTPS Stripping: Downgrading a connection from HTTPS to plain HTTP (for example by rewriting the links in the first unencrypted page a user loads), allowing the attacker to read or modify the traffic.
  5. Session Hijacking: Stealing a user’s session token(1), captured from an unencrypted connection or via injected script, to impersonate them without needing their credentials.

  (1) A user’s session token is a unique, temporary identifier that a server assigns to a user after they log in. It keeps the user authenticated as they navigate a website or app without needing to log in again on every page. See Glossary > Session token or user's session token.

  (2) DNS, the Domain Name System, is the Internet's system for converting alphabetic names into numeric IP addresses. For example, when a web address (URL) is typed into a browser, DNS servers return the IP address of the web server associated with that name. See Glossary > DNS — Domain Name System.
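The following is an added example, not from the original page: an audit of the response headers that defend against examples 4 and 5, run against two constructed responses from a hypothetical login endpoint. Strict-Transport-Security is what makes a browser refuse plain http:// on return visits, which defeats HTTPS stripping, and the Secure, HttpOnly and SameSite cookie attributes are what keep a session token(1) from being sent in the clear, read by injected script, or attached to cross-site requests.

```python
import re

CRLF = "\r\n"

# Constructed responses from a hypothetical login endpoint. The first is what
# an unhardened application typically sends; the second is the corrected form.
WEAK_RESPONSE = CRLF.join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Set-Cookie: sessionid=9f3c2a7e; Path=/",
    "",
    "<html>...</html>",
])

HARDENED_RESPONSE = CRLF.join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "Strict-Transport-Security: max-age=63072000; includeSubDomains",
    "Set-Cookie: sessionid=9f3c2a7e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "",
    "<html>...</html>",
])

ONE_YEAR = 365 * 24 * 3600


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status_line, [(name, value), ...])."""
    head, _, _body = raw.partition(CRLF + CRLF)
    status_line, *header_lines = head.split(CRLF)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status_line, headers


def audit_response(raw):
    """Return the MitM-relevant weaknesses in a response served over HTTPS."""
    _status, headers = parse_response(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    findings = []

    # HTTPS stripping: without HSTS, a victim who types "example.com" starts on
    # http:// and an attacker on the path can keep them there. The browser only
    # insists on https:// once it has seen this header on a secure connection.
    hsts = values("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security header (HTTPS stripping possible on first visit)")
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age shorter than one year")

    # A redirect to http:// sends the session straight back into the clear.
    for loc in values("location"):
        if loc.lower().startswith("http://"):
            findings.append(f"redirect to plaintext URL {loc}")

    # Session hijacking: without Secure the cookie leaks over any http:// request;
    # without HttpOnly injected script can read it; without SameSite it rides
    # along on cross-site requests.
    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie '{name}' lacks {flag}")
    return findings


if __name__ == "__main__":
    print("weak:", audit_response(WEAK_RESPONSE))
    print("hardened:", audit_response(HARDENED_RESPONSE) or "no findings")
```

The same checks can be run against a live site with `curl -sI https://example.com` piped into parse_response; the one thing no header can fix is the very first plain-http visit, which is why sensitive sites are preloaded into browsers' built-in HSTS lists.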