
It's not that they don't exist, but the easiest way to gain access to a computer system is always going to be to ask for the password.

https://xkcd.com/538/



I have no evidence for this, but my feeling was always that the highest-volume exploits were just having a bot run yesterday's Day-0 on every IP listening on a port. You can't get that kind of volume by calling people and asking for their password.

If you leave an unsecured mail server accessible to the internet, it'll start sending spam emails within 30 minutes.

On the other hand, phishing emails are also automated, and that's essentially asking for the password.


It's probably safe to say that phishing is the most common method among APTs like state intelligence agencies. It's cheap, it's easy, it works. No reason to burn zero-days unless simpler methods with less exposure don't work, and they usually do.

But we can broadly categorize security incidents into two bins: first are opportunistic attackers which broadly attempt a method that sometimes works. Two common examples are minimally-targeted phishing emails (think Best Buy invoice) and automated scanning for old versions of WordPress with known vulnerabilities. Second are targeted attacks, where the attacker chooses a target and then attempts different methods to reach success. Overall targeted attacks are far less common than opportunistic ones, but because they involve a higher level of effort they're only attempted when there's a high level of motivation. Targeted attacks tend to result in greater financial losses than opportunistic attacks, for example, because compromising machines to add them to a botnet usually isn't worth the effort of a targeted attack, but getting banking credentials or crypto wallets usually is.

All of information security is fairly bimodal in this way. It often seems like even technical professionals like software engineers struggle to understand basic security practices, but I think this is one of the biggest causes: most people tend to think about one case and ignore the other. Unfortunately one of the things that makes security very difficult is that both cases are real and the two require fairly different practices to deter, prevent, and detect.

Social methods are far more common with targeted attacks because "true" social engineering involves a higher level of effort, like time on the phone. That said, phishing falls into an in-between where some consider it to be a social method but it is amenable to widespread automation. There's also a wide spectrum of effort in phishing. Many are tempted to try to categorize phishing activity into a binary of "phishing" and "spear-phishing" (I hate these terms), but that doesn't really reflect reality very well. In a large corporation you can usually find examples of phishing that are targeted to varying degrees of specificity: at anyone, at corporate employees broadly, at people in the industry, at employees of a company, a department in that company, and even carefully tailored to a specific employee. The frequency of course tails off as you get more specific, but then it's not that unusual for some organized crime group to run a sustained campaign of fairly closely-targeted phishing as happened recently with Twilio.

Opportunistic attacks are certainly greater in volume to the extent that some call them "internet background noise," but most think that targeted attacks probably produce greater total financial damage. Security is very faddish though, not only on the defense side but also on the offense side, so it probably varies from year to year. For example, the emergence of ransomware was a major trend that required a strategic shift in defense in many organizations since ransomware attacks were fairly low effort but also very high damage in many cases.
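The bimodal split described in the comment above (opportunistic "background noise" versus persistent, targeted attempts) is something a defender can make visible in authentication logs, because the two modes leave different shapes: a spray touches many accounts shallowly, while a focused attempt hammers one real account and may eventually succeed. The following is an added example, not code from the thread or from any commenter; the sshd-style log lines are constructed (documentation IP ranges, an invented host name), and the thresholds `spray_users` and `focus_attempts` are assumed heuristics to be tuned per environment.

```python
"""Classify sources in sshd-style auth logs as opportunistic spray,
targeted focus, or low-volume, and flag a success that follows failures.
Added example; log lines and thresholds are constructed/assumed."""
import re
from collections import defaultdict

# Constructed sample log lines (TEST-NET addresses, invented host "bastion").
SAMPLE_LOG = """\
Jan 10 03:12:01 bastion sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:02 bastion sshd[1002]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:03 bastion sshd[1003]: Failed password for invalid user test from 203.0.113.5 port 51247 ssh2
Jan 10 03:12:04 bastion sshd[1004]: Failed password for invalid user oracle from 203.0.113.5 port 51251 ssh2
Jan 10 03:12:05 bastion sshd[1005]: Failed password for invalid user guest from 203.0.113.5 port 51259 ssh2
Jan 10 03:12:06 bastion sshd[1006]: Failed password for invalid user ubuntu from 203.0.113.5 port 51266 ssh2
Jan 10 03:15:40 bastion sshd[1010]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 10 09:01:10 bastion sshd[1101]: Failed password for jsmith from 192.0.2.44 port 60010 ssh2
Jan 10 09:03:55 bastion sshd[1102]: Failed password for jsmith from 192.0.2.44 port 60018 ssh2
Jan 10 09:07:12 bastion sshd[1103]: Failed password for jsmith from 192.0.2.44 port 60031 ssh2
Jan 10 09:11:48 bastion sshd[1104]: Failed password for jsmith from 192.0.2.44 port 60044 ssh2
Jan 10 09:16:03 bastion sshd[1105]: Failed password for jsmith from 192.0.2.44 port 60052 ssh2
Jan 10 09:20:30 bastion sshd[1106]: Accepted password for jsmith from 192.0.2.44 port 60060 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_events(log_text):
    """Return a list of (kind, user, ip) for failed and accepted logins."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(("failed", m.group("user"), m.group("ip")))
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            events.append(("accepted", m.group("user"), m.group("ip")))
    return events


def classify_sources(events, spray_users=5, focus_attempts=5):
    """Summarise each source IP and label it with assumed heuristics:
    many distinct usernames -> opportunistic spray; repeated failures
    against a single account -> targeted focus; otherwise low volume.
    A success after failures from the same source is flagged for review."""
    per_ip = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": False})
    for kind, user, ip in events:
        rec = per_ip[ip]
        if kind == "failed":
            rec["failed"] += 1
            rec["users"].add(user)
        else:
            rec["accepted"] = True

    result = {}
    for ip, rec in per_ip.items():
        distinct = len(rec["users"])
        if distinct >= spray_users:
            label = "opportunistic-spray"
        elif rec["failed"] >= focus_attempts and distinct == 1:
            label = "targeted-focus"
        else:
            label = "low-volume"
        if rec["accepted"] and rec["failed"] > 0:
            label += "+success-after-failures"
        result[ip] = {
            "failed": rec["failed"],
            "distinct_users": distinct,
            "accepted": rec["accepted"],
            "label": label,
        }
    return result


if __name__ == "__main__":
    for ip, summary in classify_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip:15} failed={summary['failed']:2} users={summary['distinct_users']:2} {summary['label']}")
```

The spray source shows up as many usernames from one address and is the kind of noise a rate limit or fail2ban-style block handles well; the focused source looks quiet by volume but is the one that warrants an analyst's attention, especially once the success-after-failures flag appears. The labels are a triage aid, not a verdict: distributed sprays across many source addresses will need per-account aggregation as well.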


No one worth hacking runs mail servers it’s 2023 lol


Mostly startups use GSuite, big traditional companies and banks still run their own. But that wasn't really my point. My point is that there are a lot of bots looking for low-hanging fruit.


In 2011 I spent hours writing a script to brute force a wifi password at a hotel because I didn't want to pay $5 a day for wifi. It worked. I was pleased with myself.

When I checked out they gave me a receipt and I went to throw it away and saw a handful of wifi passwords in the trash bin.

Lesson learned.


Those hotel wifi passwords are usually only valid during your stay so if someone throws them out they've likely expired or will do so soon.

You still did well writing the brute force. How did you know the composition though?



