Any MITM attack is always going to be going forward, not in reverse, at least to capture authentication sessions (and then you can root around in someone's account).
1. Compromised WiFi networks ("McDonald's Free Wifi")
2. BGP Hijacks (these tend to get noticed)
3. Malware running a local proxy (Malware can try to inject its own cert into the store too but that cert would be compromised by CT/AV/etc. A proxy with a valid gov cert would be much harder to detect.)
4. Compromised cell sites (stingray type devices)
5. Mistyped URLs, often in combo with spear phishing.