A Man-in-the-middle attack is a type of cyber attack in which an attacker intercepts and monitors the conversation between two parties who believe they are communicating directly.
In simpler terms, you can think of this attack as an eavesdropping attempt by a hijacker who attempts to come in the ‘middle’ of the conversation to capture and manipulate sensitive information.
According to IBM, Man-in-the-Middle attacks are responsible for 35% of exploitation activity online. This allows hackers to access account credentials, credit card details, and other sensitive files.
In this blog, you will learn:
- How MITM attacks work
- Types of MITM attacks
- Real-world examples
- Preventive measures that help
Man-in-the-Middle Attacks: At a Glance
| Function | This happens when an attacker poses as a third party in a conversation between an application and a user. The objective is to get access to sensitive data such as passwords, credit card details, and account numbers. |
| Phases | Interception, where the attacker intercepts the victim’s network with a fake network. Decryption, in which the data gained is encrypted via SSL stripping/hijacking. |
| Types | HTTP spoofing Email hijacking Wifi eavesdropping IP spoofing DNS spoofing SSL stripping & hijacking |
| Ways to Prevent | Set up a VPNPlace Network Intrusion Detection System (NIDS) within the network, install a good anti-virus & anti-malware software package, only install add-ons via reputable sources, setup two-factor authentication for transactions |
| Man-in-the-middle vs Man-in-the-browser | MITM works at the network layer, whereas MITB exploits browser vulnerabilities and works at the application layer. |
How Do MITM Attacks Work?
Due to the internet protocols’ open nature, most data exchanged online can be accessed publicly. Thus, connecting to a LAN network exposes all your data packets to other computers.
The attacker will then join the same network as you and deploy a sniffer to read the data. Attackers will then use the MITM strategy to trick you into thinking you are directly connected with the source.
This attack takes place in three simple steps:
- Hacker accesses the location to perform an attack.
- A hacker becomes the man-in-the-middle for the data exchange.
- Stolen data is then decrypted to gain access to documents.
Potential Vulnerabilities for MITM to Attacks Happen
While the source of such an attack may vary, they often come from one of these four channels:
Computer devices
Phishing attacks and other forms of malware can easily corrupt your system if you download anything from non-reputable sources. This could host viruses that modify/intercept your internet connection or facilitate Man-in-the-browser (MITB) attacks.
Public networks
Public networks can easily compromise your security, including any open network, such as those in public places like airports and coffee shops. Avoid connecting to local area networks and public wifi networks, as MITM attack techniques work best on them.
Web server
Attackers can also gain access to the website you were trying to access if they acquire your recipient’s public key.
Router
People often forget to change their password or add additional security layers when setting up a new wifi router. Make sure you have a router with updated firmware and a secure password.
Phases of a Man-in-the-Middle Attack
For a successful MITM attack to take place, a bi-phasic process must be carried out. This includes interception and deception.
Interception
In the first phase, the attacker’s network is used to snoop on user traffic before it gets to its target.
The easiest method of accomplishing this is an indirect attack in which an attacker hacks public wifi hotspots and open networks. Unfortunately, they aren’t password secured, so when a victim joins, the attacker can monitor all of their internet activity.
Decryption
After establishing a connection between the website and the user, any bidirectional SSL traffic needs to be intercepted and decrypted without notifying the user or application. While the user’s session is still encrypted within the program, the attacker sees an unencrypted version of the data packet and thus has access to the user’s whole session.
It is also worth noting that in order to bypass the default security checks, these types of attacks often use different spoofing techniques. Let us know more.
Types of Man-in-the-middle Attacks
Below are the most common methods attackers use to place themselves between your end destination and you.
HTTPS Spoofing
HTTPS spoofing allows an attacker to trick your browser into thinking that the website you are visiting is legitimate. This is because the attacker first sends a false certificate to the victim’s browser in the guise of a legitimate one, tricking them into visiting the malicious domain.
For this, the attacker registers a domain with a name that is confusingly similar to the one you want to visit. After that, they use that URL so other scammers can utilize it.
IP Address Spoofing
IP spoofing alone is not a part of a MitM attack, but it becomes a part when coupled with TCP sequence prediction. An IP address, assigned to every Wi-Fi-enabled device or connected via a network cable, is essential to the operation of any networked computer or device.
When an attacker engages in IP spoofing, they pretend to be the victim’s computer by forging packets of Internet Protocol data. Then, when the victim clicks on a link that comes from that system, they are sent to the scammer’s website.
DNS Spoofing
In this method, the scammer first alters a DNS record, redirecting the victim’s web traffic to a fraudulent website. Unlike other spoofing methods, DNS spoofing is more complicated since it depends on a vulnerable DNS cache.
If an attacker accesses the DNS cache, they will try to steal your information by sending you to a fake website. Once you type in your original credentials, the attacker will have your data and connect to the original site. This type of DNS spoofing is known as Cache poisoning.
Email Hijacking
These attacks are often used for spearfishing but are not as common. The attacker gains access to your email and monitors all the conversations in order to gather information.
Make sure to set up two-factor authentication to minimize such attacks.
Wifi Eavesdropping
This type of attack occurs if you join a public wifi network that can be connected to without any password or encryption. When doing so, you will always get a prompt on your device saying, this network is not secure, which indicates the possibility of a potential data breach.
SSL Hijacking
If you attempt to access a website that does not use HTTPS (as indicated by the “HTTP” in the URL), you should automatically redirect to the encrypted HTTPS version of that website.
When an attacker engages in SSL hijacking, they utilize their computer and server to intercept the reroute, preventing the user’s computer from communicating with the server.
This allows them to see whatever private data the user may have entered throughout the session.
How to Prevent Man-in-the-middle Attacks
Here are some ways by which you can increase system security and avoid such attacks:
- Secure all connections and only visit websites that show HTTPS in the URL bar.
- Avoid clicking on spam emails or putting your login information on any website that these emails redirect you to.
- Use a VPN to encrypt the internet connections and online data transfers.
- If you are an organization, have anti-malware and internet security products in place across all your devices.
- Avoid public wifi networks, and filter through spam emails. When online, carefully check the website’s authenticity before making any transactions.
Frequently Asked Questions
Now that you know how to prevent MitM attacks, let us have a look at some of the commonly asked questions about this attack:
Why Do MitM Attacks Happen?
The main goal of such attacks is to obtain sensitive information, which can then be used for identity theft, unapproved fund transfers, and APT assaults.
How to Safeguard a Website Against MitM Attacks?
- Do not connect to open wifi networks.
- Set secure communication protocols, including HTTPS and TLS.
- Make sure you secure all the pages of your website instead of securing just the ones which prompt users to log in. This minimizes the chance of an attacker stealing cookies from a browsing session.
How to Detect a MitM Attack?
When visiting a website, always look for an SSL lock icon near the URL. This means that the website is secure. Additionally, avoid visiting websites that only have ‘HTTP’ in their URL and not ‘HTTPS’, as this shows that the connection is not secure.
Conclusion
A MitM attack is a cyber attack in which a third party attempts to intercept a private connection/conversation or data exchange between two parties.
This situation is quite similar to if your mailman was to open your mailbox, collect all the sensitive data in your mail, and use it for identity theft later.
That said, as devices are getting more advanced, companies are strengthening their firewalls and constantly updating mobile devices with robust security patches. To reduce the probability of such attacks, keep scanning your devices regularly, avoid connecting to public networks, and have strong firewalls.
Leave a Reply