Attackers today have found a number of ways to exploit insecure applications. As our digitally connected world keeps evolving, so too will cybercrime and the exploitation of every detectable security vulnerability. These crimes are getting more and more complex, so taking care, staying educated and following best practices are critical for defending against all cyber-attacks—including man-in-the-middle attacks.
Man-In-The-Middle (MITM) Attack Overview
Man-in-the-middle (MITM) is a type of cyber-attack where attackers intercept an existing communication or data transfer. Once they have inserted themselves in the “middle” of this transfer, attackers will pretend to be both legitimate participants, going between them to gather sensitive information from each party before it reaches the other or to deliver malicious links. As the legitimate participants believe themselves to be involved in a private, secured communication they may not realize the information has been stolen or altered, or detect the malicious link, until it is too late.
A man-in-the-middle cyber-attack involves three players. There is the victim, the entity the victim is attempting to communicate with, and the aforementioned “man in the middle” who has secretly managed to intercept the victim’s communication. Unaware victims of these MITM attacks will perceive the communications as a standard exchange of information, all the while attackers are quietly hijacking this information for their own gain.
Because of the length of time it can take organizations to discover they have been the victim of a MITM attack, it is difficult to estimate how often these attacks occur. Some estimates suggest that roughly 35% of criminal activity could fall under the category of a MITM attack.
How Does A Man-In-The-Middle Attack Work?
In a MITM attack, an attacker secretly places their device in a communication path. When devices use this path to exchange information, the traffic passes through the attacker’s device without either party realizing it. Since all traffic goes through the attacker’s own device, they can modify it in such a way that the target device is convinced it has received legitimate, uncompromised communication and is none the wiser about the unseen observer who is recording, decrypting and possibly altering the victim’s transmitted data as it moves to its intended destination.
To gain this level of access, attackers need to be highly knowledgeable about encryption, software vulnerabilities, network exploits and internet protocols. For the attacker to successfully get in the “middle” of the communication, they must first intercept the user’s web traffic. Often they will do this by exploiting Wi-Fi networks that are unsecured or by spoofing trusted Wi-Fi networks.
Most often a man-in-the-middle attack will take place after an attacker has gained control over a Wi-Fi network or created their own free unencrypted Wi-Fi connection. This gives the attacker access to the data exchanged between two parties, and allows them to engage in what is essentially a digital form of eavesdropping.
Once the attacker has successfully intercepted the victim’s web traffic and has managed to avoid detection, they can carry out their plans. These plans might include simply lurking out of sight while users continue accessing the internet uninterrupted, allowing the attacker to spy on the victim’s usage and collect the victim’s encrypted data. Or the attacker might choose to start altering the communications between the user and the internet—for example, directing the user’s bank to wire funds to another account while the bank believes the user is the one making the request.
Types Of Man-In-The-Middle Attacks
A man-in-the-middle attack can take many different forms, but the following are the most common MITM techniques:
IP Spoofing
By spoofing an IP address hackers are able to convince you that the website or entity you are interacting with is reliable, meaning you will carry on as normal without extra caution and they can gain access to important information—credentials, personal data, bank logins, and more—that you would guard more carefully if you knew the site was not credible.
HTTPS Spoofing
HTTPS spoofing is when an attacker uses a domain that is designed to appear similar to that of the target (credible) website. Characters in the target domain are replaced with non-ASCII characters of similar appearance, so that the lookalike domain can obtain its own valid certificate and the browser shows a secure connection. The difference can be difficult to spot for users who are lulled into a false sense of security by the browser’s secure connection indicator. Users believe they are interacting with a legitimate and safely encrypted site, so they easily fall victim to the MITM attack and unknowingly hand their information over to malicious actors.
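One defensive check for the lookalike domains described above, written as an added example for this article (not code from the original page): it decodes punycode (`xn--`) host names to their Unicode form, flags labels that mix writing systems, and compares a confusable-folded "skeleton" of the name against a list of trusted domains. The `CONFUSABLES` map is a small constructed fragment of the Unicode confusables data, and the `trusted` set is an assumed allow-list supplied by the caller.

```python
import unicodedata

# Constructed fragment of the Unicode confusables table: lookalike -> ASCII twin.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u04cf": "l",  # Cyrillic small palochka
    "\u03bf": "o",  # Greek small omicron
    "\u0261": "g",  # Latin small script g
}

def to_unicode(host):
    """Decode xn-- labels so the Unicode form the browser would display is inspectable."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid IDNA: inspect as-is

def scripts_in(label):
    """Return the set of writing systems (LATIN, CYRILLIC, ...) used by letters in a label."""
    return {unicodedata.name(ch, "").split(" ")[0] for ch in label if ch.isalpha()}

def skeleton(host):
    """Fold confusable characters onto their ASCII twins for comparison."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def check_domain(host, trusted):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    uni = to_unicode(host.lower())
    findings = []
    for label in uni.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed scripts {sorted(scripts)} in label '{label}'")
    if not uni.isascii():
        findings.append("non-ASCII characters present")
    folded = skeleton(uni)
    if folded != uni and folded in trusted:
        findings.append(f"lookalike of trusted domain {folded}")
    return findings
```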
DNS Spoofing
DNS spoofing refers to maliciously altering (‘spoofing’) a particular DNS server’s records in order to redirect network traffic towards a fake website instead of the real site the user wished to visit. By redirecting this traffic, attackers can spread malicious software and collect confidential data from users who believe they are visiting a safe, trusted website.
ARP Spoofing
Address Resolution Protocol (ARP) is the protocol that allows network communications to reach a specific device on the network. In a local-area network (LAN), it links a dynamic Internet Protocol (IP) address to a fixed physical machine address (MAC address). In ARP spoofing, attackers intercept communications between network devices, which then allows them to continue routing the information as normal while collecting and stealing data, performing session hijacking, altering the communications, or even carrying out a DDoS attack.
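ARP spoofing leaves traces in the IP-to-MAC table of every host on the LAN, which makes it detectable. The following added example (not part of the original article) compares two constructed snapshots of an `ip neigh show` style table and raises alerts when the gateway's MAC address changes between snapshots or when one MAC address claims several IP addresses. The snapshot text, the interface name and the gateway address are all constructed sample data.

```python
import re
from collections import defaultdict

# Constructed snapshots of a neighbour table before and during an incident.
# In the second, the gateway 192.168.1.1 suddenly resolves to the MAC of 192.168.1.30.
BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""
AFTER = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""

LINE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17}) (\S+)$", re.IGNORECASE)

def parse_neigh(text):
    """Map each IP address to its (lower-cased) MAC address."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table

def duplicate_macs(table):
    """MAC addresses that answer for more than one IP address."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

def mac_changes(before, after):
    """IP addresses whose MAC differs between the two snapshots."""
    return {ip: (before[ip], after[ip])
            for ip in before if ip in after and before[ip] != after[ip]}

def arp_alerts(before_text, after_text, gateway):
    """Return human-readable alerts; a change on the gateway entry is rated HIGH."""
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    alerts = []
    for ip, (old, new) in mac_changes(before, after).items():
        severity = "HIGH" if ip == gateway else "MEDIUM"
        alerts.append(f"{severity}: {ip} changed from {old} to {new}")
    for mac, ips in duplicate_macs(after).items():
        alerts.append(f"MEDIUM: {mac} claims {len(ips)} addresses {ips}")
    return alerts
```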
Wi-Fi Eavesdropping
This trick involves an attacker setting up Wi-Fi connections with very legitimate-sounding names. Say, for instance, you are sitting in a Starbucks and see “Starbuck FREE WIFI”, which you select and connect your device to; once you have connected to the fraudster’s Wi-Fi, they will be able to oversee all your online activity, with the power to intercept things like payments and card information, login credentials, and any other private data you enter while on the network.
Hijacking Emails
Email hijacking is a type of phishing attack where attackers target the email accounts of banks and other financial institutions. After gaining access to these accounts, the attackers can monitor the transactions carried out between the institution and its customers, before spoofing the bank’s trusted email address and using it to instruct customers to hand over data and money. Customers do this willingly, as they are under the impression they are communicating with their own bank.
Session Hijacking And Stealing Browser Cookies
There are a few ways attackers will try to access your sessions (the period of time you spend logged into a website—your bank, for instance) to steal your valuable information, one common method being the theft of your browser session cookies. Cookies enable sites to streamline the user experience by remembering things like login details, making them an attractive target for attackers, who insert themselves between you and the website so they can collect those cookies and then decrypt them to figure out your credentials, logins, passwords, and even stored credit card information.
5 Ways To Protect Against Man-In-The-Middle Attacks
Any internet user could potentially become the target of a MITM attack, and while preventing this outcome can be tricky there are measures you can take to better guard yourself against hackers.
The success of a man-in-the-middle attack relies on the attacker’s ability to impersonate each endpoint convincingly, so the two most crucial points in preventing and defending against these attacks are authentication and encryption. On top of the standard security measures that all organizations should meet—avoiding weak passwords, using a password manager, using multi-factor authentication, not trusting an insecure website, not allowing untrusted individuals physical proximity to any physical assets—organizations should consider the following:
1) Be Wary Of Wi-Fi Networks
Your home network and public Wi-Fi networks can both end up the target of attackers looking to carry out a MITM attack. It is important to secure home Wi-Fi networks by ensuring they are password protected, and that those passwords are appropriately strong, unique, and cannot be easily guessed. For public Wi-Fi networks, it is best to proceed with caution. Open networks, especially those with no password protection, should be avoided. If you absolutely must use a public network, do not log into any of your accounts and never use them to access anything financial like online banking.
2) Try A VPN
Using a VPN is a great step towards improving data security. A VPN works by extending a private network across a public network, enabling users to send and receive data across shared or public networks as if they were directly connected to a private network, benefiting from the security, functionality and management policies of the private network. If you use a VPN, a MITM attacker will not be able to intercept you even if the network is compromised, thus keeping any financial data, login credentials, and personal information you may have accessed while connected safely out of their reach. Check out our top picks for business VPNs in our buyer’s guide: The Top 10 Enterprise VPN Solutions.
3) Invest In Antivirus Software
Antivirus software can be very useful in preventing MITM attacks and can also be counted on to limit the damage once a MITM attack has been initiated. If you are operating on a compromised network, the attacker may be able to inject malware into your browser or device which, besides allowing them to access and oversee information like your credentials and other sensitive data, can in some cases allow the attacker to breach further networks and connections. Other malicious programs—such as adware, ransomware, and spyware—can cause significant damage to devices and networks. Implementing a good antivirus program can go a long way in preventing the kind of lasting damage these situations can bring, as a good piece of antivirus software is continually updated to keep pace with the latest threats. In addition to removing malware that could be used to set up a MITM attack, a lot of antivirus software on the market comes with network monitors, web shields, secure browsers, firewalls, identity theft protection and dark web monitoring, making it a highly useful line of defense. Discover the top 10 antivirus software solutions in our buyer’s guide: The Top 10 Antivirus Software For Small Businesses.
4) Install Software Updates Right Away
As we said before, attackers are highly innovative and are constantly working to keep ahead of the safety measures organizations put in place to protect their data, devising new ways to launch cyber-strikes such as MITM attacks. Developers work to combat this by continually updating programs and systems, but it is up to users to be diligent about installing these updates to keep systems and programs safe. Updates for your browser, your OS, your device’s firmware, or your apps all contain important patches that remove harmful vulnerabilities. If left unpatched, attackers can deploy botnets that crawl the internet for users running out-of-date software, allowing them to target those specific users with network-based attacks, including MITM attacks. Installing updates promptly ensures you are up to date on the latest security patches, keeping attackers out.
5) Practice Responsible Browsing
When accessing websites, try to ensure you are accessing HTTPS instead of HTTP sites, and keep an eye out for a padlock icon in your browser (the closed lock icon indicates you are accessing a site over an encrypted connection). Innovations in server and encryption technology mean most reputable websites will provide an encrypted HTTPS connection as a defense against cyberattacks; this involves a more complicated and costly setup but is ultimately worth the extra time and money for companies. Make sure the sites you visit have HTTPS in the URL and the padlock icon on the left side of the address bar.
Summary
Man-in-the-middle attacks are a common cyber security attack that enables attackers to eavesdrop on the communications between targets, potentially giving them access to sensitive transactions, valuable data, and any existing conversation, which they could then use in a phishing attack.
Getting familiar with the types of attacks you might expect to face, including MITM attacks, is essential to keeping on top of security and protecting your data and accounts. MITM attacks are not as frequently discussed as other cyber threats like phishing and ransomware, but they are still a threat that should be avoided as much as possible.