What are Man-in-the-Middle (MITM) Attacks?

By Cylera Team

Someone may be intercepting your online traffic to steal your information.

Man-in-the-middle (MITM) attacks are a common type of cyberattack in which an attacker intercepts communications to observe or modify traffic traveling between two parties. MITM attacks are used to steal login credentials or personal information, spy on the victim, sabotage communications, or corrupt data. The targets are usually customers of financial applications, SaaS businesses, e-commerce sites, and other websites that require a login.

This can be done by interfering with legitimate networks or by creating fake networks that the attacker controls. Intercepted traffic is then stripped of its encryption so that it can be read, altered, or rerouted to a destination of the attacker’s choice. Because attackers may silently observe the traffic, or re-encrypt it and forward it to its intended destination once it has been recorded or edited, the attack can be difficult to spot.

For example, an attacker could see that a user is making a bank transfer and change the destination account number or the amount being sent. Threat actors could also use man-in-the-middle attacks to harvest personal information or login credentials. If attackers detect that applications are being downloaded or updated, they can deliver compromised updates that install malware in place of the legitimate ones. Mobile devices are particularly susceptible to this scenario because they often fail to encrypt traffic.

Types of MITM Attacks

Wi-Fi eavesdropping

Attackers can set up Wi-Fi networks with convincing names that mimic nearby businesses. Once a user connects to the fraudulent network, the attacker can monitor all of the user’s online activity and capture login credentials, payment card details, and other sensitive information.

Email hijacking

Attackers can forge or spoof someone’s email address and send instructions to users in that person’s name, persuading victims to follow the attacker’s malicious instructions. These emails often impersonate banks or other companies to trick victims into giving up money or confidential information.

Stealing browser cookies

Many websites rely on cookies to store information and support certain functions, and this type of MITM attack targets the browser cookies that hold information from your browsing session. An attacker who captures them can gain access to your username and password, address, and other information.
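A cookie marked `Secure` is never sent over plaintext HTTP, which is exactly what an eavesdropper on the path needs to capture it; `HttpOnly` and `SameSite` limit what an injected script or a cross-site request can do with it. The following audit function is an added example, not code from the original article: it parses `Set-Cookie` header values and reports the attributes that are missing. The cookie names and header values are constructed sample data.

```python
def audit_set_cookie(header_value):
    """Audit one Set-Cookie header value.
    Returns (cookie_name, [findings]); an empty list means the cookie is hardened."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: cookie is sent over plaintext HTTP and can be sniffed")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie is readable by scripts running in the page")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie is attached to cross-site requests")
    # Cookies using the __Host- prefix must also satisfy the prefix's rules.
    if name.startswith("__Host-") and (
        "secure" not in attrs or attrs.get("path") != "/" or "domain" in attrs
    ):
        findings.append("__Host- prefix requires Secure, Path=/ and no Domain attribute")
    return name, findings


def audit_headers(headers):
    """headers: list of (header_name, value) pairs from an HTTP response.
    Returns {cookie_name: [findings]} for every Set-Cookie with at least one issue."""
    report = {}
    for header_name, value in headers:
        if header_name.lower() == "set-cookie":
            cookie, findings = audit_set_cookie(value)
            if findings:
                report[cookie] = findings
    return report


# Constructed sample response headers: one weak session cookie, one hardened preference cookie.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for cookie, findings in audit_headers(SAMPLE_HEADERS).items():
        print(cookie)
        for finding in findings:
            print("  -", finding)
```

Running the audit against a site’s own responses is a quick check that a session cookie cannot leak over the plaintext connection a man in the middle is able to see.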

IP Spoofing

Every device capable of connecting to the Internet has an Internet Protocol (IP) address, similar to your home street address. By spoofing an IP address, an attacker can make you believe you are interacting with a website or person you are not, possibly gaining access to information you would not otherwise have shared.

DNS spoofing

DNS stands for Domain Name System. DNS spoofing is a technique that sends the user to a fake website instead of the real website the user wants to visit. If you are a victim of DNS spoofing, you may think you are visiting a secure and reliable website when you are in fact communicating with the fraudster. The main goal of the perpetrators is to divert traffic from the original site or to obtain users’ login information.

mDNS Spoofing

Multicast DNS (mDNS) is similar to DNS, but it operates on a local area network (LAN). Users don’t have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them. Devices such as TVs, printers, and entertainment systems use this protocol because they are typically on trusted networks. When an app needs to know the address of a certain device, such as tv.local, an attacker can easily answer that request with fake data, causing the name to resolve to an address the attacker controls.
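One symptom a defender can watch for in both DNS and mDNS spoofing is that the same name is answered with different addresses, often by different responders. The following Python is an added example, not code from the original article: a minimal parser for the A records in a DNS or mDNS response, a builder for constructed test packets, and a check that flags names whose observed answers disagree. The names and addresses (`tv.local`, `printer.local`, the 192.168.1.x hosts) are constructed sample data, not real devices.

```python
import struct
from collections import defaultdict


def _read_name(msg, off):
    """Decode a possibly compressed DNS name starting at offset `off`.
    Returns (dotted_name, offset_just_after_the_name_in_the_original_position)."""
    labels = []
    end = None          # where parsing resumes once we follow a compression pointer
    hops = 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 2-byte compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:                               # defensive: reject pointer loops
                raise ValueError("compression pointer loop")
            continue
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    return ".".join(labels), (end if end is not None else off)


def parse_a_answers(msg):
    """Return [(name, ipv4)] for every A record in the answer section of a DNS/mDNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12                                            # fixed 12-byte header
    for _ in range(qdcount):                            # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:                   # A record
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def build_a_response(name, ip, txid=0):
    """Build a constructed DNS/mDNS response with one question and one A answer (test data only)."""
    qname = b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, 1, 0, 0)   # QR + AA flags, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)                  # QTYPE=A, QCLASS=IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 120, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


def find_conflicts(observations):
    """observations: iterable of (source_ip, raw_response_bytes) seen on the wire.
    Returns {name: {answer_ip: [source_ips]}} for names that resolved to more than one address,
    which is the signature a spoofed answer leaves next to the genuine one."""
    seen = defaultdict(lambda: defaultdict(set))
    for src, raw in observations:
        for name, ip in parse_a_answers(raw):
            seen[name][ip].add(src)
    return {name: {ip: sorted(srcs) for ip, srcs in by_ip.items()}
            for name, by_ip in seen.items() if len(by_ip) > 1}


# Constructed captures: the real TV answers for itself, a second host answers for the same name.
SAMPLE_OBSERVATIONS = [
    ("192.168.1.20", build_a_response("tv.local", "192.168.1.20")),
    ("192.168.1.99", build_a_response("tv.local", "192.168.1.99")),
    ("192.168.1.30", build_a_response("printer.local", "192.168.1.30")),
]

if __name__ == "__main__":
    for name, by_ip in find_conflicts(SAMPLE_OBSERVATIONS).items():
        print(f"conflicting answers for {name}: {by_ip}")
```

In a real deployment the observations would come from a packet capture of UDP port 53 (DNS) or 5353 (mDNS); the parser and the conflict check stay the same.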

HTTPS spoofing

“HTTPS” in a URL instead of “HTTP” indicates that the connection to the website is encrypted and authenticated. In an HTTPS spoofing attack, once the victim’s browser makes its initial contact with a secure site, the attacker sends a fake certificate to the browser. The certificate carries a digital thumbprint tied to the compromised application, which the browser checks against its list of trusted sites. While the browser is checking, the attacker is able to access any data the victim enters before the request is approved.

SSL hijacking

SSL hijacking occurs when the attacker passes fake authentication keys to both the user and the application during the TCP handshake. While the connection appears secure, in reality the man in the middle controls the whole session and intercepts all data passing between the server and the user’s computer.
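Both of the attacks above depend on the client accepting a certificate it should have rejected. The following Python is an added example, not code from the original article: it shows a TLS client context with chain and hostname verification left on (the default), the misconfiguration that turns both off, and a check that pins the SHA-256 thumbprint of the presented certificate to a known value. `fake_der` is constructed sample data standing in for DER-encoded certificate bytes, and `connect_pinned` is a hypothetical helper showing where the pin check sits in a live connection.

```python
import hashlib
import socket
import ssl


def secure_client_context():
    """Default TLS client context: the chain is validated against the system
    trust store and the hostname must match the certificate. A certificate
    forged by a man in the middle fails both checks."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context():
    """The common 'make the error go away' misconfiguration, shown for contrast:
    any certificate is accepted, so an attacker's fake one is as good as the real one."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before switching to CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def is_context_safe(ctx):
    """True only if the context verifies both the certificate chain and the hostname."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED


def cert_fingerprint(der_cert):
    """SHA-256 thumbprint (hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(der_cert, pinned_fingerprints):
    """Accept the presented certificate only if its thumbprint is one of the pinned values.
    Pins may be given with or without colon separators, in either case."""
    pins = {p.replace(":", "").lower() for p in pinned_fingerprints}
    return cert_fingerprint(der_cert) in pins


def connect_pinned(host, port, pinned_fingerprints, timeout=5):
    """Hypothetical helper: open a fully verified TLS connection and additionally
    enforce the pin on the leaf certificate the server actually presented."""
    ctx = secure_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            presented = tls.getpeercert(binary_form=True)
            if not check_pin(presented, pinned_fingerprints):
                raise ssl.SSLError("presented certificate does not match the pinned fingerprint")
            return tls.version()


# Constructed sample data standing in for real DER certificate bytes.
fake_der = b"constructed-der-bytes-not-a-real-certificate"

if __name__ == "__main__":
    print("default context verifies:", is_context_safe(secure_client_context()))
    print("disabled context verifies:", is_context_safe(insecure_client_context()))
    print("pin matches own thumbprint:", check_pin(fake_der, [cert_fingerprint(fake_der)]))
```

Pinning is a second line of defence on top of normal validation, not a replacement for it: a pinned client still rejects a forged certificate even if the forger has managed to get it signed by a CA the device trusts, which is the scenario the “fake certificate” in HTTPS spoofing relies on.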

How to Prevent MITM Attacks

Here are a few ways to prevent MITM attacks. Taking preventative measures is important because MITM attacks can be difficult to detect until after the fact.

Have Strong WPA Encryption on Access Points

A strong encryption mechanism on wireless access points prevents unwanted users from joining your network simply by being nearby. A weak mechanism (WEP, for instance, has long been broken) can allow an attacker to brute-force their way onto the network and begin launching man-in-the-middle attacks. The stronger the encryption implementation, the safer the network.

Keep Strong Router Login Credentials

It’s essential to change your router’s default administrator login, not just your Wi-Fi password. If an attacker obtains your router login credentials, they can point your DNS settings at their malicious servers or, even worse, infect your router with malicious software.

Use Virtual Private Networks - Especially on Public Wi-Fi

VPNs create a secure, encrypted tunnel for sensitive traffic, even across a shared local area network. They use key-based encryption to create a private subnet for secure communication, so even if an attacker manages to get onto a shared network, they will not be able to decipher the traffic inside the VPN. In addition, do not use Wi-Fi connections that are not password protected when transferring sensitive information.

Force HTTPS

HTTPS secures HTTP communication by using public-key cryptography to negotiate an encrypted session. This prevents an attacker from making any use of the data they may be sniffing. Websites should use HTTPS exclusively and not offer HTTP alternatives. On the client side, browser extensions that force HTTPS on every request can be installed to help prevent this type of attack.
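On the server side, “HTTPS only” means two things: a plaintext request is answered with a redirect to the HTTPS URL, and every HTTPS response carries a `Strict-Transport-Security` header so the browser refuses plaintext for that host on later visits. The following Python is an added example, not code from the original article or any particular web framework: a small WSGI application that does both, and that validates the `Host` header before redirecting so the redirect cannot be pointed at an arbitrary site. `ALLOWED_HOSTS`, the `bank.example` names and the port are constructed sample values.

```python
# Constructed: the hostnames this application is willing to serve. Redirecting to
# whatever Host header arrives would turn the HTTPS redirect into an open redirect,
# so the host is validated first.
ALLOWED_HOSTS = {"bank.example", "www.bank.example"}

# One year, applied to subdomains as well: the browser will upgrade or refuse
# plaintext requests to this host for that long after the first HTTPS visit.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def enforce_https(environ):
    """Decide the response for a WSGI-style request environ.
    Returns (status, headers, body). Plaintext requests get a permanent redirect to
    the same URL over HTTPS; HTTPS responses carry the HSTS header."""
    scheme = environ.get("wsgi.url_scheme", "http")
    host = environ.get("HTTP_HOST", "").split(":")[0].lower()   # drop any :port suffix
    if host not in ALLOWED_HOSTS:
        return ("400 Bad Request", [("Content-Length", "0")], b"")

    path = environ.get("PATH_INFO", "/") or "/"
    query = environ.get("QUERY_STRING", "")
    if scheme != "https":
        target = f"https://{host}{path}" + (f"?{query}" if query else "")
        return ("301 Moved Permanently",
                [("Location", target), ("Content-Length", "0")], b"")

    body = b"served over HTTPS\n"
    return ("200 OK",
            [("Content-Type", "text/plain"),
             ("Strict-Transport-Security", HSTS_VALUE),
             ("Content-Length", str(len(body)))],
            body)


def app(environ, start_response):
    """Minimal WSGI application wrapping enforce_https."""
    status, headers, body = enforce_https(environ)
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Demo only: listens on plain HTTP so the redirect branch can be observed, e.g.
    #   curl -i -H 'Host: bank.example' http://127.0.0.1:8080/login
    make_server("127.0.0.1", 8080, app).serve_forever()
```

The redirect only protects a visitor’s very first request, which is still sent in the clear; HSTS is what closes that window on every visit after it, which is why both are needed.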

 
