Man-in-the-Middle (MITM) Attacks

Learn to Understand, Detect and Protect Against Software Supply Chain Attacks

What is a Man-in-the-Middle Attack?

Man-in-the-Middle (MITM) attack is a cyber attack where a cybercriminal intercepts data sent between two businesses or people. The purpose of the interception is to either steal, eavesdrop or modify the data for some malicious purpose, such as extorting money.

How Does a Man-in-the-Middle Attack Work?

MITM attacks depend on the manipulation of existing networks or the creation of malicious networks the cybercriminal controls. The cybercriminal intercepts traffic and either lets it pass through, collecting information as it goes or reroutes it somewhere else.

Cybercriminals essentially act as “middlemen” between the person sending information and the one receiving it, hence the name "man-in-the-middle attack." These attacks are surprisingly common, especially on public WiFi. Public WiFi is often unsecured, so you can't know who is monitoring or intercepting web traffic since anyone can sign on.

Types of MITM Attacks

There are several kinds of MITM attacks, making them one of the most versatile cyber threats around today.

Public Wi-Fi

One of the most common MITM attack methods is over public WiFi. Public WiFi is often unsecured, so cybercriminals can see web traffic from any of the network’s connected devices and lift information as needed.

Rogue Access Point

A rogue access point is a wireless access point that’s been installed on a legitimate network. This allows the cybercriminal to intercept or monitor incoming traffic, often rerouting it to a different network entirely to encourage malware downloads or extort the user. Malware is a type of malicious software installed onto a victim’s device that is used to spy and steal data.

IP Spoofing

IP spoofing involves modifying an IP address to reroute traffic to an attacker’s website. The attacker “spoofs” the address by altering packet headers to disguise themselves as a legitimate application or website.

ARP Spoofing

This attack links the attacker’s MAC address with the victim’s IP address on a local area network using fake ARP messages. Any data sent to the local area network by the victim is instead rerouted to the cybercriminal’s MAC address, allowing the cybercriminal to intercept and manipulate the data at will.

DNS Spoofing

The cybercriminal enters a website’s DNS server and modifies a website’s web address record. The altered DNS record reroutes incoming traffic to the cybercriminal’s website instead.

HTTPS Spoofing

When a user connects to a secure site with the https:// prefix, the cybercriminal sends a fake security certificate to the browser. This “spoofs” the browser into thinking the connection is secure, when in fact, the cybercriminal is intercepting and possibly rerouting data.

Session Hijacking

Cybercriminals use session hijacking to take control of a web or application session. Hijacking expels the legitimate user from the session, effectively locking the cybercriminal into the app or website account until they’ve gained the information they want.

Packet Injection

The cybercriminal creates packets that seem normal and injects them into an established network to access and monitor traffic or initiate DDoS attacks. A Distributed Denial-of-Service (DDoS) attack is an attempt to disrupt the normal traffic of a server by overwhelming it with a flood of internet traffic.

SSL Stripping

The cybercriminal intercepts the TLS signal from an application or a website and modifies it so the site loads on an unsecured connection as HTTP instead of HTTPS. This makes the user’s session viewable by the cybercriminal and exposes sensitive information.

SSL Spoofing

This method involves “spoofing” a secure site address so the victim navigates there. Cybercriminals hijack communication between the victim and the web server of the site they want to access, disguising a malicious site as the legitimate site’s URL.

SSL BEAST

The cybercriminal infects a user’s computer with malicious JavaScript. The malware then intercepts website cookies and authentication tokens for decryption, exposing the victim’s entire session to the cybercriminal.

SSL Stealing Browser Cookies

Cookies are useful bits of website information that the sites you visit store on your devices. These are useful for remembering web activity and logins, but cybercriminals can steal them to gain that information and use them for malicious purposes.

Sniffing

Sniffing attacks monitor traffic to steal information. Sniffing is performed with an application or hardware and exposes the victim’s web traffic to the cybercriminal.

How to Detect Man-in-the-Middle Attacks

Detecting a MITM attack can help a business or individual mitigate the potential damage a cybercriminal can cause. Here are some methods of detection:

Analyze strange web addresses

Monitor your web browsers for strange web addresses in the search bar or URL bar. A DNS hijack can create spoofs of common addresses, typically with barely noticeable changes. For example, an attacker might replace “www.facebook.com” with “www.faceb00k.com.” This spoofing method works surprisingly well, and most of us miss simple changes without looking closer.

Unexpected disconnections and network delays

Certain forms of MITM attacks will cause sudden, unexpected network delays or complete disconnections. These can happen over time and usually aren’t accompanied by network distress or other obvious symptoms.
If you experience frequent disconnections or delays on your network, it might be a good idea to look closer to make sure it’s not just a network issue.

Monitor public WiFi

Attackers will often intercept information sent over public networks, or even create fake networks in public places. These networks allow the cybercriminal to see all of your web activity without you knowing you're under attack. Avoid public WiFi where possible and use a VPN if you do need to connect. You should also avoid connecting to strange networks with suspicious names.

How to Prevent Man-in-the-Middle Attacks

Preventing man-in-the-middle attacks can save individuals and businesses thousands in damages and keep their web and public identities intact. Here are some essential tools to help prevent MITM attacks:

Password Manager

Using a password manager with proper network security features ensures that all login credentials are securely stored. One important anti-MITM feature is end-to-end encryption. Keeper has integrated end-to-end encryption with vault-to-vault sharing which uses Public Key Infrastructure (PKI). This means that cybercriminals cannot intercept passwords or other shared records in transit. For businesses, Keeper also offers shared team folders as well as role-based control features which allow admins to restrict and divvy up access among the team.

Virtual Private Network

A virtual private network, or VPN, reroutes all internet traffic across several different servers, effectively hiding the user’s IP address and making the browsing session more private and secure. VPNs also include inherent encryption which helps to secure messages and other data.