Keeper’s Guide to Man-in-the-Middle (MITM) Attacks
Cyberattacks are on the Rise
Cyberattacks have risen significantly within the last decade, with some of the worst attacks in history occurring within just the last few years. As powerful and beneficial as the internet is, it’s also home to some of the most dangerous threats businesses face in modern society.
The web has brought us all closer together, but in doing so, we’ve sacrificed our own data. Cybercriminals everywhere look for new and sophisticated ways to access that data to steal, copy or sell it. One of these methods is called a man-in-the-middle, or MITM attack.
In this guide, you’ll learn more about how to protect a business from a kind of cyberattack that can cost millions in potential damages. Many businesses and individuals don’t have millions of dollars to steal, but that doesn’t mean they aren’t at risk.
Man-in-the-middle attacks are especially problematic because they can occur in such a small time frame. An attack can take as little as 10-15 minutes, but the damage it can cause can be both long-term and fatal to a business. With cyber crime estimated to cost the globe somewhere around $10 trillion by 2025, it’s time we all took our cybersecurity a bit more seriously.
The more you know about MITM attacks, the more you can protect your business.
What is a Man-in-the-Middle Attack (MITM)?
A man-in-the-middle attack, or MITM, is a cyberattack where a cybercriminal intercepts data sent between two businesses or people. The purpose of the interception is to either steal, eavesdrop, or modify the data for some malicious purpose, such as extorting money.
How Does a Man-in-the-Middle Attack Work?
MITM attacks depend on the manipulation of networks or creating malicious networks the cybercriminal controls. The cybercriminal intercepts traffic and either lets it pass through, collecting information as it goes, or reroutes it to somewhere else.
Cybercriminals essentially act as “middlemen” between the person sending information and the one receiving it, hence the name “man-in-the-middle attack”. These attacks are surprisingly common, especially on public WiFi. Since public WiFi is often unsecured, you can’t know who is monitoring or intercepting web traffic, since anyone can sign on.
Types of MITM Attacks
There are several kinds of MITM attacks, making them some of the most versatile cyberthreats around today. These include:
Rogue Access Point
A rogue access point is a wireless access point that’s been installed on a legitimate network. This allows the cybercriminal to intercept or monitor incoming traffic, often rerouting it to a different network entirely to encourage malware downloads or extort the user.
This method involves modifying an IP address to reroute traffic to an attacker’s website. The attacker “spoofs” the address by altering packet headers to disguise themselves as a legitimate application or website.
This attack links the attacker’s MAC address with the victim’s IP address on a local area network using fake ARP messages. Any data sent to the local area network by the victim is instead rerouted to the cybercriminal’s MAC address, allowing the cybercriminal to intercept and manipulate the data at will.
The cybercriminal enters a website’s DNS server and modifies a website’s web address record. The altered DNS record reroutes incoming traffic to the cybercriminal’s website instead.
When a user connects to a secure site with the https:// prefix, the cybercriminal sends a fake security certificate to the browser. This “spoofs” the browser into thinking the connection is secure, when in fact, the cybercriminal is intercepting and possibly rerouting data.
Cybercriminals use session hijacking to take control of a web or application session. Hijacking expels the legitimate user from the session, effectively locking the cybercriminal into the app or website account until they’ve gained the information they want.
The cybercriminal creates packets that seem normal and injects them into an established network to access and monitor traffic or initiate DDoS attacks.
The cybercriminal intercepts the TLS signal from an application or a website, and modifies it so the site loads on an unsecured connection as HTTP instead of HTTPS. This makes the user’s session viewable by the cybercriminal and exposes sensitive information.
This method involves “spoofing” a secure site address so the victim navigates there. Cybercriminals hijack communication between the victim and the web server of the site they want to access, disguising a malicious site as the legitimate site’s URL.
One of the most common MITM attack methods is over public WiFi. Public WiFi is often unsecured, so cybercriminals can see web traffic from any of the network’s connected devices and lift information as needed.
SSL Stealing Browser Cookies
Cookies are useful bits of website information that the sites you visit store on your devices. These are useful for remembering web activity and logins, but cybercriminals can steal them to gain that information and use them for malicious purposes.
Sniffing attacks monitor traffic to steal information. Sniffing is performed with an application or hardware and exposes the victim’s web traffic to the cybercriminal.
How to Detect Man-in-the-Middle Attacks
Detecting a MITM attack can help a business or individual mitigate the potential damage a cybercriminal can cause. Here are some methods of detection:
Analyze strange web addresses
- Have your team monitor their web browsers for strange web addresses in the search bar or URL bar. A DNS hijack can create spoofs of common addresses, typically with barely noticeable changes. For example, an attacker might replace “www.facebook.com” with “www.faceb00k.com”. This spoofing method works surprisingly well, and most of us miss simple changes without looking closer.
Unexpected disconnections and network delays
- Certain forms of MITM attacks will cause sudden, unexpected network delays or complete disconnections. These can happen sporadically and usually aren’t accompanied by network distress or other obvious symptoms.
- If your team is experiencing frequent disconnections or delays on your network, it might be a good idea to look closer to make sure it’s not just a network issue.
Monitor public WiFi
- Attackers will often intercept information sent over public networks, or even create fake networks in public places. These networks allow the cybercriminal to see all of your team’s web activity without you knowing you’re under attack. Avoid public WiFi where possible and have your team use a VPN if they do connect. Encourage your team to also avoid connecting to strange networks with suspicious names.
How to Prevent Man-in-the-Middle Attacks
Preventing man in the middle attacks can save businesses thousands in damages and keep their web and public identities intact. Here are some essential tools to help prevent MITM attacks:
Enterprise Password Management (EPM) Platform
- Using a Password Management Platform with proper network security features ensures that all business login credentials are securely stored. One important anti-MITM feature is end-to-end encryption. Keeper has integrated end-to-end encryption with vault-to-vault sharing which uses PKI (Public Key Infrastructure). This means that cybercriminals cannot intercept passwords or other shared records in transit. Keeper also offers shared team folders as well as role-based control features which allow admins to restrict and divvy up access among the team.
- A virtual private network, or VPN, reroutes all internet traffic across several different servers, effectively hiding the user’s IP address and making the browsing session more private and secure. VPNs also include inherent encryption which helps to secure messages and other data.
Examples of Man-in-the-Middle Attacks in the News
In 2017, Equifax came under attack from cybercriminals, who were able to exploit an HTTP error to intercept traffic to the Equifax servers. This vulnerability was swiftly addressed by the company, but shows the severity of a MITM attack. Thousands, if not millions of personal records could have been exposed or stolen.
Venture capital money stolen
A Chinese venture capital firm and an Israeli startup were the victims of a serious MITM attack where around $1MM in startup funds were stolen. The cybercriminals intercepted email communications between the two firms and rerouted seed money for the startup to their own accounts.