What Are Man-in-the-Middle Attacks (MITM) and How Do They Work
Updated: November 13, 2020
Cybercrimes can take various forms, one of the most common and risky being man-in-the-middle attacks. But what is a MITM attack and how does it work?
From the beginning of communication, people have been finding ways to eavesdrop, intercept messages, and alter the communication between two parties.
The internet has made it easier than ever for criminals to insert themselves into private communication so they can steal people's personal information and use it for fraudulent activities.
This type of cybercrime is known as a man-in-the-middle attack (MITM).
We'll go over what a man-in-the-middle attack is and how it works so you can protect yourself or your business online.
What is a Man-in-the-middle attack?
A man-in-the-middle attack (MITM) is when an attacker interferes with, and possibly alters, the communication between two parties. The attacker either eavesdrops or impersonates one of the parties involved, making the connection seem private when, in reality, the conversation is controlled by the cybercriminal.
Man-in-the-middle attacks either require the attacker to be physically close to the victim in order to gain network access, or rely on some kind of malicious software (malware).
The first method is the traditional man-in-the-middle attack. In this case, the attacker must hack into a network, usually by exploiting the vulnerabilities of a poorly secured WiFi router. Such routers are found in public places (coffee shops, hotels, airports) and even in private homes if the network is not properly secured. After gaining access to the network, the attacker can intercept and read all the data the victim sends over it. The attacker can also place his tools between the victim's device and the websites being visited to gather personal information such as banking details or login credentials.
The other type of man-in-the-middle attack is deployed using malicious software (malware) and is known as a man-in-the-browser attack.
What is a man-in-the-browser attack?
A man-in-the-browser attack is when malicious software (malware) is installed on the victim's device.
The most common way for a hacker to get malware onto the victim's computer or mobile device is phishing.
Phishing is a social engineering technique in which the attacker sends the victim an email impersonating a well-trusted company (such as a bank). The victim is persuaded to click on a link or download an attachment. Doing so infects the victim's computer with malware without his or her knowledge. This malware is then able to log all of the user's internet data.
One of the most common such malicious emails is one that appears to come from your bank. Say you receive an email asking you to log in to your bank account to validate your contact information. You click on the link, which takes you to what looks like the bank's website, and provide the requested information.
In this case, the man-in-the-middle steals your private information in two steps. The first step is phishing: sending you the fake email that appears to come from your bank. The second step is setting up a fake website that mimics your bank's website so you'll trust it enough to enter your login credentials. But by providing your login information, you're not logging into your real bank account; you're handing the MITM attacker your credentials.
Goals of a MITM attack
It is no wonder that hackers often target the places where the money is, such as:
- online banking sites
- financial sites
- online shopping sites
- sites where you are required to log in to your account to access credit card details or other sensitive information
Example of a MITM attack
The easiest way to understand man-in-the-middle attacks is to think back to the traditional way of communicating: mail.
Say you send a letter to your best friend to let them know you'll come visit the following month. The snoopy mailman opens the letter, reads it, and decides to rewrite the letter making your friend think you never want to see her again. This will result in an angry friend and no one waiting for you at the airport when you go for the visit. In this scenario, you and your best friend are the two parties communicating, and the mailman is the man-in-the-middle attacker who intercepted your communication and altered it.
Now let's take a look at a real-life example of a man-in-the-middle attack to understand what impact it can have on a business.
In 2015, Europol managed to wipe out a cybercriminal group that was active in several countries around Europe. The group deployed man-in-the-middle attacks through malware and social engineering, targeting medium and large European companies. Once they got access to corporate email accounts, the attackers were able to monitor the communications to detect payment requests. They would then interfere with customers' payments to the bank and cash the money themselves through various means. This attack resulted in international fraud totaling 6 million euros.
Types of man-in-the-middle attacks
When deploying a man-in-the-middle attack, two steps must be taken: intercepting the traffic and decrypting it. There are several ways in which attackers can do each of them. Here are the most common.
Interception
IP spoofing - Every device that connects to the internet has an assigned IP address, which is to the device what your street address is to your home. With IP spoofing, attackers mask the real address of the source and disguise it as a trusted one. Your computer or mobile device will basically be interacting with an impostor while thinking the source is legitimate and trustworthy.
DNS spoofing - DNS stands for Domain Name System, the system that links human-friendly addresses (https://drsoft.com) with numerical IP addresses. Internet browsers save these lookups in a cache to speed up your online experience. Through DNS spoofing (or DNS cache poisoning), the attackers alter the data in the cache and you'll be automatically redirected to a fake website instead of the real one.
ARP spoofing - ARP spoofing is a type of MITM attack in which the attacker sends forged ARP (Address Resolution Protocol) messages over a local area network (LAN). By doing so, the attacker's MAC address (Media Access Control) becomes associated with your IP address, which means that all the internet data meant for you is sent to the attacker's address instead. This kind of MITM attack can only be deployed on local area networks that use ARP.
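As an added example (not code from the article), here is a small Python detector for the ARP spoofing described above, run over a constructed log of ARP replies such as a sniffer on the LAN would record. The gateway address, host addresses and MAC values are made up. It reports two signals: an IP address whose MAC differs from the first one seen for it (what arpwatch-style monitors alert on), and a single MAC answering for the gateway plus other hosts, which is the position an attacker needs in order to sit between a host and the internet.

```python
"""Spot ARP spoofing in a log of ARP replies.

Added example, not code from the article. The log below is constructed: it
is what a sniffer on the LAN might record, one "<time> <ip> is-at <mac>"
line per ARP reply, for a gateway at 192.168.1.1 and two hosts.
"""
import re
from collections import defaultdict

# Constructed sample: from 10:00:09 a second device (de:ad:be:ef:00:99)
# starts answering for the gateway and for host .20.
SAMPLE_ARP_LOG = """\
10:00:01 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02 192.168.1.20 is-at aa:bb:cc:00:00:20
10:00:03 192.168.1.21 is-at aa:bb:cc:00:00:21
10:00:09 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:10 192.168.1.20 is-at de:ad:be:ef:00:99
10:00:11 192.168.1.1 is-at de:ad:be:ef:00:99
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})$",
    re.IGNORECASE,
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for every well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def detect_arp_spoofing(text, gateway_ip="192.168.1.1"):
    """Return alert strings: conflicting replies in log order, then per-MAC summaries.

    Signal 1: an IP whose MAC differs from the first mapping seen for it.
              The first reply is the baseline, so every later conflicting
              reply is reported (the behaviour of arpwatch-style tools).
    Signal 2: one MAC answering for more than one IP, the gateway among them.
              That is where an attacker sits to relay a host's internet
              traffic, so it is reported even if signal 1 was missed.
    """
    baseline = {}                   # ip -> first MAC seen for it
    ips_per_mac = defaultdict(set)  # mac -> every IP it has answered for
    alerts = []
    for ts, ip, mac in parse_arp_log(text):
        known = baseline.setdefault(ip, mac)
        if known != mac:
            alerts.append(f"{ts} {ip} answered by {mac}, baseline was {known}")
        ips_per_mac[mac].add(ip)
    for mac, ips in sorted(ips_per_mac.items()):
        if len(ips) > 1 and gateway_ip in ips:
            alerts.append(f"{mac} claims {sorted(ips)}, including gateway {gateway_ip}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_LOG):
        print("ALERT:", alert)
```

On the sample log the detector raises three conflict alerts (two for the gateway, one for host .20) and one summary alert for the MAC that claims both. On a real network the baseline should be seeded from a known-good ARP table rather than from the first reply seen, since the first reply could already be forged.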
Decryption
HTTPS spoofing - HTTPS websites are secured by the encryption they provide. Still, an attacker can present a forged security certificate and make your browser think it is legitimate. By doing so, you'll access the website, your browser will think it is secure, and you'll log into your account. And if the security certificate has been spoofed, the attacker now holds the key needed to decipher the traffic, which means he can decrypt all the data you send out, encrypt it again, and send it on to the destination. Neither you nor the website will know the communication has been intercepted.
SSL hijacking - SSL stands for Secure Sockets Layer, the protocol (it is the "S" in HTTPS) that encrypts the data sent between your browser and the website's server. When you access a website, you first connect to its HTTP version and the server automatically redirects you to HTTPS. SSL hijacking happens before your browser gets to the HTTPS version: the attackers reroute the connection to their own computer so they can intercept all the data being sent, including emails, login credentials, and payment details.
SSL stripping - With SSL stripping, the attackers downgrade a website from HTTPS to HTTP with the aid of proxy servers or ARP spoofing. The attackers get between you and a secure website and serve you the unsecured version of it. This way they are able to read all your passwords, credit card details, and so on, because the data is transmitted in plain text.
Email hijacking - Email hijacking is a type of man-in-the-middle attack in which the attacker gains access to someone's email account and then monitors the communication. The attacker can use this access to send, for example, an email to the bank asking it to transfer money into the attacker's bank account. Or the attacker can spoof the bank's email address and convince the victim to hand over all of their banking account information.
WiFi eavesdropping - One of the ways hackers exploit public WiFi networks for fraudulent activities is by setting up fake WiFi hotspots. They go near a known public place, such as a coffee shop, and set up a network with the coffee shop's name. The customers who come in for a coffee might not notice that the network is not legitimate. Once they connect to it, the attacker is able to intercept all the data the customers send during their online session. This data includes sensitive information such as payment card details, login credentials, and banking information.
Hijacking browser cookies - Browser cookies are small files stored on your computer that contain information about your online activity. For example, online stores use cookies so the browser can remember the items you added to your cart even after you refresh the page. Attackers can steal these cookies and gain access to the sensitive information they store.
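The SSL stripping and cookie hijacking entries above come down to server-side settings a defender can check. The following Python script, added here as an example and not taken from the article, audits hand-written HTTP responses for a placeholder host (bank.example): the plain-HTTP response must do nothing but redirect to HTTPS, and the HTTPS response must carry a Strict-Transport-Security header (browsers only honour HSTS received over HTTPS) and mark its session cookie Secure and HttpOnly. Each weak response is shown beside its corrected form.

```python
"""Audit HTTP and HTTPS responses for SSL-stripping and cookie-theft exposure.

Added example, not code from the article. All four responses below are
hand-written for a placeholder host (bank.example); none is a capture of a
real site.
"""

ONE_YEAR = 31536000  # seconds; the minimum HSTS max-age the browser preload list currently requires

# Weak: the plain-HTTP login page works, so a stripping proxy can relay it
# to the victim unchanged and read the posted credentials.
WEAK_HTTP = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/

<html><form method="post" action="http://bank.example/login"></form></html>
"""

# Corrected: plain HTTP does nothing except send the browser to HTTPS.
HARDENED_HTTP = """\
HTTP/1.1 301 Moved Permanently
Location: https://bank.example/login
Content-Length: 0

"""

# Weak: served over TLS, but no HSTS, and the cookie may be sent over HTTP.
WEAK_HTTPS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: session=abc123; Path=/

<html><form method="post" action="/login"></form></html>
"""

# Corrected: one-year HSTS covering subdomains, cookie Secure + HttpOnly.
HARDENED_HTTPS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict

<html><form method="post" action="/login"></form></html>
"""


def parse_response(raw):
    """Split a raw response into (status code, [(header, value)], body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers, body


def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value (0 if missing)."""
    for directive in value.split(";"):
        d = directive.strip().lower()
        if d.startswith("max-age="):
            return int(d.split("=", 1)[1])
    return 0


def audit_response(raw, over_tls):
    """Return the list of findings for one response.

    over_tls=False: the answer to the initial http:// request, the one an
    SSL-stripping proxy relays to the victim. It must redirect to HTTPS and
    carry nothing else.
    over_tls=True: the https:// answer, the only one in which browsers honour
    HSTS and the place where cookie attributes must be set.
    """
    status, headers, body = parse_response(raw)

    def values(name):
        return [v for n, v in headers if n == name]

    findings = []
    if not over_tls:
        location = values("location")
        redirected = (status in (301, 302, 307, 308) and bool(location)
                      and location[0].lower().startswith("https://"))
        if not redirected:
            findings.append("plain HTTP serves content instead of redirecting to HTTPS")
        if "<form" in body.lower():
            findings.append("form reachable over plain HTTP (credentials would travel in clear text)")
    else:
        hsts = values("strict-transport-security")
        if not hsts:
            findings.append("missing Strict-Transport-Security header")
        else:
            if hsts_max_age(hsts[0]) < ONE_YEAR:
                findings.append("Strict-Transport-Security max-age is shorter than one year")
            if "includesubdomains" not in hsts[0].lower():
                findings.append("Strict-Transport-Security lacks includeSubDomains")

    for cookie in values("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not over_tls:
            findings.append(f"cookie '{name}' is set over plain HTTP")
        if "secure" not in attrs:
            findings.append(f"cookie '{name}' lacks Secure (browser would send it over HTTP)")
        if "httponly" not in attrs:
            findings.append(f"cookie '{name}' lacks HttpOnly (readable by injected script)")
    return findings


if __name__ == "__main__":
    for label, raw, tls in (("weak http", WEAK_HTTP, False), ("hardened http", HARDENED_HTTP, False),
                            ("weak https", WEAK_HTTPS, True), ("hardened https", HARDENED_HTTPS, True)):
        print(f"{label}: {audit_response(raw, tls) or 'no findings'}")
```

The two hardened responses produce no findings; the weak plain-HTTP response produces five (no redirect, a reachable form, and a cookie that is set in clear text without Secure or HttpOnly), and the weak HTTPS response three (no HSTS, cookie without Secure, cookie without HttpOnly). Redirecting alone does not stop a stripping proxy that has already inserted itself, which is why the HSTS check matters: once a browser has seen the header over HTTPS it refuses plain-HTTP connections to that host for the max-age period.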
How to protect yourself against MITM attacks
Only visit HTTPS websites - When you're browsing online, make sure the websites you visit are secured by looking for HTTPS and the padlock in the URL bar.
Be wary of phishing emails - The best way to protect yourself against phishing scams is to use common sense. Look for any suspicious clue before you click on a link in an email or download an attachment. Also, if the email asks you to provide certain sensitive information, ask yourself whether it makes sense for the sender to request it. If you want to access your bank's website, do it by typing the URL into the address bar instead of clicking on the link in the email.
Beware of public WiFi networks - Public WiFi hotspots are the places where cybercriminals can get their job done most easily. The networks are poorly secured, and an attacker can easily interfere with the communications and steal users' private information. It's best to never use a public WiFi network without a VPN (Virtual Private Network), which encrypts all the data transmitted between your device and the internet. With a VPN, even if the attacker manages to intercept your connection, he won't be able to read its content because it is encrypted.
Moreover, no matter how good your firewall and antivirus are, resourceful hackers can find ways around them, for example by creating new malware that the antivirus does not yet have in its database. Besides, when browsing online, you leave behind a lot of personal information that is available to websites and companies, probably far more than you'd want.
Security software - Most man-in-the-middle attackers use some type of malware to deploy the attack. By installing security software, such as an antivirus, your computer will be protected against most types of malware: the antivirus detects and removes malware before it gets the chance to infect your device. Make sure to always keep your antivirus up to date.
Secure WiFi network - Hackers can easily gain access to your computer if your WiFi router is poorly secured. To strengthen the security of your network, it is important to use a secure type of encryption and a strong password. If you're not sure how to change the settings of your router, we put together a guide that goes through the necessary steps.