Post

Man in the Middle Attack

Detailed article on MitM

Posted Updated
By Manthan R M
10 min read
Man in the Middle Attack

Man-in-the-Middle Attack (MitM) Definition

A man-in-the-middle (MitM) attack is a form of cyberattack in which criminals exploiting weak web-based protocols insert themselves between entities in a communication channel to steal data.

None of the parties sending email, texting, or chatting on a video call are aware that an attacker has inserted their presence into the conversation and that the attacker is stealing their data.

While most cyberattacks are silent and carried out without the victims’ knowledge, some MitM attacks are the opposite. They might include a bot generating believable text messages, impersonating a person’s voice on a call, or spoofing an entire communications system to scrape data the attacker thinks is important from participants’ devices.

Types Of Industries And Personas That Are Most Vulnerable To MitM Attacks

A MitM attack may target any business, organization, or person if there is a perceived chance of financial gain by cyber criminals. The larger the potential financial gain, the more likely the attack.

Sales of stolen personal financial or health information may sell for a few dollars per record on the dark web. At first glance, that may not sound like much until one realizes that millions of records may be compromised in a single data breach.

Popular industries for MitM attacks include:

  • Banks and their banking applications
  • Financial companies
  • Health care systems
  • Businesses that operate industrial networks of devices that connect using the Internet of Things (IoT).

Millions of these vulnerable devices are subject to attack in manufacturing, industrial processes, power systems, critical infrastructure, and more.

SCORE and the SBA report that small and midsize businesses face greater risks, with 43% of all cyberattacks targeting SMBs due to their lack of robust security.

Types of Man-in-the-Middle (MitM) Attacks

1. Email Hijacking

In this attack, cybercriminals take control of the email accounts of banks, financial institutions, or other trusted companies that handle sensitive data and money. Once inside, attackers monitor transactions and correspondence between the bank and its customers.

In more malicious scenarios, attackers spoof the bank’s email address to send fraudulent emails, instructing customers to resend credentials or transfer money to an account controlled by the attackers. Social engineering plays a key role in the success of this attack.

2. Wi-Fi Eavesdropping

Cybercriminals create malicious wireless networks with legitimate-sounding names, such as “Free Public Wi-Fi Network,” to lure victims. These networks may appear to belong to a trusted business or have no password required to connect.

Once connected, attackers can monitor the victim’s online activity, steal login credentials, or capture sensitive data such as credit card information.

Prevention Tips:

  • Verify the network before connecting.
  • Disable the Wi-Fi auto-connect feature on mobile devices.

3. DNS Spoofing

Also known as DNS cache poisoning, this attack involves manipulating DNS records to divert legitimate online traffic to a fake website that resembles a trusted site.

Attackers trick users into logging in to the fake site or performing actions such as paying fees or transferring money, enabling them to steal sensitive information.

4. Session Hijacking

Session hijacking occurs when attackers steal a session cookie after a victim logs into an application (e.g., banking or email). Attackers use the cookie to access the victim’s account through their own browser.

A session is a temporary data exchange identifier between a user and a website. Attackers must act quickly, as sessions typically expire within minutes.

5. Secure Sockets Layer (SSL) Hijacking

Many websites use HTTPS to indicate a secure server. SSL and its successor TLS are protocols that establish secure communication between computers.

In SSL hijacking, attackers intercept data between the user’s computer and the server. This attack exploits vulnerabilities in SSL (deprecated in 2015) and emphasizes the need for TLS.

6. ARP Cache Poisoning

The Address Resolution Protocol (ARP) maps link layer addresses (e.g., MAC) to IP addresses on local networks. In ARP cache poisoning, attackers trick the victim’s computer into recognizing their system as the network gateway.

As a result, all network traffic from the victim is diverted to the attacker, allowing them to steal personally identifiable information (PII) and other sensitive data.

7. IP Spoofing

Similar to DNS spoofing, IP spoofing redirects traffic intended for a legitimate website to a malicious one. Instead of modifying DNS records, attackers alter the IP address of the malicious website to resemble the legitimate site’s IP address.

8. Stealing Browser Cookies

Cookies are small data files stored by browsers to improve user experience, such as remembering login information or form data.

Attackers combine cookie theft with other MitM techniques (e.g., Wi-Fi eavesdropping or session hijacking) to gain access to sensitive data stored in cookies, such as passwords and credit card details.

How Does a Man-in-the-Middle (MitM) Attack Work?

  1. Message Interception:
    Person A sends Person B a message, and the MitM attacker intercepts it without their knowledge.
  2. Message Manipulation:
    The attacker changes the message content or removes it entirely.

How to Prevent Man-in-the-Middle Attacks?

Implementing sound cybersecurity practices is crucial for individuals and organizations to mitigate the risk of Man-in-the-Middle (MitM) attacks. Below are preventive measures to enhance security and reduce vulnerabilities:

### 1. Update and Secure Home Wi-Fi Routers

  • Regularly update router firmware to protect against vulnerabilities. Note that these updates are not automatic and need to be carried out manually.
  • Set the router’s security to the strongest level, such as WPA3, as recommended by the Wi-Fi Alliance.
  • Secure home networks, especially in work-from-home (WFH) scenarios, to protect corporate connections.

### 2. Use a Virtual Private Network (VPN)

  • VPNs encrypt traffic between devices and the VPN server, making it harder for attackers to intercept or modify data.
  • Encourage employees to use VPNs, especially on public or unsecured networks.

### 3. Use End-to-End Encryption

  • Turn on encryption for emails and other communication channels.
  • Use applications that offer built-in encryption, such as WhatsApp, and verify encryption settings where possible.
  • Educate employees on verifying encrypted communication by following steps like scanning QR codes.

### 4. Install Patches and Use Antivirus Software

  • Regularly update software with the latest patches to fix vulnerabilities.
  • Use reliable antivirus programs to detect and block malicious activities.
  • IT teams should stress the importance of patching to employees for enhanced endpoint security.

### 5. Use Strong Passwords and a Password Manager

  • Encourage employees to create strong passwords and manage them securely using password managers.
  • For company-owned devices, implement mobile device management software with password policies to enforce complexity, reuse rules, and wipe devices after multiple failed attempts.

### 6. Deploy Multi-Factor Authentication (MFA)

  • MFA adds an additional layer of security beyond passwords.
  • Encourage its use for accessing devices and online services to safeguard against unauthorized access.

### 7. Only Connect to Secure Websites

  • Check for a padlock icon in the browser’s address bar to confirm a secure HTTPS connection.
  • Avoid connecting to HTTP sites or those without a visible padlock icon.
  • Use browser plugins or web filtering protocols to enforce HTTPS connections and block non-secure sites.

### 8. Encrypt DNS Traffic

  • Employ mechanisms like DNS over TLS (DoT) and DNS over HTTPS (DoH) to secure DNS traffic.
  • Validate the authenticity of DNS resolvers with certificates to prevent impersonation and eavesdropping.

### 9. Adopt the Zero-Trust Philosophy

  • Apply the “never trust, always verify” model to ensure all devices, users, and applications are authenticated and authorized before granting access.
  • Continuously verify activities to protect assets during or after a MitM attack.

### 10. Deploy a UEBA Solution

  • User and Entity Behavior Analytics (UEBA) leverage machine learning to monitor user and device behavior.
  • Detect subtle anomalies that may indicate a MitM attack and automate responses to mitigate threats.
  • Solutions like FortiInsight offer real-time threat detection and automated responses.

MitM Issues in Mobile Apps

  • Lack of certificate pinning exposes apps to malicious proxies.
  • Data flow interception allows attackers to modify or steal user data.

How to Detect a Man-in-the-Middle (MitM) Attack?

MitM attacks often incorporate elements of other cyberattacks, such as phishing or spoofing, which users might already be trained to recognize. While these attacks may seem easy to detect at first, the increasing sophistication of cybercriminals necessitates a combination of human vigilance and technical protocols for detection.

As with all cyber threats, prevention remains the most effective strategy. Below are signs that indicate a potential MitM attack:

### 1. Unusual Disconnections

Repeated or unexpected disconnections from a service—where users are frequently logged out and required to sign in again—can signal a MitM attempt.

Why It Happens:

  • Attackers force users to re-enter usernames and passwords repeatedly, creating multiple opportunities to intercept login credentials.

What to Do:

  • Monitor and report frequent, unexplained disconnections to the IT or cybersecurity team.

### 2. Strange URLs

MitM attackers often create spoofed websites that closely resemble trusted ones to trick users into entering credentials.

Signs to Look For:

  • The URL displayed in the browser does not match the recognizable address of the trusted site or application.
  • Users interacting with these spoofed sites might experience DNS hijacking, where malicious code intercepts communications and collects data.

What to Do:

  • Double-check the URL of any website, especially when performing financial transactions or entering sensitive information.
  • If something seems off, avoid proceeding and report it immediately.

### 3. Public, Unsecured Wi-Fi

Public Wi-Fi from unknown establishments can be a breeding ground for MitM attacks. Even if sensitive activities such as banking are avoided, attackers can use the connection to inject malicious code and eavesdrop on the device.

Red Flags:

  • Wi-Fi networks with generic or innocent-sounding names like “Local Free Wireless.”
  • No password requirement to connect to the network.

What to Do:

  • Avoid connecting to unfamiliar public Wi-Fi networks.
  • Use a VPN for secure browsing if connecting to public Wi-Fi is unavoidable.

Examples of Man-in-the-Middle (MitM) Attacks

Man-in-the-Middle attacks have been utilized in various high-profile incidents to intercept, manipulate, and steal data. Below are notable examples that illustrate the impact and techniques of MitM attacks:

1. NSA and Google (2013)

  • Edward Snowden’s leaked documents revealed that the NSA intercepted traffic by pretending to be Google.
  • The NSA used spoofed SSL encryption certificates to access Google users’ search records illegally, amounting to domestic spying on U.S. citizens.

2. Comcast’s Ad Substitution

  • Comcast used JavaScript to inject and replace third-party advertisements with its own ads.
  • This “code injection” MitM attack exploited web traffic passing through the Comcast network, inserting ads even into otherwise ad-free content.

3. Equifax Data Breach (2017)

  • Equifax, a major credit reporting company, suffered a MitM breach that exposed sensitive financial data of over 100 million customers.
  • The breach lasted several months, demonstrating the potential for prolonged exploitation in MitM scenarios.

4. Banking App Vulnerability

  • A flaw in banking apps used by HSBC, NatWest, Co-op, Santander, and Allied Irish Bank enabled attackers to steal personal information.
  • Credentials such as passwords and PIN codes were compromised, highlighting MitM vulnerabilities in financial applications.

5. 2021 Data Breaches

MitM attacks were a contributing factor to several massive data breaches in 2021:

  • Cognyte: Five billion records exposed.
  • Twitch: Five billion records exposed.
  • LinkedIn: 700 million records exposed.
  • Facebook: 553 million records exposed.

6. MitM Issues in Mobile Devices

Mobile platforms are particularly vulnerable to MitM attacks due to:

  • Unsecured Wi-Fi connections: Public networks can be exploited to intercept mobile data.
  • Malicious apps: Applications with insufficient security can enable attackers to intercept sensitive information.
  • Outdated software: Lack of updates on mobile devices increases susceptibility to MitM attacks.

Hope you enjoyed reading this…

Next Blog coming soon!!

GUIDE, CYBERSECURITY
Cybersecurity techniques
This post is licensed under CC BY 4.0 by the author.