Man-in-the-middle attacks
What are man-in-the-middle attacks?
A man-in-the-middle attack is a cyberattack where a bad actor positions themselves between two parties — typically a user and an application — and steals their sensitive data. Learn more about how these attacks work and what your organization can do to detect, prevent, and protect against them.
Why man-in-the-middle attacks matter
When a man-in-the-middle (MITM) attack occurs, hackers can intercept sensitive data: personally identifiable information (PII), payment details, credit card numbers, and account credentials. Once hackers have access to data, they can pivot to funds transfer fraud, identity theft, or even ransomware attacks.
Should your organization be the victim of a MITM attack, you can incur significant financial losses and have your most sensitive data and intellectual property stolen — all while damaging your reputation.
How do man-in-the-middle attacks work?
MITM attacks have two distinct phases:
Interception, where the attacker gets into the path between the user and the application so that traffic passes through a system they control, and
Decryption, where the attacker defeats the encryption protecting that traffic without the user noticing. In practice this rarely means breaking a cipher; it means terminating TLS on the attacker's own machine with a certificate the victim's device accepts, or downgrading the connection to plaintext before encryption ever starts.
Commonly, MITM attacks are launched across insecure public WiFi networks or malicious hotspots set up by the attacker, because a network the attacker controls gives them the in-path position the first phase requires. Once a device is on such a network, the attacker can observe and alter its traffic without the user being aware.
Imagine an employee joins a malicious WiFi network. After that happens, the hacker begins spying on their online activity. None the wiser, the employee may then begin communicating with their boss over email or chat platforms without either party being aware a hacker is observing. Depending on the attacker’s goal — stealing money or data — they might send malicious links or illegitimate requests to the party on either side. Or, they can sit back and wait, seeing what the two parties are sending to each other and recording any sensitive information.
Since an attacker running a rogue hotspot controls the network the compromised device depends on for connectivity, they can also answer for other parties, such as e-commerce platforms and financial services providers, by steering the device to servers they run. When that happens, threat actors deceive employees into unwittingly sharing account credentials or even transferring funds.
What are the types of man-in-the-middle attacks?
Though the objective of MITM attacks is the same, stealing sensitive data and/or money, threat actors use several different methods to carry them out.
1. HTTPS spoofing
HTTPS is HTTP carried over TLS: data between the browser and the server is encrypted, and the server's identity is checked against a certificate. The lock icon in the address bar means only that the connection to the domain shown is encrypted and that the certificate matches that domain; it says nothing about whether that domain is the one you meant to visit. Attackers register lookalike domains, for example äpple.com in place of apple.com, using non-ASCII characters that render like Latin letters, and obtain a perfectly valid certificate for the lookalike. The victim sees the lock and hands data to a server the attacker controls. Modern browsers display many such domains in their punycode form (xn--...) rather than as the lookalike Unicode, but plain-ASCII lookalikes such as apple-login.com are unaffected by that defense.
2. SSL hijacking
Secure Sockets Layer (SSL) is the predecessor of TLS; every SSL version is deprecated and HTTPS today runs over TLS, but the older name persists. In SSL hijacking, the attacker terminates the victim's TLS connection on their own machine, presents a certificate for the site, and opens a second TLS connection to the real server, relaying and reading everything in between. For the victim's browser to show the lock instead of a warning, the forged certificate has to chain to a certificate authority the device trusts, which is why these attacks rely on a rogue root CA installed on the device (by malware, bundled software, or a misused enterprise policy) or on users clicking through certificate warnings. Certificate pinning in applications and monitoring of certificate transparency logs are the usual counters.
3. SSL stripping
The attacker keeps a plaintext HTTP connection with the victim while speaking HTTPS to the real server, rewriting the https:// links and redirects in each response to http:// so the victim's browser never upgrades. The page looks normal; only the lock is missing, and few users notice. The attack works because most users type example.com rather than https://example.com, so the first request goes out in plaintext. HTTP Strict Transport Security (HSTS) defeats it: once a browser has seen the Strict-Transport-Security header from a site over TLS, or the site is on the browser's preload list, it refuses to make plaintext requests to that host until the policy expires.
4. IP spoofing
Every device that connects to the internet has an internet protocol (IP) address, and the source address in a packet header is not authenticated. In IP spoofing the attacker forges that source address so packets appear to come from a trusted host, which lets them slip past address-based access controls, inject into sessions that use the address as identity, or, in the MITM setting, impersonate one end of a conversation. Ingress filtering at the network edge (BCP 38) and never treating a source address as proof of identity are the defenses.
5. ARP spoofing
The address resolution protocol (ARP) maps IP addresses to media access control (MAC) addresses on a local area network (LAN) and has no authentication: any host can announce a binding, and most hosts accept unsolicited replies. In ARP spoofing (also called ARP poisoning) the attacker sends forged replies so that victims' ARP caches associate the attacker's MAC address with the IP address of a trusted device, usually the default gateway. Traffic for that IP then flows through the attacker's machine, which can read, modify, or drop it before forwarding. The attacker must be on the same LAN or WiFi segment, which is why rogue hotspots and shared networks make it easy. Dynamic ARP inspection on managed switches and static ARP entries for critical hosts are the usual mitigations, and a gateway entry whose MAC address changes unexpectedly is a strong indicator.
6. DNS spoofing
The Domain Name System (DNS) translates names into IP addresses. In DNS spoofing (or cache poisoning) the attacker gets a victim or its resolver to accept a forged answer, whether by racing the legitimate response, by poisoning a resolver's cache, or simply by running the network's DNS server, as on a rogue hotspot. The victim's browser then connects to an attacker-controlled address while the address bar shows the correct name, and users typically enter their real credentials. Over plain HTTP the fake site is indistinguishable; over TLS the attacker still needs a certificate for the name, so a certificate warning on a familiar site is a red flag rather than a nuisance. DNSSEC validation and encrypted DNS (DNS over HTTPS or TLS) to a trusted resolver raise the bar.
7. WiFi eavesdropping
WiFi eavesdropping attacks, or evil twin attacks, occur when threat actors set up fake WiFi hotspots to dupe unsuspecting users into connecting to a network they control. For example, an attacker might head to a busy Starbucks and create a network with a plausible name (e.g., Starbucks 5G). When an unsuspecting individual connects, the attacker sees every unencrypted request and the metadata of encrypted ones, such as the domains visited, and has the in-path position needed to launch the other MITM attacks described above. Properly TLS-protected traffic stays confidential on a hostile network unless one of those follow-on attacks succeeds.
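The ARP spoofing indicator described above, a gateway entry whose MAC address changes, can be checked from the host itself. The following is an added example, not code from the original article or from any vendor tool: it compares two constructed snapshots in the format printed by Linux `ip neigh show` and flags the two classic symptoms, an IP whose MAC changed between snapshots and one MAC answering for several IPs. The gateway address and the snapshot contents are assumptions.

```python
"""Flag ARP spoofing indicators by comparing two neighbor-table snapshots.

Added example: the snapshots below are constructed in the format printed by
Linux `ip neigh show`; the gateway address is an assumption."""
import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the default gateway on this segment

# Constructed: a clean table, then one captured after an attacker (MAC
# de:ad:be:ef:00:01 at 192.168.1.40) has poisoned the gateway entry.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
192.168.1.99 dev wlan0 FAILED
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.30 dev wlan0 lladdr cc:dd:ee:ff:00:11 REACHABLE
192.168.1.40 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

# Only entries that carry a link-layer address matter; FAILED/INCOMPLETE have none.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-fA-F:]{17}) (\S+)$")


def parse_neigh(text: str) -> dict:
    """Return {ip: mac} for resolved entries in `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def arp_alerts(before: str, after: str, gateway_ip: str) -> list:
    """Return (severity, message) tuples for the two classic poisoning symptoms."""
    old, new = parse_neigh(before), parse_neigh(after)
    alerts = []
    # Symptom 1: an IP's MAC changed between snapshots. For the gateway this
    # is the signature of a redirect-everything attack.
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            severity = "critical" if ip == gateway_ip else "high"
            alerts.append((severity, f"{ip} moved from {old[ip]} to {mac}"))
    # Symptom 2: one MAC now answers for several IPs.
    by_mac = defaultdict(set)
    for ip, mac in new.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(("medium", f"{mac} claims {', '.join(sorted(ips))}"))
    return alerts


if __name__ == "__main__":
    for severity, msg in arp_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, GATEWAY_IP):
        print(f"[{severity.upper()}] {msg}")
```

Legitimate causes of the same signals exist: DHCP handing a departed host's address to a new device, a router failover using a virtual MAC, or a host with several addresses on one interface, so treat the output as a triage lead rather than proof. Run it against successive `ip neigh` captures and escalate when the gateway entry moves.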
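To make the SSL stripping and HSTS mechanics described above concrete, here is an added example with constructed HTTP messages, not code from the article: one function does what a stripping proxy does to a server response, and the rest models the browser-side HSTS cache that makes the downgrade fail for any host the browser has already seen over TLS. The host names, headers and timestamps are assumptions.

```python
"""Model of an SSL-stripping proxy and of the browser HSTS check that defeats it.

Added example: the HTTP headers, body and host names are constructed; the HSTS
semantics follow RFC 6797 (policy only from TLS, includeSubDomains, max-age=0)."""
from urllib.parse import urlsplit

# Constructed: the real server's response to https://bank.example/
SERVER_HEADERS = {
    "Content-Type": "text/html",
    "Location": "https://bank.example/login",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
SERVER_BODY = '<a href="https://bank.example/transfer">Transfer funds</a>'


def strip_tls(headers: dict, body: str):
    """What a stripping proxy does before relaying the response over plain HTTP:
    drop the HSTS header and rewrite every https:// reference to http://."""
    out = {k: v for k, v in headers.items() if k.lower() != "strict-transport-security"}
    if "Location" in out:
        out["Location"] = out["Location"].replace("https://", "http://", 1)
    return out, body.replace("https://", "http://")


def parse_hsts(value: str, now: float):
    """Return (expires_at, include_subdomains) or None if max-age is missing."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.lower() == "max-age":
            max_age = int(arg.strip().strip('"'))
        elif name.lower() == "includesubdomains":
            include_sub = True
    return None if max_age is None else (now + max_age, include_sub)


def record_hsts(store: dict, host: str, headers: dict, now: float, over_tls: bool):
    """Update the browser's HSTS cache from a response. Ignored unless the
    response arrived over TLS, so a stripping proxy cannot plant or clear it."""
    if not over_tls:
        return
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            policy = parse_hsts(value, now)
            if policy is None:
                continue
            if policy[0] <= now:       # max-age=0: site asks to be forgotten
                store.pop(host, None)
            else:
                store[host] = policy


def rewrite_url(url: str, store: dict, now: float) -> str:
    """Upgrade http:// to https:// if the host, or a parent domain with
    includeSubDomains, has an unexpired HSTS policy. (URLs with an explicit
    port are left alone in this model.)"""
    parts = urlsplit(url)
    if parts.scheme != "http" or parts.port is not None:
        return url
    labels = parts.hostname.split(".")
    for i in range(len(labels)):
        policy = store.get(".".join(labels[i:]))
        if policy and policy[0] > now and (i == 0 or policy[1]):
            return "https://" + url[len("http://"):]
    return url


if __name__ == "__main__":
    now = 1_700_000_000.0
    store = {}
    # Day 1, clean network: the browser sees the real response over TLS.
    record_hsts(store, "bank.example", SERVER_HEADERS, now, over_tls=True)
    # Day 2, hostile network: the proxy strips the response and relays it.
    _, stripped = strip_tls(SERVER_HEADERS, SERVER_BODY)
    link = "http://bank.example/transfer"   # what the stripped page now contains
    print("stripped body:", stripped)
    print("browser will request:", rewrite_url(link, store, now + 86400))
```

The model shows why the very first visit, before any Strict-Transport-Security header has been seen, remains the weak moment; that gap is what the browser preload list covers. It also honours two RFC 6797 details that implementations get wrong: the header is ignored when received over plain HTTP, and max-age=0 deletes the stored policy.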
Examples of man-in-the-middle attacks
MITM attacks can wreak havoc on businesses of all sizes and industries. Here are some real-world examples of how hackers have used MITM to exploit unsuspecting users to steal money and data:
In 2015, Lenovo users found that their laptops shipped with pre-installed adware (Superfish) that added its own root CA certificate to the system trust store so that it could intercept HTTPS traffic and inject advertisements. The same private key was used on every machine, so once it was extracted, anyone on a network with one of those laptops could forge a certificate for any site and mount SSL hijacking attacks against it.
That same year, Europol arrested a group of 49 suspected cybercriminals for launching MITM attacks against companies across Europe to gain access to employee email accounts. Once they had access, they searched for payment requests and then asked customers to send the funds to bank accounts they controlled.
Chances are you heard of the Equifax breach, which impacted nearly every U.S. adult with a credit history in 2017. The intrusion itself came through a known, unpatched vulnerability in the Apache Struts framework on a public-facing web application, which gave the attackers access to internal servers. Separately, while users were authenticated via HTTPS, some pages on the company's website were served over plain HTTP, the kind of mixed deployment that leaves users open to SSL stripping.
In 2019, attackers made off with $1 million after they spoofed two domain names, one of an Israeli startup and the other of a Chinese venture capital firm, by adding an s to the end of each. They then used the spoofed domains to insert themselves into an existing email thread, replying with the same subject line, cancelling an in-person meeting and, ultimately, convincing the VC firm to wire the money to a fraudulent bank account. No network interception was involved; the attackers sat in the middle of the conversation itself, with each party believing it was still talking to the other.
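Both the HTTPS spoofing technique described earlier and the 2019 case, where a single added letter carried the fraud, come down to a domain that looks right but is not. The following added example (not code from the article or from any of the organizations mentioned) scores a candidate domain against a constructed list of protected domains in two ways: a confusable-character skeleton catches homographs such as äpple.com, and an edit distance of one catches typosquats such as an appended s. The protected domains and the small confusables table are assumptions; a production version would use the full Unicode confusables data.

```python
"""Flag domains that impersonate a set of protected domains by homograph or typo.

Added example: protected domains, candidate domains and the confusables table are
constructed for illustration; the table is a tiny subset of Unicode TR39 data."""
import unicodedata

# Assumption: the domains this organization wants to protect.
PROTECTED = ["apple.com", "examplestartup.com", "example-vc.com"]

# Characters that render like a Latin letter (Cyrillic а/е/о/р/с/х/ӏ, digits,
# and two-letter sequences). Assumption: a real deployment uses the full list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u04cf": "l",
    "1": "l", "0": "o", "rn": "m", "vv": "w",
}


def to_punycode(domain: str) -> str:
    """ASCII form the browser resolves and the certificate is issued for."""
    return domain.encode("idna").decode("ascii")


def skeleton(domain: str) -> str:
    """Reduce a domain to the plain-Latin string a human would 'see'."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # drop diacritics
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(src, dst)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats like an appended letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str) -> dict:
    """Classify a candidate domain relative to PROTECTED."""
    cand = candidate.strip().lower().rstrip(".")
    result = {"candidate": cand, "resolves_as": to_punycode(cand), "target": None}
    sk = skeleton(cand)
    for p in PROTECTED:
        if cand == p:
            return {**result, "verdict": "legitimate", "target": p}
    for p in PROTECTED:
        if sk == skeleton(p):            # looks identical to a human, is not
            return {**result, "verdict": "homograph", "target": p}
    for p in PROTECTED:
        if levenshtein(sk, skeleton(p)) <= 1:
            return {**result, "verdict": "typosquat", "target": p}
    return {**result, "verdict": "unrelated"}


if __name__ == "__main__":
    # Constructed candidates: the article's äpple.com, a Cyrillic homograph,
    # the 2019 pattern (extra 's'), and an unrelated domain.
    for d in ["apple.com", "äpple.com", "\u0430pple.com", "examplestartups.com", "github.com"]:
        r = assess(d)
        print(f"{d:22} -> {r['verdict']:11} target={r['target']} wire={r['resolves_as']}")
```

The punycode form is what actually goes on the wire and into certificate logs, so it is also the string to search for in certificate-transparency monitors and mail-gateway rules: a sender domain whose skeleton matches your own but whose punycode form differs is the pattern behind both examples above.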