A man-in-the-middle (MITM) attack is a type of cyberattack where attackers intercept an existing conversation or data transfer, either by eavesdropping or by pretending to be a legitimate participant. To the victim, it will appear as though a standard exchange of information is underway — but by inserting themselves into the “middle” of the conversation or data transfer, the attacker can quietly hijack information.
The goal of a MITM spoofing attack is to retrieve confidential data such as bank account details, credit card numbers, or login credentials, which may be used to carry out further crimes like identity theft or illegal fund transfers. Because MITM attacks are carried out in real time, they often go undetected until it’s too late.
The Two Phases of a Man-in-the-Middle Attack
A successful MITM attack involves two specific phases: interception and decryption.
1. Interception
Interception involves the attacker interfering with a victim’s legitimate network by intercepting it with a fake network before it can reach its intended destination. The interception phase is essentially how the attacker inserts themselves as the “man in the middle.” Attackers frequently do this by creating a fake Wi-Fi hotspot in a public space that doesn’t require a password. If a victim connects to the hotspot, the attacker gains access to any online data exchanges they perform.
Once an attacker successfully inserts themselves between the victim and the desired destination, they may employ a variety of techniques to continue the attack:
- IP Spoofing: Every Wi-Fi-connected device has an internet protocol (IP) address that is central to how networked computers and devices communicate. IP spoofing involves an attacker altering IP packets in order to impersonate the victim’s computer system. When the victim tries to access a URL connected to that system, they’re unknowingly sent to the attacker’s website instead.
- ARP Spoofing: With Address Resolution Protocol (ARP) spoofing, the attacker uses falsified ARP messages to link their MAC address with a victim’s legitimate IP address. By connecting their MAC address to an authentic IP address, the attacker gains access to any data sent to the host IP address.
- DNS Spoofing: Domain Name Server (DNS) spoofing, also known as DNS cache poisoning, involves an attacker altering a DNS server in order to redirect a victim’s web traffic to a fraudulent website that closely resembles the intended website. If the victim logs in to what they believe is their account, attackers can gain access to personal data and other information.
2. Decryption
A MITM attack doesn’t stop at interception. After the attacker gains access to the victim’s encrypted data, it must be decrypted in order for the attacker to be able to read and use it. A number of methods might be used to decrypt the victim’s data without alerting the user or application:
- HTTPS Spoofing: HTTPS spoofing is a method for tricking your browser into thinking a certain website is safe and authentic when it’s not. When a victim attempts to connect to a secure site, a false certificate is sent to their browser which leads them to the attacker’s malicious website instead. This gives the attacker access to any data the victim shares on that site.
- SSL Hijacking: Any time you connect to an unsecure website, indicated by “HTTP” in the URL, your server automatically reroutes you to the secure HTTPS version of that site. With SSL hijacking, the attacker uses their own computer and server to intercept the reroute, allowing them to interrupt any information passed between the user’s computer and server. This gives them access to any sensitive information the user uses during their session.
- SSL Stripping: SSL stripping involves the attacker interrupting the connection between a user and a website. This is done by downgrading a user’s secure HTTPS connection to an unsecure HTTP version of the website. This connects the user to the unsecure site while the attacker maintains a connection to the secure site, rendering the user’s activity visible to the attacker in an unencrypted form.
Real-World Examples of a MITM Attack
There have been a number of well-known MITM attacks over the last few decades.
- In 2015, an adware program called Superfish, which was pre-installed on Lenovo machines since 2014, was discovered to be scanning SSL traffic and installing fake certificates that allowed third-party eavesdroppers to intercept and redirect secure incoming traffic. The fake certificates also functioned to introduce ads even on encrypted pages.
- In 2017, a major vulnerability in mobile banking apps was discovered for a number of high-profile banks, exposing customers with iOS and Android to man-in-the-middle attacks. The flaw was tied to the certificate pinning technology used to prevent the use of fraudulent certificates, in which security tests failed to detect attackers due to the certificate pinning hiding a lack of proper hostname verification. This ultimately enabled MITM attacks to be performed.
How to Detect a MITM Attack
If you’re not actively searching for signs that your online communications have been intercepted or compromised, detecting a man-in-the-middle attack can be difficult. While it’s easy for them to go unnoticed, there are certain things you should pay attention to when you’re browsing the web — mainly the URL in your address bar.
The sign of a secure website is denoted by “HTTPS” in a site’s URL. If a URL is missing the “S” and reads as “HTTP,” it’s an immediate red flag that your connection is not secure. You should also look for an SSL lock icon to the left of the URL, which also denotes a secure website.
Additionally, be wary of connecting to public Wi-Fi networks. As discussed above, cybercriminals often spy on public Wi-Fi networks and use them to perform a man-in-the-middle attack. It’s best to never assume a public Wi-Fi network is legitimate and avoid connecting to unrecognized Wi-Fi networks in general.
Prevention and How to Prepare
While being aware of how to detect a potential MITM attack is important, the best way to protect against them is by preventing them in the first place. Be sure to follow these best practices:
- Avoid Wi-Fi networks that aren’t password-protected, and never use a public Wi-Fi network for sensitive transactions that require your personal information.
- Use a Virtual Private Network (VPN) — especially when connecting to the internet in a public place. VPNs encrypt your online activity and prevent an attacker from being able to read your private data, like passwords or bank account information.
- Log out of sensitive websites (like an online banking website) as soon as you’re finished to avoid session hijacking.
- Maintain proper password habits, such as never reusing passwords for different accounts, and use a password manager to ensure your passwords are as strong as possible.
- Use multi-factor authentication for all of your passwords.
- Use a firewall to ensure safe internet connections.
- Use antivirus software to protect your devices from malware.
As our digitally connected world continues to evolve, so does the complexity of cybercrime and the exploitation of security vulnerabilities. Taking care to educate yourself on cybersecurity best practices is critical to the defense of man-in-the-middle attacks and other types of cybercrime. At the very least, being equipped with a strong antivirus software goes a long way in keeping your data safe and secure.
Panda Security specializes in the development of endpoint security products and is part of the WatchGuard portfolio of IT security solutions. Initially focused on the development of antivirus software, the company has since expanded its line of business to advanced cyber-security services with technology for preventing cyber-crime.
