Man-in-the-Middle Attacks Explained: How to Stay Safe Online

A man in the middle attack is more like eavesdropping, where the conversation is controlled by an attacker. The attacker builds an independent connection with each of the targeted victims while manipulating messages between them. They impersonate the targets, making messages look like they are directly talking over a private connection.

This attack succeeds only when an attacker is capable enough of satisfying the expectations of both parties while impersonating. This involves HTTPS connections, SSL/TLS connections, Wi-Fi connections, etc. The intruder might use the attack to either steal login data or personal information with malicious intent.

What is a Man in the Middle (MitM) Attack?

Man in the middle attacks are a method of eavesdropping or impersonating one of the individuals in communication. These attackers place themselves between a user and the server. The threat actor lays out this attack to steal private and confidential information such as account details, login credentials, and credit card details.

The execution of a man-in-the-middle attack gives a window for threat actors to carry out multiple kinds of unethical activities such as data theft, identity theft, unauthorized fund transfers, illegal password changes, etc. This attack is extremely useful for cybercriminals during the infiltration stage of an advanced persistent threat (APT) assault.

Statistics on Man in the Middle Attacks

• According to an article by ‘the SSL Store’, during 2016, around 95% of HTTPS servers were at risk of MitM attacks.
• According to IBM, 35% of the exploits led to MitM attacks.
• MitM attacks can be prevented by HTTP Strict Transport Security (HSTS), which is implemented by only 10% of the companies.
• According to a report, 43% of the organizations found cutting corners in their mobile security that contributed to MitM attacks.

How Does a Man in the Middle Attack Work?

In 2013, the Xpress browser of Nokia was found decrypting proxy servers of Nokia that gave the company access to the customer’s encrypted browser.

The above news is an example of a MitM attack. A man-in-the-middle attack requires a threat actor to be virtually present between the connection of two parties to observe them or manipulate the exchange of information. This attack takes place by interfering with authentic networks or creating a fake network that can be controlled by attackers. Man-in-the-middle attacks are carried out through interception and decryption.

Interception

The hacker first intercepts the user’s network before reaching the targeted destination. To execute this step, the attacker performs a passive attack by installing a packet sniffer, which analyses the network traffic to identify any insecure communication. 

When the victim accesses a site after connecting to a compromised hotspot, the attacker gets access to any kind of online data exchange. Additionally, the attacker directs the user to a fake website that records user information. The attacker then uses that information to retrieve information from the real website.

For a more active approach to interception, attackers may use the following alternative attacks:

• IP Spoofing: IP address spoofing is the creation of Internet Protocol packets with a fake source IP address to impersonate some other computing system.
• ARP Spoofing: An attacker’s MAC address is linked with the IP addresses of genuine users over a local network with the help of fake ARP messages.
• DNS Spoofing: The DNS cache is infected, involving infiltration of the DNS server and tampering with the website’s address record.

Decryption 

After the interception process, any two-way SSL traffic is decrypted without alerting the user or application. The following methods are required to carry out the process:

• SSL Stripping: This tool lucidly hijacks HTTP traffic over a network, observes HTTP links, and redirects them before drawing those links into duplicate HTTP links.
• SSL Beast: This attack infects the victim’s computer with malicious JavaScript, which intercepts encoded cookies sent by the web app.

SSL Hijacking: This attack occurs when the attacker carries forward forged authentication keys to both victims and applications at the time of the TCP handshake. Although this setup appears to be secure, the attacker is controlling the entire session.

The Effects of a MitM Attack on Information Security

A man-in-the-middle attack can be carried out for financial gain and espionage, which is extremely disruptive and dangerous for any individual or organization. A MitM attack can provide cybercriminals with a variety of confidential information and private data about people. This attack can incur huge financial damage to an individual or organization. There are multiple ways in which a man-in-the-middle attack can be carried out. 

Types of Man in the Middle Attacks

According to SSL Store, MitM attacks accounted for 35% of all exploitations prior to 2018. 

Following are the major types of man in the middle attacks seen these days.

IP Spoofing Attacks

In this type of attack, threat actors create a fake IP address to impersonate a computing system and infiltrate a network. This will allow threat actors to infiltrate the network and monitor targeted user activities. 

An IP spoofing attack enables attackers to make the victim believe that they are using a legitimate website. Cybercriminals leverage IP spoofing attacks to carry out Denial of Service (DoS) attacks.

Man in the Browser

In this type of MitM attack, cybercriminals exploit the vulnerabilities in web-based applications or web browsers to deploy malicious software such as trojans, malicious code, malware, etc. These malicious scripts are used to record and steal real-time information that might be private and confidential.

For example, if an individual accesses a public wi-fi to make financial transactions. And if they use the exploited web browser on a compromised network, then the malicious scripts embedded in the browser will capture the login credentials and confidential information of the user. This will be used by threat actors to make fraudulent transactions and even modify receipts to hide the details of the transfer.

Email Hijacking

In this type of MitM attack, cybercriminals compromise the victim’s email and eavesdrop on their communication. Threat actors leverage phishing and malicious emails to lure victims through social engineering tactics. This allows them to inject malware through impersonation. 

DNS Spoofing

This type of attack is also known as DNS poisoning or DNS cache poisoning. In this attack, a DNS server is corrupted by a threat actor to change the actual IP address to a fake one. This fake IP address replaces the actual one in the server cache memory. Cybercriminals use this method to redirect web traffic to a fake or compromised website controlled by attackers. 

Session Hijacking

Session hijacking is also known as ‘cookie hijacking’. In this type of attack, an online session is exploited illegally, allowing the threat actors to get access to web-based applications, websites, or any device. The primary target of session hijacking is the sessions of targeted web browsers or web applications.

Wi-Fi Eavesdropping

Most public Wi-Fi networks are not secure and can be easily exploited. Threat actors carry out this type of attack by creating a Wi-Fi hotspot, which is called ‘Evil Twin’. The evil twin is a fraudulent Wi-Fi access point that is represented as legitimate and is actively used for spying on wireless networks.

In simpler terms, cybercriminals usually find a spot around public locations to provide free wi-fi. When a user connects themselves to such a network, the threat actors can infiltrate the targeted individual’s network and eavesdrop on their activities.

How to Prevent a Man in the Middle Attack?

It is quite tough to detect and prevent a man-in-the-middle attack. The reason is that most of the time, it goes unnoticed. So, there are some set procedures that are meant to secure the communication between two people or devices on the network. These procedures can be differently defined for users and website operators. 

Precautionary measures are the most plausible approach. That’s why the most effective method to prevent man-in-the-middle attacks is by being vigilant about any kind of suspicious element. These elements can be page authentication or implementing tools for tamper detection. 

Best Practices to Prevent Man in the Middle Attacks

There are some practices that can be followed by employees or people, in general, to identify and prevent man-in-the-middle attacks. They are listed below.

• Make sure to avoid using banking or e-commerce websites through unsecured connections or public Wi-Fi.
• One must ensure that they have logged out of the web-based application or browser after completing their session. 
• One must be vigilant about checking the notifications of the browser to identify unsecured websites. 
• The network protocols like HTTPS and TLS should be encrypted and followed through authentic procedures. 
• One must verify the authenticity of the browser or website before visiting or using it. 

Encrypt Your Network to Secure Communication

The organization should use encrypted web traffic by employing a virtual private network. An encrypted VPN prevents the attacker from infiltrating and modifying web traffic. Along with that, organizations can have incident response plans to prevent data loss. Organizations must employ intrusion detection systems to enhance network security and use encryption to secure communications. Apart from technical standards, employee awareness is important to prevent MitM attacks.

Cybersecurity awareness training is a one-stop comprehensive solution that is used to prevent most of the cyber attacks in the world. This training is meant to educate employees about the best security practices to enhance the organization’s cybersecurity. The training should also simulate various types of attacks to make employees aware of how to identify attacks and be vigilant enough to avoid them.