Man-in-the-middle (MITM) attack

The dangers of intercepted connections

General

Man-in-the-middle: the basics

What is a man-in-the-middle attack?

Man-in-the-middle attacks take place when the perpetrator intercepts communication between two parties, often altering the information they exchange. The intent is to make each party believe it is talking directly to the other, while the messages are actually being relayed, and possibly generated, by the attacker.

MITM attacks are essentially electronic eavesdropping between individuals or systems. Of course, a successful man-in-the-middle attack can only be completed if the attacker is effectively responding to both the sender and receiver such that they are convinced the information exchanged is legitimate and secure.

Even in cases where the parties eventually catch on that the responses do not appear relevant or sensible for the other party and discontinue the exchange, it could be too late if confidential information such as bank accounts or passwords were provided.

FUN FACT

MITM attacks in the wild

MITM attacks are not as common as the more prevalent phishing or ransomware attacks. Still, estimates indicate that as much as 35% of attacks in 2022 were related to attempts at exploitation through MITM attacks.

Man-in-the-middle in action

Phony access point attack

With the popularity of WiFi networks, unscrupulous MITM hackers are known to set up “rogue” access points near reputable stores or restaurants that offer public WiFi. This is also referred to as an evil twin attack.

A potential victim, Henry, is in the lobby of a busy hotel. He's in a different country and doesn't want to use his mobile data, so he decides to connect to the free hotel WiFi. He brings up the list of WiFi networks to find the right one.


After he connects, he notices some oddities. He tries to log into his bank account but is redirected to a similar-looking site. Instead of https the page is served over http, and the bank's URL is different from what he remembers. Henry quickly disconnects from the WiFi network and goes to the reception desk for more information.

Man-in-the-middle under the hood

When Henry was searching for available WiFi sites, he connected to the rogue WiFi. It had a stronger signal and was at the top of the list of available WiFi networks. He didn't suspect anything, so he logged onto that network, which was actually the hacker’s access point. The hacker could now intercept all activity taking place during that session.

In this case, Henry connected to H0TEL Guest instead of HOTEL Guest. The attacker was likely in the hotel lobby, sitting close to the target, which is why the signal was stronger. After the target, now the victim, connected to the rogue WiFi, the attacker sat between the user and the Internet. This allowed them to monitor and potentially modify the data being exchanged. For example, they could inject malicious code into web pages, altering the content that users saw.
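Henry's two warning signs, a look-alike network name and a login page that arrived over http on a different host, can both be checked mechanically. The following is an added example, not code from the original lesson: the network names, bank URLs and the confusable-character table are constructed for illustration, and the normalisation is deliberately aggressive (it treats L, I and 1 alike) so that look-alikes are flagged rather than missed.

```python
"""Client-side checks for the evil-twin scenario described above.

Added example; the SSIDs, URLs and the CONFUSABLES table are constructed.
"""
from urllib.parse import urlsplit

# Characters commonly swapped for visually similar ones in look-alike names.
# Applied after upper-casing, so lower-case l has already become L.
CONFUSABLES = str.maketrans({
    "0": "O", "1": "I", "L": "I", "|": "I",
    "5": "S", "$": "S", "8": "B", "2": "Z",
})


def normalize_ssid(ssid: str) -> str:
    """Collapse case, whitespace and confusable characters.

    'H0TEL Guest' and 'HOTEL Guest' normalise to the same string.
    """
    return " ".join(ssid.upper().translate(CONFUSABLES).split())


def lookalike_networks(expected_ssid: str, visible_ssids: list[str]) -> list[str]:
    """Return visible networks that look like the expected one but are not it."""
    target = normalize_ssid(expected_ssid)
    return [
        s for s in visible_ssids
        if s != expected_ssid and normalize_ssid(s) == target
    ]


def check_landing_url(expected_url: str, actual_url: str) -> list[str]:
    """Compare where the browser ended up with where the user meant to go.

    Returns human-readable warnings; an empty list means nothing suspicious.
    """
    exp, act = urlsplit(expected_url), urlsplit(actual_url)
    warnings = []
    if exp.scheme == "https" and act.scheme != "https":
        warnings.append(f"scheme downgraded from https to {act.scheme or 'none'}")
    if act.hostname != exp.hostname:
        warnings.append(f"host changed from {exp.hostname} to {act.hostname}")
    return warnings


if __name__ == "__main__":
    # Constructed network list as Henry might have seen it in the lobby.
    visible = ["HOTEL Guest", "H0TEL Guest", "CoffeeShop", "HOTEL Staff"]
    print("look-alike networks:", lookalike_networks("HOTEL Guest", visible))

    # Constructed URLs: the bank Henry typed versus the page he landed on.
    for w in check_landing_url(
        "https://www.examplebank.test/login",
        "http://www.examplebank-secure.test/login",
    ):
        print("warning:", w)
```

Both checks are things a user does by eye (compare the SSID, look at the address bar); writing them out shows exactly which differences matter: a confusable character in the name, a dropped https, or a host that is not the one typed.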

Dangers of MITM attacks

By intercepting the exchange between a client session and a server, a man-in-the-middle attacker can observe and steal account and password information with ease, then use those values to break into business applications or log in to financial institutions.

Transactions that are susceptible to MITM attacks include:

  • Private person-to-person communications that individuals assume are secure
  • Login and authentication to financial institutions
  • Logins to other high-value websites such as e-commerce stores

Man-in-the-middle attackers utilize a variety of approaches in connecting to victims for their unscrupulous efforts:

  • IP spoofing to fool users into thinking they’re interacting with a different person or website
  • HTTPS spoofing makes users think they’re on a secure site – but they’re really connected to an imposter site
  • SSL hijacking is where the thief intercepts activity to the secure server and reroutes it to their computer
  • Stealing browser cookies to capture secure information stored there

While there are additional methods, creative hackers constantly seek new ways to exploit websites and computer vulnerabilities.


Man-in-the-middle mitigation

How to prevent man-in-the-middle attacks?

MITM attacks can be prevented by utilizing software tools and taking the proper precautions.

  • Never utilize public WiFi for website use that is intended to be secure
  • Use a secure VPN so that all information is encrypted and cannot be viewed, eliminating MITM exposure
  • For home WiFi, never retain the default login/password values provided by the vendor as hackers know all the defaults for leading router manufacturers, and will try those values first when attempting to hack your home network
  • Never click links or open attachments in unexpected or suspicious emails.
  • Scrutinize emails that appear to be from financial institutions you already do business with
  • For businesses, implement multi-factor authentication to make MITM attacks extremely difficult and success unlikely

How to detect man-in-the-middle attacks?

In many cases, MITM attacks can be detected through awareness:

  • Secure sites will always include the HTTPS designation (an exception would be if the MITM attacker has spoofed that address).
  • When connecting via WiFi, pay close attention to the network name and ensure it makes sense for your location
  • Click the lock symbol in the address bar to see which security certificate is in use, and check that the certificate's name and the network make sense
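What the lock icon summarises is a chain-of-trust check plus a comparison of the certificate's names with the host the user typed. The code below is an added example, not part of the original lesson: it uses the Python standard library's default, verifying TLS settings, and spells out the hostname-matching rule so it can be exercised offline. The `.test` host names are constructed; `inspect_certificate` needs network access and is only run when a host is given on the command line.

```python
"""Behind the lock icon: verified TLS connection plus explicit name matching.

Added example; host names are constructed placeholders.
"""
import socket
import ssl
import sys


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested host.

    Exact names match case-insensitively. A wildcard is honoured only in the
    leftmost label and covers exactly one label, so *.examplebank.test matches
    login.examplebank.test but not examplebank.test or a.b.examplebank.test.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return (
        len(p_labels) == len(h_labels)
        and len(h_labels) > 2          # never let a wildcard cover a bare domain
        and p_labels[1:] == h_labels[1:]
    )


def cert_covers_host(san_dns_names: list[str], hostname: str) -> bool:
    """True if any subjectAltName DNS entry covers the requested host."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


def inspect_certificate(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with chain and hostname verification on (the default context).

    Raises ssl.SSLCertVerificationError if the certificate does not validate,
    which is the signal a user sees as a broken lock. On success returns the
    facts the lock icon shows.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
            version = tls.version()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "issuer": dict(rdn[0] for rdn in cert.get("issuer", ())),
        "dns_names": sans,
        "covers_host": cert_covers_host(sans, hostname),
        "not_after": cert.get("notAfter"),
        "tls_version": version,
    }


if __name__ == "__main__":
    # Offline demonstration with constructed certificate names.
    names = ["www.examplebank.test", "*.examplebank.test"]
    for host in ("login.examplebank.test", "examplebank.test", "www.examplebank-secure.test"):
        print(f"{host}: covered={cert_covers_host(names, host)}")
    # Live check only when a host is supplied, e.g. python lock_check.py <host>
    if len(sys.argv) > 1:
        print(inspect_certificate(sys.argv[1]))
```

The important design choice is that verification stays on: the default context refuses an untrusted chain or a name mismatch before any application data is sent. A client that disables `check_hostname` or sets `verify_mode` to `CERT_NONE` is exactly the client an interposed access point can impersonate.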

Congratulations

Congrats! You know all about man-in-the-middle attacks and how to prevent them. Be careful when you are connecting to public WiFi spots and always look for https!