True to its name, a Man-in-the-Middle (MITM) attack is one in which an attacker positions themselves in the middle of a conversation between you, the user, and the entity you are trying to communicate with. The attacker relays the traffic so that both sides believe they are talking directly to each other, while reading or altering whatever passes through. Picture a stranger at the next table eavesdropping on your private conversation while pretending to mind his own business.
How Do MITM Attacks Work?
There are many real world examples of man-in-the-middle attacks. Typically, these attacks are delivered using one of these strategies:
Often, attackers need to be physically close to their targets in order to get onto the path of their traffic, which is why poorly secured Wi-Fi routers are a favourite target. Whether it is your home router or a free public hotspot, an attacker who controls or has compromised the access point sits between you and the Internet: they can capture the credentials and personal information you transmit, and insert their own tools into the pages you load.
In July 2019, a security flaw allowing attackers to bypass the payment limits on Visa contactless cards was disclosed. In this case the attackers planted a device that intercepted the communication between the card and the payment terminal. Acting as a proxy between the two, the device told the card that verification was not necessary, so the card approved a payment above the contactless limit without the cardholder verification step that should have applied.
Another way that MITM perpetrators get into position is to disguise themselves as a trustworthy entity to obtain your credentials, a practice known as phishing. They send you legitimate-looking emails purporting to come from trusted organizations; when you click the link, you land on a lookalike of the real website and are tricked into entering your credentials there. Other times, clicking a link or opening an attachment silently loads malware onto your device, which lets the perpetrator record your data and follow your digital footprint. Phishing by itself is social engineering rather than interception, but the credentials and footholds it yields are what many MITM campaigns are built on.
Types of MITM Attacks
A MITM attack is usually executed in two phases: first interception, then decryption.
Interception is when the perpetrator intercepts the user's traffic as it passes through a network they control, before it reaches its intended destination. Some examples of this include:
Malicious Wi-Fi Hotspots
A common way is to make free, malicious Wi-Fi hotspots available to the public. These hotspots are usually given a legitimate-sounding name similar to that of a nearby business (an "evil twin" of the real network). Once you connect, every packet you send passes through hardware the attacker controls, giving them full visibility of your unencrypted traffic and the ability to redirect you to sites of their choosing.
Email Address Spoofing
If you work for a large organization, email hijacking is something that could very well happen to you. First, the attackers gain access to a corporate email account (often through phishing) and quietly monitor the conversations and transactions taking place. When the time is right, they step in: they spoof the company's email address or reply from the compromised account, mimic the layout and contents of a genuine email, and edit parts of it with their own requests (e.g. a change of the company's bank account number to one they control). This very thing happened to Paul Lupton in London in 2015, robbing him of £340,000.
IP Spoofing and DNS Spoofing
Other interception techniques involve Internet Protocol (IP) spoofing and Domain Name System (DNS) spoofing. In IP spoofing, the perpetrator forges the source address of the packets they send so that they appear to come from a trusted host, tricking you into thinking you are interacting with a website or person you are not. In DNS spoofing, the perpetrator feeds your resolver or your machine a forged answer for a domain name, so that the genuine name quietly resolves to the attacker's server: you are taken to a fake website rather than the real one and may unknowingly hand your login credentials and information to the perpetrator.
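The checks below show why forging a DNS answer is not as simple as forging the source IP address. This is an added example, not code from the original article: it builds a minimal DNS query and A-record reply with the standard library, then applies the checks a client (or a stub resolver) must make before trusting a UDP reply. An attacker who spoofs the resolver's IP address as the source still has to guess the 16-bit transaction ID and the client's source port, which is why both are randomized (RFC 5452). All packets, names and addresses are constructed for the example.

```python
import random
import struct


def encode_qname(name):
    """Encode 'bank.example' as length-prefixed labels ending in a zero byte (RFC 1035)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal DNS/UDP query: 12-byte header (RD=1, QDCOUNT=1) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def new_query(name, qtype=1):
    """Fresh query with a random ID; a real client also sends from a random UDP port."""
    txid = random.getrandbits(16)
    return txid, build_query(txid, name, qtype)


def parse_name(data, off):
    """Read a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer to an earlier name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            labels.append(parse_name(data, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def build_response(txid, name, ip, qtype=1):
    """Constructed A-record reply, exactly as a resolver or a spoofer would send it."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD, RA, one answer
    question = encode_qname(name) + struct.pack("!HH", qtype, 1)
    # answer: pointer to the question name at offset 12, type A, class IN, TTL, 4-byte rdata
    answer = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 300, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def accept_reply(expected, reply, src):
    """Checks before trusting a UDP reply.
    expected: {'txid', 'name', 'qtype', 'resolver': (ip, port)}; src: (ip, port) the datagram came from."""
    if src != expected["resolver"]:
        return False, "source address/port does not match the resolver we asked"
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if txid != expected["txid"]:
        return False, "transaction ID mismatch"          # a blind spoofer has to guess this
    if not flags & 0x8000:
        return False, "not a response"
    if qdcount != 1:
        return False, "unexpected question count"
    qname, off = parse_name(reply, 12)
    qtype, _qclass = struct.unpack("!HH", reply[off:off + 4])
    if (qname.lower(), qtype) != (expected["name"].lower(), expected["qtype"]):
        return False, "question does not match what we asked"
    return True, "ok"


def answer_ip(reply):
    """Extract the first A-record address from an already-accepted reply."""
    _, off = parse_name(reply, 12)      # skip the question name
    off += 4                            # qtype, qclass
    _, off = parse_name(reply, off)     # answer owner name (usually a pointer)
    rtype, _, _, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return ".".join(str(b) for b in reply[off:off + 4])


if __name__ == "__main__":
    txid, _ = new_query("bank.example")
    expected = {"txid": txid, "name": "bank.example", "qtype": 1, "resolver": ("192.0.2.53", 53)}
    genuine = build_response(txid, "bank.example", "198.51.100.10")
    # Attacker forges the resolver's IP as source (IP spoofing) but guesses the ID wrong.
    forged = build_response((txid + 1) & 0xFFFF, "bank.example", "203.0.113.66")
    print(accept_reply(expected, genuine, ("192.0.2.53", 53)), answer_ip(genuine))
    print(accept_reply(expected, forged, ("192.0.2.53", 53)))
```

A spoofer that can see the query (on the same hotspot, say) does not need to guess anything, which is why these checks stop off-path forgery only; DNSSEC or an encrypted transport to the resolver is what protects against an on-path attacker.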
After interception comes decryption. Having intercepted the traffic, the perpetrator still has to deal with TLS (SSL), and breaking the encryption itself is impractical. Instead, they rely on two primary methods of keeping the victim off a genuine encrypted session in the first place:
HTTPS Spoofing
In HTTPS spoofing, perpetrators register domains that look similar to the original one but are actually made of different characters, for example a digit 1 in place of a letter l, or a Cyrillic letter that is drawn identically to its Latin counterpart. Because the lookalike domain is genuinely theirs, they can obtain a valid certificate for it and the browser shows the padlock. This fools the user into believing they are entering their sensitive information on the original site, when they are in fact on the perpetrator's site.
SSL Stripping
In SSL stripping, your browser first connects to an insecure site (HTTP) and is then redirected to the secure site (HTTPS). A perpetrator on the path intercepts that first request, talks HTTPS to the real site themselves, and relays everything back to you over plain HTTP, rewriting the redirect and the links in the pages so that your session never upgrades. Your side of the session stays unencrypted and the perpetrator sees all of it. Today, many websites use HTTP Strict Transport Security (HSTS): the site sends a header over HTTPS telling the browser to use only HTTPS for that domain for a period of time, and the browser then upgrades any http:// address to https:// before the request leaves, so the stripper never sees a plaintext request. The protection only applies once the browser has learned the policy from an earlier secure visit or from the browser's built-in preload list, which is why the first ever visit to a site is the one a stripper targets.
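The two halves of the SSL-stripping story above, as an added example rather than code from the original article. The first function is what the stripping proxy does to the plaintext leg it relays to the victim; the second is a simplified browser-side HSTS cache following RFC 6797: a Strict-Transport-Security header is only honoured when received over TLS, and a remembered host is upgraded to https:// before any request is sent. Host names, headers and the preload list are constructed for the example.

```python
import time
from urllib.parse import urlsplit, urlunsplit


def strip_response(status_line, headers, body):
    """What an SSL-stripping proxy does to a response it relays over plain HTTP:
    downgrade the redirect to HTTPS and rewrite every https:// link in the page."""
    headers = dict(headers)
    location = headers.get("Location", "")
    if location.startswith("https://"):
        headers["Location"] = "http://" + location[len("https://"):]
    return status_line, headers, body.replace("https://", "http://")


class HstsCache:
    """Minimal model of a browser's HSTS store (RFC 6797)."""

    def __init__(self, preload=()):
        # Preloaded hosts never expire and cover subdomains (constructed list).
        self.hosts = {h.lower(): (float("inf"), True) for h in preload}

    def learn(self, host, over_tls, sts_header):
        """Record a Strict-Transport-Security header. Headers seen over plain HTTP
        are ignored, otherwise a stripper could simply inject or alter them."""
        if not over_tls or not sts_header:
            return
        max_age, include_subdomains = None, False
        for directive in sts_header.split(";"):
            key, _, value = directive.strip().partition("=")
            if key.lower() == "max-age":
                max_age = int(value.strip().strip('"'))
            elif key.lower() == "includesubdomains":
                include_subdomains = True
        if max_age is None:
            return
        if max_age == 0:                       # site is withdrawing its policy
            self.hosts.pop(host.lower(), None)
            return
        self.hosts[host.lower()] = (time.time() + max_age, include_subdomains)

    def should_upgrade(self, host, now=None):
        """True if host or a parent domain with includeSubDomains has a live policy."""
        now = time.time() if now is None else now
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url):
        """Rewrite http:// to https:// before the request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.should_upgrade(parts.hostname or ""):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    cache = HstsCache()
    print(cache.navigate("http://bank.example/login"))            # first visit: stays http, stripper wins
    cache.learn("bank.example", over_tls=True,
                sts_header="max-age=31536000; includeSubDomains")
    print(cache.navigate("http://bank.example/login"))            # now upgraded before sending
    print(strip_response("302 Found", {"Location": "https://bank.example/login"},
                         '<a href="https://bank.example/pay">Pay</a>'))
```

The gap the model makes visible: a user who has never visited the site over HTTPS has an empty cache, and the stripped response they receive is plain HTTP, so the header in it is ignored by design. Preloading closes that gap.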
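For the lookalike domains used in HTTPS spoofing, and equally for the lookalike sender domains used in the email hijacking described earlier, a practical check is to reduce a host name to an ASCII "skeleton" and compare it against the domains you actually trust, and to flag labels that mix scripts. This is an added example, not code from the original article or from any browser; the confusable table is a deliberately small, constructed subset of what Unicode TR39's skeleton algorithm covers, and the trusted-domain list is made up for the example.

```python
import unicodedata

# Constructed: domains the organization legitimately deals with.
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}

# Hypothetical, intentionally small confusable table: characters that attackers
# swap for Latin letters. A real check would use the full Unicode TR39 data.
CONFUSABLE_CHARS = {
    "0": "o", "1": "l", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",   # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u04bb": "h",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",                                  # Greek
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}   # crude: also mangles words like "uncle"


def skeleton(label):
    """Reduce a label to an ASCII skeleton so that lookalikes compare equal to their target."""
    s = unicodedata.normalize("NFKD", label).lower()
    s = "".join(c for c in s if not unicodedata.combining(c))      # strip accents: é -> e
    s = "".join(CONFUSABLE_CHARS.get(c, c) for c in s)
    for pair, single in CONFUSABLE_PAIRS.items():
        s = s.replace(pair, single)
    return s


def scripts(label):
    """Scripts used by the letters of a label, taken from Unicode names ('LATIN', 'CYRILLIC', ...)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}


def to_punycode(domain):
    """The form the resolver actually sees; a leading xn-- is what the address bar may hide."""
    return domain.encode("idna").decode("ascii")


def assess(domain):
    """Return ('trusted' | 'lookalike' | 'unknown', reason) for a host name or sender domain."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted", "exact match"
    labels = domain.split(".")
    mixed = [l for l in labels if len(scripts(l)) > 1]
    if mixed:
        return "lookalike", f"label {mixed[0]!r} mixes scripts ({to_punycode(domain)})"
    if ".".join(skeleton(l) for l in labels) in TRUSTED_DOMAINS:
        return "lookalike", f"skeleton matches a trusted domain ({to_punycode(domain)})"
    return "unknown", "no match"


if __name__ == "__main__":
    for candidate in ["example.com", "examp1e.com", "exarnple.com",
                      "\u0435xample.com", "\u0430pple.com", "unrelated.org"]:
        print(candidate, to_punycode(candidate), assess(candidate))
```

The same function works on the domain part of a From: or Reply-To: address, which is where a hijacked-email request to change bank details is most easily caught before anyone acts on it.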
Preventing A MITM Attack
By having a better understanding of MITM attacks, organizations can implement proper security measures to defend themselves against such attacks.
The Visa case study above highlights the importance of every party in a transaction enforcing stringent verification, since the attack worked by convincing one side that the other had already done its part. Being compliant with the Payment Card Industry Data Security Standard (PCI DSS) is a good starting point for organizations that deal with payments.
Employees, who are often the weakest link in the security chain, also need security awareness training to be educated on how to be cyber-vigilant. Here are some best practices:
- Keep your operating system and browser patched, run anti-malware software from trusted sources, and consider browser add-ons that help you detect SSL hijacking, such as CheckMyHTTPS.
- Skip the free Wi-Fi hotspot when conducting any sensitive activities.
- Check for the lock symbol next to the address bar and click on it to view the certificate details; the certificate should be issued to the exact domain you intended to visit, not merely to some domain.
- Don't forget to check your browser address bar itself: the domain should be spelled exactly as you expect and the scheme should be https, because a padlock on a lookalike domain proves nothing.
- If your gut is telling you that this email or website is suspicious, it probably is — don’t trust it with any of your sensitive information.
- Whenever you can, set up two-factor authentication.
The cost of cyber attacks far exceeds the security investments that organizations make. Before you take the first steps to protect your employees and digital assets, learn about the common cyber threats today and the top cyber risks that your organization faces. This way, you can put together a strategy that suits your needs.