Man-in-the-middle attacks are a type of cyberattack where threat actors secretly intercept communications between two parties. The threat actor can read, modify, or withhold information traveling between the two, and use the information they learn for malicious purposes.
Cybercriminals use man-in-the-middle attacks to obtain sensitive data and to abuse the authority of the services they impersonate. When a threat actor inserts themselves between a user and a website or application, they can learn login credentials, access user accounts, and interact with web applications in the user’s name.
How do man-in-the-middle attacks work?
All man-in-the-middle attacks share the same fundamental premise. To compromise secure communications between a user and a website or application, a threat actor must first intercept the traffic, and then decrypt it before it can be read or altered.
Interception is the process of inserting an attacker-controlled asset between a client and a server. It can be done manually or with automated tooling, and many popular hardware and software products have known MiTM weaknesses that make it easier.
Once the attacker is in position, the decryption phase begins. This usually requires an additional attack on the infrastructure responsible for encrypting the traffic. If the attacker cannot decrypt the data they intercept, it remains unusable to them.
Tools used for man-in-the-middle attacks:
- Ettercap: This open-source tool analyzes network protocols. Hackers can use it to intercept network traffic data and capture login credentials.
- Cain and Abel: This tool was first conceived as a password recovery tool, but it eventually became a packet sniffing and network evaluation solution capable of website spoofing, brute-force attacks, and more.
- dSniff: This is a collection of network analysis and security tools. Threat actors can use dSniff to intercept network traffic data and conduct HTTPS hijacking attacks.
Types of man-in-the-middle attacks
There are many different ways users and assets interact over the internet. Almost every type of interaction is susceptible to a variation of the man-in-the-middle attack. Some of the most popular examples include:
- IP Spoofing. This happens when a threat actor forges the IP address of a website or application in order to impersonate it. Users believe they are interacting with a trusted brand, but they are in fact sending information directly to the attacker.
- HTTPS Spoofing. In this attack, hackers secretly redirect traffic meant for a secure HTTPS site to a non-secure HTTP site and track users’ activity on it. This can give them valuable information, including user logins and website interaction data.
- DNS Spoofing. Hackers who create fake websites and attach them to a fake DNS entry can trick users into logging in and sharing sensitive data. Attackers need to compromise a DNS server and force it to serve a modified IP address to users who request it.
- Wi-Fi Spoofing. Attackers can eavesdrop on public Wi-Fi networks. If the local Wi-Fi is unsecured, hackers can place themselves between your device and the internet, observing every packet of data that travels between the two.
- Email Hijacking. This is when threat actors secretly gain access to your email account and monitor your correspondence. This allows them to intercept your mail, send messages from your address, and learn one-time passwords used for multi-factor authentication.
- Session Hijacking. In this case, attackers steal web browser cookies from your device as you log into a web application. Since cookies are responsible for keeping you logged into websites, attackers can use them to impersonate you online.
- SSL Hijacking. In this technical attack, hackers subvert the SSL/TLS layer that encrypts HTTPS traffic, intercepting user data traveling to SSL-secured websites.
Notable examples of man-in-the-middle attacks
The premise of the man-in-the-middle attack is much older than modern computing. Several historical examples predate computing entirely, while more recent attacks show how prevalent and dangerous this attack type can be.
- The Babington Plot. One of the first recorded man-in-the-middle attacks in history predates computers by nearly half a millennium. A spy working for Queen Elizabeth I intercepted secret correspondence describing a conspiracy to overthrow her. The spy used cryptanalysis to decode the messages and replace them with his own, causing the conspiracy to unravel.
- The Blanc Semaphore Network Hack. Another version of this attack took place in the 1800s, when France set up a network of communication towers using movable wooden poles. Two brothers intercepted the messages to secretly relay stock market data.
- 2013 NSA Spying Leak. One of the documents leaked by Edward Snowden described the National Security Administration’s method for intercepting Google traffic to obtain the search records of Google users. The NSA spoofed SSL certificates to obtain data that should only have gone to Google.
- The 2017 Equifax Breach. Cybercriminals used MiTM attack methods to expose more than 100 million customers’ financial data over many months. In this case, attackers exploited a known vulnerability in an open-source development framework called Apache Struts.
How to prevent man-in-the-middle attacks
Preventing man-in-the-middle attacks requires proactively securing communications infrastructure between clients and servers in your network. You can take the following actions to keep attackers from compromising these assets:
- Don’t use unsecured HTTP connections. All business operations and internet-connected IT assets should use HTTPS connections. You can also implement DNS over HTTPS to extend protection to DNS requests.
- Integrate app-based multi-factor authentication (MFA). App-based MFA is much more secure than sending one-time passwords through email or SMS. You may also consider using a hardware token to verify new authentication requests.
- Use an encrypted email provider. Consider integrating Secure/Multipurpose Internet Mail Extensions (S/MIME) into your email workflow. This encrypts email content and certifies authenticated email senders.
- Manage SSL certificates automatically. Manually managing SSL certificates across a network is slow and error-prone. Use an efficient, centralized system to keep your SSL certificates up to date and resistant to hacking.
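As an added example that is not part of the original article, the following Python shows what two of these recommendations look like in client code: a TLS client context that verifies certificates and hostnames and refuses pre-1.2 protocol versions, an audit function that reports settings which would let an interceptor's forged certificate through, and a redirect check that refuses to follow an HTTPS response to a plain-HTTP location (the downgrade that HTTPS spoofing relies on). It uses only the standard library; the deliberately weak context is constructed here purely so the audit has something to flag, and the URLs are placeholders.

```python
from __future__ import annotations

import ssl
from urllib.parse import urljoin, urlsplit


def hardened_client_context() -> ssl.SSLContext:
    """Client context that rejects forged certificates, wrong hostnames and legacy TLS."""
    ctx = ssl.create_default_context()  # system trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 downgrade
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """Deliberately weak context, built here only so the audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate, including an interceptor's
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings that would let a man-in-the-middle succeed; empty list means none found."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: a forged certificate is accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for another name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to legacy protocol versions is possible")
    return findings


def next_hop(current_url: str, location: str) -> str | None:
    """Resolve an HTTP redirect target; return None if it would downgrade HTTPS to plain HTTP."""
    target = urljoin(current_url, location)
    if urlsplit(current_url).scheme == "https" and urlsplit(target).scheme != "https":
        return None
    return target


if __name__ == "__main__":
    # Placeholder hostnames; nothing here opens a network connection.
    for name, ctx in (("hardened", hardened_client_context()), ("weak", weak_client_context())):
        print(name, audit_client_context(ctx) or "no findings")
    print(next_hop("https://intranet.example.internal/login", "/account"))
    print(next_hop("https://intranet.example.internal/login", "http://203.0.113.45/login"))
```

The ordering in the weak context (check_hostname off before verify_mode is lowered) is what the ssl module enforces, so an audit that looks only at one of the two attributes would miss half the picture; the audit checks both, plus the protocol floor.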
How to detect man-in-the-middle attacks
Detecting MiTM attacks requires visibility into, and control over, network assets and the way they communicate. Deploy the appropriate technologies to identify network traffic and user behaviors that suggest a man-in-the-middle attack may be taking place.
Equipping your SIEM with User and Entity Behavior Analytics (UEBA) can provide insight into MiTM attacks by triggering alerts when users and IT assets deviate from their routine activities. Unexpected disconnections and strange requests can indicate that a man-in-the-middle attack is underway.
Network Detection and Response (NDR) can also provide visibility into MiTM attacks by showing when network assets connect to one another in new and unusual configurations. You might see evidence of a connection to an internal asset being replaced by an external one designed to look exactly the same. This could be a spoofed website or server designed to execute MiTM attack techniques.
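As an added example, not taken from the article, here is a small Python detector that applies the NDR idea above to connection records: a baseline describes how each internal service normally presents itself (expected addresses, expected certificate fingerprint, expected scheme), and an alert is raised when a client reaches the same hostname at an address outside the baseline, is shown a different certificate, or is served over plain HTTP. The record format, hostnames, addresses and fingerprints are all constructed for the example and are not real indicators.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed baseline: how each internal service normally presents itself.
# The fingerprints are placeholders, not real certificate hashes.
BASELINE = {
    "intranet.example.internal": {
        "addrs": {"10.0.5.20"},
        "cert_sha256": "sha256:aa11aa11",
        "scheme": "https",
    },
    "mail.example.internal": {
        "addrs": {"10.0.5.30"},
        "cert_sha256": "sha256:cc33cc33",
        "scheme": "https",
    },
}

# Constructed connection records in the shape a proxy or NDR sensor might export:
# timestamp, client, requested hostname, address actually contacted, scheme, server cert fingerprint.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z,10.0.7.14,intranet.example.internal,10.0.5.20,https,sha256:aa11aa11
2024-05-01T08:00:05Z,10.0.7.15,intranet.example.internal,10.0.5.20,https,sha256:aa11aa11
2024-05-01T08:02:10Z,10.0.7.14,intranet.example.internal,203.0.113.45,https,sha256:bb22bb22
2024-05-01T08:03:00Z,10.0.7.16,intranet.example.internal,10.0.5.20,http,-
2024-05-01T08:04:00Z,10.0.7.14,mail.example.internal,10.0.5.30,https,sha256:cc33cc33
"""

FIELDS = ["ts", "client", "host", "addr", "scheme", "cert"]


@dataclass(frozen=True)
class Alert:
    ts: str
    client: str
    host: str
    kind: str
    detail: str


def parse_records(text: str) -> list[dict[str, str]]:
    """Parse CSV connection records into dicts keyed by FIELDS, skipping blank lines."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["host"]]


def analyze(records: list[dict[str, str]], baseline: dict = BASELINE) -> list[Alert]:
    """Compare each record with the baseline and return one alert per deviation found."""
    alerts: list[Alert] = []
    for r in records:
        expected = baseline.get(r["host"])
        if expected is None:
            continue  # no baseline for this host, so nothing to compare against
        if r["addr"] not in expected["addrs"]:
            # Same hostname, different endpoint: the internal asset may have been replaced.
            alerts.append(Alert(r["ts"], r["client"], r["host"], "unexpected-destination",
                                f"reached at {r['addr']}, baseline {sorted(expected['addrs'])}"))
        if r["scheme"] != expected["scheme"]:
            # A normally-HTTPS service seen in the clear is the HTTPS-spoofing downgrade.
            alerts.append(Alert(r["ts"], r["client"], r["host"], "plaintext-downgrade",
                                f"served over {r['scheme']}, baseline {expected['scheme']}"))
        elif r["cert"] != expected["cert_sha256"]:
            # Certificate changed without a planned rotation: possible forged certificate.
            alerts.append(Alert(r["ts"], r["client"], r["host"], "certificate-mismatch",
                                f"saw {r['cert']}, baseline {expected['cert_sha256']}"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(parse_records(SAMPLE_LOG)):
        print(f"{alert.ts} {alert.client} -> {alert.host}: {alert.kind} ({alert.detail})")
```

On the constructed records this yields three alerts: the third line trips both the destination and certificate checks (one client was steered to an address outside the baseline and shown a different certificate), and the fourth line is the plaintext downgrade. In practice the baseline would be populated from a period of known-good traffic and refreshed on planned certificate rotations, so that a legitimate renewal does not masquerade as an interception.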