What is a Man-in-the-middle (MITM) attack?

Cybercrime takes many forms, and MITM attacks are the oldest and possibly some of the most dangerous attacks there are. Cyber Magazine investigates.

What is a MITM?

Man-in-the-middle attacks (MITMs) occur when an attacker intercepts a two-party transaction, inserting themselves in the middle. From there, the attacker can steal and manipulate data by intercepting traffic. This type of attack usually exploits security vulnerabilities in a network, such as unsecured public WiFi, to insert the attacker between a visitor’s device and the network. The problem with this kind of attack is that it is very difficult to detect, as the victim thinks the information is going to a legitimate source.

Norton, the antivirus vendor, says there are seven types of MITM attack that cybercriminals use to gain control of devices, and that we should all be aware of.

1. IP spoofing

Every device capable of connecting to the internet has an internet protocol (IP) address, which is similar to the street address for your home. By spoofing an IP address, an attacker can trick you into thinking you’re interacting with a website or someone you’re not, perhaps giving the attacker access to information you’d otherwise not share.

2. DNS spoofing

Domain Name Server, or DNS, spoofing is a technique that forces a user to a fake website rather than the real one the user intends to visit. If you are a victim of DNS spoofing, you may think you’re visiting a safe, trusted website when you’re actually interacting with a fraudster. The perpetrator’s goal is to divert traffic from the real site or capture user login credentials.

3. HTTPS spoofing

When doing business on the internet, seeing “HTTPS” in the URL rather than “HTTP” is a sign that the website is secure and can be trusted. In fact, the “S” stands for “secure.” An attacker can fool your browser into believing it’s visiting a trusted website when it’s not. By redirecting your browser to an unsecure website, the attacker can monitor your interactions with that website and possibly steal personal information you’re sharing.

4. SSL hijacking

When your device connects to an unsecure server — indicated by “HTTP” — the server can often automatically redirect you to the secure version of the server, indicated by “HTTPS.” A connection to a secure server means standard security protocols are in place, protecting the data you share with that server. SSL stands for Secure Sockets Layer, a protocol that establishes encrypted links between your browser and the web server. In an SSL hijacking, the attacker uses another computer and secure server and intercepts all the information passing between the server and the user’s computer.

5. Email hijacking

Cybercriminals sometimes target email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers. This convinces the customer to follow the attackers’ instructions rather than the bank’s. As a result, an unwitting customer may end up putting money in the attackers’ hands.

6. Wi-Fi eavesdropping

Cybercriminals can set up Wi-Fi connections with legitimate-sounding names, similar to that of a nearby business. Once a user connects to the fraudster’s Wi-Fi, the attacker can monitor the user’s online activity and intercept login credentials, payment card information, and more.

7. Stealing browser cookies

A cybercriminal can hijack browser cookies (a small piece of information websites store on your computer). Since cookies store information from your browsing session, attackers can gain access to your passwords, address, and other sensitive information.

How to detect MITM attacks

MITM attacks can be difficult to catch. Data security and threat detection company Varonis says there are key signs to look out for. 

  • Unexpected and/or repeated disconnections: Attackers forcefully disconnect users so they can intercept the username and password when the user tries to reconnect. By monitoring for unexpected or repeated disconnections, you can pinpoint this potentially risky behaviour proactively.
  • Strange addresses in your browser address bar: If anything in the address looks odd, even by a little, double-check it. It could be a DNS hijack. For example, you see https://www.go0gle.com instead of https://www.google.com.
  • You log into a public and/or unsecured Wi-Fi: Be very careful of what networks you connect to, and avoid public Wi-Fi if possible. Attackers create fake networks with known IDs like “local free wireless” or some other common name to trick people into connecting. If you connect to the attacker’s Wi-Fi, they can easily see everything you send on the network.
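The “strange address” and “HTTPS vs HTTP” signs above can be checked mechanically. The following is an added example, not code from the article or from Varonis: it takes a URL, warns when the scheme is not HTTPS, and compares the hostname against a constructed allowlist of expected sites, flagging digit-for-letter look-alikes (the go0gle case) and near-miss spellings. The allowlist, the substitution table and the two-edit threshold are assumptions for illustration; note that HTTPS only protects the transport, a look-alike host can still present a valid certificate, so the host check matters even on an HTTPS page.

```python
from urllib.parse import urlsplit

# Constructed allowlist of sites the user expects to reach over HTTPS (assumption).
TRUSTED_HOSTS = {"www.google.com", "www.example-bank.com"}

# Digit-for-letter substitutions commonly seen in spoofed hostnames (assumption).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> list[str]:
    """Return the warning signs from the article that apply to this URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    warnings = []
    # Sign 1: plain HTTP means the traffic is readable and modifiable in transit.
    if parts.scheme != "https":
        warnings.append(f"{host}: not HTTPS, traffic is readable in transit")
    if host in TRUSTED_HOSTS:
        return warnings
    # Sign 2: a host that only differs from a trusted one by look-alike characters.
    normalised = host.translate(LOOKALIKES)
    for trusted in TRUSTED_HOSTS:
        if normalised == trusted:
            warnings.append(f"{host}: digit-for-letter look-alike of {trusted}")
        elif edit_distance(host, trusted) <= 2:
            warnings.append(f"{host}: within 2 edits of {trusted}, possible typo-squat")
    return warnings


if __name__ == "__main__":
    # Constructed sample addresses, including the article's own go0gle example.
    for sample in ("https://www.google.com", "https://www.go0gle.com",
                   "http://www.google.com", "https://www.gooogle.com"):
        print(sample, "->", check_url(sample) or ["no warning signs"])
```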

Famous examples of MITM attacks 

One of the oldest cases of a MITM attack was the Babington Plot, a plan in 1586 to assassinate Queen Elizabeth I, a Protestant, and put Mary, Queen of Scots, her Roman Catholic cousin, on the English throne. Babington, a young recusant, was recruited by Ballard, a Jesuit priest who hoped to rescue the Scottish Queen. Communications between Mary Stuart and her fellow conspirators were intercepted, decoded, and modified by the cryptography expert Thomas Phelippes.

Other examples include:
