What is a Man-in-the-middle (MITM) attack?
What is a MITM?
Man-in-the-middle attacks (MITMs) occur when an attacker intercepts a two-party transaction and inserts themselves in the middle. From there, cyber attackers can steal and manipulate data by intercepting and interrupting traffic. This type of attack usually exploits security weaknesses in a network, such as unsecured public WiFi, to let the attacker sit between a visitor’s device and the network. The problem with this kind of attack is that it is very difficult to detect, as the victim thinks the information is going to a legitimate source.
Norton antivirus software says there are seven types of MITM attack that cyber criminals can use to gain control of devices, and that we should all be aware of.
1. IP spoofing
Every device capable of connecting to the internet has an internet protocol (IP) address, which is similar to the street address for your home. By spoofing an IP address, an attacker can trick you into thinking you’re interacting with a website or someone you’re not, perhaps giving the attacker access to information you’d otherwise not share.
2. DNS spoofing
Domain Name System (DNS) spoofing is a technique that forces a user to a fake website rather than the real one the user intends to visit. If you are a victim of DNS spoofing, you may think you’re visiting a safe, trusted website when you’re actually interacting with a fraudster. The perpetrator’s goal is to divert traffic from the real site or capture user login credentials.
3. HTTPS spoofing
When doing business on the internet, seeing “HTTPS” in the URL, rather than “HTTP” is a sign that the website is secure and can be trusted. In fact, the “S” stands for “secure.” An attacker can fool your browser into believing it’s visiting a trusted website when it’s not. By redirecting your browser to an unsecure website, the attacker can monitor your interactions with that website and possibly steal personal information you’re sharing.
4. SSL hijacking
When your device connects to an unsecure server — indicated by “HTTP” — the server can often automatically redirect you to the secure version of the server, indicated by “HTTPS.” A connection to a secure server means standard security protocols are in place, protecting the data you share with that server. SSL stands for Secure Sockets Layer, a protocol that establishes encrypted links between your browser and the web server. In an SSL hijacking, the attacker uses another computer and secure server and intercepts all the information passing between the server and the user’s computer.
5. Email hijacking
Cybercriminals sometimes target email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers. This convinces the customer to follow the attackers’ instructions rather than the bank’s. As a result, an unwitting customer may end up putting money in the attackers’ hands.
6. Wi-Fi eavesdropping
Cybercriminals can set up Wi-Fi connections with very legitimate-sounding names, similar to a nearby business. Once a user connects to the fraudster’s Wi-Fi, the attacker is able to monitor the user’s online activity and intercept login credentials, payment card information, and more.
7. Stealing browser cookies
A cybercriminal can hijack browser cookies (a small piece of information websites store on your computer). Since cookies store information from your browsing session, attackers can gain access to your passwords, address, and other sensitive information.
How to detect MITM attacks?
MITM attacks can be difficult to catch. Data security and threat detection company Varonis says there are key signs to look out for.
- Unexpected and/or repeated disconnections: Attackers forcefully disconnect users so they can intercept the username and password when the user tries to reconnect. By monitoring for unexpected or repeated disconnections, you can pinpoint this potentially risky behaviour proactively.
- Strange addresses in your browser address bar: If anything in the address looks odd, even by a little, double-check it. It could be a DNS hijack. For example, you see https://www.go0gle.com instead of https://www.google.com.
- You log into a public and/or unsecured Wi-Fi: Be very careful of what networks you connect to, and avoid public Wi-Fi if possible. Attackers create fake networks with known IDs like “local free wireless” or some other common name to trick people into connecting. If you connect to the attacker’s Wi-Fi, they can easily see everything you send on the network.
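The address-bar sign above can be checked automatically. The following is an added example, not code from the original article or from Varonis: it normalises an address, requires HTTPS, and compares the hostname against a small trusted list using a "skeleton" that collapses characters commonly swapped for look-alikes (0 for o, 1 for l, rn for m, and so on). The trusted hosts and the confusable table are constructed assumptions for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed sample allowlist: sites the user actually intends to visit.
TRUSTED_HOSTS = {"google.com", "example-bank.com"}

# Substitutions that make a forged name look like a real one (assumed table).
# Multi-character entries come first so "rn" collapses to "m" before "n" is examined.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("7", "t"), ("8", "b")]


def normalise_host(url):
    """Return (hostname, scheme), lower-cased and with a leading 'www.' removed."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, parts.scheme.lower()


def skeleton(host):
    """Reduce a hostname to the shape the eye sees, e.g. 'go0gle.com' -> 'google.com'."""
    for look_alike, real in CONFUSABLES:
        host = host.replace(look_alike, real)
    return host


def check_url(url, trusted=TRUSTED_HOSTS):
    """Classify an address seen in the browser bar as ok / insecure / lookalike / unknown."""
    host, scheme = normalise_host(url)
    if not host:
        return "invalid", "no hostname in address"
    if scheme != "https":
        # Plain HTTP is exactly what an SSL-hijacking or HTTPS-spoofing attacker wants you on.
        return "insecure", f"{host} reached over {scheme or 'no scheme'}, not https"
    if host in trusted:
        return "ok", host
    shape = skeleton(host)
    for real in trusted:
        if skeleton(real) == shape:
            # Same visual shape as a trusted site but not the same name: a classic DNS-hijack sign.
            return "lookalike", f"{host} resembles trusted {real}"
    return "unknown", f"{host} is not on the trusted list"


if __name__ == "__main__":
    for address in ("https://www.google.com", "https://www.go0gle.com",
                    "http://www.google.com", "https://examp1e-bank.com"):
        print(address, "->", check_url(address))
```

The skeleton is applied to both sides of the comparison so a trusted name that legitimately contains "rn" or a digit is not penalised; a browser extension or proxy log filter would use the same idea with a much larger confusable table.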
Famous examples of MITM attacks
One of the oldest cases of a MITM attack was the Babington Plot, a plan in 1586 to assassinate Queen Elizabeth I, a Protestant, and put Mary, Queen of Scots, her Roman Catholic cousin, on the English throne. Babington, a young recusant, was recruited by Ballard, a Jesuit priest who hoped to rescue the Scottish Queen. Communications between Mary Stuart and her fellow conspirators were intercepted, decoded, and modified by the cryptography expert Thomas Phelippes.
Other examples include:
- During World War II, British intelligence conducted MITM attacks against Nazi forces using Aspidistra devices. Cracking of the Enigma code could also be considered a MITM attack.
- In 2013, information was leaked about the Quantum/FoxAcid MITM system employed by the NSA to intercept Tor connections.
- In 2014, Lenovo installed MITM (SSL Hijacking) adware called Superfish on its Windows PCs.
- In 2015, a British couple (the Luptons) lost £340,000 in an email eavesdropping / email hijacking MITM attack.