Definition of a Man-in-the-Middle (MitM) attack
If an attacker intercepts data sent between two entities (user, company, server), this is called a Man-in-the-Middle attack (MitM attack for short). The attacker has complete control over the data traffic and can read, intercept and even manipulate the information sent to use it for malicious purposes. In doing so, the attacker pretends to be the respective communication partner and thus obtains passwords, access data, account data, TANs, etc.
How does a Man-in-the-Middle attack work?
In a MitM attack, an attacker inserts themselves into the connection between the user’s system and the (Internet or network) resource it uses, usually by exploiting known vulnerabilities in web-based communication. The attacker acts as an intermediary between the systems. For example, if system A tries to establish a communication with system B, the attacker intercepts it and redirects the communication to themselves. Once this connection is set up, the attacker, as an intermediary, forwards the data flow to the actual system B without either of the original parties being aware of it.
Attackers exploit security vulnerabilities in outdated software or hardware (such as web browsers or routers) to manipulate them; in the process, malware may be introduced to read the communication. Alternatively, public, freely accessible but insufficiently protected WLAN networks are used for an attack. Another option is to manipulate the DNS servers that resolve a website’s name to the correct IP address.
The Dynamic Host Configuration Protocol (DHCP), which assigns and manages local IP addresses, is also easy to manipulate, as is the Address Resolution Protocol (ARP), which maps IP addresses to the MAC addresses of the hardware in a network.
Examples of Man-in-the-Middle (MitM) attacks over the last two decades
According to various cybersecurity reports, it is estimated that hundreds of millions of credentials are stolen each year through MitM tactics alone. The number of MitM cases has surged with the rise of mobile devices and public Wi-Fi networks over the last two decades and is estimated to reach tens of thousands of cases annually. The implications can be devastating, leading to data breaches, financial losses for businesses and individuals alike, and compromised personal information. Some important examples are:
- 2011, MitM on Internet Service Providers: Attackers exploited a weakness in the SSL encryption used by several major companies, including Google and Yahoo. This breach exposed sensitive user data and illustrated just how vulnerable our online communications can be.
- The 2013 Edward Snowden leaks: Snowden’s revelations shook the foundations of privacy and security in the digital age. The National Security Agency (NSA) was not just monitoring communications but actively impersonating major tech companies like Google. By intercepting all traffic and spoofing SSL encryption certificates, the NSA executed a Man-in-the-Middle attack that allowed them to access sensitive information without users ever knowing.
- 2014 attack on Google’s servers: Cybercriminals were able to intercept traffic between users and Google services by compromising a certificate authority. This breach affected millions of users and raised serious concerns about trust in digital communications.
- 2014 U.S. government’s Office of Personnel Management incident: Attackers intercepted data during transmission, compromising personal information of millions of federal employees with the.
- The famous 2017 Equifax case: Financial data of nearly 150 million Americans was breached over a period of several months. The Equifax website relied on a shared SSL certificate for hosting which was also used by thousands of other websites. This led to DNS and SSL spoofing, redirecting users to fake websites or intercepting data from the site.
- 2023 phishing at social media platform Reddit: The attacker designed a convincing fraudulent copy of Reddit’s intranet portal, which deceived employees into entering their login credentials and unknowingly handing hundreds of sensitive credentials to the attackers. Fortunately, no greater harm resulted.
- Keep in mind: This was only a tiny example list of thousands of recorded Man-in-the-Middle incidents over the last years.
What are the different kinds of Man-in-the-Middle (MitM) attacks?
There are many different MitM techniques, and the most important ones are described below.
Interrupting & interception of data
Rogue Access Point (a kind of Wi-Fi Eavesdropping)
If a device has its auto-connect function activated, it automatically connects to the access point in close proximity that sends out the strongest signal, often a free Wi-Fi. A Rogue Access Point can also carry a pleasant or trustworthy-sounding name (e.g. the name of a known company, “free Wi-Fi hotspot”, etc.) and is placed where many people need Internet connectivity. This seemingly innocent act could expose you to an attacker’s carefully disguised network: an access point designed to intercept your data. Once connected, attackers can monitor your online activities, capture sensitive information, and even manipulate your device.
DNS Spoofing (DNS Cache Poisoning)
DNS spoofing (or DNS cache poisoning), is a malicious technique allowing attackers to manipulate the domain name system (DNS) and redirect victims to fraudulent websites without their knowledge. By exploiting vulnerabilities in the DNS infrastructure, attackers can associate a legitimate domain name with an incorrect IP address, effectively hijacking the user’s connection.
Imagine typing in your bank’s website only to find yourself on a lookalike site designed to harvest your personal information. This is precisely what DNS spoofing can do. Attackers target unsuspecting victims by misleading them into providing sensitive data such as passwords or credit card numbers.
This attack is mostly used in offices, shops, train stations, … but not that often in homes or on the public Internet. On the public Internet, it usually requires the active involvement of governments.
IP Spoofing
IP spoofing is a technique similar to DNS spoofing, but it manipulates the IP address rather than the DNS; the two methods are often combined. By manipulating the IP address, attackers can impersonate legitimate sources, making it appear as though they are accessing or sending information from a trusted entity. This form of deception can lead unsuspecting users to fraudulent websites that mimic legitimate web pages.
When DNS addresses are compromised through spoofing, users may find themselves redirected to malicious sites without their knowledge. These illegitimate webpages often look strikingly similar to the real ones, tricking individuals into entering sensitive information like passwords or credit card details.
You can find these attacks mostly in the same environments as DNS spoofing.
ARP Spoofing (Cache Poisoning)
Just as DNS resolves domain names to IP addresses for a browser, the Address Resolution Protocol (ARP) resolves IP addresses into MAC addresses within a Local Area Network (LAN); ARP spoofing is a method that exploits this protocol. The attacker sends falsified ARP messages over the network, effectively linking a malicious MAC address with the IP address of another host. In environments where devices rely on ARP to resolve unknown IP addresses into MAC addresses, this manipulation can lead to unauthorized access and data breaches. The implications of ARP spoofing are serious: attackers can eavesdrop on sensitive information or even launch further attacks against other devices on the network.
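The practical defender-side counterpart to the paragraph above is to watch the IP-to-MAC bindings that ARP replies announce and flag changes. The following Python script is an added example, not part of the original article; it works on constructed sample ARP replies embedded in the script, and the gateway address is an assumption. It applies the two checks that most ARP-watch tools use: an IP (especially the gateway) whose MAC changes during the capture, and a single MAC answering for more IP addresses than a normal host would.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One observed ARP reply: the sender claims to own `ip` with hardware address `mac`."""
    ts: float  # seconds since capture start
    ip: str    # sender protocol address
    mac: str   # sender hardware address


GATEWAY_IP = "192.168.1.1"  # assumption: the LAN's default gateway

# Constructed sample data (not a real capture): a legitimate gateway reply, a
# workstation reply, then a second host claiming the gateway's IP and, shortly
# after, the workstation's IP as well.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),
    ArpReply(2.5, "192.168.1.1", "DE:AD:BE:EF:00:99"),   # gateway IP now claimed by a new MAC
    ArpReply(3.0, "192.168.1.20", "de:ad:be:ef:00:99"),  # same MAC also claims .20
]


def detect_arp_spoofing(replies, gateway_ip=GATEWAY_IP, max_ips_per_mac=1):
    """Return a list of alert strings, in time order.

    Rule 1: an IP whose announced MAC changes within the capture (HIGH if it is
            the gateway, since that redirects all off-subnet traffic).
    Rule 2: a MAC that answers for more distinct IPs than `max_ips_per_mac`.
    A legitimate hardware replacement also trips rule 1, so alerts should be
    compared against a known-good baseline before acting on them.
    """
    alerts = []
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    for r in sorted(replies, key=lambda x: x.ts):
        mac = r.mac.lower()  # normalise case so "DE:AD" and "de:ad" compare equal
        prev = ip_to_mac.get(r.ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if r.ip == gateway_ip else "MEDIUM"
            alerts.append(f"{sev} t={r.ts:.1f}s: {r.ip} moved from {prev} to {mac}")
        ip_to_mac[r.ip] = mac
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(r.ip)
        # Alert only when the set actually grows past the limit, so repeated
        # replies with an already-known binding do not re-alert.
        if len(mac_to_ips[mac]) > max(before, max_ips_per_mac):
            alerts.append(f"MEDIUM t={r.ts:.1f}s: {mac} now claims {sorted(mac_to_ips[mac])}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES):
        print(line)
```

On the sample data the script raises one HIGH alert (the gateway IP moving to a new MAC) and two MEDIUM alerts (the workstation IP moving, and one MAC claiming two IPs). Feeding it real replies means reading them from a packet capture, which is left out here to keep the example offline.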
Decryption of data
Secure Sockets Layer (SSL) Hijacking (Stripping)
In an SSL hijacking attack, malicious actors exploit vulnerabilities in the SSL protocol or its successor (TLS) to intercept and manipulate the communication between a victim’s computer and a server. A secure HTTPS-based address request is altered and redirected to an unencrypted HTTP equivalent. Consequently, the attacker gets a chance to see sensitive information in plain text.
This usually only happens if a service has not sufficiently protected its private keys, and they have been stolen, or hackers have received active support from a government.
E-Mail Hijacking
Attackers are becoming increasingly sophisticated in their methods, often employing Social Engineering tactics to manipulate victims into trusting them. They may craft counterfeit emails that appear to come from legitimate sources, tricking unsuspecting users into revealing their login credentials.
Imagine receiving an e-mail that seems to be from your bank or a trusted colleague, urging you to click on a link or provide sensitive information. This is the essence of email hijacking - an artful deception designed to exploit your trust for malicious purposes. Once attackers gain access to your email account, they can wreak havoc by stealing personal information, sending phishing messages to your contacts, or even initiating financial fraud.
Session Hijacking
In this malicious attack, an attacker gains unauthorized access to a user’s session by stealing or predicting their session token. This can happen in various ways, including packet sniffing on unsecured networks, where sensitive data such as passwords and personal information can be easily intercepted. An attacker could exploit this access to steal sensitive data, manipulate transactions, or even impersonate you online. The consequences can be devastating, leading to financial loss and identity theft.
Theft of browser cookies
Theft of browser cookies generally happens together with another MitM attack. While other MitM methods, e.g. Rogue Access Point or Session Hijacking, give the attacker access to the device, theft of browser cookies yields access to the information saved within cookies, e.g. passwords, credit card information and other sensitive data.
What are the goals of Man-in-the-Middle (MitM) attacks?
With MitM attacks, criminals are interested in all kinds of data, as long as they can derive some benefit from it. However, the decisive factor here is who the attackers are.
Individual hackers often act for the sake of easy money, while state-sponsored actors, companies or other states want to cause as much damage as possible.
A worthwhile target, for example, is the activity of online banking users: the attacker can change the destination account number of a transfer, or adjust the amount. If business data, future plans, e-mails, chat messages or even telephone calls of companies are intercepted, they can be sold on the darknet or used for ransom attempts. Competitors could also gain a market advantage from this.
Can MitM attacks be detected?
Unfortunately, it takes a very close inspection to recognize a MitM attack. The greatest possible efforts should be made to prevent MitM attacks from occurring in the first place (see next section). Sadly, not all MitM attacks can be prevented in advance. For this reason, your own networks should be continuously monitored, otherwise MitM attacks can go unnoticed for a long time and cause extensive damage. Examples of how to recognize potential MitM attacks include:
- Sporadic prolonged loading times for websites, including disconnections, should be a warning sign.
- If these occur frequently, you should rule out ordinary network problems and make sure that no attacker is reading your traffic.
- A sudden display of unencrypted http:// addresses where encrypted HTTPS addresses were previously shown requires an immediate security check, so that attackers can be fended off as quickly as possible.
- Regular checking of proper page authentication, plus some form of tamper detection and, where necessary, retrospective forensic analysis.
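The downgrade sign in the list above (HTTPS addresses suddenly appearing as plain HTTP) can be checked retrospectively in proxy or gateway logs rather than by eye. The Python script below is an added example and not part of the original article; the key=value log format and the sample lines are constructed for the example. It parses the lines and raises one alert per client/host pair the first time a plain-HTTP request follows an HTTPS request from the same client to the same host, which is the pattern an SSL-stripping MitM leaves behind.

```python
import re

# Constructed sample lines in a made-up key=value proxy log format (assumption).
# Client 10.0.0.5 reaches bank.example over HTTPS, then over plain HTTP.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z client=10.0.0.5 host=bank.example scheme=https status=200
2024-05-01T10:00:04Z client=10.0.0.5 host=news.example scheme=http status=200
2024-05-01T10:02:10Z client=10.0.0.5 host=bank.example scheme=http status=200
2024-05-01T10:02:11Z client=10.0.0.7 host=bank.example scheme=https status=200
2024-05-01T10:03:00Z client=10.0.0.5 host=bank.example scheme=http status=302
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) host=(?P<host>\S+) "
    r"scheme=(?P<scheme>https?) status=(?P<status>\d{3})$"
)


def parse_log(text):
    """Parse log text into a list of dicts; malformed lines are skipped.
    In production the skipped count should be reported, since an attacker
    tampering with logs would also show up as parse failures."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_downgrades(events):
    """Return one alert per (client, host) pair at the first plain-HTTP request
    that follows an HTTPS request from the same client to the same host.
    Hosts only ever seen over HTTP (news.example) are not flagged: they never
    had an encrypted session to be stripped."""
    seen_https = set()
    alerted = set()
    alerts = []
    for e in events:  # log order is assumed to be chronological
        key = (e["client"], e["host"])
        if e["scheme"] == "https":
            seen_https.add(key)
        elif key in seen_https and key not in alerted:
            alerted.add(key)
            alerts.append(
                f"{e['ts']} {e['client']} -> {e['host']}: HTTPS session followed by plain HTTP"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect_downgrades(parse_log(SAMPLE_LOG)):
        print(alert)
```

Legitimate sites that still serve some content over HTTP will trip this rule, so the alert list is a triage queue, not a verdict; the hosts that should never appear in it are the ones that publish a Strict-Transport-Security policy.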
If you discover that you have been the victim of a MitM attack, you need to take similar measures to those for many other cyberattacks. The first step is to disconnect the affected computer from the internet. The next step is to immediately notify the IT department and manually log out of all applications in use. This includes cloud applications and collaboration tools such as Teams or Slack.
However, a Man-in-the-Middle attack can also result in a data protection incident, as it is legally considered a data breach. It can therefore be helpful to seek legal advice at an early stage in order to discuss a suitable course of action and to clarify information obligations with the persons concerned.
Depending on the severity of the data breach, it may also be necessary to report it to the relevant data protection authority.
How can you protect yourself from Man-in-the-Middle (MitM) attacks?
The better your own IT security is, the more difficult it is for an attacker to carry out MitM attacks. If the following examples are all taken to heart, the probability of a MitM attack can be significantly reduced:
- Software updates: As a rule of thumb, the older the systems and programs, the more likely they are to have serious security vulnerabilities. Consequently, software updates are the best protection against Man-in-the-Middle attacks. Reliable protection can only be guaranteed if the systems and programs used are kept up to date with patches, updates or completely new versions.
- Personalize your router access. Default router access settings are a welcome target for hackers. Personalizing your access makes it much more difficult to misuse your own router.
- Do not trust any network, whether private, company or public (the Internet), as all of them can potentially be compromised. As long as both your location and the website you visit are in a GDPR-conform country (e.g. EU, Switzerland, Norway, Japan, New Zealand), simply pay attention that you use an encrypted connection: if the web address starts with https:// and the browser does not warn you about an insecure connection, you can assume that valid certificates are in use and you are on the safe side. If you are outside a GDPR-conform country, or want to access a web page hosted outside one, make sure that the connection between your computer and the web server you want to reach is secured by encryption (e.g. a VPN connection). Outside this secure framework, ensure:
  - Strong WPA2/3 encryption on the access point (router): strong encryption makes it more difficult for attackers to get into a network.
  - That the auto-connect Wi-Fi function is deactivated and you only log into known networks.
  - That a Virtual Private Network was pre-configured within a GDPR-conform country, including the set-up of valid certificates, so that these certificates are not loaded, and cannot be manipulated, while you are in a third country.
  - That a Virtual Private Network (VPN) is used, and that public Wi-Fi networks (such as those at train stations, airports or hotels) are avoided without a VPN, to ensure secure access.
- Password Manager: Use of a password manager to store passwords and access data securely. In addition, the use of two-factor authentication further improves the level of security.
- Website operators: Communication between the website and its users can be secured with a private/public key pair (the site’s TLS certificate). This prevents an attacker from downgrading the data to plain HTTP, intercepting it and using it. Users themselves can use browser plugins that enforce the continued use of HTTPS.
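On the operator side, the standard way to stop a browser from being talked down from HTTPS to HTTP is the HTTP Strict-Transport-Security (HSTS) response header defined in RFC 6797. The Python checker below is an added example, not the article’s or any project’s code; the sample header sets are constructed, and the one-year minimum for max-age is a threshold assumed here (it is the value the browser preload list requires). It parses the header the way a browser does (directive names are case-insensitive, values may be quoted) and reports what is missing or too weak.

```python
ONE_YEAR = 31_536_000  # seconds; assumed minimum max-age for a robust policy


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into {directive_name: value}.
    Names are lower-cased; valueless directives (includeSubDomains, preload)
    map to True; quoted values have their quotes stripped."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def evaluate_hsts(headers):
    """Return a list of findings for a response's headers (dict; header names
    matched case-insensitively). An empty list means the policy passes."""
    value = next(
        (v for k, v in headers.items() if k.lower() == "strict-transport-security"), None
    )
    if value is None:
        return ["no Strict-Transport-Security header: a downgrade to plain HTTP is still possible"]
    d = parse_hsts(value)
    findings = []
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not str(max_age).isdigit():
        findings.append("max-age missing or not a number: the policy is invalid")
    elif int(max_age) == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif int(max_age) < ONE_YEAR:
        findings.append(f"max-age {max_age} is shorter than one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing: subdomains may still be reached over HTTP")
    return findings


# Constructed sample responses (assumption: headers already collected over HTTPS,
# since browsers ignore HSTS received over plain HTTP).
SAMPLE_RESPONSES = {
    "good": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
    "weak": {"strict-transport-security": 'max-age="300"'},
    "disabled": {"Strict-Transport-Security": "max-age=0"},
    "absent": {"Content-Type": "text/html"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        print(name, evaluate_hsts(headers) or ["ok"])
```

The checker reads headers you already hold; wiring it to a live site is a matter of fetching one HTTPS response and passing its header dict in. Note that an HSTS policy only protects visitors who have already seen it once over a clean HTTPS connection (or who ship with the preload list), which is why the first visit still deserves the downgrade monitoring described in the detection section.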
As we look towards securing our digital environments, it is crucial for individuals and organizations alike to understand these examples of MitM attacks. Awareness can lead to better protective measures against potential vulnerabilities in our communication systems, ensuring that privacy and security are upheld in an increasingly interconnected world.
By following the protection rules above, users can nowadays prevent most MitM attacks by individual hackers. However, outside the GDPR-conform countries (e.g. EU, Canada, Switzerland, Norway, Japan), state-sponsored attackers or governmental organizations can still interrupt, intercept and decrypt Internet communication between countries by manipulating the Border Gateway Protocol at country level. Doing this is extremely complex, but hiding such a MitM system at country level is even harder, so the ordinary user should not be too worried about this happening to their data, which is mostly not of national interest to governments. A user outside these GDPR-conform countries who must make sure that no MitM attack is underway should use a VPN as described above, with locally installed security certificates, so as not to be affected by a potential DNS/IP spoofing attack by a governmental organization.