What Is a Man-In-the-Middle Attack?

Man-in-the-middle attacks, also known as MITM attacks, are a problem that affects the majority of internet users. During 2016, approximately 95% of HTTPS servers were at risk of MITM attacks. In 2022, Microsoft warned its users about a large-scale MITM attack that affected more than 10,000 organisations.

With both individuals and huge organisations being affected by MITM attacks, this guide aims to explain how MITM attacks work, what they are used for, and how users can take steps to avoid them.


What Is a Man-In-the-Middle Attack?

A man-in-the-middle (MITM) attack is when a hacker positions themselves between a user and an application and intercepts the messages passing between them. They either spy silently, or they impersonate one of the parties.

The goal of these attacks is usually to steal personal information. This information usually includes login information, account details, credit card numbers, and PIN codes.


Who Is At Risk of Man-In-the-Middle Attacks?

Hackers perpetrating MITM attacks usually target financial applications, SaaS (software as a service) businesses, e-commerce websites, or other sites that require login details. Apps that handle transfers of money tend to be at greater risk.


What Do Hackers Do With Your Information?

The information gained during MITM attacks is usually used for identity theft, unapproved fund transfers, or changing your passwords without authorisation to gain extended access to your account.

These attackers can also use your information during the infiltration stage of an APT (advanced persistent threat) attack.


What Happens During a Man-In-the-Middle Attack?

MITM attacks tend to happen in two phases: the interception phase and the decryption phase.

Interception

This is the first step of a MITM attack. This step intercepts a user’s traffic, diverting it through the attacker’s network before it reaches the intended destination.

A very common way of doing this is via public WiFi. An attacker will create a free WiFi hotspot in a public location, typically giving it a name that relates to the location itself, such as the name of a specific building.

These WiFi hotspots are not password protected, so anyone can connect to them. As soon as a user connects, the attacker can observe all of the data the user exchanges over that connection.

Interception can also be done by IP spoofing, in which an attacker impersonates an application by altering the IP headers of its packets, so that users trying to access a specific URL are instead connected to the attacker’s website.

Decryption

After interception is complete, the attacker must decrypt any two-way SSL traffic without alerting the user or the application. This can be done in a variety of ways.

A very common method for decryption is HTTPS spoofing, in which a fake certificate carrying a digital thumbprint that appears to belong to the targeted application is sent to the victim’s browser. The browser then treats the site as trusted, and the attacker is able to read any information that the victim passes to the targeted application.


What Are the Types of Man-In-the-Middle Attacks?

Internet Protocol Spoofing

IP spoofing is when hackers alter the source IP address in order to mask their identity, duping users into believing that they are interacting with a trusted source. These users will comfortably share personal information with the website, such as bank details, allowing the hackers to intercept it.

Domain Name System Spoofing

Hackers alter domain name records and redirect traffic to fake websites. Users attempting to reach a legitimate website instead enter their login details into a website operated by the hackers. The main aim of this type of attack is to steal login credentials.

HTTPS Spoofing

If you see ‘https’ instead of ‘http’ before the URL of a website, this indicates that you are on a secure connection. However, during an HTTPS spoofing attack, the browser session is redirected to an insecure HTTP version of the website instead, without the user agreeing or knowing. This enables hackers to monitor the user’s interactions with the website and steal their information.
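The downgrade described above is what the Strict-Transport-Security (HSTS) header exists to prevent: once a browser has seen the header over a genuine HTTPS connection, it refuses to load that site over plain HTTP for the stated period, even if something on the path hands it an http:// link. The following Python model of that browser logic is an added example and is not part of the original article; the host names, header values and the timestamps passed as `now` (epoch seconds) are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

class HstsStore:
    def __init__(self):
        # Constructed model of a browser's HSTS cache: host -> (expires_at, include_subdomains)
        self._entries = {}

    @staticmethod
    def parse_header(header):
        # Returns (max_age, include_subdomains), or None if the header is invalid
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().lower().partition("=")
            if name.strip() == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return None
            elif name.strip() == "includesubdomains":
                include_sub = True
        if max_age is None or max_age < 0:
            return None
        return max_age, include_sub

    def record(self, host, header, over_tls, now):
        if not over_tls:
            return  # a header received over plain HTTP could have been forged on the path
        parsed = self.parse_header(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        if max_age == 0:
            self._entries.pop(host.lower(), None)  # max-age=0 removes the policy
        else:
            self._entries[host.lower()] = (now + max_age, include_sub)

    def must_upgrade(self, host, now):
        """True if host, or a parent domain with includeSubDomains, has a live entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def rewrite_url(self, url, now):
        """Upgrade http:// to https:// when HSTS applies, so a downgraded page never loads."""
        p = urlsplit(url)
        if p.scheme == "http" and self.must_upgrade(p.hostname or "", now):
            return urlunsplit(("https", p.netloc, p.path, p.query, p.fragment))
        return url
```

The policy only takes effect after one clean HTTPS visit, which is why the first-ever connection to a site (or a visit after the policy expires) remains the window a downgrade attack relies on.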

SSL Hijacking

SSL (secure sockets layer) hijacking is when a hacker uses another computer and secure server to intercept the information being sent between the server and the user’s own computer. 

Email Hijacking

Hackers are able to gain control of the email accounts of banks and other financial institutions. These email accounts are then used to track any transactions that the user makes.

Sometimes hackers are even able to make a fake email account that spoofs the email address of the bank. This is then used to send users fake instructions that lead them to send money or personal information to the hackers, thinking that they are required to do this by the bank.

Session Hijacking

This is when hackers steal personal data and passwords that are stored inside the cookies of a user’s browsing session. This can be used to steal money from people’s bank accounts, or to commit identity theft. 

This technique is also known as stealing browser cookies.


How Can I Prevent Man-In-the-Middle Attacks?

People can greatly decrease their chances of becoming the victim of a MITM attack simply by paying attention to browser notifications reporting that a website is not secure. Users should also log out of apps when they are not in use.

People should also take care when using public WiFi. This means avoiding WiFi connections which are not password protected, as well as avoiding using public networks (e.g. in coffee shops and hotels) when sharing sensitive information with websites and applications.