What is a Man in the Middle Attack?

A man in the middle attack (often abbreviated as MitM or MiM) is a type of session hijacking cyberattack. Hackers intercept information shared digitally, typically either as an eavesdropper or to impersonate someone else. This type of attack is extremely dangerous, as it can lead to several risks, such as stolen information or fake communications, that are often hard to detect because the situation appears completely normal to legitimate users.

This article will cover everything you need to know about man in the middle attacks, including:

• What is a man in the middle attack?
• How does a man in the middle attack work?
• What are different types of a man in the middle attack?
• What are the potential risks of a man in the middle attack?
• How are man in the middle attacks evolving?
• What are real life examples of a man in the middle attack?
• How can you protect against a man in the middle attack?

A man in the middle attack occurs when a third party intercepts a digital conversation without any knowledge of that interception from the legitimate participants. This conversation can occur between two human users, a human user and a computer system or two computer systems.

In any of these cases, the attacker might simply eavesdrop on the conversation to obtain information (think login credentials, private account information, etc.) or they might impersonate the other user to manipulate the conversation. In the latter instance, the attacker might send false information or share malicious links that can crash systems or open the door for additional cyberattacks. Typically the legitimate users are unaware they are actually communicating with an illegitimate third party until well after the fact when damage has already been done. 

A man in the middle attack is an example of session hijacking. Other types of session hijacking attacks include cross-site scripting, session side-jacking, session fixation and brute force attacks.

Executing a man in the middle attack requires a hacker to gain access to a user’s connection. One of the most common ways to do this is by creating a public wifi hotspot that anyone nearby can join, no password required. Once users join this network, the hacker can access all of their digital communications and even log keystrokes to act as a man in the middle.

The public wifi example is the most common and simplest way to launch a man in the middle attack, but it’s not the only way to do so. Other common approaches include:

• Sending users to a fake website: Hackers can send users to a fake website instead of their intended destination by engaging in IP spoofing or DNS spoofing. IP spoofing occurs when the hacker alters packet headers in an IP address, while DNS spoofing occurs when the hacker gains access to a DNS server and changes the website’s DNS record. In either case, the user ends up on a fake website owned by the hacker (where they can then capture all information) despite it appearing completely real.
• Rerouting data transfers: Hackers can reroute the destination of communications by engaging in ARP spoofing. This occurs when the hacker connects their MAC address to the IP address belonging to one of the legitimate users involved in the communications. Once they make that connection, the hacker can receive any data intended for the legitimate user’s IP address.

In some cases, communications may be openly exposed, but in cases where the data is encrypted, man in the middle attacks involve yet another step to make that information readable to hackers. Hackers can attempt to decrypt any encrypted information through approaches like:

• SSL hijacking: Hackers fake authentication keys to establish what seems like a legitimate, secure session. However, since the hacker owns these keys, they can actually control the entire conversation.

• SSL BEAST: Hackers target a vulnerability in SSL to install malware on a user’s device that can intercept encrypted cookies intended to keep digital communications private and secure.
• SSL stripping: Hackers can turn a more secure HTTPS connection into a less secure HTTP connection, which removes encryption from web sessions and exposes all of the communications during those sessions.

There are a variety of types of man in the middle attacks, each of which has potentially different consequences for the victims. Common types of man in the middle attacks include:

A hacker can snoop conversations for any period of time to capture information they will use at a later date. They don’t necessarily need to alter the communication in any way, but if they can gain access to details shared, they can learn confidential information or obtain login credentials to use at any time.

A hacker can use a technique like SSL hijacking to alter communications by pretending to be another user. For example, suppose Alice and Bob think they’re communicating with one another. In that case, the hacker might sit in the middle of this conversation and alter the messages each sends to one another. This approach can be used to send false information, share malicious links or even intercept important details, such as a user sending their bank account and routing number for a deposit.

A hacker can send users to a fake website (a common example of this is through a phishing attempt) that appears exactly like their intended destination. This setup allows them to capture any information like login credentials or account details that users would submit for the legitimate website. In turn, the hacker can use this information to pose as the user on the actual website to access financial information, alter details, or even send phony messages.

A man in the middle attack can lead to a variety of negative consequences. In fact, man in the middle attacks are often a stepping stone for hackers to launch even bigger, more impactful attacks. With that in mind, some of the biggest potential risks of a man in the middle attack include:

A man in the middle attack can lead to fraudulent transactions, either by eavesdropping to collect login and account information or by rerouting transfers. Most often, this applies to financial transactions, either directly from a bank or through credit card payments.

Capturing a user’s login credentials, sending them to a fake website or even just eavesdropping on emails can lead to stolen confidential information. This consequence can be particularly worrisome for large-scale organizations that have protected intellectual property or collect sensitive data like customers’ health records or social security numbers. It’s also a concern as more and more privacy legislation emerges that requires all kinds of businesses to protect the information they process about their customers.

Stealing users’ login credentials through a man in the middle attack can also give hackers access to any number of additional systems. This means that even if only one system is susceptible to attack, it might make other, more secure systems more vulnerable as a result. Overall, this situation requires organizations’ security teams to ensure there is no weak link, no matter how trivial any given connection point might seem.

Hackers can use a man in the middle attack to share malware with users. In turn, this malware can lead to a widespread attack, such as one that takes down an entire system or that provides ongoing access to information or systems to execute a long-term assault.

Two trends have led to an evolution in man in the middle attacks and created an increased risk for organizations as a result.

First is the rise of mobile and distributed working environments, which ultimately means more people are connecting via public wifi networks (for both personal and business use). The more common this becomes, the more opportunities it creates for hackers to gain access via these unsecured connections. 

Second, and most concerning for organizations going forward, is the increase in Internet of Things (IoT) devices and machine identities. Not only do IoT devices require a different type of security, but they also create more connection points and identities that require authentication. If not properly secured, these machines create a variety of access points for hackers, many of which are seemingly innocent (i.e. HVAC units). No matter how mundane they may seem, all of these machines require strong security, for example through encryption and regular updates to make sure they adhere to the latest security protocols, to avoid making them vulnerable to man in the middle attacks.

Unfortunately, man in the middle attacks are quite common. Some of the most notable recent examples of this type of attack include:

In 2015, European authorities arrested 49 suspects for a series of bank account thefts executed throughout Europe using man in the middle techniques. The group stole approximately €6 million from European companies by gaining access to corporate email accounts, monitoring communications to watch for payment requests and then routing those transactions to their own accounts. This attack involved phishing attempts as well as standing up fake websites intended to look real.

In 2017, researchers discovered a flaw in the certificate pinning technology used in mobile apps from major banks, including HSBC, NatWest, Co-op, Santander and Allied Irish Bank. The flaw meant that a hacker on the same network as a legitimate user could access login credentials like usernames, passwords and pins without detection by not properly verifying the application’s hostname.

With this type of access, hackers could perform a man in the middle attack to view and collect information, act on behalf of legitimate users or even launch in-app phishing attacks. Interestingly, the weak point that provided access in this case stemmed from improperly managed processes for handling certificates, which are actually intended to improve security.

In 2017, Equifax, one of the biggest credit reporting agencies in the US, fell victim to a man in the middle attack via unsecured domain connections that led to the theft of personally identifiable credit information on over 100 million consumers. The attack started with Equifax’s failure to patch a vulnerability in a development framework it used, which allowed hackers to embed malicious code into HTTP requests. From there, the hackers were able to gain access to internal systems and eavesdrop on user activities to collect a variety of information for months.

Man in the middle attacks remain far too common and pose a serious threat to user and organizational security as a result. Despite the high threat of these attacks, there are several steps your organization’s security team and your users alike can take to protect against these risks. The best protection measures include:

One of the most common ways hackers gain access to execute a man in the middle attack is through unsecured connection points, such as public wifi. As a result, it’s important for users to be extremely careful with connection points. This means avoiding public wifi (and certainly not logging in to any systems if they are connected to a public network) and using a VPN to encrypt network connections.

Phishing attempts are another common entry point for man in the middle attacks, and the best ones can be very convincing. Educating users about these attacks and how they’re evolving can go a long way toward helping them spot attempts and avoid falling victim to them.

Navigating to a website by typing the URL rather than clicking a link is one best practice to help prevent successful phishing and other common tactics that initiate man in the middle attacks by sending users to a fake website or embedding malware. Doing so avoids cases where hackers send a slightly modified link that can open the door for an attack.

As users type in the URL address for a website, they should also include HTTPS and ensure that any website they visit has this level of security. Checking for HTTPS protocol might seem simple, but it can go a long way toward verifying site legitimacy and security before ever sharing sensitive information.

Several recent man in the middle attacks have asked users to go through steps to log in to a website that are not actually part of the normal login process, even though they seemed completely legitimate. Educating users on what normal login processes do and do not entail can help them more easily identify situations that are out of the ordinary.

On the security team side, getting to know users’ normal login habits can help more easily flag any unusual patterns. For example, if the majority of users tend to log in on weekdays but all of a sudden there’s a spike in activity on the weekends, that might be concerning and require further investigation.

Requiring users to log in with multi-factor authentication can provide another layer of protection against man in the middle attacks, this way even if hackers manage to obtain a username/password combination, they can’t get into accounts without another form of verification (e.g. a code sent by text message).

While this two-layer approach is not airtight, as some recent man in the middle attacks have gotten through both layers, it does provide significantly more protection.

Forcing users to log out of secured sessions once they’re complete is an important practice, since closing the session ends any access to it from both legitimate and illegitimate sources. In other words, the longer a session is open, the greater the risk becomes that a hacker can gain access to it in any number of ways.

Finally, a strong PKI program is critical to authenticating connections between users (both humans and machines) and encrypting their communications. A best practice approach to PKI requires a highly agile system that can keep up with the rapidly growing number of identities, apply security standards consistently across the board and regularly update encryption keys to avoid risks like key sprawl.