What Is MITM Attack And How To Prevent It?

Haseeb Awan
September 23, 2022
Modified On
April 5, 2023


You sit down at your favorite coffee shop, log on to the free WiFi hotspot with your laptop, and begin browsing the internet. But there's someone else there with you - an invisible entity that stands between you and safe internet use. This unseen gatekeeper sees everything you do and is waiting for its opportunity to strike.

The Hiscox Cyber Readiness Report 2021 pulls no punches: according to it, one in six companies attacked by hackers in the previous year faced a survival crisis. Businesses now spend 21% of their IT budget on cyber security (63 per cent more than in 2020). Man-in-the-middle attacks are among the most difficult kinds of cyberattacks to detect and can cause a great deal of damage, so let's look at what you can do to protect yourself and your organization.

After the 9/11 terrorist attacks, the United States government passed the Patriot Act. This act allowed for the surveillance of US citizens without a government warrant. In response to this invasion of privacy, many people have fought against these proceedings. Whistleblowers like Edward Snowden have shown everyone how much data is being collected by agencies like the NSA without permission.

When the NSA listens in on our conversations, many of us don't appreciate it - even though they are the "good guys." Just imagine if the bad guys were doing this instead. It's a pretty scary prospect. When someone hijacks data and communications while they are in transit so that they can exploit them for nefarious purposes, we call this a man-in-the-middle attack. That's why it is critical to understand how to prevent a man-in-the-middle attack and which countermeasures are most effective.

What is an MITM Attack?

In a man-in-the-middle (MITM) attack, the attacker secretly inserts themselves between two communicating parties, impersonating each one to the other in order to eavesdrop on the conversation. This way, the attacker can read, control and manipulate the entire conversation without being detected.

It's important to note that while most malicious traffic on your network likely originates from a weak security posture, a small percentage (about five per cent) of this traffic will come from an attacker attempting to launch a MITM attack. These attacks are far more dangerous than traditional phishing or spear-phishing scams because they give the attacker real-time access to sensitive personal information such as account numbers, login credentials, and credit card details.

"Man-in-the-middle" describes an attacker who sits between two or more computers and uses their resources to exploit one victim while hiding their presence from the other(s). MITM attacks are also known as machine-in-the-middle, monster-in-the-middle, monkey-in-the-middle and man-in-the-browser attacks. The most prevalent type is the man-in-the-browser attack, in which attackers infect the browser by installing malicious proxy malware on users' devices; phishing emails are frequently used to distribute this malware. The primary goal is to steal financial information by monitoring a user's traffic as it passes through a banking or financial website.

The Science Behind Man-in-the-Middle Attacks

All MITM attacks have two stages: interception and decryption.

The first stage: Interception

In the interception stage, attackers take advantage of open or unsecured WiFi routers and DNS servers to gain access to a network. They get into the system by targeting router vulnerabilities and entry points; usually this means a weak password, but more sophisticated methods such as cache poisoning or IP spoofing may also be used.

After locating a target, the attacker uses data capture tools to collect the victim's transmitted data. This might include redirecting traffic or altering the user's online experience.

The Second Stage: Decryption

The second stage is decryption, in which the stolen data becomes legible to the criminals. The now accessible information can be used for criminal activity such as identity theft or fraudulent bank transactions. Sometimes these attacks also disrupt a company's operations and cause havoc for the victim.

Examples Of Man-In-The-Middle Attacks In The Real World

Although MITM attacks are common, they usually don't happen on a large scale. Some experts have stated that about 35% of all cyberattacks can be linked to MITM tactics. For example, hackers could take advantage of an unsuspecting person using public WiFi at a cafe or airport. However, there have been some notable cases in the past ten years.

In December 2019, a group of hackers completed what cybersecurity researchers have called the "ultimate" MITM score. After several unsuccessful attempts, the hackers acquired $1 million by fooling a Chinese venture capital firm out of funds that were to be sent to an Israeli startup. The attackers used fake email domains and communications, hijacked each party's account to redirect the transaction, and cancelled an in-person meeting to complete the wire transfer fraud.

In 2019, CrowdStrike found that two of the biggest cybercrime groups, Lunar Spider and Wizard Spider, were joining forces to defraud people with MITM attacks. Together they used BokBot (Lunar Spider) and TrickBot (Wizard Spider) to create many fraudulent bank transactions. TrickBot's purpose is to infect web hosts and provide false SSL certificates to lower security measures. BokBot, on the other hand, redirects traffic and injects code into legitimate sites with malicious intent.

The credit score behemoth Equifax had to withdraw its applications from Google Play and Apple Store after a data breach in 2017. Cybersecurity experts later discovered that Equifax had not been using the HTTPS protocol correctly, allowing hackers to easily view sensitive personal and financial information when customers logged into their accounts.

In 2015, a married couple from South London was scammed out of £340,000 after hackers broke into their email. The email contained the couple's bank account number and sort code for a property they were selling. Posing as the real estate brokers, the hackers had the couple send money to fraudulent accounts.

Europol detained 49 members of a group that specialized in man-in-the-middle fraud in 2015. This type of fraud involves intercepting communications and posing as a bank to get victims to send money to fraudulent accounts. The arrests were made in Italy, Spain, Poland, Belgium, the UK, and Georgia.

Types of Man-in-the-Middle Attacks

Because the ways that MITM attacks are carried out can differ, it's tough to know what signs to look for and how to defend against them. Here are some of the most common methods.

IP Spoofing (Faking an IP Address)

An attacker may use a MITM attack to impersonate a device or application on the network. The attacker changes the information in network packets to make it appear that they are coming from a genuine device or program. An attacker can install the Mirai malware on a home PC and use it to join restricted networks and assets. The attacker may also impersonate the user's IP address and that of the server in order to eavesdrop on and monitor all communications between them.

Session Hijacking

When you log in to an account, a session token authenticates you. The session token verifies your identity until you log out or it expires. An attacker who gets hold of or steals the token can impersonate a genuine user and bypass all authentication phases.

There are two types of session hijacking:

  • Passive Session Hijacking: In this attack, the attacker eavesdrops on the communication between a user and the server. By monitoring the traffic, they can figure out when a session token is being used and steal it.
  • Active Session Hijacking: This attack is much more disruptive, as the attacker takes a more active role. The attacker sends a forged message to the server, tricking it into thinking the user has logged out. The attacker can then log in with their credentials and take over the session.

Rogue Access Points
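The server-side half of the defence against both forms of session hijacking is how the token itself is handled: it must be unguessable, it must expire, it must be re-issued after login and on logout, and the cookie carrying it must not be exposed to plain HTTP or page scripts. The following is an added illustration written for this article, not code from Efani or from any framework; the 15-minute idle timeout and the `SessionStore` API are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumed policy for this example: a token stops working after 15 minutes of inactivity.
SESSION_LIFETIME = 15 * 60


@dataclass
class Session:
    user: str
    expires_at: float


class SessionStore:
    """Server-side session store: opaque random tokens, idle expiry, rotation and logout."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable so tests can move time forward
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str) -> str:
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG: cannot be guessed
        self._sessions[token] = Session(user, self._clock() + SESSION_LIFETIME)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user bound to a live token, or None for unknown or expired tokens."""
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            del self._sessions[token]            # a captured token is useless once it has expired
            return None
        session.expires_at = self._clock() + SESSION_LIFETIME   # sliding idle timeout
        return session.user

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token and invalidate the old one.

        Call this after login and after any privilege change, so a token captured
        before that point (or planted through session fixation) stops working.
        """
        user = self.validate(token)
        if user is None:
            return None
        del self._sessions[token]
        return self.create(user)

    def logout(self, token: str) -> None:
        """Server-side invalidation: clearing the cookie in the browser alone is not enough."""
        self._sessions.pop(token, None)


def set_cookie_header(token: str) -> str:
    """Cookie attributes that limit how a token can leak or be replayed.

    Secure:   never sent over plain HTTP, so it survives an SSL-stripping attempt;
    HttpOnly: not readable by page scripts; SameSite=Strict: not sent on cross-site requests.
    """
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Strict; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    first = store.create("alice")
    second = store.rotate(first)
    print("old token still valid:", store.validate(first) is not None)   # False
    print("new token valid for:", store.validate(second))                 # alice
    print(set_cookie_header(second))
```

The point of `rotate` is that a token an eavesdropper copied during the passive phase is worthless the moment the legitimate user's session is re-keyed, and `logout` makes the server, not the browser, the authority on whether a session is alive.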

A rogue access point is a wireless access point set up by an attacker without the network owner's permission. Because many devices are programmed to connect to the strongest available open signal, an attacker can set up an access point close to a device and have it connect automatically. The attacker then controls all traffic between the user and the internet. The AP looks like a legitimate WiFi network and can be used to trick users into connecting; once a user connects, the attacker can intercept all their traffic. Rogue access points are often used in public places such as airports and coffee shops.

ARP Spoofing

ARP spoofing is an attack in which an attacker broadcasts false ARP (Address Resolution Protocol) messages over the local network. As a result, the victim's machine maps the attacker's MAC address to the IP address of another host on the network and sends all further traffic intended for that IP address to the attacker instead. Once the bogus ARP message has gone out, the attacker can answer any ensuing requests with their own MAC address and intercept important information like session cookies. However, ARP spoofing is only possible on older 32-bit IP addresses (IPv4); the newer IPv6 standard, to which much of the internet has now switched, makes this attack impossible.
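On a network you defend, the tell-tale symptoms of ARP spoofing are an IP address whose MAC address suddenly changes (especially the default gateway's) and a single MAC address answering for more than one IP address. The monitor below is an added example written for this article, not a tool from Efani; it replays a constructed list of ARP replies, so the addresses and timestamps are invented, and the alert format is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Sequence, Set, Tuple

# Constructed ARP reply records for this example: (timestamp, sender IP, sender MAC).
# The host at cc:cc:cc:cc:cc:20 starts answering for the gateway's address at t=4.0.
ARP_REPLIES: List[Tuple[float, str, str]] = [
    (1.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # real gateway
    (2.0, "192.168.1.10", "bb:bb:bb:bb:bb:10"),   # a workstation
    (3.0, "192.168.1.20", "cc:cc:cc:cc:cc:20"),   # a third host
    (4.0, "192.168.1.1", "cc:cc:cc:cc:cc:20"),    # third host now claims the gateway IP
    (5.0, "192.168.1.1", "aa:aa:aa:aa:aa:01"),    # real gateway answers again (flapping)
]


def monitor_arp(replies: Sequence[Tuple[float, str, str]], gateway_ip: str) -> List[str]:
    """Replay ARP replies and report the two classic spoofing symptoms.

    1. an IP address whose MAC changes (HIGH when it is the default gateway);
    2. one MAC address that answers for more than one IP address.
    """
    ip_to_mac: Dict[str, str] = {}
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[str] = []

    for ts, ip, mac in replies:
        mac = mac.lower()                        # normalise so AA:BB and aa:bb compare equal
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            severity = "HIGH" if ip == gateway_ip else "MEDIUM"
            alerts.append(f"{ts}: [{severity}] {ip} changed from {previous} to {mac}")
        ip_to_mac[ip] = mac

        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > 1:
            alerts.append(f"{ts}: [INFO] {mac} now answers for {sorted(mac_to_ips[mac])}")

    return alerts


if __name__ == "__main__":
    for line in monitor_arp(ARP_REPLIES, gateway_ip="192.168.1.1"):
        print(line)
```

Run against the constructed data it raises a HIGH alert at t=4.0 when the gateway's MAC flips, an INFO alert because the new MAC is now claiming two addresses, and a second HIGH alert at t=5.0 when the real gateway answers again; that flapping pattern is what tools such as arpwatch, and Dynamic ARP Inspection on managed switches, look for in production.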

SSL Hijacking

SSL hijacking is a type of man-in-the-middle attack in which the attacker tricks the victim into thinking they are connecting to a legitimate HTTPS website when in reality they are connecting to a site controlled by the attacker. One of the most common ways hackers use SSL hijacking is by setting up a WiFi network with a name similar to a legitimate one. By connecting to the attacker's network instead of the legitimate one, users expose all of their communications with the server to interception and reading.

Public WiFi Eavesdropping

A fake "public" network is a type of man-in-the-middle attack which functions similarly to rogue access points. By setting up a seemingly legitimate WiFi network in hotels, restaurants or offices, attackers can trick users into connecting to it and compromising their security. Once connected, the attacker can eavesdrop on traffic or escalate the attacks further by implementing SSL stripping, for example. This type of attack is similar to SSL Hijacking. However, it does not require the attacker to be on the same network as the victim. The attacker can trick victims into connecting by setting up a fake WiFi network with a similar name to a legitimate one. The attacker can then intercept and snoop on all communications.

SSL Stripping

An attacker that has already infiltrated a router or controls the WiFi network can force traffic towards HTTP sites instead of HTTPS. By doing this, the hacker becomes the party communicating directly with the site. They then connect the user to an HTTP version of that site without their knowledge.

In this form of man-in-the-middle attack the attacker easily overcomes the site's security barriers, viewing all of the user's communications in plain text, including login credentials.
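SSL stripping works because the client is willing to talk plain HTTP at all. The browser-side countermeasure is HTTP Strict Transport Security (HSTS, RFC 6797): once a site has declared itself HTTPS-only over a verified TLS connection, the client upgrades every later http:// request to https:// before it leaves the machine, so there is no plaintext request to strip. The class below is an added example written for this article, not Efani's code or a browser's implementation; the host names are placeholders and the `HstsCache` API is an assumption made for the example.

```python
import re
import time
from dataclasses import dataclass
from typing import Callable, Dict
from urllib.parse import urlsplit, urlunsplit

_MAX_AGE = re.compile(r'max-age\s*=\s*"?(\d+)"?', re.IGNORECASE)
_INCLUDE_SUB = re.compile(r"includeSubDomains", re.IGNORECASE)


@dataclass
class Policy:
    expires: float       # absolute time after which the host is forgotten
    subdomains: bool     # whether the policy also covers every subdomain


class HstsCache:
    """Remembers which hosts have declared HTTPS-only and upgrades plain http:// URLs to them."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._policies: Dict[str, Policy] = {}

    def record(self, host: str, header_value: str, over_tls: bool) -> bool:
        """Store the Strict-Transport-Security policy carried by one response.

        Returns True when the header was accepted. A header seen on a plain HTTP
        response is ignored: that is exactly the channel an interceptor controls.
        """
        if not over_tls:
            return False
        match = _MAX_AGE.search(header_value)
        if match is None:
            return False
        host = host.lower()
        max_age = int(match.group(1))
        if max_age == 0:
            self._policies.pop(host, None)       # max-age=0 tells the client to forget the host
            return True
        self._policies[host] = Policy(
            expires=self._clock() + max_age,
            subdomains=_INCLUDE_SUB.search(header_value) is not None,
        )
        return True

    def is_known(self, host: str) -> bool:
        """True when host, or a parent domain with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None or policy.expires <= now:
                continue
            if i == 0 or policy.subdomains:
                return True
        return False

    def upgrade(self, url: str) -> str:
        """Rewrite http:// to https:// for known hosts; any other URL is returned unchanged."""
        parts = urlsplit(url)
        if parts.scheme != "http" or parts.hostname is None or not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):          # keep a non-default port, drop an explicit :80
            netloc = f"{netloc}:{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    cache = HstsCache()
    cache.record("bank.example", "max-age=31536000; includeSubDomains", over_tls=True)
    print(cache.upgrade("http://bank.example/login"))      # https://bank.example/login
    print(cache.upgrade("http://www.bank.example/"))       # https://www.bank.example/
    print(cache.upgrade("http://unrelated.example/"))      # unchanged: no policy for this host
```

Two details matter for the stripping scenario: the policy is only ever learned from a TLS response, so an attacker on the WiFi cannot plant or cancel one, and the upgrade happens on the client before any request is sent, so the first visit is the only window in which stripping can still work (browser preload lists close even that).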

DNS Spoofing

DNS hijacking or spoofing is when a cybercriminal uses the domain name system to direct you to their fraudulent website rather than the site you want to visit. For example, you might try to log in to your online bank account but be redirected to a fake version of the bank's login page; your details would then be visible and accessible to the attacker. The user may not notice anything different, as the fake website will often have the same branding and design.

How to prevent DNS spoofing:

  • Use a reputable DNS service such as Google Public DNS or OpenDNS
  • Keep your DNS server software up to date
  • Configure your firewall to block DNS spoofing attacks

MITM Detection: Signs and Symptoms

A MITM attack is nearly impossible for the victim to detect because the criminal intends to go unseen. Hiring security experts to carry out threat hunting periodically can help alleviate this issue.

But how can you tell whether you're the victim of a MITM attack? Fortunately, there are some warning signs to look out for. These will help indicate that a cybercriminal is present and working against you.

Popups That Are Intrusive

This type of situation happens when you go to a website and are unexpectedly met with a popup that has an urgent message. The message might say a virus has infected your device or your computer needs a critical update. More often than not, these messages will include links for you to click so that you can download the supposed fix immediately.

If you click on a popup link from an email, it may take you to what looks like a legitimate website. However, the site is a front for malware that will download as soon as you click anything on the page.

Fake Websites

A MITM attack occurs when somebody has compromised your device and reroutes you to a fake website. They can't see what is on your computer, so they have to use deception to get information from you, like your account login details.

To protect yourself, look for "HTTPS" at the beginning of every website address you visit. If you don't see the "HTTPS" protocol on a well-known site like your bank, it's a cybercriminal attempting to deceive you. Likewise, if you attempt to go to google.com but are greeted with a different URL, such as go0gle.com, that's a big red warning that your traffic has been redirected to a fake website.

Certificates That Seem Suspicious

All credible websites have a certificate from a certification authority that verifies the website owner's identity. Your browser will check for this certificate and warn you if it is missing, invalid, or expired.

If your browser displays a certificate warning, it is telling you that you're about to visit a website set up by a criminal as part of a MITM attack. Do not continue to the site. Avoid sites without up-to-date certificates to prevent any possible scams.

MITM Protection Methods

Since MITM attacks are silent and undetectable to users, it is paramount that preventative steps are taken. Also, application developers need to confirm that their software cannot be infiltrated through a man-in-the-middle attack; however, there will always be cases where the user themselves would not be able to stop such an attack.

MITM attacks are difficult for an individual to detect and avoid. Here are some precautions that might prevent you from becoming a victim:

  • On email accounts, use two-factor authentication. Should an attacker get access to your email credentials, they won't be able to authenticate successfully since they don't have access to the 2FA code.
  • Use network traffic analysis tools. These tools aid in the detection of suspicious traffic and provide insights into ports and protocol usage across users and devices.
  • On mobile applications, certificate pinning is a useful security measure. Certificate pinning bans any attacker-supplied certificates from being utilized with the app. The application developer is responsible for certificate pinning.
  • Utilizing a VPN service on public WiFi networks can help protect against data breaches as the VPN uses its own encryption algorithm.
  • Education is critical when it comes to safeguarding your business from phishing attacks. Teach employees to identify phishing emails and protect themselves from malware or data breaches.
  • Deal with phishing threats. Email filters will identify most phishing emails or messages with harmful attachments and forward them to secure quarantine storage for administrator review.
  • Connecting to an unknown WiFi hotspot is dangerous, since attackers often set up rogue hotspots with names similar to seemingly safe sources. Before connecting to any public WiFi, always verify that it truly belongs to the official provider.
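The browser's certificate warning described under "Certificates That Seem Suspicious" and the certificate pinning recommended above are the same check applied at two strengths: first the client verifies that the certificate chains to a trusted authority and names the host it asked for, then a pinned app additionally insists that it be the specific certificate the developer shipped. The code below is an added example for this article, not Efani's code or any app's real pinning logic; the contrasting `weak_context` shows the misconfiguration that silently accepts an interceptor's certificate, and the host name and pin value in the demo are placeholders.

```python
import hashlib
import socket
import ssl
from typing import Iterable


def hardened_context() -> ssl.SSLContext:
    """TLS client settings under which an interposed certificate fails loudly."""
    ctx = ssl.create_default_context()       # system trust store, CERT_REQUIRED, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def weak_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate is accepted, so an interceptor presenting
    its own certificate is never noticed. Included for contrast only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False               # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """Self-check a test suite can run against every context an application builds."""
    return bool(
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


def cert_pin(der_cert: bytes) -> str:
    """Pin value used in this example: SHA-256 of the DER-encoded leaf certificate, hex."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, pins: Iterable[str]) -> bool:
    """Accept the certificate only if its hash is among the pins shipped with the app.
    Ship at least two pins (current and backup) so a routine renewal does not lock users out."""
    return cert_pin(der_cert) in {p.strip().lower() for p in pins}


def fetch_pinned_certificate(host: str, pins: Iterable[str],
                             port: int = 443, timeout: float = 5.0) -> bytes:
    """Connect with full chain and hostname verification, then apply the pin on top.

    wrap_socket raises ssl.SSLCertVerificationError for an untrusted chain or a wrong name
    before any application data is sent; the pin check then rejects a certificate that is
    trusted by the device but is not the one the app expects.
    """
    ctx = hardened_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if der is None or not pin_matches(der, pins):
                raise ssl.SSLError(f"certificate presented by {host} does not match any pinned hash")
            return der


if __name__ == "__main__":
    # Placeholder host and pin: substitute your own service and the hash of its real certificate.
    try:
        fetch_pinned_certificate("pinned-host.example", ["<sha256-hex-of-expected-der-cert>"])
    except (OSError, ssl.SSLError) as exc:
        print("connection rejected:", exc)
```

Pinning the whole certificate, as here, is the simplest form and breaks on every renewal; production apps usually pin the SubjectPublicKeyInfo hash instead so the key can be kept across renewals, but the decision logic is the same.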

Haseeb Awan
CEO, Efani Secure Mobile

I founded Efani after being Sim Swapped 4 times. I am an experienced CEO with a demonstrated history of working in the crypto and cybersecurity industry. I provide Secure Mobile Service for influential people to protect them against SIM Swaps, eavesdropping, location tracking, and other mobile security threats. I've been covered in New York Times, The Wall Street Journal, Mashable, Hulu, Nasdaq, Netflix, Techcrunch, Coindesk, etc. Contact me at 855-55-EFANI or haseebawan@efani.com for a confidential assessment to see if we're the right fit!
