What is a Man-In-The-Middle Attack?
These are very common cyber-attacks, well known as MiTM attacks. They allow attackers to eavesdrop on the communication between two targets (or hosts) who are trying to communicate legitimately; in effect, the attacker gets to 'listen in' on the conversation.
For example, Michael is communicating with Jane, but Samantha wants to stay hidden and listen to what Michael and Jane are talking about. Samantha would pretend to be Michael when she is communicating with Jane.
Similarly, Samantha could pretend to be Jane when she is communicating with Michael. When Michael believes that he is conversing with Jane (who is actually Samantha), he may reveal information that he would not otherwise reveal at all. In the same way, when Jane believes that she is conversing with Michael (who is actually Samantha), she may also reveal information that she would not otherwise. Samantha gathers information from this conversation, but that does not mean she BLOCKS the communication between Michael and Jane. She is, however, in a position (in the middle) to alter the responses and then pass the message on to either Michael or Jane, as it suits her. The whole point of this analogy is that Samantha has hijacked the actual conversation that is taking place between Michael and Jane.
MiTM attacks are not an end in themselves; they are executed to achieve some purpose. Attackers might use MiTM attacks to steal your login credentials or personal information, spy on their victim, sabotage communications, or corrupt your data. Their aim could be to redirect your efforts, funds, resources, or your attention.
How Does a MITM Attack Work?
At the most basic level, it happens something like this:
1. Person A sends Person B a message.
2. The MITM attacker intercepts the message without Person A's or Person B's knowledge.
3. The MITM attacker changes the message content or removes the message altogether, again, without Person A's or Person B's knowledge.
In technical terms, all MITM attacks work by exploiting weaknesses in network, web, or browser-based security protocols to divert legitimate traffic and steal information from their victims.
What are different types of Man-in-The-Middle Attacks?
MiTM attacks always involve sitting between two communicating parties, with the intention of either observing or manipulating the traffic. This can be done by interfering with legitimate networks or by creating fake networks that the attacker controls. Compromised traffic is then stripped of any encryption so that it can be stolen, changed, or rerouted to the attacker's destination of choice (such as a phishing log-in site).
Because attackers may be silently observing, or may re-encrypt the intercepted traffic and forward it on to its intended destination once it has been recorded or edited, this can be a difficult attack to spot.
There are a number of ways in which MiTM attacks are carried out:
1. Email Hijacking
There are two versions of these attacks. In the first version, attackers first take control of the email accounts of companies, e.g., banks, financial institutions, or other trusted parties who may have access to your sensitive data and money. Once inside, attackers can monitor your transactions and the correspondence between you (as customer) and the bank, for example.
In the other version, they may spoof or fake the email ID of your bank or other institution and send you emails with instructions, e.g., to resend your credentials or, in the worst case, to send/transfer money to an account controlled by the attackers. This sort of attack depends heavily on social engineering.
2. Wi-Fi Eavesdropping
In these attacks, attackers want you to connect to an 'Evil Twin' access point or to a nearby wireless network whose name sounds very legitimate to you. In reality, such access points or networks are specially set up with malicious intent. The Wi-Fi network might appear highly familiar to you, and in some cases you won't even need to enter a password to connect. Usually, the attackers then sniff the data packets sent over those networks.
Once you are connected to anything like this, attackers may choose to passively monitor your online activities, or they may scrape your login credentials, your credit or payment card details, or any other sensitive data. Such attacks also allow attackers to inject malicious data packets, but that requires a much higher level of skill on the attackers' part.
3. DNS Spoofing (poisoning)
In these attacks, attackers manipulate DNS records, which allows them to divert your legitimate traffic to a fake or spoofed website. Such a website is built very carefully to resemble a website you would most likely trust or visit frequently.
The idea is still the same: they want you to log in unwittingly to the fake website and to convince you to take some action, as I have mentioned above.
4. Session Hijacking
These attacks have an underlying principle of WAITING. Attackers wait for you to log in to some application, e.g., your email account or your banking app on your phone or laptop. Then they steal the 'session' cookie from the application. Simple!
The attackers then use the same cookie to log in to your account, but they access it from their own browser or application.
However, attackers need to work quickly, as sessions are temporary in nature and expire after a set amount of time (usually in minutes).
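The short lifetime mentioned above is one of several cookie attributes that limit what a stolen session cookie is worth; the others (Secure, HttpOnly, SameSite) decide whether the cookie can be captured over plain HTTP or read by injected script in the first place. The script below is an added example, not code from the original article: it parses Set-Cookie headers the way a defender might pull them from a proxy log and reports which protections are missing. The sample headers are constructed, and the session-name hints and the one-hour lifetime limit are assumptions to tune for your own applications.

```python
"""Audit Set-Cookie headers for the attributes that limit session-cookie theft.

Added example, not code from the original article. The sample headers are
constructed; the cookie-name hints and the one-hour lifetime limit are
assumptions a defender would tune for their own applications.
"""
from __future__ import annotations

# Constructed sample headers, as a defender might pull them from a proxy log.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Max-Age=900",
    "sessionid=def456; Path=/",                                    # no protection
    "auth=xyz; Secure; HttpOnly; SameSite=None; Max-Age=2592000",  # 30-day lifetime
    "theme=dark; Path=/; Max-Age=31536000",                        # not a session cookie
]

SESSION_NAME_HINTS = ("session", "sess", "auth", "token", "sid")  # assumption
MAX_SESSION_SECONDS = 3600  # assumption: flag session lifetimes above one hour


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Return (cookie name, {attribute in lower case: value or None})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None  # flag attributes such as Secure, HttpOnly
    return name, attrs


def looks_like_session_cookie(name: str) -> bool:
    """Heuristic: treat cookies whose name hints at a session or token as sensitive."""
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header: str) -> list[str]:
    """Return findings for one Set-Cookie header; an empty list means it passed."""
    name, attrs = parse_set_cookie(header)
    findings: list[str] = []
    if not looks_like_session_cookie(name):
        return findings  # only session-bearing cookies matter for hijacking
    if "secure" not in attrs:
        findings.append("missing Secure: cookie would be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: cookie readable by script")
    samesite = (attrs.get("samesite") or "").lower()
    if samesite not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: cookie sent on cross-site requests")
    max_age = attrs.get("max-age")
    if max_age is None:
        findings.append("no Max-Age: lifetime left to the browser session")
    elif int(max_age) > MAX_SESSION_SECONDS:
        findings.append(f"Max-Age {max_age}s exceeds the {MAX_SESSION_SECONDS}s limit")
    return findings


def audit_all(headers: list[str]) -> list[tuple[str, list[str]]]:
    """Return (cookie name, findings) for every header that failed a check."""
    report = []
    for header in headers:
        findings = audit_cookie(header)
        if findings:
            report.append((parse_set_cookie(header)[0], findings))
    return report


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_HEADERS):
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run against the constructed headers, the hardened `sessionid` cookie passes, the bare one fails every check, and the 30-day `auth` cookie is flagged for its lifetime and for `SameSite=None`; the `theme` cookie is skipped because it carries no session.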
5. SSL Hijacking
Some time ago, Google effectively pushed all websites to adopt HTTPS, which is why almost all websites now use it. It protects the data exchanged with a secure server.
In the same way, SSL/TLS is used to establish a secure connection between the computers in your network. When attackers execute SSL hijacking, they intercept all data passing between a server and your users' computers.
6. ARP Cache Poisoning
You already know that ARP is the protocol used for discovering the link-layer address (e.g., the MAC address) associated with a given internet-layer address. ARP is important because it provides the mapping between Internet Protocol (IP) addresses and link-layer addresses on the local network.
In these attacks, attackers introduce their own system into the network in such a way that the victim's computer is tricked into recognising the attacker's system as the 'network gateway'. Once your system, or another victim's, is talking to this (fake) gateway, all the traffic from your system is sent to the attacker instead of through the 'real' network gateway.
The attackers then use this diverted traffic to analyse and steal all the information they need, such as personally identifiable information (PII) stored in your browser, for example.
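The poisoning described above leaves a visible trace on every victim: the gateway's IP address suddenly maps to a different MAC, and that MAC is usually also answering for the attacker's own IP. The script below is an added example, not code from the original article: it compares two neighbour-table snapshots in the line format of `ip neigh show` on Linux and raises an alert for both signs. The snapshots are constructed and the gateway address is an assumption; on a real host you would capture the command's output at two points in time.

```python
"""Detect ARP cache poisoning from two neighbour-table snapshots.

Added example, not code from the original article. The two snapshots are
constructed in the line format of `ip neigh show` on Linux, and the gateway
address is an assumption; on a real host you would replace the strings with
the command's output captured at two points in time.
"""
from __future__ import annotations

import re
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"  # assumption: the network's real default gateway

# Constructed baseline snapshot, taken while the network was known to be clean.
BASELINE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
"""

# Constructed later snapshot: the gateway entry now carries the MAC of .30.
SUSPECT = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.20 dev eth0 lladdr aa:bb:cc:dd:ee:01 STALE
192.168.1.30 dev eth0 lladdr aa:bb:cc:dd:ee:02 REACHABLE
192.168.1.40 dev eth0 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-f:]{17}))? (?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text: str) -> dict[str, str]:
    """Map IP -> MAC, skipping entries (e.g. FAILED) that carry no link-layer address."""
    table: dict[str, str] = {}
    for line in text.splitlines():
        match = NEIGH_RE.match(line.strip())
        if match and match.group("mac"):
            table[match.group("ip")] = match.group("mac").lower()
    return table


def find_anomalies(baseline: dict[str, str], current: dict[str, str], gateway: str) -> list[str]:
    """Return alerts for a changed gateway MAC and for any MAC claiming several IPs."""
    alerts: list[str] = []
    old_mac, new_mac = baseline.get(gateway), current.get(gateway)
    if old_mac and new_mac and old_mac != new_mac:
        alerts.append(f"gateway {gateway} MAC changed {old_mac} -> {new_mac}")
    # One MAC answering for several IPs is the classic signature of a poisoned cache.
    ips_by_mac: dict[str, list[str]] = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_neigh(BASELINE), parse_neigh(SUSPECT), GATEWAY_IP):
        print(alert)
```

A static ARP entry for the gateway, or dynamic ARP inspection on managed switches, removes the problem at the source; the comparison above is the cheap check you can run on any host in the meantime.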
7. IP Spoofing
Very much like DNS spoofing, in this attack attackers divert your internet traffic that is headed to a legitimate website to a fraudulent website. Attackers don't spoof the website's DNS record; instead, they manipulate the IP address so that the malicious website appears to be at the IP address of the right website.
8. Stealing Browser Cookies
First, let's be very clear that we are not talking about the 'session' cookie here. We are talking about the normal HTTP cookies of your browser-based applications. These HTTP cookies are data collected by a web browser and stored locally on your computer. They are helpful to websites because they remember your information and some behaviour patterns, and they are used to enhance your browsing experience.
For example, with cookies enabled, a user does not have to keep filling out the same items on a form, such as first name and last name. With access to browser cookies, attackers can gain access to passwords, credit card numbers, and other sensitive information that you may have stored in your browser. These cookies are not harmful in or by themselves, but when used along with other techniques, e.g., Wi-Fi eavesdropping or session hijacking, they can help an attacker to roll out a full-blown MiTM attack.
9. SSL Stripping
Rapid7 has noted that SSL stripping is also possible with MiTM attacks. Attackers use SSL stripping to intercept data packets and alter their HTTPS-based address requests to go to the HTTP equivalent endpoint instead. This forces the host to make unencrypted requests to the server. As a result, your sensitive information can be leaked in 'plain text'.
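The standard defence against this downgrade is HTTP Strict Transport Security: once a browser has seen a valid Strict-Transport-Security header from a site over HTTPS, it rewrites any later http:// navigation to that site to https:// before a request leaves the machine, so a stripped link never reaches the attacker in plain text. The code below is an added example, not code from the original article or from Rapid7: it audits a server's HSTS header and models the browser-side policy store that performs the upgrade. Hosts, headers and timestamps are constructed, and the one-year minimum is an assumption taken from common deployment guidance.

```python
"""Model how a stored HSTS policy blocks an SSL-stripping downgrade.

Added example, not code from the original article or from Rapid7. It mimics
the part of a browser that remembers Strict-Transport-Security policies and
upgrades later http:// navigations before any request leaves the machine.
Hosts, headers and timestamps are constructed; the one-year minimum is an
assumption taken from common deployment guidance.
"""
from __future__ import annotations

from typing import Optional
from urllib.parse import urlsplit, urlunsplit

MIN_MAX_AGE = 31536000  # assumption: one year, the usual recommended minimum


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its three directives."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            policy["max_age"] = int(directive.split("=", 1)[1].strip('"'))
        elif directive == "includesubdomains":
            policy["include_subdomains"] = True
        elif directive == "preload":
            policy["preload"] = True
    return policy


def hsts_findings(header: Optional[str]) -> list[str]:
    """Audit a server's HSTS header; an empty list means it is strong enough."""
    if header is None:
        return ["no Strict-Transport-Security header: every visit can be stripped"]
    policy = parse_hsts(header)
    findings = []
    if policy["max_age"] is None:
        findings.append("max-age missing: header is ignored by browsers")
    elif policy["max_age"] < MIN_MAX_AGE:
        findings.append(f"max-age {policy['max_age']} below {MIN_MAX_AGE}: protection lapses quickly")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing: subdomains can still be stripped")
    return findings


class HstsStore:
    """Minimal HSTS cache: host -> (expiry time, include_subdomains)."""

    def __init__(self) -> None:
        self._policies: dict[str, tuple[float, bool]] = {}

    def record(self, host: str, header: str, now: float) -> None:
        """Store the policy an HTTPS response carried (max-age=0 clears it)."""
        policy = parse_hsts(header)
        if policy["max_age"] is None:
            return
        if policy["max_age"] == 0:
            self._policies.pop(host.lower(), None)
            return
        self._policies[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def is_protected(self, host: str, now: float) -> bool:
        """True if the host or an includeSubDomains parent has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._policies.get(".".join(labels[i:]))
            if entry and entry[0] > now and (i == 0 or entry[1]):
                return True
        return False

    def upgrade(self, url: str, now: float) -> str:
        """Rewrite an http:// URL to https:// when a policy applies, else return it unchanged."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_protected(parts.hostname or "", now):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # A genuine HTTPS visit to the bank delivers the policy (constructed header).
    store.record("bank.example", "max-age=31536000; includeSubDomains", now=1_000.0)
    # Later, a stripped link points at plain http://; the store upgrades it first.
    print(store.upgrade("http://www.bank.example/login", now=1_001.0))
```

The model also shows the residual gap: a host the browser has never visited over HTTPS has no stored policy, so the very first visit can still be stripped. That is the case the preload list exists for, and it is why the audit treats a missing header as the most serious finding.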
10. mDNS Spoofing
Multicast DNS operates within your LAN using multicast, in much the same way that ARP relies on broadcast.
This local name resolution system is meant to make the configuration of your network devices extremely simple. Your users don't have to know exactly which addresses their devices should be communicating with; they let the system resolve it for them. Right?
Devices such as TVs, printers, and entertainment systems make use of this protocol since they are typically on trusted networks.
When an app needs to know the address of a certain device, such as tv.local, an attacker can easily respond to that request with fake data, instructing it to resolve to an address the attacker controls. Since devices keep a local cache of addresses, the victim will now see the attacker's device as trusted for a certain period of time.
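Both the DNS spoofing described earlier and the mDNS spoofing described here leave the same kind of evidence on the wire: more than one answer for a single question. With unicast DNS, the forged reply has to race the genuine resolver, so a capture shows two responses with the same transaction id and different addresses; with mDNS, a second host starts answering for a name that another host already owns. The script below is an added example, not code from the original article, and serves both sections: it runs those two checks over already-decoded response records of the kind a packet capture tool would hand you. All records, names and addresses are constructed for the illustration.

```python
"""Spot forged DNS and mDNS answers in a stream of captured responses.

Added example, not code from the original article. It works on already-decoded
response records and applies two checks: a unicast DNS transaction that
received two conflicting answers (the race a spoofer has to win), and an mDNS
name answered by more than one responder on the LAN. All records below are
constructed; the addresses and names are invented for the illustration.
"""
from __future__ import annotations

from collections import defaultdict

# Constructed response records: t = capture time, src = responder address.
RECORDS = [
    {"t": 1.00, "proto": "dns",  "txid": 0x1A2B, "src": "192.168.1.1",  "name": "bank.example",     "answer": "203.0.113.10"},
    {"t": 1.01, "proto": "dns",  "txid": 0x1A2B, "src": "192.168.1.1",  "name": "bank.example",     "answer": "192.168.1.66"},
    {"t": 2.00, "proto": "dns",  "txid": 0x3C4D, "src": "192.168.1.1",  "name": "intranet.example", "answer": "10.0.0.5"},
    {"t": 5.00, "proto": "mdns", "txid": 0,      "src": "192.168.1.30", "name": "tv.local",         "answer": "192.168.1.30"},
    {"t": 5.20, "proto": "mdns", "txid": 0,      "src": "192.168.1.66", "name": "tv.local",         "answer": "192.168.1.66"},
    {"t": 6.00, "proto": "mdns", "txid": 0,      "src": "192.168.1.40", "name": "printer.local",    "answer": "192.168.1.40"},
]


def conflicting_dns_answers(records: list[dict]) -> list[str]:
    """Flag unicast DNS transactions that received more than one distinct answer."""
    answers: dict[tuple[int, str], set[str]] = defaultdict(set)
    for rec in records:
        if rec["proto"] == "dns":
            answers[(rec["txid"], rec["name"])].add(rec["answer"])
    return [
        f"dns: txid {txid:#06x} for {name} answered with {', '.join(sorted(seen))}"
        for (txid, name), seen in answers.items()
        if len(seen) > 1
    ]


def competing_mdns_responders(records: list[dict]) -> list[str]:
    """Flag .local names that more than one host on the LAN claims to own."""
    responders: dict[str, set[str]] = defaultdict(set)
    for rec in records:
        if rec["proto"] == "mdns":
            responders[rec["name"]].add(rec["src"])
    return [
        f"mdns: {name} answered by {', '.join(sorted(srcs))}"
        for name, srcs in responders.items()
        if len(srcs) > 1
    ]


def analyze(records: list[dict]) -> list[str]:
    """Run both checks and return the combined alert list."""
    return conflicting_dns_answers(records) + competing_mdns_responders(records)


if __name__ == "__main__":
    for alert in analyze(RECORDS):
        print(alert)
```

On the constructed capture the first check flags `bank.example`, where the second answer points into the local subnet, and the second flags `tv.local`, which is suddenly claimed by two hosts; `intranet.example` and `printer.local` each have a single consistent answer and stay quiet.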
How Can You Prevent Man-in-the-Middle Attacks?
You can do many things to start with:
- Every single time an application or website asks you to enter your credentials, you MUST carefully glance over the URL of that website. If you observe anything strange about the URL, do not enter your credentials.
However, as a security professional, you need to manage things with a lot of care. For example:
- You should use end-to-end encryption. Wherever possible, instruct your employees to turn on encryption for email and other communication channels. For added security, only use communications software that offers encryption right out of the box.
- Some applications automatically turn on encryption in the background, e.g., WhatsApp Messenger. However, if employees wish to verify that their messages are indeed encrypted, they need to carry out a special process, such as scanning and comparing the QR codes available in the WhatsApp application on each person's phone. In fact, you have the option of choosing end-to-end encryption for each chat, and you set this up yourself together with the other person you intend to chat with.
- If you have been reading my recent posts carefully, then you will know that adopting ZERO TRUST is the best policy, and that UEBA can help you a great deal in preventing all sorts of cyber-attacks, including MiTM attacks.
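The first piece of advice above, to look carefully at the URL before entering credentials, can be turned into checks that a mail gateway or proxy can run on links automatically. The script below is an added example, not code from the original article: it flags the features that most often betray a credential-harvesting page (plain http, a user-info part hiding the real host before an '@', a raw IP address instead of a name, punycode or non-ASCII host labels, and an unusually long chain of subdomains). The sample URLs are constructed and the label-count threshold is an assumption; none of the checks proves a link is malicious, they only say it deserves a closer look.

```python
"""Flag URL features that commonly mark a credential-harvesting page.

Added example, not code from the original article. It encodes the "glance
over the URL" advice as checks a defender can run on links found in mail or
proxy logs. The sample URLs are constructed, and the label-count threshold is
an assumption; none of these checks proves a URL is malicious, they only say
it deserves a closer look.
"""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

MAX_HOST_LABELS = 4  # assumption: more labels than this is unusual for a login page

# Constructed sample links, as they might appear in a suspicious e-mail.
SAMPLE_URLS = [
    "https://www.bank.example/login",
    "http://www.bank.example.login-secure.invalid/login",
    "https://www.bank.example@203.0.113.5/login",
    "https://xn--bnk-vla.example/login",
]


def is_ip_literal(host: str) -> bool:
    """True if the host part is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def url_findings(url: str) -> list[str]:
    """Return the suspicious features of one URL; empty means nothing stood out."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    findings: list[str] = []
    if parts.scheme == "http":
        findings.append("plain http: credentials would travel unencrypted")
    if parts.username is not None:
        findings.append(f"userinfo '{parts.username}' before '@': the real host is {host}")
    if is_ip_literal(host):
        findings.append("host is a raw IP address rather than a domain name")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode label: host may be a look-alike of a familiar name")
    if any(ord(ch) > 127 for ch in host):
        findings.append("non-ASCII characters in host: possible homoglyph")
    if host.count(".") + 1 > MAX_HOST_LABELS:
        findings.append(f"{host.count('.') + 1} host labels: long chain of subdomains")
    return findings


def triage(urls: list[str]) -> list[tuple[str, list[str]]]:
    """Return (url, findings) for the URLs that raised at least one finding."""
    return [(u, url_findings(u)) for u in urls if url_findings(u)]


if __name__ == "__main__":
    for url, findings in triage(SAMPLE_URLS):
        print(url)
        for finding in findings:
            print("  -", finding)
```

The '@' case is the one worth showing users: everything before the '@' is treated by the browser as a user name, so the address that looks like the bank is not the host the request goes to.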
Last Advice:
IoT devices tend to be more vulnerable to attack because they don't implement many of the standard mitigations against MiTM attacks. A lot of IoT devices do not yet implement TLS, or implement older versions of it that are not as robust as the latest version. With mobile applications and IoT devices there is nobody around to notice a TLS error, and that is a problem: some of these applications ignore such errors and still connect, which defeats the purpose of TLS. Beware!
Kindly write your comments on these posts or topics, because when you do, you help me greatly in designing new quality articles/posts on cybersecurity.
You can also share with all of us if the information shared here has helped you in some manner.
Life is short; make the most of it!
Also take care of yourself and your loved ones…
This Article Was Written & published by Meena R, Senior Manager - IT, at Luminis Consulting Services Pvt. Ltd, India.
Over the past 16 years, Meena has built a following of IT professionals, particularly in Cybersecurity, Cisco Technologies, and Networking.
She is so obsessed with the cybersecurity domain that she goes out of her way to share hugely valuable posts and writings about cybersecurity on her website and on social media platforms.
34,000+ professionals follow her on Facebook and are mesmerized by the quality of her posts there.
If you haven't yet come across her enthusiastic work of sharing quality information about cybersecurity, you can follow her on Facebook: Cybersecurity PRISM.