Man-in-the-Middle Attacks: When Three's a CrowdReading time: 12 minutes
When you're browsing the web, you would expect that your communications and the information exchanged are kept private, having not been tampered with in transit. Whether it's merely login credentials, personally identifiable information or even bank account details, we exchange a lot of information on the Internet every day—and while we expect the utmost security, that certainly isn't the rule.
If that information falls into the wrong hands, malicious actors can gain access to your account, change login credentials, impersonate you and perform fraudulent fund transfers (which is common). And more often than not you don't even notice that a third party is secretly eavesdropping on your expressly private communication.
This is one type of cyber attack scenario we'll be discussing in this blog post. We're re-examining basic network threats and types of cyber attacks, having first talked about brute force attacks a few weeks ago, and today we'll address man-in-the-middle (MitM) attacks—the very epitome of "three's a crowd".
- What is a man-in-the-middle attack?
- Man-in-the-middle attack techniques
- How to detect man-in-the-middle attacks
- Man-in-the-middle attack prevention
What is a man-in-the-middle attack?
As one of the oldest and most common types of cyber attacks, dating all the way back to a fascinating hack from 1903, attackers have been using man-in-the-middle attacks to eavesdrop and tamper with communications even more widely since the '80s and '90s. This has led to the invention of elaborate systems of encryption —TLS and SSL—to combat them.
The "three" parties in man-in-the-middle attacks are: the victim; then the party they're trying to communicate with; and finally the man in the middle, who sits between them during their communication, observing and/or manipulating the traffic.
The attacker—the man in the middle—can merely be a passive listener, secretly and silently listening in on the communication, or an active one who tampers with the traffic and impersonates the second entity, with whom the victim is trying to communicate. This can take place through any form of online communication, including email, social media, simply browsing the net, using online services, and the like. In an everyday scenario, imagine sending a letter to someone, and a malcontent mailman opens your letters, reads their private content and alters them before sending them on their way.
For a world-class example we need look no further than an international operation that took place in 2015 and led to the dismantling of a group of cybercriminals suspected of financial fraud via email account instructions. The method they used was a man-in-the-middle attack that first used malware and social engineering to gain access to companies' corporate email accounts, and from there, monitored communication to detect payment requests. Companies' customers were then asked to send their payments to bank accounts in possession of the cybercriminals.
Man-in-the-middle attacks are used by attackers to harvest login credentials, personally identifiable information (PII) or other sensitive information and are, just like brute force attacks, used at the start of the cyber attack lifecycle—during the reconnaissance and exploitation stages.
Online banking, financial institutions and services and e-commerce websites are the most frequent targets of MitM attacks due to the financial data and information that is shared over them—financial gain is one of the main motivators for attacks. Other goals for attackers can range from cyber espionage to simply being disruptive and reputationally damaging.
Man-in-the-middle attack techniques
Man-in-the-middle attacks, while old and fundamentally simple to execute (even more so with their ease of automation), prove quite useful to attackers. In fact, they've come up with many different techniques for achieving them. Let's explore some of the most common methods attackers use to get themselves "in the middle".
DNS spoofing, also known as DNS cache poisoning, plays with the DNS system that translates the domain names we know into IP addresses. Here, an attacker tries to change the DNS records that are returned to the victim into a response of the attacker's choosing. This means that when the victim tries to access a desired website they're actually diverted to a fake website, in order to catch their credentials and other submitted data.
Computer networks communicate through the exchange of network data packets that contain headers used for routing and ensuring transmission continuity. One of those headers is the "source IP address", which refers to the IP address of the packet's sender. In IP spoofing, attackers create IP packets with falsified content of the source IP address—to either mask the sender's identity or to impersonate another system, or both. The result is the same as with DNS spoofing—the victim attempting to access a known website will be sent to the attacker's website instead.
HTTPS means you're on a secure website, right? Not necessarily. HTTPS spoofing involves an attacker registering a domain name that looks similar to the domain a victim wants to connect to. The fake domain is distributed, for example, via phishing emails.
One type of HTTPS spoofing is the homograph attack, in which a vulnerability exploits the international domain name (IDN) feature that allows domain names to be written in different characters and alphabets. Attackers take a legitimate website and use non-ASCII characters written to appear as the legitimate one. With the attacker registering the domain, your browser wouldn't even notify you of an unsecure connection.
This is one of the oldest techniques for intercepting traffic, predating MitM attacks as we know them. ARP spoofing is a technique used in man-in-the-middle attacks where an attacker sends falsified Address Resolution Protocol (ARP) messages over a local network resulting in the linking of an attacker's MAC address to the IP address of a legitimate device on that network. Data sent by the user to the host IP is then transmitted to the attacker without arousing the victim's suspicion.
When you connect to an online account, the web application returns a session cookie—basically a piece of data that identifies you to the server, which will in turn grant you access to your account. Session hijacking, also known as cookie-side jacking, is a type of a man-in-the-middle attack where the attacker steals the user's session token and uses it to access their account. This can be done by installing malware into the victim's device that steals the session data, using cross-site scripting attacks where a script is uploaded to a page the victim frequents and captures the session cookie.
In email hijacking, an attacker gains access to a user's email account and monitors transactions between the account and other entities. This method allows attackers to gather information from the conversations and use them in further social engineering attacks, where they can impersonate the owner of the account. For example, hijacking an email account from a bank can result in sending emails to customers requesting payments from them, or even allow attackers to log into customers' bank accounts with the ability to access funds.
SSL stripping is another type of man-in-the-middle attack, where an attacker downgrades the communications between the client and server to an unencrypted format in order to intercept and eavesdrop their communication. When a victim tries to connect to a server, the attacker would then intercept the request and send a legitimate connection to the server through HTTPS protocol, and when they receive the server's response they will send it to the victim in an encrypted format and continue monitoring their communication.
One of the most commonly seen, old-school methods of man-in-the-middle attacks is Wi-Fi eavesdropping. You often read and hear about the dangers of public Wi-Fi, and even your own device alerts you when connecting to a public, unsecure network. This is because public, meaning insecure and unencrypted, Wi-Fi connections are extremely easy to eavesdrop.
However, danger isn’t reserved for only public free hotspots. In evil twin attacks, attackers set up their own hotspot that looks so identical to a legitimate one (think of coffee shop or airport hotspots) that it can even mimic the SSID, network IP and password, letting attackers pry on unsuspecting victims. From there, attackers can monitor victims' online activity, their login credentials, bank account information, and more.
How to detect man-in-the-middle attacks
Detection of man-in-the-middle attacks can prove challenging as they often measure their success by the fact that the victim doesn't know the attack is taking place. Attackers are, after all, good at hiding their identity and presence through various methods. While more technical individuals and teams find that the simplicity of MitM attacks makes them easy to spot, a little awareness can go a long way for those not so technically inclined:
- HTTP websites: Although we mentioned that attackers' HTTPS spoofing and SSL stripping will trick you into thinking you're accessing a legitimate, secure website, you should always check that the website you're connecting to uses the HTTPS protocol. Unsecure websites have a high chance of being used in MitM attacks.
- Disconnections from a service: If you are repeatedly and inexplicably disconnected from a service and prompted to sign up again, that could indicate an attempted MitM attack. This happens as attackers will forcefully disconnect you from a service for more chances at harvesting your login credentials. Watching out for such activity can help you detect an MitM attack.
- Unusual URLs: We mentioned homograph attacks where attackers register a domain that looks almost identical to a legitimate one. Always check the website address bar to notice any unusual looking URLs, especially when it comes to online transactions, logins, input of sensitive information, and the like.
- Public Wi-Fi: There's no need to repeat the dangers of public Wi-Fi and the unsecure nature of not offering encrypted traffic and allowing almost anyone to eavesdrop it. And as we mentioned regarding evil twin attacks, attackers can set up fake hotspots that look eerily similar to well known, frequently-used ones. This is why it's crucial to remain aware while connecting to public hotspots, even those that you've connected to in the past, or to merely avoid connecting to them at all, if possible.
Man-in-the-middle attack prevention
However important it is to look for telltale signs of a man-in-the-middle attack, it is equally important, if not more so, to take precautionary and proactive measures of protection.
Prevention is the key when it comes to any cyber threat, and MitM attacks are no different. Here are some of the steps, technical and strategic, for individual users and organizations to take to keep your traffic secure from MitM attacks:
Connect only to trusted Wi-Fi networks
For those using Wi-Fi, only connect to networks you trust and know that are secure. If the situation requires you to use a public, unsecure network, don't perform any transactions which involve inputting sensitive information.
Use a VPN
In the event that sensitive transactions need to be carried out over public hotspots, using a VPN will allow you to encrypt your internet connection and protect the data transmitted while using that network. But this isn't the only reason to use a VPN: encrypted traffic is harder for attackers to eavesdrop. A VPN should be used for both end users and for enterprise networks.
Use end-to-end encryption
Use end-to-end encryption for all communication channels including email, chat messengers, video platforms, and the like. This can be achieved by using applications and communication software that offer encryption as a default, something that has gained popularity in recent years for end users as well as for organizations.
Secure your router
Now that more organizations are adopting remote work, employees connect to the company network using their home routers. Keeping your router secure by updating the firmware when updates are available, having strong router security settings and making sure router credentials are complex and routinely changed can help prevent attackers from obtaining access to the router and rerouting DNS servers to malicious ones, or infecting the router with malware which can be spread to the network.
Only connect to HTTPS connections
We've discussed HTTPS protocol and what it represents when a website uses HTTPS for connection, so this is just a quick reminder: connect only to HTTPS websites and pay attention to your browser when it shows you red alerts in your address bar indicating an unsecure website. That "S" at the end could be the difference between safely browsing the web and being the victim of an MitM attack.
Public key authentication
Public key authentication is an alternative method of identifying the user to a login server, rather than using a password. You would generate a key pair consisting of a public key that is copied to the server under a certain name and a private key which is used to generate a signature. When the server needs to verify who you are, it can generate a signature using your private key, then verify you with its public key and allow the login to happen. This is a much more secure method of authentication than with passwords and is also more complex, often being reserved for more tech-savvy users.
Employ DNS over HTTPS
Even when you visit a site using HTTPS, your DNS requests are sent over an unencrypted connection that is easy for a man-in-the-middle attack to intercept, changing the DNS asners and routing you to a phishing or malware-infected website. DNS over HTTPS is a security protocol that encrypts DNS traffic between the user's device and the external DNS resolver, so users are able to browse with encrypted queries, providing secure transfers. DNS over HTTPS does have its own security concerns so we highly recommend you dive deeper into this topic in our blog post dedicated to DNS over HTTPS.
Follow zero trust principles
"Never trust, always verify" is at the core of zero trust. In a nutshell, zero trust refers to the practice not trusting any traffic from inside or outside of the network perimeter. Anything that tries to connect to their systems needs to be verified before access is granted. We have a full blog post dedicated to zero trust with lots of valuable information on implementing this strategy to your organization's overall cybersecurity strategy.
To thwart attackers from successfully eavesdropping and obtaining your login credentials, having multi-factor authentication enabled across all of your accounts will create a barrier. Attackers trying to log in to your account will be met with an additional factor of authentication beyond the password.
Even after being on the threat landscape for decades, there's a reason why man-in-the-middle attacks persist. With their simplicity to execute, ease of automation and the numerous techniques available that rely on unaware end users, MitM attacks still continue to be one of the most common cyber attacks affecting organizations and individuals.
However, as one of the more simple threats out there, MitM attacks can be largely prevented, or at least detected, with simple awareness and an understanding of signs and consequences. Continually, we are confronted with advanced and sophisticated threats, but why focus on them if we haven't covered the basics?