Understanding and Preventing Man-in-the-Middle Attacks
A man-in-the-middle (MITM) attack is a cyber attack in which an attacker intrudes on a transmission to relay, listen in on or alter what is being communicated between two or more parties.
How is it carried out?
Man-in-the-middle attacks are carried out in two manners: one that requires physical proximity to the target, and one that uses malicious software to infect the target’s system (the man-in-the-browser attack).
Cyber criminals usually carry out this attack in two phases: interception and decryption.
To carry out a classic MITM attack, the cyber criminals first need to gain access to an unsecured Wi-Fi router, for example a free public Wi-Fi hotspot or an unprotected network. The attacker can scan the router for specific vulnerabilities such as weak passwords.
Once the criminal deems a router vulnerable, they deploy various methods to intrude on and read the target’s transmitted data. The criminals then intercept the target’s traffic as the target enters login details and other personal information, such as banking details, into various websites.
After the interception stage has been carried out successfully, the decryption stage is executed. This involves decrypting the target’s data, which is typically encrypted by the organisations the target is exchanging it with. This enables the attacker to read and act upon the stolen data.
Man-in-the-browser attack
Prior to executing a man-in-the-browser attack (MITB), the cyber criminals first need to infect their target’s system with malware. One of the methods used to achieve this is phishing.
If the phishing tactics are successful in providing the cyber criminals access to their target’s system, the malware will record the data transmitted between the victim and the organisation’s website, which will then be relayed to the criminal.
Types of MITM attacks
- IP spoofing
Every device is assigned an IP address. IP spoofing refers to the creation of IP packets which are modified to hide the identity of a sender or to impersonate another computer system. By spoofing an IP address, the target is tricked into a false sense of security as they believe that they are interacting with a legitimate business or organisation instead of the attacker.
- DNS spoofing
DNS (domain name system) spoofing involves redirecting a user to a fake website rather than the legitimate one. The victim may believe they are interacting with the legitimate website when in reality they are interacting with a criminal. The purpose of this method is to divert traffic away from the actual website, or to record and relay the target’s login details.
- HTTPS spoofing
Seeing HTTPS instead of HTTP signifies that the site is safe to interact with, as the S stands for ‘secure’. A criminal can dupe a browser into believing it is visiting a secure website, and if the browser redirects the target to an untrustworthy website, the criminal can monitor and gather the personal data being shared.
- SSL hijacking
If your device connects to an unreliable server, signified by HTTP, the server can usually redirect you to the secure, reliable version of the server, indicated by HTTPS, ensuring that you are interacting with a server that is protecting your shared details. SSL (secure sockets layer) establishes encrypted links between your browser and the web server.
In the case of SSL hijacking, the criminal uses a different computer and secure server to intercept the shared data between the server and the target.
- Email hijacking
Once the email account of a target is hijacked, cyber criminals can monitor transactions between organisations and their customers/clients. The criminals can then spoof the bank’s email address and send fraudulent emails to their targets to trick them into completing the tasks. If this method is successful, the criminal will have gained their target’s financial information.
- Wi-Fi monitoring
If a victim connects to a seemingly valid Wi-Fi system that has been established by a cybercriminal, this enables the criminal to monitor the victim’s online activity and of course, relay personal details of the victim to the attacker. This threat increases if an individual is using a public Wi-Fi connection.
- Stealing browser cookies
The purpose of browser cookies is to store, on the visitor’s computer, information the visitor entered on a website. For example, a retailer’s website may store details of a product or the items in a shopping cart in a cookie so that they do not have to be re-entered next time. If these browser cookies are stolen by a criminal, the criminal gains access to the victim’s sensitive information, including passwords.
Tips for protecting your devices against MITM attacks
- Be certain that the site you are about to visit includes HTTPS.
- Never click on a link provided in an email unless you are 100% sure that the sender is legitimate.
- If you receive an unsolicited email with the name of a valid organisation, check with the organisation before clicking on the link as it could be a criminal who has spoofed the organisation’s email.
- Regard any email asking you to change your login details with scrutiny. Go directly to the website instead and do not click on any provided links associated with the request to change login details.
- Refrain from connecting to public Wi-Fi networks.
- Use a VPN if possible. A VPN offers improved cyber security as it hides your IP address by routing your traffic through a private server and encrypting the data transmitted between sender and receiver.
- Delete browser cookies. If you need to keep the cookies, use a VPN if possible while online to keep them hidden.
- Make sure reliable anti-virus software is installed on your system, as MITB attacks typically infect your system with malware to steal your credentials.
- Update your system to detect and patch vulnerabilities.
- Make sure that your Wi-Fi is secure and that the passwords needed to access it are strong.
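The SSL hijacking and cookie-stealing sections above, and the tips about HTTPS and cookies, come down to a few response headers a site owner can check. The following is an added Python example, not code from the original post or from Securiwiser: `audit_headers` and `parse_max_age` are hypothetical helper names, the sample headers are constructed, and treating one year as the minimum HSTS max-age is an assumed policy.

```python
# Added example (not from the original post): audit one HTTP response for the
# weaknesses SSL hijacking and cookie theft rely on. Samples are constructed.
from typing import List, Tuple

def parse_max_age(hsts_value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value, or 0."""
    for directive in hsts_value.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return int(value)
    return 0

def audit_headers(status: int, headers: List[Tuple[str, str]], scheme: str) -> List[str]:
    """Return findings for one response; an empty list means nothing was flagged."""
    findings, plain, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            plain[name.lower()] = value
    if scheme == "http":
        # A plain-HTTP page that is not redirected to HTTPS keeps the victim
        # on the unencrypted connection, which is what SSL hijacking needs.
        location = plain.get("location", "")
        if not (300 <= status < 400 and location.lower().startswith("https://")):
            findings.append("http response does not redirect to https")
    else:
        # Without HSTS the browser will still accept a later downgrade to HTTP.
        hsts = plain.get("strict-transport-security")
        if hsts is None:
            findings.append("missing Strict-Transport-Security header")
        elif parse_max_age(hsts) < 31536000:  # one year; assumed minimum policy
            findings.append("Strict-Transport-Security max-age shorter than one year")
    for cookie in cookies:
        # Without Secure a cookie is sent over plain HTTP; without HttpOnly it
        # can be read by injected script. Both are how session cookies leak.
        cname = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {cname} lacks Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname} lacks HttpOnly attribute")
    return findings

# Constructed samples: a weak HTTPS response beside a hardened one.
WEAK = [("Set-Cookie", "session=abc123; Path=/"), ("Content-Type", "text/html")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Calling `audit_headers(200, WEAK, "https")` returns three findings, while `audit_headers(200, HARDENED, "https")` returns an empty list.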
How can Securiwiser help?
Our aim is to also ensure that our clients (whether they are individual users or business owners) are confident in their knowledge about various cyber threats that their businesses and system may face, increasing trends and frequencies of certain threats and protection and prevention methods that are cost effective and time saving.
Criminals often gain unauthorised access by exploiting underlying vulnerabilities that are unknown to the device owner. Securiwiser can conduct regular scans for your system and provide the exact details of found vulnerabilities or compromises. We can further explain these vulnerabilities or threats to our clients and provide the best course of action that will save your business time and money.