Specific numbers are hard to pin down on man-in-the-middle (MitM) attacks, but according to IBM's X-Force Threat Intelligence Index 2018, more than one-third of exploitation of inadvertent weaknesses involved MitM attacks. Exactly how do these hacks play out? How do criminals get in and steal information – and how are their techniques evolving?
Here's a closer look at the elements of a MitM attack, how they work, and how organizations can avoid becoming a victim.
What Is a Man-in-the-Middle Attack?
MitM attacks are attempts to "intercept" electronic communications – to snoop on transmissions in an attack on confidentiality or to alter them in an attack on integrity.
"At its core, digital communication isn't all that much different from passing notes in a classroom – only there are a lot of notes," explains Brian Vecci, field CTO at Varonis. "Users communicate with servers and other users by passing these notes. A man-in-the-middle attack involves an adversary sitting between the sender and receiver and using the notes and communication to perform a cyberattack."
The victim, he adds, is "blissfully ignorant of the 'man in the middle,' often until it's far too late and information has already been compromised."
How Do MiTMs Work?
Lots of ways, including IP, DNS, HTTPS spoofing, SSL/email hijacking, and Wi-Fi eavesdropping. "And thanks to the Internet, the attacker can often be anywhere," Vecci says.
One common attack involves a hacker setting up a fake public Wi-Fi hotspot for people to connect to, adds Kowsik Guruswamy, CTO with Menlo Security.
"People think they are accessing a legitimate hotspot," he says, "but, in fact, they are connecting to a device that allows the hacker to log all their keystrokes and steal logins, passwords, and credit card numbers."
Another popular MitM tactic is a fraudulent browser plugin installed by a user, thinking it will offer shopping discounts and coupons, Guruswamy says.
"The plugin then proceeds to watch over user's browsing traffic, stealing sensitive information like passwords [and] bank accounts, and surreptitiously sends them out-of-band," he says.
Michael Covington, VP of product strategy at Wandera, cites two main types of MitM attacks impacting mobile users.
"The first is when the attacker has physical control of network infrastructure, such as a Wi-Fi access point, and is able to snoop on the traffic that flows through it," he says. "The second is when the attacker tampers with the network protocol that is supposed to offer encryption, essentially exposing data that should have been protected."
But Isn't Encryption Supposed to Prevent MitM Attacks?
Yes. However, sophisticated spyware or surveillance "lawful intercept" software, such as Exodus and Pegasus, are occasionally finding ways to compromise the infrastructure of secure mobile messaging platforms like WhatsApp without necessarily cracking the encryption algorithm itself.
How Are MitM Attacks Evolving?
With the explosion of Internet of Things (IoT) devices in daily lives, the possibilities for MitM attacks have also ramped up. Many of these technologies were developed without security in mind, and they are being deployed by users faster than security can keep pace. For example, researchers are unearthing dangerous vulnerabilities related to unsecured radio frequency (RF) communications in the embedded systems in industrial and medical devices.
Hackers continue to look for new strategies to catch users off-guard with MitM, Varonis' Vecci says.
"Varonis' incident response team is seeing an uptick in adversaries using a very tricky MitM attack to bypass multifactor authentication, breach Office 365 tenants, and pivot to on-prem systems," he says.
It starts with a phishing email that "lures a victim to a fake Office 365 login page where the attacker can snoop on the credentials used to access data, even breaking through two-factor authentication," Vecci explains. "Users might have no idea anyone's watching, but the attacker can use the technique to get access to systems and data both in the cloud and inside the data center if they know what they're doing."
The end result? "The MitM can end up hijacking a user's credentials and then use them to get access to data that's not even being passed," Vecci says.
Another example, highlighted last week on Dark Reading, involves an Israeli startup that lost a significant chunk of venture capital funding due to an elaborate, multistep MitM attack. The attack started with email snooping, resulted in a fraudulent wire transfer, and ended with a $1 million theft.
The attack was discovered when the Chinese venture capital firm attempting to transfer the funds to the startup was alerted by its bank to an issue with the transaction. Soon after, the Israeli startup realized it had not received seed funding it expected. Check Point became involved once the two parties realized they'd been duped.
Best Practices for Preventing MiTM
User education remains the No. 1 defense for avoiding MitM attacks, Vecci says.
"Use a VPN, skip public Wi-Fi, and verify the sites you log into are legit by making sure they use secure, HTTPS connections," he also advises. "Knowing what's normal for users, devices, and data makes it far more likely that you'll spot this kind of attack once it happens."
What activities should raise a red flag?
"Maybe a user is logging in from a new location or device, or at 3 a.m. when most people are asleep. Or maybe they're suddenly accessing data they've never seen, especially if it's sensitive," Vecci says. "Unless you're watching your company's critical data and can spot suspicious user activity, draw correlations between seemingly normal events, and connect the dots between users, devices, and data, you can easily miss a successful attack like this one."
Menlo Security's Guruswamy suggests advising users to heed the following tips:
Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio