What is a Man-in-the-Middle Cyber Attack?

Man-in-the-Middle cyber attack – When the hacker gets in between!

A Man-in-the-Middle (MITM) attack occurs when hacker successfully intercepts any online communication (social media, email, web surfing etc) happening between two systems. The attacker relays and alters the communication. However, the parties involved think that they are communicating with each other over a secure and private connection. The hacker can target any of the private information inside a device too.

Such attacks are termed as “man-in-the-middle” cyber attacks as they occur between two legitimate communication hosts (or people) while the hacker “listens” to the internet conversation between their devices (smartphones for example.) These are conversations the hacker should not be able to access.

Types of Man-in-the-Middle attacks

Session Hijacking

Most web applications make use of a login mechanism which generates a temporary session token. Hence, the user does not have to type a password for every future request. In session hijacking, a hacker sniffs sensitive traffic and tracks down the session token of a user. The hacker uses the token to make requests in disguise of the user. Once the attacker is in possession of the user’s hijacked token, he can do everything that can be done by the user. The attacker steals the browser cookies of a user. If he gets access to the log-in cookies, then he can easily login as the user and assumes his identity online.

Packet Sniffing

In a sniffing cyber attack, the hacker makes use of packet capture tools to identify low-level packets. The attacker, with the help of specific wireless devices used to monitor internet traffic, accesses packets that are not intended to be accessed (such as packets meant for other hosts).

Email Hijacking

This is type of Main-in-the-Middle attack is largely used by the hackers to target important email accounts of big organizations, especially banks and financial institutions. Once the hackers gain access to these accounts, they start to monitor transactions and wait for the appropriate time to make the eventual cyber attack.

For example, the hacker may wait for the time when a customer is due to transfer money into an account. The hacker will respond to the customer, by spoofing the email address of the company and providing their own bank credentials instead of those of the company. The customer thinks they are sending the payment to their legitimate financial institution, but instead the hacker receives the money.

Wi-Fi Eavesdropping

Wi-Fi connections are happy hunting grounds for many Main-in-the-Middle attacks. There are many ways in which a hacker can do so. In one such way, a hacker sets up a legitimate-sounding Wi-Fi connection. Once an unsuspecting user connects to the hackers WiFi (thinking it is the open WiFi connection of a coffee shop or other), the hacker gains access to the device of the user.

In another approach, the hacker may establish a fake Wi-Fi node that is disguised as a genuine Wi-Fi access point. Thereby, he steals the personal information of anyone connected to it.

Packet Injection

In a packet injection attack the hacker leverages the monitoring mode of their devices and injects malicious packets into the data communication streams of the user. These malicious packets are blended with the genuine data communication streams of the user and appear to be an integral part of the communication. This method also involves sniffing in order to determine the patterns and timing of sending the malicious packets.

Secure Socket Layer (SSL) Stripping

Using HTTPS is common these days as protection against DNS or ARP spoofing. Hackers use SSL stripping to first intercept packets and then to change their HTTP-based requests to HTTP equivalent endpoints. This forces the host to send unencrypted requests to the server. This way, the attacker can have access to sensitive information of the user.

How to protect against Man-in-the-Middle attacks?

Technologies that can protect against Man-in-the-Middle attacks:

  1. Secure Multipurpose Internet Mail Expansions

    Secure Multipurpose Internet Mail Expansions (S/MIME) encrypt emails so that only intended recipients can read it. S/MIME allows the user to digitally sign emails with the help of a unique, private digital certificate or key. The virtual identity of the sender is tied with the email and the recipients have the assurance that the email actually came from the correct user.

    Even if hackers access the mail servers of an organization, they will not be able to access the employee private keys (which are stored elsewhere) and hence, cannot sign the mails digitally. Digital signing of emails and messages must be standardized. Recipients should be educated to only trust digitally signed messages. This helps differentiate spoofed emails from legitimate ones.

  2. Virtual Private Network

    Virtual Private Networks (VPN) can be used to establish a secure environment to send sensitive information across a local area network (LAN). VPNs use key-based encryption to establish a subnet for sending secure communications. Even if the hacker is successful in breaching a shared network, it will not be possible for the hacker to decode the VPN encrypted internet traffic.

  3. Public Key based authentication

    Man-in-the-Middle attacks are normally based on spoofing. Hence, pair-based authentication of public keys (such as RSA) is used in multiple layers of the stack. This ensures the user about the authenticity of the things he is communicating with.

  4. Forced HTTPS

    HTTPS prevents a hacker from using any data she may have sniffed as it helps to communicate safely over HTTP via a private-public key exchange. Hence, it is imperative that websites use HTTPS instead of allowing HTTP or its alternatives. Browser plugins must be installed by users to enforce the use of HTTPS on requests.

  5. Authentication certificates

    Certificate-based authentications should be implemented in all systems (email systems, WiFi networks, internal networks etc) so that it becomes virtually impossible for hackers to penetrate into these systems. The authentication certificates make sure that only endpoints having properly configured certificates are allowed to access the networks and systems. These certificates are user-friendly as there is no additional hardware required. No user training is needed either. The deployment of these certificates can be automated in order to make the implementation simple but to make the work much tougher for the hackers.