How To Prevent Risky Man-in-the-Middle Attack (MiTM) Types?
- Alex Smith
Updated on: 14/02/2023
436 Views | 0 Comments
Modern businesses run with the help of data and sending confidential information is an essential part of these contemporary businesses. This includes sending important emails, retrieving data from internal databases, and accessing online business applications. These empower maximum productivity as well as a competitive advantage. That said, depending on these data transfers across the internal networks and the internet offer a great opportunity for malicious hackers to intercept the traffic and access all of your business's sensitive information. This interception of traffic is called Man-in-the-Middle Attack (MiTM).
It is crucial for businesses to retain their sensitive company credentials and data to survive the competition. Thus, it is important for them to know what MiTM attacks mean, the various types of Man-in-the-Middle Attacks, the key security vulnerabilities, and how they can prevent these risky MiTM attacks. This article covers it all!
Table of Contents
- What Is Man-in-the-Middle Attack (MiTM)?
- How Do Man-in-the-Middle Attacks Work?
- Common Types of Man-in-the-Middle Attacks & Categories They Belong To
- Standard Threat Vectors For MiTM Attacks
- What Are The Most Usual Man-in-the-Middle Attack Techniques?
- How To Detect A MiTM Attack?
- Man-in-the-Middle Attack Prevention: Ways To Stay Safe
What Is Man-in-the-Middle Attack (MiTM)?
Man-in-the-Middle Attacks can be termed the most common type of cybersecurity attack permitting the attackers to eavesdrop on the communication or intercept communication between two targets. Thus, this cyber attack takes place between two targets or communicating hosts. This enables the attacker to literally listen to a conversation that they usually cannot listen to. Therefore, the name “Man-in-the-Middle”.
That said, the MiTM attacks can be a menace to your online security as without proper protective measures these cyber attacks are very easy to execute, quite difficult to detect, and permits the attacker to have real-time access to various sensitive information.
How Do Man-in-the-Middle Attacks Work?
A Man-in-the-Middle Attack occurs when an online communication between two people is successfully intercepted or wiretapped by a third party or a cyber attacker. In this process, both people whose online communication has been wiretapped are unaware of the process.
Let us see a typical MiTM example or Man-in-the-Middle Attack example to understand the scenario.
Hypothetically, let’s name the two communicating parties Bob and Oliver. The cyber attacker is named, say, Shawn. Now, Bob wants to email Oliver to send her some money. Both parties are exchanging public encryption keys as well as account numbers. They are unaware of a third party, Shawn, who is continuously spying on their online communication. So, in this case, Shawn is acting as a “Man-in-the-Middle”.
That said, Shawn possesses the capability to intercept the message Oliver sends as a reply to Bob. He can send his account details to Bob pretending to be Oliver which Bob would send money trusting the reply is coming from Oliver. But the fact remains that Bob has actually sent money to Shawn (who posed as Oliver) thinking he has sent it to Oliver.
Common Types of Man-in-the-Middle Attacks & Categories They Belong To
There are seven common types of MiTM Attacks. This includes -
1. Cookie Hijacking
Cookies are essential for users. They are usually small packets of data that all websites store on the visitor’s system. Cookies are used so that a user will not have to re-enter their information such as any personal information every time he or she visits the same websites. This is a great source of collecting personal information and mostly cyber attackers target these cookies to get their job done. They can easily hijack your browser cookies and gain access to your saved login credentials and various other sensitive information.
2. DNS Spoofing
DNS Spoofing or Cache Poisoning Attack (DNS Cache Poisoning) is referred to as a cyber attack wherein the altered DNS (Domain Name System) records are utilized to redirect online traffic to a scam website that completely resembles its intended destination. To simplify it, the attacker makes use of DNS spoofing to divert the targeted user to a fake website and not the real site that looks similar to the real one. Therefore, the user is tricked into trusting that they are on the actual website and can also leave their login credentials to the cyber attacker.
3. Email Hijacking
In case of an email hijacking attack, the middleman will spy on a transaction between a customer and their financial institution or bank. Following this, the attacker will spoof the email address of the bank and send incorrect information to the customer so that they send the money to the attacker and not the bank.
4. HTTPS Spoofing
HTTPS precedes a website URL. It is typically an indication that the website having it is secure to visit. However, a cyber attacker can trick the browser into trusting that a website is secure. In reality, the attacker sends it to an unsecured website. Once the visitor is trapped in the fake website, the attacker can very easily monitor what the visitor is sharing and steal them. This even includes their personal information.
5. IP Spoofing
This is another way a cyber attacker is able to trick you into giving out your sensitive information to them. For instance, they can spoof the IP address of a computer you wish to visit while deceiving you into thinking that you are actually interacting with the computer you wished to. Instead, you are communicating with the computer of the cyber attacker and possibly giving out your confidential information to them.
6. SSL Hijacking
SSL is the abbreviated term for “Secure Socket Layer”. It is a protocol creating encrypted links between a server and a browser. This type of cyberattack is indicated by an attacker intercepting the communication between the web server and the computer of the victim. In this process, the attacker generates fake certificates for the domains of the HTTPS sites the victim wishes to visit. Thus, the victim thinks they have a secure connection to the target website. But in reality, they possess a secure connection to a proxy site or cloned site that is controlled completely by the cyber attacker
7. WiFi Eavesdropping
WiFi eavesdropping is very common with public WiFi or open WiFi. In this kind of Man-in-the-Middle Attack, the evil hacker sets up a connection with a legit-sounding name. For example, if you are in a mall, the cyber attacker might set up a WiFi name “Sephora_123” WiFi to make it look and sound similar to the actual Sephora’s WiFi name. If the unaware victim connects to the fake WiFi, the malicious hacker can monitor all of their online moves including entered passwords and credit card details.
Some of the other methods used include
- Address Resolution Protocol (ARP) spoofing
- Dynamic Host Configuration Protocol (DHCP) spoofing
- Internet Control Message Protocol (ICMP) redirection
- Spanning Tree Protocol (STP) mangling
- Route mangling
- Port stealing
- Traffic tunneling
Considering all the seven types of Man-in-the-Middle Attacks, you can easily state that these cyber attacks fall into two broad categories. In the first category, the attacker gains access to a WiFi network that is either completely unsecured or poorly secured. This kind of attack takes place with the use of public WiFi hotspots. However, this can also occur with home WiFi or personal WiFi connections if that is not properly secured and if the victim is using a weak password.
With this article, we are more concentrating on the second category that makes use of malware to wiretap and spy on online communication. This kind of cyber attack is also known as a “Man-in-the-Browser Attack”. This variant of cyber attack is usually accompanied by a phishing fraud where a malicious-intended hacker impersonates a legit entity such as a bank to con their targeted victim into clicking on a link or opening an attachment that installs malware on their device.
Standard Threat Vectors For MiTM Attacks
The Man-in-the-Middle Attacks depend on a malicious hacker’s capability to impersonate business applications and/or users. It is done both technically by convincing the IT equipment that they are a legit part of your network and via messaging including fake emails and fraud websites. All of these are done with the intent to access private communications and manipulate the users into sharing their sensitive data. The following are the most common threat vectors for Man-in-the-Middle Attacks:
1. Malicious Employees
Employees are an integral part of enterprises. Invaluable industries such as Finance are highly at risk from highly skilled internal IT professionals having malicious intentions. This is the least common form of MiTM attacks. However, it is potentially the most dangerous thing for larger enterprises as it involves a malicious hacker having intimate knowledge of the security systems of a business. They are also aware of all the policies and procedures. This means that hacking the infrastructure and faking communications is much easier for them.
2. Malware Infections
Hackers with malicious intentions can also initiate various MiTM attacks via malware infections through either the user's web browser, networking hardware like WiFi routers, or personal computer. Malware infections can also be spread through remote locations and by compromising the existing, trusted IT infrastructure. That said, this method is quite hard to detect.
3. Phishing Scams
In this version of the MiTM attack, malicious hackers usually send fake emails from trusted sources such as banking websites or upper management for manipulating users into sharing passwords and various other authentication details.
A classic example of this is receiving a fraudulent email from an attacker posing as a bank requesting login access for some seemingly valid grounds. The email might look like this -
“We have experienced a security breach and your data needs to be protected right away. Please log in here to change your password.”
This login link, when clicked, takes the users to a fake version of the actual bank’s website. The attacker can get your authentication details from here which will be used later to make fraudulent withdrawals from the actual bank.
4. Router Spoofing
This is a method where the malicious actor configures his laptop as a WiFi hotspot choosing a name of a brand in the area for tricking the users to connect to his hotspot, thinking it to be a usual router. Once the user connects to him, the hacker will be abv to monitor all the traffic coming in and out from the unaware user. The attacker will also be able to get access to sensitive login details, emails, and more. This is one of the most common forms of Man-in-the-Middle Attacks.
What Are The Most Usual Man-in-the-Middle Attack Techniques?
The following are the most important and highly used MiTM techniques:
1. Packet Injection
A malicious hacker can take advantage of their device’s monitoring mode for injecting malicious packets into the data communication streams. Then the packets can easily blend in with the valid data communication streams. They appear to be a part of the communication, but remain malicious in nature. Usually, packet injection involves first sniffing for determining how and when to curate and send packets.
2. Session Hijacking
Most web applications make use of a login mechanism to generate a temporary session token. This session token is used for future requests for avoiding the users retyping a password at every page. An attacker is able to sniff the sensitive traffic in a bid to identify the session token for a user and then use it to make requests as the user. The malicious hacker does not even require to spoof once he acquires a session token.
Malicious hackers make use of packet capture tools for inspecting packets at a very low level. Using specific wireless devices that are permitted to be put into monitoring mode can let the attackers see the packets that are not intended for them to see. These kinds of packets are addressed to the other hosts.
4. SSL Stripping
Using HTTPS is a very common safeguard against DNS or ARP spoofing. Thus, the attackers make use of the SSL stripping method to intercept the packets and alter their HTTPS-based address requests to the unencrypted server. In such a scenario, sensitive information can easily be leaked in plain text.
How To Detect A MiTM Attack?
Without taking proper steps, detecting a Man-in-the-Middle Attack can be difficult. If you are not proactively searching to determine whether your communications have been intercepted, MiTM attacks can go unnoticed until it is too late. The key method to detect a possible MiTM attack is to check for proper page authentication as well as implement some kind of tamper detection. However, these procedures might require some additional forensic analysis.
Man-in-the-Middle Attack Prevention: Ways To Stay Safe
By far we have already seen what Man-in-the-Middle Attacks can do and how they are being carried out at various levels. With these, it is clear that it is crucial to adopt precautionary measures for preventing MiTM attacks before they occur rather than finding ways to detect them when they are proactive on their journey. You need to be aware of your browsing practices and recognize potentially harmful zones. These can be essential in maintaining a secure network.
Following are some of the best practices involved in Man-in-the-Middle Attack prevention and not letting your communications get compromised.
1. Forced HTTPS
HTTPS can be utilized to securely communicate over the HTTP making use of public and private key exchanges. This blocks the attackers from having any use of the data they might have sniffed. Websites must solely use HTTPS and must refrain from providing HTTP alternatives. The users, on the other hand, might go ahead and install browser plugins for enforcing to always using of HTTPS on request.
2. Powerful Router Login Credentials
It is much sought after to ensure that your default router login has been changed. This is not limited to your WiFi password but also extends to your router login credentials. If an attacker is able to get hold of your router login credentials, they might change your DNS servers and redirect it to their malicious servers. To make the situation even worse, they can even infect your router with malevolent software.
3. Public Key Pair Dependent Authentication
Typically, the Man-in-the-Middle Attacks involve spoofing something or the other. The public keypair-based authentication such as RSA can be utilized in various layers of the stack in a bid to help ensure that the things you are communicating with are legitly the things you wish to be communicating with.
4. Rigid WEP/WAP Encryption On Access Points
Possessing a strong encryption mechanism on wireless access points restricts unwanted users from joining your network only by being nearby. Thus, a weak encryption mechanism can permit an attacker to brute-force his entry into a network and start the Man-in-the-Middle Attack. That said, the stronger the implementation of encryption, the safer it is.
5. Virtual Private Network (VPN)
Virtual Private Networks or commonly known as VPNs can be effectively used in a bid to create a secure environment for sensitive information within a local area network. The VPNs make use of key-based encryption for creating a subnet to secure communication. In this way, even if an attacker gets on a shared network, he will not be able to decode the traffic in the VPN.
These are some of the ways in which you will be able to prevent risky Man-in-the-Middle Attacks which can lead to menace. Companies are required to follow preventive measures at the earliest and not spend too much time detecting if they have been targeted in a Man-in-the-Middle Attack.