In 2015, the Luptons, a couple in the UK, decided to sell their daughter’s apartment for £340,000. Once they had a buyer, it was a simple matter of dotting the i’s and crossing the t’s. They received an email from their lawyer asking for the couple’s banking account information to execute the payment. The Luptons provided the requested info. Soon after, the lawyer received another email from the Luptons asking to disregard the bank account info sent earlier and to wire money to a different account. The lawyer complied with the request and made the transfer. Except the second email was not sent by the Luptons. It was sent by cybercriminals, who intercepted the communication and posed as the couple to re-route the payment to their account. The crime was soon discovered and, eventually, the Luptons were able to recover their funds.
This is a real-life example of a man-in-the-middle (MITM) attack. And most victims are not as lucky as the Luptons.
How man-in-the-middle attacks work
MITM is a type of cyberattack in which the attacker eavesdrops on, and often hijacks, the communication between two legitimate parties.
The attacker inserts themselves into the communication path, whether the connection is encrypted or not, intercepts the traffic, and can then use that position to spy on the two parties, impersonate one or both of them, re-route the communication, and so on.
There are various ways to intercept communication:
- ARP spoofing: the attacker sends forged Address Resolution Protocol messages over a local area network so that the attacker’s MAC address becomes associated with the IP address of the victim’s computer or server in other hosts’ ARP caches. From then on, the attacker receives data that is, in fact, intended for the victim’s IP address.
- DNS spoofing: the attacker replaces the IP address stored in the DNS server (or resolver cache) with a forged one. Whenever victims try to reach a particular website, they are unknowingly redirected to the fake site the attacker has put in its place, which lets the attacker capture their data – e.g., login information, credit card entries, etc.
- mDNS spoofing: the attacker answers a network device’s name query with fake data. Multicast DNS provides DNS-like name resolution, but only on the local network and without a central server. This convenience means users are usually not even aware of which addresses their devices are communicating with, and that is where attackers position themselves.
- Wi-Fi eavesdropping: the attacker listens to communication conducted over public or unsecured Wi-Fi networks, or sets up their own public Wi-Fi network for the purpose. This interception lets them steal the data users enter while connected to that network.
- Session hijacking: the attacker waits for you to log in to a website and then steals the session cookies the website issues. These cookies exist so the user can access various features and links without re-entering login information every time; whoever holds them is treated by the site as the logged-in user.
- HTTPS spoofing: the attacker registers a domain that looks like the domain of the targeted website – e.g., instead of bankofamerica.com, it’s bаnkofamerica.com, where the first ‘a’ is actually a Cyrillic letter. Once victims land on that website, the attacker places their certificate in the victims’ trusted key store. Victims are then redirected to the legitimate website, but the attacker can now listen to their traffic.
- Rogue access point: the attacker installs a wireless access point on a network without authorization from the local network administrator. Devices with wireless cards then auto-connect to it, which lets the attacker listen to all of that device’s network traffic.
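One way a defender can spot the ARP spoofing described above is to watch for IP-to-MAC bindings that change mid-capture, or for one MAC that claims several IP addresses at once. This is an added Python example, not code from the original article; the ARP replies are a constructed sample and every address in it is made up.

```python
from collections import defaultdict

# Constructed sample of (ip, mac) pairs as an ARP sniffer would report
# unsolicited replies. The last two show the gateway 192.168.1.1 suddenly
# being answered from a MAC that also claims 192.168.1.50.
OBSERVED_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:01"),
    ("192.168.1.10", "00:11:22:33:44:10"),
    ("192.168.1.50", "de:ad:be:ef:00:50"),
    ("192.168.1.1", "de:ad:be:ef:00:50"),
    ("192.168.1.1", "de:ad:be:ef:00:50"),
]


def detect_arp_poisoning(replies, gateway_ip=None):
    """Return alert strings for the two classic poisoning signals.

    1. An IP whose MAC changes during the capture window.
    2. One MAC claiming several IPs; rated HIGH when the gateway is among
       them, since that is the position needed to relay a host's traffic.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in ip_to_macs and mac not in ip_to_macs[ip]:
            alerts.append(
                f"IP {ip} changed MAC {sorted(ip_to_macs[ip])} -> {mac}")
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    for mac, ips in sorted(mac_to_ips.items()):
        if len(ips) > 1:
            severity = "HIGH" if gateway_ip in ips else "MEDIUM"
            alerts.append(
                f"{severity}: MAC {mac} claims multiple IPs {sorted(ips)}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(OBSERVED_REPLIES, gateway_ip="192.168.1.1"):
        print(alert)
```

A static ARP entry for the gateway, or a switch feature such as dynamic ARP inspection, removes the condition this detector alerts on rather than merely reporting it.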
How to prevent man-in-the-middle attacks
It is often difficult to detect an MITM attack, which means one can go unnoticed for months, if not years. This kind of access can cause serious damage to an organization and its employees. Therefore, make sure you harden your systems against MITM.
- Teach your employees responsible digital behavior: do not connect to public networks, don’t click on unusual URLs, and report any and all suspicious behavior to the IT staff.
- Use Virtual Private Networks in your organization.
- Use SSL/TLS for your email. This encrypts the data before it is transferred. Use end-to-end encryption for video chats and other communication channels.
- Set up multi-factor authentication wherever possible.
- Only use secure browsers and keep them up to date. Furthermore, use plugins such as ForceTLS to make sure that only HTTPS websites can be visited.
- Create a secure private Wi-Fi network for your employees. Separate it from the network you provide to your guests.
- Add a layer of protection with a DNS sinkhole solution, which prevents access to malicious URLs at the organizational level by refusing to resolve their domains.
- Keep your anti-malware software up to date.
- Switch to a password manager that stores login credentials instead of having your browser do that. This will help prevent session hijacking attempts.
- Regularly audit your system.
- Deploy an intrusion detection system – a solution that monitors your network or systems for malicious activity.
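The look-alike domain from the HTTPS spoofing entry above (a Cyrillic ‘а’ inside an otherwise Latin name) is exactly the kind of “unusual URL” the first item in this list asks employees to avoid, and a mail gateway or link checker can flag it automatically before anyone clicks. This is an added Python example, not code from the original article; it relies only on the standard library’s unicodedata module and idna codec, and the sample domains are constructed.

```python
import unicodedata


def script_of(char):
    """Return the script ('LATIN', 'CYRILLIC', ...) of a letter, or None
    for digits, hyphens and anything without a Unicode name."""
    if not char.isalpha():
        return None
    name = unicodedata.name(char, "")
    return name.split(" ", 1)[0] if name else None


def check_domain(domain):
    """Inspect each DNS label for mixed scripts and non-ASCII letters.

    Returns the punycode (xn--) form the resolver will actually query, a
    list of human-readable findings, and a 'suspicious' flag that is set
    when a single label mixes scripts, which genuine internationalized
    domains almost never do."""
    domain = domain.strip().rstrip(".").lower()
    findings = []
    mixed = False
    for label in domain.split("."):
        scripts = {s for s in (script_of(c) for c in label) if s}
        if len(scripts) > 1:
            mixed = True
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)}")
        for c in label:
            if ord(c) > 127:
                findings.append(
                    f"non-ASCII U+{ord(c):04X} {unicodedata.name(c, '?')} in '{label}'")
    try:
        punycode = domain.encode("idna").decode("ascii")
    except UnicodeError:
        punycode = None
        findings.append("domain cannot be encoded as IDNA")
    return {"punycode": punycode, "suspicious": mixed, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: the genuine name and the homograph using U+0430.
    for sample in ("bankofamerica.com", "b\u0430nkofamerica.com"):
        print(sample, check_domain(sample))
```

Browsers apply similar mixed-script rules when deciding whether to show the Unicode or the xn-- form in the address bar, so the punycode string is also what to compare against your own allow-list.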
Man-in-the-middle attacks can be particularly damaging because their detection often takes a significant amount of time. In many instances, cyberattackers are willing to wait for weeks, if not months, before “weaponizing” their access, in an attempt to gather as much information as possible. Whether you are a government agency, a healthcare provider, or an educational institution, make sure to take every precaution to protect your information from being compromised.