An on-path attacker places themselves in between victims and the services they are trying to reach, often for the purposes of stealing data.
After reading this article you will be able to:
Copy article link
On-path attackers place themselves between two devices (often a web browser and a web server) and intercept or modify communications between the two. The attackers can then collect information as well as impersonate either of the two agents. In addition to websites, these attacks can target email communications, DNS lookups, and public WiFi networks. Typical targets of on-path attackers include SaaS businesses, ecommerce businesses, and users of financial apps.
You can think of an on-path attacker like a rogue postal worker who sits in a post office and intercepts letters written between two people. This postal worker can read private messages and even edit the contents of those letters before passing them along to their intended recipients.
In a more modern example, an on-path attacker can sit between a user and the website they want to visit, and collect their username and password. This can be done by targeting the HTTP connection between the user and the website; hijacking this connection lets an attacker act as a proxy, collecting and modifying information being sent between the user and the site. Alternately the attacker can steal a user’s cookies (small pieces of data created by a website and stored on a user’s computer for identification and other purposes). These stolen cookies can be used to hijack a user’s session, letting an attacker impersonate that user on the site.
On-path attackers can also target DNS servers. The DNS lookup process is what allows web browsers to find websites by translating domain names into IP addresses. In DNS on-path attacks such as DNS spoofing and DNS hijacking, an attacker can compromise the DNS lookup process and send users to the wrong sites, often sites that distribute malware and/or collect sensitive information.
Another common attack is email hijacking, which on-path attackers use to infiltrate email servers by putting themselves in between an email server and the web. Once the server is compromised, the attackers can monitor email communications for various purposes. One such scam involves waiting for a scenario where one person needs to transfer money to another (e.g. a customer paying a business). The attackers can then use a spoofed email address to request that the money be transferred to an attacker’s account. The email will seem legitimate and innocuous to the recipient (“Sorry there’s a typo in my last email! My account number is actually: XXX-XXXX”) making this attack very effective and financially devastating. In 2015, a cyber-crime ring in Belgium used email hijacking to steal over 6 million euro from various European companies.
On-path attacks are frequently perpetrated over WiFi networks. Attackers can create malicious WiFi networks that either seems harmless or are clones of legitimate WiFi networks. Once a user connects to the compromised WiFi network, an on-path attacker can monitor that user’s online activity. Sophisticated attackers may even redirect the user’s browser to fake copies of legitimate websites.
Since on-path attackers use a number of methods, there is not an all-in-one solution for these attacks. One of the most fundamental ways to protect against attacks that target HTTP traffic is to adopt SSL/TLS, which creates secure connections between users and web services. Unfortunately this is not a foolproof solution, as more sophisticated on-path attackers can work around SSL/TLS protection. To further protect against these kinds of attacks, some web services implement HTTP Strict Transport Security (HSTS), which forces secure SSL/TLS connections with any browser or app, blocking any unsecured HTTP connections and also preventing cookie theft. Learn more about HSTS on the Cloudflare blog.
Authentication certificates can also be used to protect against these attacks. An organization can implement certificate-based authentication on all of their devices, so that only users with properly configured certificates can access their system.
To prevent email hijacking, Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used. This protocol encrypts emails and lets users digitally sign emails with a unique Digital Certificate, letting the receiver know that the message is legitimate.
Individual users can also protect themselves from on-path attackers by avoiding submitting any sensitive information on any public WiFi network unless they are protected by a secure Virtual Private Network (VPN).