Man-In-The-Middle Attack


Learning Objectives

After reading this article you will be able to:

  • Define a man-in-the-middle attack
  • Explore several types of man-in-the-middle attacks
  • Outline methods to protect against man-in-the-middle attacks

What is a man-in-the-middle attack?

In a man-in-the-middle attack, attackers places themselves between two devices (often a web browser and a web server) and intercept or modify communications between the two. The attackers can then collect information as well as impersonate either of the two agents. In addition to websites, these attacks can target email communications, DNS lookups, and public WiFi networks. Typical targets of man-in-the-middle attacks include SaaS businesses, e-commerce businesses, and users of financial apps.

You can think of a man-in-the-middle attacker like a rogue postal worker who sits in a post office and intercepts letters written between two people. This postal worker can read private messages and even edit the contents of those letters before passing them along to their intended recipients.

In a more modern example, an man-in-the-middle attacker can sit between a user and the website they want to visit, and collect their username and password. This can be done by targeting the HTTP connection between the user and the website; hijacking this connection lets an attacker act as a proxy, collecting and modifying information being sent between the user and the site. Alternately the attacker can steal a user’s cookies (small pieces of data created by a website and stored on a user’s computer for identification and other purposes). These stolen cookies can be used to hijack a user’s session, letting an attacker impersonate that user on the site.

man-in-the-middle attacks can also target DNS servers. The DNS lookup process is what allows web browsers to find websites by translating domain names into IP addresses. In DNS man-in-the-middle attacks such as DNS spoofing and DNS hijacking, an attacker can compromise the DNS lookup process and send users to the wrong sites, often sites that distribute malware and/or collect sensitive information.

Man In The Middle Attack

What is email hijacking?

Another common man-in-the-middle attack is email hijacking, which attackers use to infiltrate e-mail servers by putting themselves in between an email server and the web. Once the server is compromised, the attackers can monitor email communications for various purposes. One such scam involves waiting for a scenario where one person needs to transfer money to another (e.g. a customer paying a business). The attackers can then use a spoofed email address to request that the money be transferred to an attacker’s account. The email will seem legitimate and innocuous to the recipient (“Sorry there’s a typo in my last email! My account number is actually: XXX-XXXX”) making this attack very effective and financially devastating. In 2015, a cyber-crime ring in Belgium used email hijacking to steal over 6 million euro from various European companies.

Why is it risky to use public WiFi networks?

man-in-the-middle attacks are frequently perpetrated over WiFi networks. Attackers can create malicious WiFi networks that either seems harmless or are clones of legitimate WiFi networks. One a user connects to the compromised WiFi network, an attacker can monitor that user’s online activity. Sophisticated attackers may even redirect the user’s browser to fake copies of legitimate websites.

What are ways to protect against a man-in-the-middle attack?

Since there are a number of ways to commit man-in-the-middle attacks, there is not an all-in-one solution for these attacks. One of the most fundamental way to protect against the man-in-the-middle attacks that target HTTP traffic is to adopt SSL/TLS, which create secure connections between users and web services. Unfortunately this is not a foolproof solution, as there are some more sophisticated man-in-the-middle attacks that can work around SSL/TLS protection. To further protect against these kinds of attacks, some web services implement HTTP Strict Transport Security (HSTS), which forces secure SSL/TLS connections with any browser or app, blocking any unsecured HTTP connections and also preventing cookie theft. Learn more about HSTS on the Cloudflare blog.

Authentication certificates can also be used to protect against man-in-the-middle attacks. An organization can implement certificate-based authentication on all of their devices, so that only users with properly configured certificates can access their system.

To prevent email hijacking, Secure/Multipurpose Internet Mail Extensions (S/MIME) can be used. This protocol encrypts emails and lets users digitally sign emails with a unique Digital Certificate, letting the receiver know that the message is legitimate.

Individual users can also protect themselves from man-in-the-middle attacks by avoiding submitting any sensitive information on any public WiFi network unless they are protected by a secure Virtual Private Network (VPN).