What is man in the middle list a few examples of MITM attacks?


A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers or an illicit password change.

Additionally, it can be used to gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.

Broadly speaking, a MITM attack is the equivalent of a mailman opening your bank statement, writing down your account details and then resealing the envelope and delivering it to your door.


Man in the middle attack example

MITM attack progression

Successful MITM execution has two distinct phases: interception and decryption.

Interception

The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility to any online data exchange.

Attackers wishing to take a more active approach to interception may launch one of the following attacks:

  • IP spoofing involves an attacker disguising himself as an application by altering the addresses in IP packet headers. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
  • ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
  • DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.

Decryption

After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:

  • HTTPS spoofing sends a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
  • SSL BEAST (browser exploit against SSL/TLS) targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
  • SSL hijacking occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application’s site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.

For users, this means:

  • Avoiding WiFi connections that aren’t password protected.
  • Paying attention to browser notifications reporting a website as being unsecured.
  • Immediately logging out of a secure application when it’s not in use.
  • Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For website operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.

It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in.

Using Imperva to protect against MITM

MITM attacks often occur due to suboptimal SSL/TLS implementations, like the ones that enable the SSL BEAST exploit or that support the use of outdated and under-secured ciphers.

To counter these, Imperva provides its customers with optimized end-to-end SSL/TLS encryption as part of its suite of security services.

Hosted on Imperva’s content delivery network (CDN), the certificates are optimally implemented to prevent SSL/TLS compromising attacks, such as downgrade attacks (e.g. SSL stripping), and to ensure compliance with the latest PCI DSS demands.

Offered as a managed service, the SSL/TLS configuration is kept up to date by a professional security team, both to keep up with compliance demands and to counter emerging threats (e.g. Heartbleed).

Finally, with the Imperva cloud dashboard, customers can also configure HTTP Strict Transport Security (HSTS) policies to enforce the use of SSL/TLS security across multiple subdomains. This helps further secure websites and web applications from protocol downgrade attacks and cookie hijacking attempts.
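As an added illustration (not Imperva’s code or configuration), the following Python evaluates a Strict-Transport-Security header and then applies a cached policy the way a browser does, showing why a strong HSTS policy with includeSubDomains blocks the plain http:// request that the SSL stripping attack described earlier depends on. The header values and hostnames are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

ONE_YEAR = 31_536_000  # seconds; the usual minimum max-age for a strong policy


def parse_hsts(header):
    """Parse a Strict-Transport-Security header value into its directives.
    Returns None when max-age is missing or malformed (browsers then ignore it)."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                policy["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                return None
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def assess_hsts(header):
    """List the weaknesses of a policy; an empty list means it is strong."""
    policy = parse_hsts(header)
    if policy is None:
        return ["missing or malformed max-age: the header is ignored"]
    issues = []
    if policy["max_age"] < ONE_YEAR:
        issues.append("max-age below one year: the policy expires too quickly")
    if not policy["include_subdomains"]:
        issues.append("no includeSubDomains: http://login.<site> can still be stripped")
    return issues


def must_upgrade(url, cached_policies):
    """Apply cached policies {host: policy} as a browser does: return the https://
    URL to use instead of a plain http:// URL, or None if http:// is allowed.
    (Policy expiry is not tracked in this simplified cache.)"""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    labels = parts.hostname.split(".")
    for i in range(len(labels)):  # exact host first, then each parent domain
        policy = cached_policies.get(".".join(labels[i:]))
        if policy and (i == 0 or policy["include_subdomains"]):
            return urlunsplit(("https", parts.hostname, parts.path, parts.query, parts.fragment))
    return None
```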

A man-in-the-middle (MITM) attack is a type of cyberattack where attackers intercept an existing conversation or data transfer, either by eavesdropping or by pretending to be a legitimate participant. To the victim, it will appear as though a standard exchange of information is underway — but by inserting themselves into the “middle” of the conversation or data transfer, the attacker can quietly hijack information.


The goal of a MITM attack is to retrieve confidential data such as bank account details, credit card numbers, or login credentials, which may be used to carry out further crimes like identity theft or illegal fund transfers. Because MITM attacks are carried out in real time, they often go undetected until it’s too late. 

The Two Phases of a Man-in-the-Middle Attack  

A successful MITM attack involves two specific phases: interception and decryption.  


1. Interception

Interception involves the attacker interfering with a victim’s legitimate network traffic by routing it through a fake network before it can reach its intended destination. The interception phase is essentially how the attacker inserts themselves as the “man in the middle.” Attackers frequently do this by creating a fake Wi-Fi hotspot in a public space that doesn’t require a password. If a victim connects to the hotspot, the attacker gains access to any online data exchanges they perform.

Once an attacker successfully inserts themselves between the victim and the desired destination, they may employ a variety of techniques to continue the attack:

  • IP Spoofing: Every Wi-Fi-connected device has an internet protocol (IP) address that is central to how networked computers and devices communicate. IP spoofing involves an attacker altering IP packets in order to impersonate the victim’s computer system. When the victim tries to access a URL connected to that system, they’re unknowingly sent to the attacker’s website instead.
  • ARP Spoofing: With Address Resolution Protocol (ARP) spoofing, the attacker uses falsified ARP messages to link their MAC address with a victim’s legitimate IP address. By connecting their MAC address to an authentic IP address, the attacker gains access to any data sent to the host IP address.
  • DNS Spoofing: Domain Name System (DNS) spoofing, also known as DNS cache poisoning, involves an attacker altering a DNS server in order to redirect a victim’s web traffic to a fraudulent website that closely resembles the intended website. If the victim logs in to what they believe is their account, attackers can gain access to personal data and other information.
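An added example (not from the original article) of the interception-phase detection a defender would run on a LAN: it parses constructed `ip neigh show`-style entries, compares a baseline against a later snapshot, and flags the two symptoms of the ARP spoofing described above and in the earlier list, a gateway whose MAC address changed and a single MAC answering for several IP addresses. The addresses and MACs are made up for the example.

```python
import re
from collections import defaultdict

# Shape of a Linux `ip neigh show` line: "<ip> dev <iface> lladdr <mac> <state>"
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-f:]{17})", re.I)


def parse_neigh(text):
    """Return {ip: mac} from neighbour-table output, ignoring entries without a MAC."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m["ip"]] = m["mac"].lower()
    return table


def detect_arp_spoofing(baseline, current, gateway_ip):
    """Compare two {ip: mac} snapshots and return human-readable alerts."""
    alerts = []
    # Symptom 1: the gateway's MAC changed since the baseline (gateway impersonation).
    if gateway_ip in baseline and gateway_ip in current and baseline[gateway_ip] != current[gateway_ip]:
        alerts.append(f"gateway {gateway_ip} MAC changed {baseline[gateway_ip]} -> {current[gateway_ip]}")
    # Symptom 2: one MAC now claims several IPs (the attacker answering for both sides).
    by_mac = defaultdict(list)
    for ip, mac in current.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


# Constructed snapshots: .1 is the gateway, .37 is the host doing the poisoning.
BASELINE = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:aa:bb:01 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:11:22:aa:bb:20 STALE
192.168.1.37 dev wlan0 lladdr 00:11:22:aa:bb:37 REACHABLE
"""
POISONED = """\
192.168.1.1 dev wlan0 lladdr 00:11:22:aa:bb:37 REACHABLE
192.168.1.20 dev wlan0 lladdr 00:11:22:aa:bb:20 STALE
192.168.1.37 dev wlan0 lladdr 00:11:22:aa:bb:37 REACHABLE
"""

if __name__ == "__main__":
    for alert in detect_arp_spoofing(parse_neigh(BASELINE), parse_neigh(POISONED), "192.168.1.1"):
        print("ALERT:", alert)
```

A router that legitimately hosts several addresses on one interface, or a VRRP pair, also triggers the second alert, so treat it as a prompt to investigate rather than proof of an attack.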

2. Decryption

A MITM attack doesn’t stop at interception. After the attacker gains access to the victim’s encrypted data, it must be decrypted in order for the attacker to be able to read and use it. A number of methods might be used to decrypt the victim’s data without alerting the user or application:

  • HTTPS Spoofing: HTTPS spoofing is a method for tricking your browser into thinking a certain website is safe and authentic when it’s not. When a victim attempts to connect to a secure site, a false certificate is sent to their browser which leads them to the attacker’s malicious website instead. This gives the attacker access to any data the victim shares on that site.
  • SSL Hijacking: Any time you connect to an unsecure website, indicated by “HTTP” in the URL, the web server automatically redirects you to the secure HTTPS version of that site. With SSL hijacking, the attacker uses their own computer and server to intercept the redirect, allowing them to interrupt any information passed between the user’s computer and the server. This gives them access to any sensitive information the user enters during their session.
  • SSL Stripping: SSL stripping involves the attacker interrupting the connection between a user and a website. This is done by downgrading a user’s secure HTTPS connection to an unsecure HTTP version of the website. This connects the user to the unsecure site while the attacker maintains a connection to the secure site, rendering the user’s activity visible to the attacker in an unencrypted form.

Real-World Examples of a MITM Attack

There have been a number of well-known MITM attacks over the last few decades. 

  • In 2015, an adware program called Superfish, which was pre-installed on Lenovo machines since 2014, was discovered to be scanning SSL traffic and installing fake certificates that allowed third-party eavesdroppers to intercept and redirect secure incoming traffic. The fake certificates also functioned to introduce ads even on encrypted pages. 
  • In 2017, a major vulnerability in mobile banking apps was discovered for a number of high-profile banks, exposing customers with iOS and Android to man-in-the-middle attacks. The flaw was tied to the certificate pinning technology used to prevent the use of fraudulent certificates, in which security tests failed to detect attackers due to the certificate pinning hiding a lack of proper hostname verification. This ultimately enabled MITM attacks to be performed.

How to Detect a MITM Attack

If you’re not actively searching for signs that your online communications have been intercepted or compromised, detecting a man-in-the-middle attack can be difficult. While it’s easy for them to go unnoticed, there are certain things you should pay attention to when you’re browsing the web — mainly the URL in your address bar. 

A secure website is denoted by “HTTPS” in a site’s URL. If a URL is missing the “S” and reads as “HTTP,” it’s an immediate red flag that your connection is not secure. You should also look for an SSL lock icon to the left of the URL, which also denotes a secure website.


Additionally, be wary of connecting to public Wi-Fi networks. As discussed above, cybercriminals often spy on public Wi-Fi networks and use them to perform a man-in-the-middle attack. It’s best to never assume a public Wi-Fi network is legitimate and avoid connecting to unrecognized Wi-Fi networks in general. 

Prevention and How to Prepare 

While being aware of how to detect a potential MITM attack is important, the best way to protect against them is by preventing them in the first place. Be sure to follow these best practices: 

  • Avoid Wi-Fi networks that aren’t password-protected, and never use a public Wi-Fi network for sensitive transactions that require your personal information.  
  • Use a Virtual Private Network (VPN) — especially when connecting to the internet in a public place. VPNs encrypt your online activity and prevent an attacker from being able to read your private data, like passwords or bank account information. 
  • Log out of sensitive websites (like an online banking website) as soon as you’re finished to avoid session hijacking. 
  • Maintain proper password habits, such as never reusing passwords for different accounts, and use a password manager to ensure your passwords are as strong as possible.  
  • Use multi-factor authentication for all of your accounts.
  • Use a firewall to ensure safe internet connections. 
  • Use antivirus software to protect your devices from malware. 

As our digitally connected world continues to evolve, so does the complexity of cybercrime and the exploitation of security vulnerabilities. Taking care to educate yourself on cybersecurity best practices is critical to defending against man-in-the-middle attacks and other types of cybercrime. At the very least, being equipped with strong antivirus software goes a long way in keeping your data safe and secure.