What’s a MITM (man in the middle) attack?
A man in the middle attack is a type of cyber attack in which a hacker eavesdrops on a private exchange between two parties. The hacker can intercept sensitive information, or even impersonate one of the parties to manipulate the interaction. Since neither side is aware of the interloper, they exchange information as though talking to a trusted party.
A MITM attack aims to gather sensitive, private data – like bank details or login credentials – from unsuspecting victims. This data can then be used to seize control of your bank account, or engage in identity theft. Typically, this type of attack is deployed on financial platforms or e-commerce sites. There have also been a number of MITM attacks targeting crypto users in recent years.
In very simple terms, it’s akin to calling your bank, and the call being intercepted by an interloper who you reveal your details to. This person can both gather and use your personal data, and may also pose as the bank manager to advise you to transfer your funds to a fraudulent account.
How do MITM attacks work?
A digital man in the middle attack comprises two key “phases”: interception and decryption.
Interception
As the name suggests, the interception phase relates to the hacker gaining access to your private conversation with a website. This is generally done in one of two ways:
- An evil twin attack involves a hacker setting up an unsecured public WiFi network and waiting for victims to use the connection. The fake network will likely have the same SSID as an existing network, making it look legitimate to the user. Once connected, the hacker – who will have deployed monitoring software on the connection – positions themselves between the user and the website. This means they can log everything the user is doing. Say you decide to log in to your digital banking app; the perpetrator will be able to spy on your login credentials and use them at a later date. Alternatively, if you decide to make a purchase online, the attacker will be able to see your credit card details as you enter them.
- Another option is for the hacker to simply monitor – or sniff – activity on an HTTP (unsecured) website. HTTP sites don’t encrypt data entered on their interface, meaning that with a few easy steps, hackers can monitor activity on the site. This enables them to capture data entered there by unsuspecting users, such as login credentials or banking info.
Decryption
A successful man in the middle attack needs to go undetected. Since the majority of internet traffic is encrypted using the SSL protocol, it needs to be decrypted before it can be read. And all of this needs to happen without the website or the victim knowing.
There are a number of ways attackers might decrypt data discreetly:
- HTTPS Spoofing
HTTPS Spoofing entails the attacker creating a fake domain name very similar to an existing target domain with HTTPS encryption. For example, instead of mycitybank.com, an attacker might create the domain name myc1tybank.com, hoping that the user won’t notice. The victim might enter private information, such as login credentials or banking details – all of which will be captured by the hacker. The fake site is unencrypted, meaning everything the victim enters there will appear in plain text to the hacker.
- SSL BEAST
In an SSL BEAST attack, a victim downloads some malicious code that permits the hacker to disable encryption on the target site. This means all the victim’s interaction with that site will be shown clearly to the hacker, including passwords and personal details entered there. Neither the victim, nor the target site, will be aware of the hack.
- SSL Hijacking
Here, the hacker is able to spy on an exchange between a user and a secure site by forging authentication keys to both sides. This means the attacker can eavesdrop on all interactions between the parties, while the connection still appears secure at both ends.
- SSL Stripping
SSL stripping allows an attacker to downgrade a secure HTTPS site to HTTP. To achieve this, the hacker intercepts the Transport Layer Security (TLS) authentication sent by the website. This protocol – the encryption guarantee – is removed from the exchange. Meanwhile, the “stripped” unencrypted version of the site is sent to the victim.
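The HTTPS spoofing example above (mycitybank.com versus myc1tybank.com) is the kind of lookalike a defender can catch automatically. The following is an added example, not code from the original article: a small Python check that normalises digit-for-letter substitutions and measures edit distance against a watched list of brand domains, the sort of check you might run over DNS or proxy logs. The `WATCHED` list and the `CONFUSABLES` table are constructed for the example.

```python
# Added example (not from the original article): flag lookalike domains of the
# kind used for HTTPS spoofing, such as myc1tybank.com imitating mycitybank.com.
from typing import Optional

# Digits commonly swapped for the letters they resemble (assumed, constructed list).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b",
})

# Domains we want to protect (constructed sample).
WATCHED = ["mycitybank.com", "example-shop.com"]


def normalize(label: str) -> str:
    """Map lookalike digits back to the letters they imitate."""
    return label.lower().translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Keep the last two labels (login.myc1tybank.com -> myc1tybank.com).
    Assumption: multi-label suffixes such as .co.uk are not handled here."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str, watched=WATCHED) -> Optional[str]:
    """Return the watched domain that `host` imitates, or None if it is the
    genuine domain or unrelated to every watched domain."""
    dom = registrable(host)
    for brand in watched:
        if dom == brand:
            return None  # the real domain, nothing to flag
        if normalize(dom) == normalize(brand) or edit_distance(dom, brand) <= 1:
            return brand
    return None


def scan(hosts):
    """Map each flagged host to the brand it resembles."""
    flagged = {}
    for h in hosts:
        brand = lookalike_of(h)
        if brand:
            flagged[h] = brand
    return flagged
```

A hit from `scan` is a reason to block or alert on the domain, not proof of fraud; genuine typo-squats registered by the brand itself will also match.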