
Man in the middle attack

Vangie Beal
Last Updated January 12, 2024 4:07 am

What’s a MITM (man in the middle) attack?

A man in the middle attack is a type of cyber attack in which a hacker eavesdrops on a private exchange between two parties. The hacker can intercept sensitive information, or even impersonate one of the parties to manipulate the interaction. Since neither side is aware of the interloper, they exchange information as though talking to a trusted party.

A MITM attack aims to gather sensitive, private data – like bank details or login credentials – from unsuspecting victims. This data can then be used to seize control of your bank account, or engage in identity theft. Typically, this type of attack is deployed on financial platforms or e-commerce sites. There have also been a number of MITM attacks targeting crypto users in recent years.

In very simple terms, it’s akin to calling your bank and having the call intercepted by an interloper, to whom you then reveal your details. This person can both gather and use your personal data, and may also pose as the bank manager to advise you to transfer your funds to a fraudulent account.

How do MITM attacks work?

A digital man in the middle attack comprises two key “phases”: interception and decryption.


As the name suggests, the interception phase relates to the hacker gaining access to your private conversation with a website. This is generally done in one of two ways: 

  • An evil twin attack involves a hacker setting up an unsecured public WiFi network and waiting for victims to use the connection. The fake WiFi will likely have the same SSID as an existing network, making it look legitimate to the user. Once connected, the hacker – who will have deployed monitoring software on the connection – positions themselves between the user and the website. This means they can log everything the user is doing. Say you decide to log in to your digital banking app; the perpetrator will be able to spy on your login credentials and use them at a later date. Alternatively, if you decide to make a purchase online, the attacker will be able to see your credit card details as you enter them.
  • Another option is for the hacker to simply monitor – or sniff – activity on an HTTP (unsecured) website. HTTP sites don’t encrypt data entered on their interface, meaning that with a few easy steps, hackers can monitor activity on the site. This enables them to capture data entered there by unsuspecting users, such as login credentials or banking info.


A successful man in the middle attack needs to go undetected. Since the majority of internet traffic is encrypted with the SSL protocol, it needs to be decrypted before it can be read. And all of this needs to happen without the website or the victim knowing.

There are a number of ways attackers might decrypt data discreetly:

  • HTTPS Spoofing

HTTPS Spoofing entails the attacker creating a fake domain name very similar to an existing target domain with HTTPS encryption. For example, instead of mycitybank.com, an attacker might create the domain name myc1tybank.com, hoping that the user won’t notice. The victim might enter private information, such as login credentials or banking details – all of which will be captured by the hacker. The fake site is unencrypted, meaning everything the victim enters there will appear in plain text to the hacker.

  • SSL Beast

In an SSL Beast attack, a victim downloads some malicious code that permits the hacker to disable encryption on the target site. This means all the victim’s interaction with that site will be shown clearly to the hacker, including passwords and personal details entered there. Neither the victim, nor the target site, will be aware of the hack.

  • SSL Hijacking

Here, the hacker is able to spy on an exchange between a user and a secure site by forging authentication keys to both sides. This means the attacker can eavesdrop on all interactions between the parties, while the connection still appears secure at both ends.

  • SSL Stripping

SSL stripping allows an attacker to downgrade a secure HTTPS site to HTTP. To achieve this, the hacker intercepts the Transport Layer Security (TLS) authentication sent by the website. This protocol – the encryption guarantee – is removed from the exchange. Meanwhile, the “stripped” unencrypted version of the site is sent to the victim.
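For the HTTPS spoofing case described above (myc1tybank.com posing as mycitybank.com), a defender can catch such names mechanically before a user has to spot them. This is an added example, not code from the original article; the allow-list, the substitution table and the function names are assumptions made for illustration.

```python
import unicodedata

# Hypothetical allow-list; mycitybank.com is the article's own example domain.
TRUSTED = {"mycitybank.com"}

# Assumed table of common look-alike characters, folded to one canonical letter.
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s", "3": "e"})

def skeleton(domain):
    """Lower-case, strip accents, and fold look-alike characters."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    return text.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain) for a domain name.

    verdict is 'trusted', 'lookalike' or 'unknown'.
    """
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good):
            return ("lookalike", good)   # differs only by confusable characters
        if edit_distance(domain, good) == 1:
            return ("lookalike", good)   # a single typo away from a trusted name
    return ("unknown", None)

if __name__ == "__main__":
    for name in ("mycitybank.com", "myc1tybank.com", "example.org"):
        print(name, classify(name))
```

A mail gateway, proxy or browser extension can run a check like this on link targets and warn on the 'lookalike' verdict.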

Man in the middle attack real life examples

You might think man in the middle attacks are shadowy affairs that go undetected in the digital ether. In reality, chances are you’ve heard about this type of attack in mainstream news and just weren’t aware.

Here are a couple of the most notorious MITM attacks you’ve probably already heard of.

Prism NSA spying scandal

In 2013, Edward Snowden became the world’s most famous whistleblower, leaking documents that proved the NSA had been spying on US citizens. The organization achieved this by intercepting Google traffic to reveal search queries entered by users. This went undetected by the users themselves thanks to careful decryption.

Equifax hack

In 2017, credit history platform Equifax fell prey to a MITM attack that enabled hackers to access financial data for millions of clients. The breach saw perpetrators intercept web traffic within Equifax’s interface, something that went undetected thanks to an out of date encryption certificate within the company’s security wall.

How to detect a MITM attack

One obvious sign of a man in the middle attack is repeated disruption to the website you’re using. By disconnecting you from a service, hackers force you to re-enter your private login credentials, which allows them to harvest that data.

Another telltale clue is multiple unsecured public WiFi hotspots with the same SSID – particularly when one or more of those connections is not password protected. This could indicate fake public WiFi services which, once the user connects, permit hackers to monitor your activity and data.
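The hotspot check described above can be run over the output of any WiFi scanner. This is an added example, not code from the original article; the scan records, network names and hardware addresses are constructed sample data, and the function name is an assumption.

```python
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, security) as a WiFi scanner lists them.
SCAN = [
    ("CoffeeHouse_Guest", "3c:84:6a:10:22:01", "WPA2"),
    ("CoffeeHouse_Guest", "3c:84:6a:10:22:02", "WPA2"),  # second AP, same settings
    ("CoffeeHouse_Guest", "02:1a:11:f0:9b:7e", "OPEN"),  # same name, no password
    ("Airport_Free_WiFi", "58:ef:68:aa:01:10", "OPEN"),
    ("Airport_Free_WiFi", "9a:00:4c:3d:77:21", "OPEN"),
    ("HomeNet-5G", "a4:2b:b0:c1:d2:e3", "WPA3"),
]

def flag_suspect_ssids(scan):
    """Return {ssid: (reason, open_bssids)} for network names advertised by
    several access points where at least one of them is not password protected."""
    by_ssid = defaultdict(dict)
    for ssid, bssid, security in scan:
        by_ssid[ssid][bssid.lower()] = security.upper()  # de-duplicate repeat sightings

    findings = {}
    for ssid, aps in by_ssid.items():
        modes = set(aps.values())
        if len(aps) < 2 or "OPEN" not in modes:
            continue  # a single AP, or every AP with this name is protected
        open_bssids = sorted(b for b, mode in aps.items() if mode == "OPEN")
        # A protected network that also appears as open is the stronger signal.
        reason = "mixed-security" if len(modes) > 1 else "duplicate-open"
        findings[ssid] = (reason, open_bssids)
    return findings

if __name__ == "__main__":
    for ssid, (reason, bssids) in flag_suspect_ssids(SCAN).items():
        print(f"{ssid}: {reason}, open access points: {', '.join(bssids)}")
```

Large venues legitimately run many access points under one SSID, so a hit is a reason to confirm the network with staff, not proof of an evil twin.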

How to prevent a MITM attack

Now you’ve had a crash course in MITM attacks, you’re probably wondering how you can protect yourself. Here are a few security essentials you should be following to protect your privacy online.

Use a VPN

A virtual private network creates an encryption tunnel between your browser and your internet service provider. The standard of encryption used by most VPN providers would take thousands of years to hack. This ensures nobody – neither the service provider nor a hacker – can see your activity or personal data.

Be aware of HTTP websites

HTTP websites don’t encrypt communication between the client and the server. Instead they display all communications in plain text. This means anyone able to intercept the conversation can also read it. It pays to be aware of whether the site you’re using is HTTP, because this gives crucial insight into how visible your activity is.

Don’t use public WiFi for sensitive transactions

With hackers easily able to deploy a fake network and spy on your activity, public WiFi hotspots can be a risky business. You should never conduct sensitive transactions, or enter private login details, on a public network. One small oversight can turn into a costly mistake.

A secure connection is essential

Interacting online carries a host of risks that you may never have considered. That’s why it’s so important that your digital security infrastructure repels those risks before they can affect you.

A VPN is an essential tool for anyone who uses the internet. By creating an encryption tunnel backed by AES-256, VPNs ensure your sensitive data remains out of reach – even if you encounter a MITM attack.