What is a Man in the Middle Attack?
In cyber security, a man in the middle attack (MITM) is an attack in which the attacker secretly inserts itself into the communication between two parties. The attacker's aim is to relay, and usually alter, the messages exchanged between them. Both parties remain unaware of the third party and believe they are talking directly to each other.
A man in the middle attack is a form of active eavesdropping in which the attacker controls the conversation. The attacker establishes an independent connection with each victim and relays messages between them, so that both sides believe they are talking over a private connection. The attack succeeds only for as long as the attacker can satisfy the expectations of both parties while impersonating each of them to the other, for example by presenting a certificate the client accepts or by answering for an address the victim trusts.
In practice, attackers use man-in-the-middle attacks to eavesdrop on the communication between a client and a server: on Wi-Fi networks, in plaintext HTTP sessions, and in HTTPS (SSL/TLS) sessions where the client can be tricked into accepting a downgrade or a forged certificate. The intruder is typically after login data or personal information for malicious use.
How Does a Man in the Middle Attack Work?
A man in the middle attack requires the attacker to be logically positioned on the path between the two parties, so that it can observe or manipulate their traffic. This is achieved either by interfering with a legitimate network (for example by redirecting traffic at the ARP or DNS layer) or by setting up a fake network that the attacker controls. The attack proceeds in two phases: interception, followed by decryption, or more precisely defeating the encryption that should protect the intercepted traffic.
In the interception phase the attacker captures the victim's traffic before it reaches its intended destination. The simplest, passive way to do this is to offer a free malicious Wi-Fi hotspot in a public place: once a victim connects, every exchange that is not independently encrypted passes through the attacker's equipment. For a more active approach to interception, attackers use one of the following techniques:
- IP spoofing: the attacker crafts IP packets with a forged source address so that they appear to come from another system, typically one the victim already trusts.
- ARP spoofing: the attacker sends forged ARP replies on the local network so that the IP address of a legitimate host (usually the default gateway) becomes bound to the attacker's MAC address in the victims' ARP caches. Traffic for that IP is then delivered to the attacker, who forwards it on so that nobody notices.
- DNS spoofing: the attacker poisons the DNS cache of the victim or of its resolver, or compromises the DNS server itself, so that the name of the target website resolves to an address the attacker controls.
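As an added example (not part of the original article), the following Python script shows how ARP spoofing of the kind described above can be detected from the ARP replies seen on a LAN. The replies are a constructed sample rather than a real capture, and the gateway address 192.168.1.1 and the MAC addresses are assumed values; in a real deployment the list would be fed from a packet sniffer.

```python
"""Detect ARP spoofing from the ARP replies seen on a LAN (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str    # the IP address the reply claims to answer for
    sender_mac: str   # the MAC address the reply binds to that IP
    ts: float         # capture time in seconds


# Constructed sample capture (assumed addresses, not a real network):
# the gateway 192.168.1.1 legitimately lives at aa:bb:cc:dd:ee:01; from t=1.2 s a second
# station (the attacker, de:ad:be:ef:00:01) starts answering for the gateway's IP and keeps
# repeating the reply so the poisoned cache entry never expires.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01", 0.0),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", 0.5),
    ArpReply("192.168.1.1", "aa:bb:cc:dd:ee:01", 1.0),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 1.2),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 1.3),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 1.4),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 1.5),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", 1.6),
    ArpReply("192.168.1.20", "aa:bb:cc:dd:ee:20", 9.0),
]


def detect_arp_spoofing(replies, flood_threshold=5, window=2.0):
    """Return {"conflicts": {ip: [macs...]}, "floods": [ips]}.

    Two indicators are checked:
      1. conflict: one IP advertised with more than one MAC address;
      2. flood: at least `flood_threshold` replies for one IP inside `window`
         seconds, the re-poisoning pattern spoofing tools produce.
    A normal host answers for its own IP only when asked, so neither should occur.
    """
    bindings = defaultdict(list)   # ip -> MACs seen, in order of first appearance
    recent = defaultdict(list)     # ip -> timestamps still inside the sliding window
    conflicts, floods = {}, set()
    for r in replies:
        macs = bindings[r.sender_ip]
        if r.sender_mac not in macs:
            macs.append(r.sender_mac)
            if len(macs) > 1:
                conflicts[r.sender_ip] = list(macs)
        times = recent[r.sender_ip]
        times.append(r.ts)
        while times and r.ts - times[0] > window:
            times.pop(0)
        if len(times) >= flood_threshold:
            floods.add(r.sender_ip)
    return {"conflicts": conflicts, "floods": sorted(floods)}


if __name__ == "__main__":
    result = detect_arp_spoofing(SAMPLE_REPLIES)
    for ip, macs in result["conflicts"].items():
        print(f"ALERT conflicting ARP bindings for {ip}: {', '.join(macs)}")
    for ip in result["floods"]:
        print(f"ALERT reply flood for {ip}")
```

The conflict check is the one most monitoring tools rely on; the flood check catches the attacker's periodic re-poisoning even on a network where the genuine host has gone quiet. Neither replaces a preventive control such as static ARP entries for the gateway or Dynamic ARP Inspection on managed switches.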
After interception, the attacker still has to deal with SSL/TLS. Properly verified TLS traffic cannot simply be decrypted by a third party, so the attacker has to either remove the encryption or impersonate the server, without alerting the user or the application. The two common methods are:
- SSL stripping: the attacker's proxy talks HTTPS to the real server but serves the victim a plaintext HTTP copy of the site, rewriting every https:// link in the pages to http://. The victim's browser therefore keeps sending its requests, including credentials, in the clear to the attacker, who relays them over the genuine HTTPS connection.
- SSL hijacking: during the TLS handshake the attacker presents its own forged certificate and keys to the victim while completing a separate TLS session with the real application. If the victim's client accepts the forged certificate (because it does not verify certificates, or because an attacker-controlled CA has been installed on the device), the session looks secure, but the attacker controls it end to end and can read and modify everything.
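The two sides of the SSL stripping step, the attacker's link rewrite and the browser-side HSTS defence against it, as an added Python example that is not code from the original article. `strip_https` performs the rewrite an sslstrip-style proxy does; `HstsCache` models what a browser does with the Strict-Transport-Security header. The host bank.example, the page content and the header values are constructed for illustration.

```python
"""SSL stripping and the HSTS defence against it (added example, constructed data)."""
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed page as the real server sends it over HTTPS (hypothetical host bank.example).
PAGE = '<a href="https://bank.example/login">Log in</a>'
# Constructed HSTS header the real server sends with its HTTPS responses.
HSTS_HEADER = {"strict-transport-security": "max-age=31536000; includeSubDomains"}


def strip_https(html):
    """What an sslstrip-style proxy does to every page it relays: rewrite https:// to
    http:// so the victim's next request is plaintext, while the proxy keeps its own
    HTTPS session to the real server."""
    return re.sub(r"https://", "http://", html, flags=re.IGNORECASE)


def parse_hsts(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age" and val.isdigit():
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub


class HstsCache:
    """The browser-side HSTS store: hosts that must only ever be fetched over HTTPS."""

    def __init__(self):
        self._policies = {}   # host -> (expires_at, include_subdomains)

    def observe(self, host, headers, now, over_tls):
        # HSTS is honoured only on HTTPS responses, so the attacker's stripped HTTP
        # replies can neither set nor clear a policy.
        value = headers.get("strict-transport-security")
        if value is None or not over_tls:
            return
        max_age, include_sub = parse_hsts(value)
        if max_age is None:
            return
        if max_age == 0:
            self._policies.pop(host.lower(), None)
        else:
            self._policies[host.lower()] = (now + max_age, include_sub)

    def _covered(self, host, now):
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy and policy[0] > now and (i == 0 or policy[1]):
                return True
        return False

    def upgrade(self, url, now):
        """Return the URL the browser will actually request."""
        p = urlsplit(url)
        if p.scheme == "http" and self._covered(p.hostname or "", now):
            netloc = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
            return urlunsplit(("https", netloc, p.path, p.query, p.fragment))
        return url


def victim_fetches(now, first_contact_over_tls):
    """Simulate a victim who visited bank.example an hour ago, is now behind a stripping
    proxy, and clicks the login link. Returns the URL the browser requests."""
    cache = HstsCache()
    cache.observe("bank.example", HSTS_HEADER, now - 3600, over_tls=first_contact_over_tls)
    link = re.search(r'href="([^"]+)"', strip_https(PAGE)).group(1)
    return cache.upgrade(link, now)


if __name__ == "__main__":
    print("earlier visit over HTTPS      :", victim_fetches(1000.0, True))
    print("earlier visit already stripped:", victim_fetches(1000.0, False))
```

The simulation shows the caveat that matters in practice: HSTS is trust on first use. A browser that has seen the bank's policy over HTTPS upgrades the stripped link on its own; one whose very first contact was already through the attacker never learns the policy, which is why sites that care get their domains onto the browsers' HSTS preload list. SSL hijacking with a forged certificate is a separate problem that HSTS does not solve; it is defeated only by the client verifying the certificate chain and hostname.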
Types of Man in the Middle Attacks:
Statistics on man in the middle attacks vary widely: between 54% and 95% of HTTPS servers have been reported as vulnerable. Netcraft, for instance, estimated in 2016 that 95% of HTTPS servers were exposed to man in the middle attacks (these were servers that did not enforce HSTS, so their users could be downgraded to plaintext). According to IBM's X-Force Threat Intelligence Index 2018, more than a third (35%) of the exploitation activity it observed involved MitM attacks. Some of the common and recent forms of man in the middle attack are as follows:
- Wi-Fi eavesdropping (evil twin): the attacker sets up a Wi-Fi hotspot near a public location where people look for free connectivity, often under the same name as a legitimate network, and lures victims into connecting to it. All traffic from the connected devices then passes through the attacker.
- Man in the browser: this variant targets the user's financial information. Rather than exploiting the network, the attacker plants malware inside the web browser (typically a trojan that installs a browser extension or hooks the browser's own functions), where it sees page content before it is encrypted and after it is decrypted, so TLS offers no protection. When the user logs in to online banking the malware records the credentials; in some cases its scripts also transfer funds and then alter the displayed transaction records to hide what happened.
- Email hijacking: attackers target the email accounts of banks or other financial institutions. Once inside, they monitor the correspondence between the institution and its clients, then spoof the bank's email address and send customers instructions of their own. Customers who trust the message follow the instructions and hand over the information requested, such as account or payment details.
- IP spoofing: an IP address is to an internet-connected device roughly what a street address is to a house. By spoofing an IP address the attacker makes the user believe they are interacting with a legitimate website or service, and any personal information the user submits goes straight to the attacker.
- HTTPS spoofing: you will often have noticed "HTTPS" rather than "HTTP" at the start of a URL. The "S" stands for "secure": it means the browser has an encrypted connection to whoever holds the certificate for that domain, not that the site itself is trustworthy. In HTTPS spoofing the attacker tricks the browser into believing it has reached the trusted website when it has not, for example by redirecting it to a look-alike domain under the attacker's control. The attacker can then monitor everything exchanged with that site and steal the personal data the user submits.
How Can Man in the Middle Attacks Be Prevented?
An attack in progress is difficult to detect, but most man in the middle attacks can be prevented with cyber security awareness and secure network hygiene. Since the attack is built on techniques such as DNS, ARP and IP spoofing and on weakening HTTPS, the controls that defeat those techniques (TLS with proper certificate verification and HSTS, trustworthy DNS resolution, and avoiding unknown Wi-Fi networks) remove most of the attacker's footholds.
On the email side, where spoofed sender addresses are the attacker's way in, organizations rely on email authentication tools such as KDMARC. Kratikal offers end to end cyber security services, and KDMARC is its tool for deploying the DMARC email authentication protocol.
Email is one of the most common channels for the spoofing that man in the middle attacks depend on. By implementing KDMARC you can protect your mail with DMARC, which builds on SPF and DKIM to verify that a message claiming to come from your domain was actually authorised by you, and which tells receiving servers to quarantine or reject mail that was not. This disallows unauthorized, fraudulent use of your email domain. DMARC protects the sending domain in email; it does not stop DNS or IP spoofing at the network layer, which need the TLS and network controls described above.
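To show what DMARC does and does not protect, here is an added Python example, not the KDMARC product's code, that evaluates DMARC for one inbound message the way a receiving mail server does. The record for bank.example, the attacker.example domain and the SPF/DKIM results are constructed; a real receiver would look up the `_dmarc` TXT record via DNS and use the Public Suffix List to determine the organizational domain.

```python
"""DMARC evaluation for one inbound message (added example, constructed inputs)."""
from dataclasses import dataclass


def parse_dmarc_record(txt):
    """Parse the TXT record published at _dmarc.<domain> into a dict of tags."""
    tags = {}
    for part in txt.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: %r" % txt)
    tags.setdefault("adkim", "r")   # DKIM alignment: r = relaxed, s = strict
    tags.setdefault("aspf", "r")    # SPF alignment
    return tags


def org_domain(domain):
    """Organizational domain. Assumption for this example: the last two labels;
    a real receiver consults the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Does the authenticated domain align with the RFC5322.From domain?"""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain in the From: header the user sees
    spf_pass: bool
    spf_domain: str    # domain SPF authenticated (the envelope MAIL FROM)
    dkim_pass: bool
    dkim_domain: str   # d= of a passing DKIM signature, "" if none


def evaluate_dmarc(record_txt, r):
    """Return "pass", or the disposition the domain owner requested for failing mail."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, tags["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed scenario: bank.example publishes a strict reject policy.
BANK_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@bank.example"

# The attacker's own infrastructure passes SPF and DKIM for attacker.example,
# but the From: header claims bank.example, so nothing aligns.
SPOOFED = AuthResults("bank.example", True, "attacker.example", True, "attacker.example")
# The bank's real mail server: SPF passes for bank.example itself.
GENUINE = AuthResults("bank.example", True, "bank.example", False, "")
# A bank subdomain signs the mail: accepted under relaxed alignment only.
SUBDOMAIN_SIGNED = AuthResults("bank.example", False, "", True, "mail.bank.example")

if __name__ == "__main__":
    for label, res in [("spoofed", SPOOFED), ("genuine", GENUINE), ("subdomain", SUBDOMAIN_SIGNED)]:
        print(f"{label:10s} -> {evaluate_dmarc(BANK_RECORD, res)}")
```

The point the example makes is that DMARC's verdict is about the From domain only: the spoofed message is rejected because nothing authenticated for bank.example, regardless of how the attacker's own mail server was configured. The network-layer interception techniques above are outside its scope, and since the policy itself is fetched over DNS, a receiver whose resolver has been poisoned could be served a forged record, which is one more reason to secure DNS resolution.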