Written by Gonzalo Torres
Published on September 24, 2018

What is a Man-in-the-middle attack?

A Man-in-the-middle attack is a generic name for any cyber attack where someone gets in between you and whatever you’re doing online: between you and your online banking; or between you and your chat with mom; or between your work emails and whoever is meant to send/receive them; or between you and the box where you enter your payment details; or, or, or.

This article contains :

    Imagine your mail carrier taking a peek at your letters before delivering them to you. Helping themselves to that brand new credit card that’s coming in the post with your name on it. Changing a few sentences in that letter you just wrote to your ex. Sharing your most intimate details with the highest bidder among your neighbors.

    In a Man-in-the-middle attack, hackers get between you and your online banking, your chat with mom, your work emails, your payment details...

    That’s what a Man-in-the-middle attack (MITM from now on, because ain’t nobody got time for that) boils down to — only it happens online. MITM attacks allow hackers to intercept, send and receive data to and from your device undetected until the transaction is complete.

    Common targets of MITM attacks (hint: money, money, money)

    The most common targets of MITM attacks are

    • online shopping sites

    • online banking sites

    • any other sites where you have to log in before accessing account and credit card details

    Unsurprisingly, criminals go where your money is.

    Types of Man In The Middle attack

    Email hijacks (or how to lose $500,000 with just one little email)

    If the idea of someone intercepting your emails — and even sending emails from your own account — sounds like science-fiction to you, you need to meet the Luptons.

    The Luptons are a British couple who decided to sell their apartment. When the sale went through, their lawyer emailed them to ask for their bank account number so he could transfer them the money. The Luptons happily obliged.

    What the Luptons didn’t know was that a band of cyber criminals had read their lawyer’s email, as well as their reply. Right away, these criminals emailed the lawyer from the Luptons’ very own email account, told him to ignore the previous bank account number, and to please send the money to a different account instead. That’s how these criminals stole £333,000 (nearly $500,000) from Paul and Ann Lupton.

    The Luptons weren't targeted by blind chance. Hacking tools can mass scan unsecured emails for the right combination of words

    “Wait, but it’s extraordinarily unlucky that someone happened to be spying on their email communications at that particular moment” you might be thinking. “The odds of that happening must be astronomically small”.

    It doesn’t work like that.

    The Luptons weren’t targeted by blind chance, and it wasn’t personal either — hacking tools now allow criminals to essentially mass scan unsecured email communications, searching for the right combination of words, until they find what they’re looking for. As you saw with the Lupton example, it can happen to anyone.

    Wi-Fi MITM (a.k.a. OMG WTH)

    Wi-Fi eavesdropping is a huge deal. Wi-Fi Man In The Middle attacks usually take the form of a rogue networks or an ‘evil twin' (which, if you’ve ever watched a soap opera, is exactly what it sounds like).

    • Rogue networks are simply public Wi-Fi networks set up by hackers, complete with enticing names like "Free WiFi" or "Looks like Starbucks WiFi But Isn't."

    • Evil twin attacks are when the hackers set up public Wi-Fi networks that completely mimic legitimate networks you've used in the past. This can fool your devices into connecting automatically, because they are designed to make your life easier and not have you repeatedly enter passwords.

    Either way, the hackers completely own these connections, and when people connect to them, everything they do now goes through the hackers. The hacker can then steal their passwords, login and payment details, and other sensitive personal data.

    Evil twins can look just like their nice counterpart — the Wi-Fi network of the hotel you’re staying at, or the coffee shop you’re patronizing, or the airport you’re transiting through

    “So how am I supposed to know if the free Wi-Fi I just connected to is real or fake? How can I protect myself?” you might be thinking. Worry not — there’s hope, and it’s relatively easy. We’ll get to that in a minute.

    But first, let’s have a look at...

    Session Hijacks (or how stealing cookies is something grown-ups do now)

    Another type of MITM attack is when criminals grab a hold of the bits of code your browser generates to connect to different websites. This is known as cookie hijacking, and it’s nowhere near as much fun as it sounds.

    These bits of code, or session cookies, can contain tons of vital personal information, from usernames and passwords to pre-fill forms, your online activities — even your physical address. And once a hacker’s got a hold of all that info, there’s all kinds of things they can potentially do with it, none of them good: impersonating you online, logging onto financial stuff, identity theft and fraud, etc.

    Man In The Browser Attack

    You may be doing your online banking and seeing your usual screen — but this is just a smokescreen to keep you fooled while hackers move your money out of your account

    Man In the Browser. MITB. MIB. It all boils down to this: a Trojan infects your device, allowing criminals to get in the middle of your online transactions (emails, payments, banking, what have you), and change them to suit their needs — all without you even noticing, because what you see on your end is what the hackers want you to see.

    You may be doing your online banking and seeing your usual screen with the amount of funds you expect to see — but this is just a smokescreen to keep you fooled: your bank is receiving requests from criminals pretending to be you, moving your money out of your account, etc. You just can’t see it. By the time you realize what’s happening, it’s too late.

    These MITB trojans typically get into your computer via phishing scams, which is why we rag on you so much about how important it is not to open dodgy emails and to take proper precautions while you browse. 

    How do Man In The Middle attacks work?

    There are two steps in a MITM attack:

    Step 1: Interception

    The first order of business for Man-In-The-Middlers is to intercept your internet traffic before it reaches its destination. There are a few methods to get this done:

    • IP spoofing — Like a gang of bank robbers putting fake license plates on their getaway car, IP spoofing consists in hackers faking the real source of the data that they send to your computer, and masking it as a friendly, trusted source. Data is transmitted online in small data packets, each with its own identifying tag. IP spoofers change that tag for something your computer or smartphone recognizes as a legit website or service. Bottom line is, your device ends up talking to an impostor masking as the real thing.

    • ARP spoofing — Also going by ARP cache poisoning, or ARP poison routing, this MITM method sees hackers sending a false ARP (sounds like a belch, but stands for Address Resolution Protocol) over a LAN (not the Chilean national airline, but Local Area Network), so that the hacker’s MAC (neither the makeup nor the laptop, but rather Media Access Control) address can be linked to your IP (not a hiccup, but Internet Protocol) address and receive all the data that’s intended for you. Have you had it with the acronyms already?

    • DNS spoofing Well, here comes another one. DNS stands for Domain Name System, and it’s, well, a system for translating internet domain names from long, unpronounceable, numerical IP addresses into catchy, human-friendly titles like https://omfgdogs.com (go on, click on it — it’s awesome) and vice versa. To speed things up online, servers ‘remember’ these translations and save them in a cache. In a DNS spoofing or DNS cache poisoning attack (same thing, different name), hackers get into this cache and change the translations, so you’re automatically redirected to a fake site instead of the real one you wanted.

    Step 2: Decryption

    Once hackers have intercepted your web traffic, they have to decrypt it. Here are some common decryption methods used in MITM attacks:

    • HTTPS spoofing — For a long time, if you saw the letters HTTPS (HTTP Secure) in front of an internet address, you knew you were in good hands. HTTPS is a website certificate key that indicates your transactions on that site are encrypted and your data is therefore secure. But in a HTTPS MITM attack, a hacker installs a spoofed root security certificate so that your browser thinks it’s a certificate it trusts. Because the browser trusts it, it provides it with the encryption key needed to decipher the data you’re sending out — and now the hacker can receive and decrypt it all, read it, re-encrypt it, and send it off to its destination without either you or the final site knowing the communication was intercepted. Sneaky and dangerous — for instance, this is how your emails or online chats could be being read as you send them back and forth.

    • SSL Beast — Bring back the acronym party! The ‘beast’ part stands for Browser Exploit Against SSL/TLS. SSL is the Secure Sockets Layer protocol (it's the "Secure" in HTTP Secure). That means that hackers can exploit weak spots in the CBC (Cipher Block Chaining, I’m sorry, I wish I could say this is the last one) to grab and decrypt the data that’s going between your browser and a web server. In layman’s terms, it’s another way to maliciously decrypt our web traffic, and it sucks for us internet users.

    • SSL hijacking — An SSL Man-In-The-Middle attack works like this: when you connect to a website, your browser first connects to the HTTP (non-secure) version of the site. The HTTP server redirects you to the HTTPS (secure) version of the site, and the new secure server provides your browser with a safety certificate. Ping! You’re connected. SSL hijacking happens right before you connect to the secure server. Hackers reroute all your traffic to their computer so your information (emails, passwords, payment details, etc) goes through them first.

    • SSL stripping — SSL stripping consists on downgrading a website from HTTPS (secure) to HTTP (non-secure). A hacker, by means of a proxy server or one of those ARP spoofing tricks we mentioned above, gets between you and a secure connection, and serves you an unsecured (HTTP) version of it — so all your data, passwords, payments, etc, reach the hacker in plain, unencrypted text. Without you knowing, of course.

    Man-in-the-middle attack prevention

    MITM attacks are potentially terrible things, but there’s lots you can do to prevent and minimize the risks — and keep your data, your money, and your dignity safe.

    Always use a VPN

    In plain English, a VPN is a program or app that hides, encrypts and disguises everything you do online — your emails, chats, searches, payments, even your location. VPNs help you protect yourself from MITM attacks and secure any Wi-Fi by encrypting all your internet traffic and turning it into uncrackable gibberish for anyone who may be eavesdropping.

    There are lots of VPNs out there, and many of them are rubbish: they’re too slow, or careless with your data, or not as private as they’d want you to think they are. Luckily, your favorite online security company has a terrific VPN you can trust — and you can even try it for free.

    Remember your essential website safety tips

    Here’s a great, short guide on how to check if a website is safe. You really don’t need much technical knowledge to start using these tips, and they can potentially save you from serious trouble — online and offline

    Get a good antivirus

    MITM attacks often use malware to do their thing, so it’s essential that you get yourself some good antivirus software you can trust

    If money is tight, start with this excellent free antivirus. But if you're looking to ditch Man In the Middle Attacks, you can also try out premium protection for free, which includes a Fake Website Shield designed specifically to stop you from being redirected to imposter websites. There’s great security out there for every pocket. No excuses.

    How to prevent HTTPS Man-in-the-middle attacks

    Remember SSL from earlier? It’s the type of MITM attack that turns HTTPS security certificates into wet paper, by downgrading sites to the less secure HTTP without you noticing.

    The solution is called HSTS (HTTP Strict Transport Security), a web security policy that forces browsers and sites to connect through secure HTTPS connections, no matter what. HTTP connection? No dice. HSTS not only takes care of SSL stripping attacks, but also helps against cookie theft and session hijacks — which is a nice bonus.

    The good news is that HSTS is becoming more and more common with time, with big web players like Google, Gmail, Twitter and Paypal — and browsers like Chrome, Firefox, Safari, Edge and IE — supporting it for years now.

    There isn’t one single, easy button you can click to convert all your connections to HSTS, but it helps if you use one of those aforementioned HSTS browsers. And if you own a website or server and you’re feeling technically adventurous, here are some instructions to make it HSDS-friendly.

    How to detect a Man-in-the-middle attack

    MITM attacks are very hard to detect while they’re happening, so the best way to stay safe is good prevention

    There are a few clues that may indicate you’re being the victim of a MITM attack:

    • Sudden, long page load delays for no apparent reason.

    • URLs switching from HTTPS to HTTP.

    It’s a very short list.

    The truth is, MITM attacks are very hard to detect while they’re happening, so the best way to stay safe is good prevention: as we said earlier, get and use a VPN, avoid connecting directly to public Wi-Fi, install a trustworthy antivirus, and look out for phishing scams.

    For the technically minded, there are trusted tools that can help to detect ARP spoofing, a clear indication of a MITM attack. Wireshark is the world’s most used network protocol analyzer, it’s free and open-source, and it will help you do just that.

    SSL Eye is a free software program for Windows which determines the SSL credentials of every site you communicate with — and can therefore let you know if you’re in the middle of a MITM attack.

    Your Man-in-the-middle attack prevention checklist

    Protect your Android against threats with AVG AntiVirus

    Free install

    Protect your iPhone against threats with AVG Mobile Security

    Free install
    Gonzalo Torres