How does a MITM attack work?
Imagine you get an email which requires you to log into your bank and the email ‘looks’ like it's from your bank, so you click on the link and submit your credentials only to find out that after submitting the information you don’t get inside your account. Well sad to say but all your bank details are with the attacker now. In this situation, the attacker made a look-alike website and email template for your bank which makes it look legitimate.
These types of attacks can happen targeting your bank account, social media, email accounts or any type of online account you may have depending on the attacker’s motives.
The easiest and most common way of a MITM attack is to give free WIFI (let me explain). An attacker sets up a malicious free WIFI hotspot which is not password protected. Once you log into the network, the attacker will have complete visibility to all your online activities.
Every website has an IP address. IP Spoofing is when an attacker tricks you into thinking that you're accessing a legitimate website but instead access a look-alike site made by the attacker. The attacker disguises himself by altering the packet headers in the IP address so that visitors will be redirected to the attacker’s site.
When an attacker sends falsified ARP (Address Resolution Protocol) messages over a network, which results in linking the attackers MAC address to a legitimate IP address of a computer or a server. As a result, when a user sends data or requests to the host, the data will be sent to the attacker’s site.
DNS spoofing is when an attacker infiltrates a DNS server and alters the website address records which results in users to be redirected to the attacker’s site. If this happens to you, then you will think you're on a safe site but in reality, you will interact with a fraudster.
When your request is made to a secure site, the attacker sends a fake certification. This results in accessing an unsecured site while the attacker fools the browser to think it’s accessing a secured site. The attacker now has access to monitor your interactions with the website and possibly steal personal information.
When accessing an HTTP server, the server often automatically redirects you to an HTTPS secure server. The ‘S’ in HTTPS stands for ‘secure’ and this means that the site has an SSL certificate (Secure Socket Layer). During an SSL hijacking, the attacker sends fake authentication keys to both the user and the server which seems to be a secure connection, but the attacker controls the whole session.
Stealing Browser Cookies
Browser cookies are bits of data which are saved on your browser. For example, when you log into social media or online shops, after the first entry of your credentials you don’t have to type them again on a later occasion as the site will fill it automatically. Once an attacker steals your browser cookies, they will have access to all your social media, online shops, and even possibly your bank details.
How to be protected from MITM
There are many ways a MITM can take place and so are the mitigation methods. Staying safe is always better than waiting for something to happen and then trying to solve it.
- Protect your WIFI: Make sure your home WIFI is secure by updating the usernames and passwords on your router by using strong passwords.
- Make sure that all the sites you visit have an SSL certification. Best way to see this is to check the URL for an ‘HTTPS’
- Most man-in-the-middle attacks happen by malicious software being installed on your computers. Always keep an antivirus software on your computer and up to date.
- Try to avoid connecting to public WIFI directly. Always try to use a VPN so that when sensitive information is transmitted, it will be encrypted and not accessible for the attacker.
If you want to learn more about the most common cyber-attacks, have a look at our previous article.