When three isn’t a crowd: Man-in-the-Middle (MitM) attacks explained

Gone are the days when eavesdropping was just the stuff of spies and the town gossip. In fact, it has evolved to become everyone’s favorite pastime. Thanks to the internet, it is now far easier to sit back online and catch juicy information than to press your ear against your neighbor’s wall.

While we can easily forgive and forget listeners within earshot when we’re having conversations in public, digital eavesdropping raises the privacy red flag to new heights. And it can be done quickly by taking advantage of two things: one, our penchant for connecting to Wi-Fi networks (whether they’re insecure or not, whether they’re for public or private use); and two, the exploitation of that Wi-Fi network. Suffice it to say, digital eavesdropping isn’t and shouldn’t be considered a pastime, especially if you have the skills and the means to do it.

And when it comes to eavesdropping online, the term that immediately comes to mind is man-in-the-middle, essentially a scenario wherein a third person places themselves in the middle of two parties communicating with each other. A third wheel, so to speak. However, this person or entity is unseen by the two parties. In fact, they don’t even know that they are in the company of a third wheel.

While we know that eavesdropping is generally a passive exercise—Person C takes the role of listener-observer and does not get involved with Person A and Person B while they chat—MitM attacks are anything but. On top of snooping, controlling the conversation is required; thus, contact with the targets is inevitable. This makes a MitM attack an active exercise. And such an interfering activity demands inventiveness, attention, patience, guile, and the willingness to be as deeply involved as needed to attain the goal.

MitM attacks could be aggressive, always surreptitious, and invasive.

Not to mention worrying and creepy. How can threat actors do this, and why even do it?

MitM attacks involve the unlawful tapping of a network to exploit transactions, conversations, and data transfers on the fly. Threat actors can do this by taking advantage of weaknesses in a network or in any of its elements, such as software (browser, VoIP client, etc.).

Many organizations practice what are essentially MitM tactics—whether or not they recognize them as such—so they can monitor their employees. Some do it for advertising purposes, as in the case of Superfish, a piece of software that came pre-installed on Lenovo consumer products.

Governments are also known operators of MitM attacks, using them to proactively spy on their citizens, circumvent the security measures of technologies, spy on enemy countries to steal classified information, and steal money from financial institutions based in other countries to fund their projects.

Furthermore, we’ve seen MitM used as a large part of the modus operandi of a criminal group that essentially stole from the clients of the private European companies it targeted. The group did this by infiltrating target networks to gain access to email accounts, monitoring payment requests from these companies, and then—putting themselves in the middle of the email conversation by impersonation—instructing clients to send payments to bank accounts the criminal group controlled.


Okay, so, we have Wi-Fi eavesdropping and email hijacking as two types of MitM attacks. Are there others?

These are just two of the most common types. Others are:

  • ARP poisoning
  • DNS spoofing
  • Port stealing
  • STP mangling

Note that not all the types we mentioned can be carried out on every kind of computer network. For example, ARP poisoning works against systems connected via Ethernet on the same LAN, but it cannot be used to attack remote systems.

There are also different ways a threat actor can perform MitM attacks, such as sniffing, injecting, hijacking, stripping, and filtering.
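Because ARP poisoning is confined to the local Ethernet segment, it is also one of the few MitM types a defender can spot from the network itself: the attacker has to keep sending forged ARP replies, and those replies leave a trail. The following is an added example, not code from the original post. It parses constructed ARP reply lines (in a simplified tcpdump-like format that is an assumption of this example, not a real capture) and flags three indicators: an IP whose MAC differs from a trusted static table, an IP whose MAC changes mid-capture, and a single MAC claiming more than one IP. The `KNOWN_HOSTS` table and all addresses are constructed.

```python
"""ARP-poisoning indicator detector over captured ARP replies.

Added example (not from the original post). Input lines are constructed in a
simplified, tcpdump-like format; the detection rules are generic and do not
depend on that exact format beyond the parser below.
"""
import re
from collections import Counter, defaultdict

# Constructed sample: normal traffic, then a rogue MAC claiming the gateway's
# IP and a victim's IP (the classic two-sided poisoning of a LAN conversation).
SAMPLE_CAPTURE = """\
10:00:01.000 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ARP, Reply 192.168.1.1 is-at aa:bb:cc:00:00:01
10:00:02.000 aa:bb:cc:00:00:10 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.10 is-at aa:bb:cc:00:00:10
10:00:03.000 aa:bb:cc:00:00:11 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.11 is-at aa:bb:cc:00:00:11
10:00:04.000 aa:bb:cc:00:00:10 > ff:ff:ff:ff:ff:ff, ARP, Request who-has 192.168.1.11 tell 192.168.1.10
10:00:05.000 de:ad:be:ef:00:99 > aa:bb:cc:00:00:10, ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99
10:00:05.100 de:ad:be:ef:00:99 > aa:bb:cc:00:00:01, ARP, Reply 192.168.1.10 is-at de:ad:be:ef:00:99
"""

# Static mapping for hosts whose MAC should never change (e.g. the gateway).
# Constructed value; on a real network take it from the router itself.
KNOWN_HOSTS = {"192.168.1.1": "aa:bb:cc:00:00:01"}

# Only ARP *replies* carry the "is-at" claim that poisoning abuses; requests
# are ignored by this pattern.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ARP, "
    r"Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at (?P<mac>[0-9a-f:]{17})$"
)


def parse_arp_replies(text):
    """Return [(timestamp, claimed_ip, claimed_mac), ...] for each ARP reply line."""
    replies = []
    for line in text.splitlines():
        m = ARP_REPLY.match(line.strip())
        if m:
            replies.append((m["ts"], m["ip"], m["mac"].lower()))
    return replies


def detect_arp_poisoning(replies, known_hosts=None):
    """Run the three indicator rules over replies in capture order.

    Returns a list of (rule, timestamp, ip, mac) alerts. The 'mac-claims-multiple-ips'
    rule is a low-confidence indicator on its own (a router with several addresses
    triggers it too); it is strongest when combined with the other two.
    """
    known_hosts = {ip: mac.lower() for ip, mac in (known_hosts or {}).items()}
    first_seen = {}                    # ip -> first MAC observed for it
    ips_by_mac = defaultdict(set)      # mac -> set of IPs it has claimed
    alerts = []
    for ts, ip, mac in replies:
        if ip in known_hosts and mac != known_hosts[ip]:
            alerts.append(("known-host-mismatch", ts, ip, mac))
        if first_seen.setdefault(ip, mac) != mac:
            alerts.append(("ip-mac-changed", ts, ip, mac))
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:
            alerts.append(("mac-claims-multiple-ips", ts, ip, mac))
    return alerts


if __name__ == "__main__":
    found = detect_arp_poisoning(parse_arp_replies(SAMPLE_CAPTURE), KNOWN_HOSTS)
    for rule, ts, ip, mac in found:
        print(f"{ts} {rule}: {ip} claimed by {mac}")
    print(Counter(rule for rule, *_ in found))
```

On a real segment the same rules apply to a live feed; the point of the static table is that the gateway's MAC is the one value an attacker on the LAN most wants to overwrite, so pinning it turns the noisiest part of the attack into the easiest alert.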

I’ve read somewhere that MitM comes in many forms. What are they?

There is an attack called man-in-the-browser (MitB), which starts when a piece of malware arrives on a user’s system, runs whenever the browser runs, and then does its magic by modifying banking transactions behind the scenes while maintaining the appearance of legitimacy to the unknowing user. From this, one can deduce that MitB attacks are made for financial fraud.

MitB attacks are particularly dangerous to users and tricky to spot because criminals can siphon off money even though security controls, mechanisms, and encryption are present on the bank website, and the user’s antivirus program is working normally.

Then there’s a type used against mobile devices called man-in-the-mobile (MitMo). This is also known as man-in-the-phone. Like MitB, this is also malware, and its purpose is specifically to circumvent SMS two-factor authentication. It does this by monitoring incoming messages for transaction authentication numbers (TANs) and other verification codes sent to users via SMS. Android users are mainly targeted by MitMo malware like SpyEye and ZeuS. CatchApp, an app capable of stealing encrypted chat messages from WhatsApp, is another example of software that can perform MitM attacks on mobile devices.

Still in the realm of mobile devices, we now have the relatively new type called man-in-the-app, wherein an attacker can use a self-signed certificate to communicate directly with a compromised app.

Then we have MitM for the cloud and for the Internet of Things, appropriately called man-in-the-cloud and man-in-the-IoT, respectively.

Are MitM attacks still happening?

Yes. They’re quite prevalent, actually. Some types of MitM attacks are easy to do, and there are readily available hacking tools a budding threat actor can use to set up an attack. It’s even possible (if not highly likely) for insider threats in a company to conduct such attacks within the organization’s intranet.

Unfortunately, detecting most MitM attack types is difficult. Therefore, nipping such attacks in the bud through prevention is still very important. And preventive measures against this type of attack also enhance a network’s security and privacy.

Since prevention is better than cure in this case, what are the ways to protect me from MitM attacks?

  • Avoid using public Wi-Fi networks, if you can, especially if they are not password-protected. If you do use secure Wi-Fi, limit your use to browsing, reading, and other activities that wouldn’t involve you entering your credentials.
  • Like we always say, log out of secured sessions whenever you’re not using them. The majority of social networks do this automatically the moment you kill the browser or close its tab, but it still pays to log out manually on other sites.
  • If possible, access only websites sporting the green lock or those using the HTTPS protocol. Also, if apps or extensions such as HTTPS Everywhere are available to force the browser to visit the secured versions of the websites you visit, install them.
  • Enable multi-factor authentication on your accounts wherever this option is available.
  • If possible, install and use a virtual private network (VPN) when conducting your sensitive transactions and communications online, or if you absolutely feel the need to use a public Wi-Fi connection.
  • Look out for potential phishing emails asking you to update your passwords. In line with this, also be wary of emails carrying attachments, which could be malware that exposes you to MitM attacks.
  • Make sure that your home router is configured securely as well. You can do this by changing the default router username and password to unique and strong ones.
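The HTTPS advice above only holds if the client actually verifies the certificate it is shown; a client that skips verification will happily complete a handshake with an interceptor’s self-signed certificate, lock icon or not. The following is an added example, not code from the original post: it builds a hardened TLS client context next to the insecure pattern that is often copy-pasted into scripts, and an audit function that reports which protections a given context has switched off. The function and variable names are this example’s own assumptions; `connect_verified` is only invoked when a host name is passed on the command line.

```python
"""Check that a TLS client context actually defends against a network MitM.

Added example (not from the original post). The 'weak' context is a constructed
illustration of the verification-disabled pattern; the 'hardened' one is what a
client should use so that an interposed certificate is rejected.
"""
import socket
import ssl
import sys


def make_hardened_client_context() -> ssl.SSLContext:
    """Verify the server chain against the system trust store, check the
    hostname, and refuse protocol versions older than TLS 1.2."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_weak_client_context() -> ssl.SSLContext:
    """The insecure pattern: every certificate is accepted, so an interceptor can
    present its own and read the traffic. Built here only for the audit to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list:
    """Return a list of findings; an empty list means the context verifies peers."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server certificate is not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid cert for any other name is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2: downgrade to weak protocol versions possible")
    return findings


def connect_verified(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Open a verified TLS connection and return the negotiated version and peer
    subject. Raises ssl.SSLCertVerificationError when the presented certificate
    does not chain to a trusted root or does not match `host`, which is exactly
    the failure an interceptor with a self-signed or mis-issued cert produces."""
    ctx = make_hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"version": tls.version(), "subject": cert.get("subject")}


if __name__ == "__main__":
    for name, ctx in (("hardened", make_hardened_client_context()),
                      ("weak", make_weak_client_context())):
        print(name, audit_client_context(ctx) or "OK")
    # Network use is opt-in: python this_file.py example.com
    if len(sys.argv) > 1:
        print(connect_verified(sys.argv[1]))
```

The audit is worth running against any `SSLContext` a codebase constructs by hand, because the weak pattern is usually introduced to silence a certificate error during development and then shipped; that error was the MitM protection working as intended.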

*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Jovi Umawing. Read the original post at: https://blog.malwarebytes.com/101/2018/07/when-three-isnt-a-crowd-man-in-the-middle-mitm-attacks-explained/