What’s a Man-in-the-Middle Attack, and How Can You Prevent One?
When you share confidential information with someone, you want to know who you’re talking to – and be sure nobody else is listening. If a stranger secretly slipped in between you and successfully impersonated your conversation partner, they’d have your secrets, and you might never know anyone else was listening. Cyberattacks like that can easily happen online. They’re called “Man-in-the-Middle” (MITM) attacks, and because they’re so powerful, cybercriminals have developed many types. Here’s what you need to know – including how to stay safe.
Examples of MITM attacks
Let’s take a classic, simple example, based on a MITM attack we covered in Naked Security several years ago. A cybercriminal sends you an email convincing you to go online with your bank or a government agency, ostensibly to solve a security problem or claim a tax refund.
But the link provided in the email doesn’t connect you to the legitimate site. Instead, you’re bounced to a site owned by the cybercriminal. That site mimics the official site nearly perfectly. You enter your user ID and password, and perhaps the two-factor authentication code you received via text message. But that information doesn’t go to your bank. Instead, the “man in the middle” uses it to immediately log on to your account and perform a transaction in your name.
Banks have become more sophisticated about recognizing these types of attacks, but you get the idea. You thought you were communicating with a legitimate website, but someone else was controlling the conversation, giving them access to your data. Maybe they stole your credit card or social security number. Or, alternatively, your company’s trade secrets – or even your country’s military secrets.
MITM attacks come in different flavors
MITM attacks don’t just observe and reroute your communication. They can also strip it of encryption, grab the content, re-encrypt it, and forward it to your intended destination, so nobody ever realizes what’s happened.
As we said, there are many forms of man-in-the-middle attacks. Here are just a few:
- Compromised public Wi-Fi. A hacker might eavesdrop on an unencrypted public Wi-Fi connection you’re using. Or they might create a fake public Wi-Fi hotspot (an “evil twin”) that mimics a legitimate hotspot. As soon as you log onto the fake hotspot, the hacker can intercept everything you send to a site, and everything it sends back to you.
- IP spoofing. Here, the criminal impersonates another device by using its IP address. It then connects to a server which recognizes that IP address as legitimate, and gives it access to sensitive data and applications. It’s a MITM attack because the criminal spoofs the IP address identification in both directions: first to the server, which thinks it’s getting a legitimate inbound communication request, and second, back to the legitimate sender, who thinks they’re communicating directly with the legitimate server and doesn’t realize someone’s standing in between, intercepting everything.
- DNS spoofing, also known as DNS cache poisoning. Here, the criminal compromises a database containing the “Domain Name System” (DNS) information needed to find a website on the internet. That might mean a large-scale DNS server that serves millions of people. But it also might be the local DNS cache on your own computer that lets it quickly find internet locations without first connecting to a remote DNS server. When your computer consults the corrupted database, it thinks it’s going to the correct site, but it’s actually connecting to a site the criminal owns. The criminal then intercepts your content – including, for example, your site password – before forwarding it to where it belongs.
Since man-in-the-middle attacks are often performed by malware, it’s essential to protect yourself with advanced anti-malware software such as Sophos Home Premium. Here are a few other steps that can help you resist many of these attacks:
- Use Virtual Private Networks (VPNs) when you’re in a public place.
- Don’t visit sites that aren’t protected by secure HTTPS: look for HTTPS rather than HTTP in the web address. This isn’t foolproof, but it helps.
- Stay away from websites when your browser warns they’re unsafe.
- Use two-factor authentication on sites that offer you the option.
- Don’t click email links or open attachments you aren’t expecting.
- Make sure your home Wi-Fi network is protected with a strong password and strong encryption. For example, use WPA2-PSK (AES) encryption, not WEP-64, WEP-128, or WPA-PSK.