Data theft is one of the most widespread security breaches in recent years, with 2017 seeing a record number of data breaches. One popular way for hackers to steal data is by using a Man-in-the-Middle attack, which can lead to identity theft, fraud, and more. So what is this attack? Here’s an easy explanation that’ll help you understand how it works and how to avoid it.
What is A Man-in-the-Middle Attack?
The Man-in-the-Middle attack is a type of attack that allows hackers to intercept, monitor, and alter data as it travels between two parties and also to eavesdrop on the communication. In this attack, a hacker inserts themselves in the middle of a conversation, thereby gaining access to whatever information is being transmitted.
This includes credit card numbers, social security numbers, and more. So how does a Man-in-the-Middle attack work? A hacker or cybercriminal uses an unsecured wireless hotspot to insert themselves between your device and the website you’re trying to visit. They can then watch what you type while they make changes. For example, they could enter your email address into the form field for your password and steal your identity in just seconds.
MITM Attack Progression Stages
A Man-in-the-Middle attack happens when a hacker is able to intercept and manipulate traffic between two parties. The hacker inserts themselves into the middle of a conversation, intercepting the data that’s exchanged. This is done by eavesdropping on the network traffic in some way. These attacks are most effective when they’re used in conjunction with social engineering, which is an attempt to convince someone they are talking to who they really aren’t.
Interception
A common way of doing this is with a passive attack, in which an attacker makes free and malicious WiFi hotspots available to the public. These are usually referred to by their city or location name. Once someone connects through them, the attacker gains full visibility into any online data exchanges that person does. Things like browsing history and passwords can be seen without having to do anything more than connect over these insecure hotspots.
The attacker will then be able to use this information to perform a variety of hacking activities like stealing login credentials, installing malware on your computer, sending spam messages, or even extortion.
Attackers who want a more direct approach to intercepting may send one of these types of attacks:
- ARP Spoofing: The process of spoofing an attacker’s MAC address with the user’s IP address. As a result, data that is sent to the host IP address which was originally intended for legitimate users will now enter into traffic meant for attackers.
- IP Spoofing: uses an attacker to disguise their identity by disguising the applications IP address. As a result, users attempting to access a website connected with that application are sent instead to the attackers’ website.
- DNS Spoofing: DNS cache poisoning, also known as DNS hijacking, is a method of taking control over the address records for certain web domains and redirecting users to malicious websites or servers. These methods typically involve infiltrating a DNS server and altering its contents so that legitimate website addresses are redirected to other sites.
Decryption
After Interception follows decryption which sneaks in without alerting the user or application that the connection was intercepted in any way. In order to unblock encrypted traffic, a number of methods exist which can be used:
- SSl Stripping: A downgrading attack intercepts the TLS authentication sent from an application to the user and sends unencrypted information while technically keeping a secure session with an application. This is how HTTPS attacks are created.
- SSL Beast: Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. In order to decrypt its cookies and authentication tokens, the app’s cipher block chaining (CBC) has been compromised in order to read them before they’re received by the browser.
- HTTPS Spoofing: Once the initial connection request to a secure site is made, this threat sends an invalid certificate that tricks your browser into thinking it’s accessing a trustworthy website. With access granted now under the attacker’s control and without any other credentials required, attackers can then capture anything you enter while interacting with said online application before it gets sent over to its intended destination.
How to Prevent Man in The Middle Attacks
To prevent Man in the Middle attacks, you can follow these steps below to make sure that your computer’s data stays on the safe side.
- Use a firewall to protect your network
- Keep your antivirus software updated
- Enable two-factor authentication for logging in to important accounts