In a sense, a man-in-the-middle attack (MITM) is like eavesdropping. Data is sent from point A (your computer) to point B (a server or website), and an attacker gets in between those two points. From there they run tools that “listen in” on the traffic, pick out the data they are after (passwords, session cookies, card numbers) and copy it. Sometimes the data is also modified in transit, for example to show the user a forged login page that tricks them into handing over their credentials. Whether the attacker copies or alters the traffic, the original request is then forwarded to its intended destination, so the website behaves normally and the user sees nothing wrong.
How Does It Work?
These attacks come in two forms: the classic man-in-the-middle attack, in which the attacker sits on the network path between the victim and the server (most often on the same local network, such as a public Wi-Fi hotspot), and the man-in-the-browser (MITB) attack, which needs no network position at all and relies instead on malware running inside the victim’s browser.
With a traditional MITM attack, the attacker needs to be on the same network path as the victim, and the easiest place to get there is an open or poorly secured Wi-Fi network: public hotspots, or home routers still running default credentials or a careless configuration. Once on the network the attacker has two routes. One is to take over the router itself, by logging in with a default or guessable admin password or exploiting an unpatched firmware flaw, and change where it sends traffic. The other, which needs no router compromise, is to spoof the network, for example by sending forged ARP replies so the victim’s computer believes the attacker’s machine is the gateway, or by running a rogue access point with the same name as the real one. Either way the victim’s traffic now flows through the attacker’s tools, which read or alter it and pass it on to the real destination.
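The ARP-spoofing route described above leaves a trace on the network: the gateway’s IP address suddenly starts being answered from a second hardware address, and the same hardware address answers for the gateway and for the victim at once. The following is an added example, not code from the original article, showing how a monitor on the local network could flag that. The capture it parses is constructed here in the format tcpdump prints ARP replies in; the addresses are made up.

```python
import re
from collections import defaultdict

# Constructed sample: ARP replies as tcpdump prints them. The first three lines are the
# normal LAN; at 10:00:15 a new MAC (de:ad:be:ef:00:01) starts answering for both the
# gateway and the victim host, so both directions of the victim's traffic now pass
# through it. Not a real capture.
SAMPLE_CAPTURE = """\
10:00:01.100 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 46
10:00:01.250 ARP, Reply 192.168.1.20 is-at 8c:85:90:aa:bb:cc, length 46
10:00:02.010 ARP, Reply 192.168.1.30 is-at f0:18:98:11:22:33, length 46
10:00:04.500 ARP, Request who-has 192.168.1.1 tell 192.168.1.30, length 46
10:00:15.700 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 46
10:00:15.720 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 46
10:00:16.000 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 46
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply; requests and other traffic are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m["ts"], m["ip"], m["mac"].lower()


def detect_arp_spoofing(text, gateway_ip):
    """Return alert strings in capture order.

    Rule 1: an IP answered from a MAC other than the one first learned for it. The
            baseline is kept, so every further spoofed reply keeps alerting (as arpwatch does).
    Rule 2: one MAC answering for the gateway and for at least one other host, the
            signature of an attacker relaying both directions of a conversation.
    """
    baseline = {}                   # ip -> first MAC seen answering for it
    claims = defaultdict(set)       # mac -> ips it has answered for
    relaying = set()                # macs already reported under rule 2
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        known = baseline.setdefault(ip, mac)
        if known != mac:
            severity = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(f"{ts} {severity} {ip} moved from {known} to {mac}")
        claims[mac].add(ip)
        others = claims[mac] - {gateway_ip}
        if gateway_ip in claims[mac] and others and mac not in relaying:
            relaying.add(mac)
            alerts.append(f"{ts} CRITICAL {mac} answers for gateway {gateway_ip} "
                          f"and for {', '.join(sorted(others))}: both ends relayed")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_CAPTURE, "192.168.1.1"):
        print(alert)
```

On a real network the same logic would be fed from `tcpdump -n arp` or a packet library rather than a string; the baseline should be seeded from a known-good moment, because a detector that first learns the attacker’s address will treat the real gateway as the intruder.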
A newer variant of this attack has been gaining popularity with cybercriminals because it is easy to carry out. With a man-in-the-browser attack, all an attacker needs is a way to get malware onto the computer. The malware installs itself into the browser without the user’s knowledge and records the data exchanged between the victim and specific targeted websites, such as financial institutions, whose addresses are coded into the malware. Because it runs inside the browser, it sees pages and form fields after HTTPS has been decrypted, so encryption on the wire does not protect against it. Once the malware has collected the data it was programmed to collect, it transmits that data back to the attacker.
A good example of these types of attacks was the discovery of the POODLE bug in October 2014. POODLE is not malware; it is a weakness in the old SSL 3.0 protocol that an attacker already sitting in the middle of a connection can exploit. The attacker first interferes with the connection so that the browser and server fall back to SSL 3.0, and can then decrypt pieces of the supposedly protected traffic, such as the session cookie that keeps a user logged in to a financial, e-commerce or other online account, which is enough to take over that account.
A similar attack, dubbed “FREAK”, was disclosed on March 3rd, 2015 by researchers. It is a man-in-the-middle attack, not a man-in-the-browser one: an attacker on the network path tampers with the start of an encrypted connection so that the server uses “export-grade” RSA, a deliberately weakened 512-bit key size left over from 1990s US export rules that many servers still offered and that the encryption code behind many Apple and Google products (and others) still accepted, even when the browser had never asked for it. A 512-bit RSA key can be factored in a matter of hours on rented cloud computing, after which the attacker can decrypt everything sent in that session.
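Both POODLE and FREAK work by tampering with the negotiation at the start of an encrypted connection rather than by breaking the encryption itself. The following is an added example, not part of the original article and not a TLS implementation, that models that negotiation in a few dozen lines: a client that offers modern cipher suites, a server that (as many did in early 2015) still has export-grade suites and SSL 3.0 enabled, and two on-path attackers, one performing the FREAK substitution and one forcing the POODLE downgrade. It then shows the two client-side fixes: refusing a weak RSA key that was never asked for, and either disabling SSL 3.0 or sending the TLS_FALLBACK_SCSV signal so the server can detect a forced downgrade. The cipher-suite names are the real IANA ones; the `Client`, `Server` and `*_mitm` classes and functions are this example’s own simplifications.

```python
from dataclasses import dataclass

# Toy model of TLS version and cipher-suite negotiation, built to show what FREAK and
# POODLE exploit. Suite names are real; certificates and the Finished MAC are omitted.
VERSIONS = ["SSL3", "TLS1.0", "TLS1.1", "TLS1.2"]          # oldest to newest
STRONG_SUITES = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",   # GCM suites need TLS 1.2
                 "TLS_RSA_WITH_AES_128_CBC_SHA"]
EXPORT_SUITES = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5",          # 1990s export grade: 512-bit RSA
                 "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA"]
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"                         # RFC 7507 downgrade signal


@dataclass
class ClientHello:
    version: str
    suites: list


@dataclass
class ServerHello:
    version: str
    suite: str
    rsa_bits: int   # size of the RSA key the client will encrypt the premaster secret to


class Server:
    """A server as many were in early 2015: export suites compiled in, SSL 3.0 still on."""

    def __init__(self, max_version="TLS1.2", honours_scsv=True):
        self.max_version, self.honours_scsv = max_version, honours_scsv

    def handshake(self, hello):
        version = min(hello.version, self.max_version, key=VERSIONS.index)
        if (self.honours_scsv and FALLBACK_SCSV in hello.suites
                and VERSIONS.index(version) < VERSIONS.index(self.max_version)):
            raise ConnectionError("alert inappropriate_fallback")    # RFC 7507: client was pushed down
        for suite in STRONG_SUITES + EXPORT_SUITES:                   # server preference order
            if suite in hello.suites and not ("GCM" in suite and version != "TLS1.2"):
                return ServerHello(version, suite, 512 if "EXPORT" in suite else 2048)
        raise ConnectionError("alert handshake_failure")


class Client:
    def __init__(self, allow_ssl3=True, send_scsv=False, check_key_size=False):
        self.allow_ssl3, self.send_scsv, self.check_key_size = allow_ssl3, send_scsv, check_key_size

    def connect(self, channel):
        versions = [v for v in reversed(VERSIONS) if self.allow_ssl3 or v != "SSL3"]
        for attempt, version in enumerate(versions):
            offered = list(STRONG_SUITES)
            if attempt > 0 and self.send_scsv:
                offered.append(FALLBACK_SCSV)            # mark this hello as a retry at a lower version
            try:
                sh = channel(ClientHello(version, offered))
            except ConnectionError as err:
                if "inappropriate_fallback" in str(err):
                    raise                                 # the server saw the downgrade: fail closed
                continue                                  # 2014-era browsers retried lower on any failure
            if sh.suite not in offered:
                raise ConnectionError(f"server picked {sh.suite}, which was never offered")
            if self.check_key_size and "EXPORT" not in sh.suite and sh.rsa_bits < 1024:
                raise ConnectionError("export-grade RSA key for a non-export suite (FREAK)")
            return sh
        raise ConnectionError("no protocol version accepted")


def freak_mitm(server):
    """On-path attacker: asks the server for export RSA, then hides the substitution from the client."""
    def channel(hello):
        sh = server.handshake(ClientHello(hello.version, list(EXPORT_SUITES)))
        shown = next(s for s in hello.suites if s.startswith("TLS_RSA_WITH"))
        # Only the suite label is rewritten; the 512-bit key is the server's own. In real TLS the
        # attacker factors that key, derives the session secret and forges the Finished messages.
        return ServerHello(sh.version, shown, sh.rsa_bits)
    return channel


def poodle_mitm(server):
    """On-path attacker: drops every TLS handshake so the client falls back to SSL 3.0."""
    def channel(hello):
        if hello.version != "SSL3":
            raise ConnectionError("connection reset")
        return server.handshake(hello)
    return channel


def outcome(client, channel):
    try:
        sh = client.connect(channel)
        return f"negotiated {sh.version} {sh.suite} rsa={sh.rsa_bits}"
    except ConnectionError as err:
        return f"aborted: {err}"


if __name__ == "__main__":
    server = Server()
    cases = [
        ("2014 browser, no attacker", Client(), server.handshake),
        ("2014 browser, FREAK", Client(), freak_mitm(server)),
        ("patched client, FREAK", Client(check_key_size=True), freak_mitm(server)),
        ("2014 browser, POODLE", Client(), poodle_mitm(server)),
        ("client sending TLS_FALLBACK_SCSV, POODLE", Client(send_scsv=True), poodle_mitm(server)),
        ("client with SSL 3.0 disabled, POODLE", Client(allow_ssl3=False), poodle_mitm(server)),
    ]
    for label, client, channel in cases:
        print(f"{label:42} {outcome(client, channel)}")
```

Two things the run makes visible. Under FREAK the unpatched client ends up with a suite it did offer, so checking the suite name alone is not enough; the tell is a 512-bit RSA key arriving for a suite that should use the server’s full-size certificate key. Under POODLE the unpatched client lands on a CBC suite over SSL 3.0, which is exactly the combination the padding-oracle attack needs, while the client that sends the fallback signal is stopped by the server and the client with SSL 3.0 disabled simply never gets there.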
How do I avoid these types of attacks?
- Make sure “HTTPS” is always in the URL bar of the websites you visit, and that your browser shows no certificate warning. Never click through a certificate warning on a site you log in to: a certificate the browser does not trust is exactly what an attacker in the middle has to present.
- Be wary of phishing emails asking you to update your password or any other login credentials. Instead of clicking the link in the email, type the address of the website in question into the URL bar of your browser yourself and proceed from there.
- Avoid sending sensitive traffic over public Wi-Fi where possible. If you must use it, run a Virtual Private Network (VPN) so the hotspot and anyone else on it only see encrypted traffic, and use a browser plug-in such as HTTPS Everywhere or ForceTLS so that sites which support HTTPS are always reached over it rather than over plain HTTP.
- Since MITB attacks primarily use malware for execution, you should have a comprehensive Internet security solution such as Norton Security installed on your computer, and be sure to keep the program up to date.
- Be sure that your home network is secured. Change all of the default usernames and passwords on your home router and any other equipment, use WPA2 with a strong passphrase rather than an open network, and keep the router’s firmware up to date.
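The first and third items above (insist on HTTPS, and on HTTPS that cannot be downgraded) have a direct counterpart for anyone writing software that talks to a server: the client must verify the certificate and hostname, refuse old protocol versions and weak cipher suites, and fail rather than fall back. The following is an added example, not from the original article, using Python’s standard `ssl` module. It builds a weak client configuration next to a hardened one and audits both; the `audit` function and its finding strings are this example’s own, and the checks are evaluated locally without opening any connection.

```python
import ssl

# Two client-side TLS configurations built with Python's standard ssl module, and an
# audit that reports the settings a man-in-the-middle could take advantage of.


def weak_context():
    """Settings that leave a client open to the attacks described above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False                   # any valid certificate will do, even for another name
    ctx.verify_mode = ssl.CERT_NONE              # and in fact no valid certificate is needed at all
    ctx.minimum_version = ssl.TLSVersion.TLSv1   # allows an attacker to force a downgrade to TLS 1.0
    ctx.set_ciphers("ALL:!aNULL")                # includes static-RSA suites with no forward secrecy
    return ctx


def hardened_context():
    """create_default_context() already verifies certificates and hostnames; tighten the rest."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2       # no SSL 3.0 / TLS 1.0 / TLS 1.1 fallback
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")        # forward-secret AEAD suites only (TLS 1.3
    return ctx                                         # suites are added by OpenSSL automatically)


def audit(ctx):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol version is {ctx.minimum_version.name}")
    for cipher in ctx.get_ciphers():          # what this context would actually offer a server
        if cipher["strength_bits"] < 128:
            findings.append(f"{cipher['name']}: only {cipher['strength_bits']}-bit strength")
        if "Kx=RSA" in cipher["description"]:
            findings.append(f"{cipher['name']}: static RSA key exchange, no forward secrecy")
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("hardened", hardened_context())):
        print(f"{label}: {len(audit(ctx))} finding(s)")
        for finding in audit(ctx):
            print("  -", finding)
```

To use the hardened context for a real connection, call `hardened_context().wrap_socket(sock, server_hostname=host)`; the `server_hostname` argument is what makes `check_hostname` meaningful. The exact number of cipher findings for the weak context depends on the OpenSSL build Python is linked against, which is itself a point worth knowing: the suites a client offers are decided by its crypto library, not by the application code.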