What is a man-in-the-middle attack?
Authored by a Symantec employee
A man-in-the-middle attack requires three players. There’s the victim, the entity with which the victim is trying to communicate, and the “man in the middle,” who’s intercepting the victim’s communications. Critical to the scenario is that the victim isn’t aware of the man in the middle.
How does a man-in-the-middle attack work?
How does this play out? Let’s say you received an email that appeared to be from your bank, asking you to log in to your account to confirm your contact information. You click on a link in the email and are taken to what appears to be your bank’s website, where you log in and perform the requested task.
In such a scenario, the man in the middle (MITM) sent you the email, making it appear to be legitimate. (This attack also involves phishing, getting you to click on the email appearing to come from your bank.) The attacker also created a website that looks just like your bank’s website, so you wouldn’t hesitate to enter your login credentials after clicking the link in the email. But when you do that, you’re not logging into your bank account, you’re handing over your credentials to the attacker.
MITM attacks: Close to you or with malware
Man-in-the-middle attacks come in two forms, one that involves physical proximity to the intended target, and another that involves malicious software, or malware. This second form, like our fake bank example above, is also called a man-in-the-browser attack.
Attackers execute a man-in-the-middle attack in two phases — interception and decryption.
With a traditional MITM attack, attackers need access to an unsecured or poorly secured Wi-Fi router. These types of connections are generally found in public areas with free Wi-Fi hotspots, and even in some people’s homes, if they haven’t protected their network. Attackers will scan the router looking for specific vulnerabilities such as a weak password.
Once attackers find a vulnerability, they’ll use tools to intercept and read the victim’s transmitted data. They then insert their tools between the victim’s computer and the websites the user visits.
A successful man-in-the-middle attack does not stop at interception. The victim’s encrypted data then has to be decrypted so that the attacker can read and act upon it.
What is a man-in-the-browser attack?
With a man-in-the-browser attack (MITB), an attacker needs a way to inject malicious software, or malware, into the victim’s computer. This can be achieved by phishing.
Phishing is when a fraudster sends an email or text message to a user that appears to originate from a trusted source, such as a bank, as in our original example. By clicking on a link or opening an attachment in the phishing message, the user can unwittingly load malware onto the computer.
The malware then installs itself on the browser without the user’s knowledge. The malware records the data sent between the victim and specific targeted websites, such as financial institutions, and transmits it to the attacker.
7 types of man-in-the-middle attacks
Attackers can use MITM attacks to gain control of devices in a variety of ways.
1. IP spoofing
Every computer on the internet has an internet protocol (IP) address, which is similar to the street address for your home. By spoofing an IP address, an attacker can trick you into thinking you’re interacting with a website or someone you’re not, perhaps giving the attacker access to information you’d otherwise not share.
2. DNS spoofing
Domain Name Server, or DNS, spoofing is a technique that forces a user to a fake website rather than the real one the user intends to visit. If you are a victim of DNS spoofing, you may think you’re visiting a safe, trusted website when you’re actually interacting with a fraudster. The perpetrator’s goal is to divert traffic from the real site or capture user login credentials.
3. HTTPS spoofing
When doing business on the internet, seeing “HTTPS” in the URL, rather than “HTTP” is a sign that the website is secure and can be trusted. In fact, the “S” stands for “secure.” An attacker can fool your browser into believing it’s visiting a trusted website when it’s not. By redirecting your browser to an unsecure website, the attacker can monitor your interactions with that website and possibly steal personal information you’re sharing.
4. SSL hijacking
When your computer connects to an unsecure server — indicated by “HTTP” — the server can often automatically redirect you to the secure version of the server, indicated by “HTTPS.” A connection to a secure server means standard security protocols are in place, protecting the data you share with that server. SSL stands for Secure Sockets Layer, a protocol that establishes encrypted links between your browser and the web server.
In an SSL hijacking, the attacker uses another computer and secure server and intercepts all the information passing between the server and the user’s computer.
5. Email hijacking
Attackers sometimes target email accounts of banks and other financial institutions. Once they gain access, they can monitor transactions between the institution and its customers. The attackers can then spoof the bank’s email address and send their own instructions to customers. This convinces the customers to follow the attackers’ instructions rather than the bank’s. As a result, an unwitting customer may end up putting money in the attackers’ hands.
6. Wi-Fi eavesdropping
Attackers set up Wi-Fi connections with legitimate-sounding names, similar to a nearby business’s. Once a user connects to the fraudster’s Wi-Fi, the attacker can monitor the user’s online activity and intercept login credentials, payment card information, and more. This is just one of several risks associated with using public Wi-Fi.
7. Stealing browser cookies
To understand the risk of stolen browser cookies, you need to understand what a cookie is. A browser cookie is a small piece of information a website stores on your computer.
An online retailer might store the personal information you enter and shopping cart items you’ve selected on a cookie so you don’t have to re-enter that information when you return.
An attacker can hijack your browser cookies. Since cookies store information from your browsing session, attackers can gain access to your passwords, address, and other sensitive information.
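The SSL hijacking and cookie theft sections both depend on traffic or cookies being reachable outside an encrypted connection. The following added example (not from the original article) audits a site's response headers for the standard server-side mitigations: a redirect to HTTPS, a Strict-Transport-Security header, and the Secure and HttpOnly cookie attributes. The article names none of these; the hosts, header values and the 180-day threshold are assumptions constructed for illustration.

```python
# Added example: audit a site's responses for the downgrade and cookie exposures above.
# All hosts, headers and cookie values are constructed sample data.

def header_values(headers, name):
    """Return every value of a header, matching the name case-insensitively."""
    return [v for k, v in headers if k.lower() == name.lower()]

def hsts_max_age(headers):
    """Return max-age from Strict-Transport-Security, or None if absent or invalid."""
    for value in header_values(headers, "Strict-Transport-Security"):
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            val = val.strip().strip('"')
            if key.strip().lower() == "max-age" and val.isdigit():
                return int(val)
    return None

def audit(http_status, http_headers, https_headers, min_age=15552000):
    """List weaknesses; min_age (180 days) is a threshold assumed for this example."""
    findings = []
    location = header_values(http_headers, "Location")
    redirected = (http_status in (301, 302, 303, 307, 308) and location
                  and location[0].lower().startswith("https://"))
    if not redirected:
        findings.append("http-not-redirected-to-https")
    age = hsts_max_age(https_headers)
    if age is None:
        findings.append("hsts-missing")
    elif age < min_age:
        findings.append("hsts-max-age-short")
    for raw in header_values(https_headers, "Set-Cookie"):
        name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in raw.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in attrs:
                findings.append(f"cookie-{name}-missing-{flag}")
    return findings

# (status of the plain-HTTP response, its headers, headers of the HTTPS response)
WEAK = (200, [("Content-Type", "text/html")],
        [("Set-Cookie", "session=abc123; Path=/")])
HARDENED = (301, [("Location", "https://shop.example/")],
            [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
             ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")])

if __name__ == "__main__":
    print("weak:", audit(*WEAK))
    print("hardened:", audit(*HARDENED))
```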
How to help protect against a man-in-the-middle attack
With the arsenal of tools readily available to carry out a man-in-the-middle attack, it makes sense to take steps to help protect yourself, your data, and your connections. Here are just a few.
- Make sure “HTTPS” — with the S — is always in the URL bar of the websites you visit.
- Be wary of potential phishing emails from attackers asking you to update your password or any other login credentials. Instead of clicking on the link provided in the email, manually type the website address into your browser.
- Never connect to public Wi-Fi routers directly, if possible. Install and use a virtual private network (VPN) like Norton WiFi Privacy. A VPN encrypts your internet connection on public hotspots to protect the private data you send and receive while using public Wi-Fi, like passwords or credit card information.
- Since MITB attacks primarily use malware for execution, you should install a comprehensive internet security solution, such as Norton Security, on your computer. Always keep the security software up to date.
- Be sure that your home Wi-Fi network is secure. Update all of the default usernames and passwords on your home router and all connected devices to strong, unique passwords. Or consider using Norton Core™, the only secure home router with Norton protection built in. (It comes with a 1-year complimentary subscription to Norton Core Security Plus.)
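The first two tips above, checking for HTTPS and distrusting links in email, can be turned into a mechanical check. The following is an added example, not part of the original article; `bank.example` and the sample links are constructed, and the reason labels are names chosen here.

```python
# Added example: vet a link from an email against the domain you expect.
# bank.example and the sample links are constructed for illustration.
import ipaddress
from urllib.parse import urlsplit

def check_link(url, expected_domain):
    """Return reasons not to trust the link; an empty list means none were found."""
    problems = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        problems.append("not-https")
    # "https://bank.example@other.example/" really goes to other.example.
    if "@" in parts.netloc:
        problems.append("userinfo-in-url")
    try:
        ipaddress.ip_address(host)
        problems.append("ip-literal-host")
    except ValueError:
        pass  # not an IP literal, which is the normal case
    # Punycode labels can be displayed as look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        problems.append("punycode-host")
    # Accept only the exact domain or a true subdomain of it.
    if not (host == expected or host.endswith("." + expected)):
        problems.append("host-mismatch")
    return problems

SAMPLE_LINKS = [
    "https://www.bank.example/login",
    "http://www.bank.example/login",
    "https://bank.example@login.other.example/",
    "https://bank.example.accounts.example/login",
    "https://203.0.113.7/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", check_link(link, "bank.example") or "no issue found")
```

An empty result only means none of these specific checks fired; typing the address yourself, as the tip says, remains the safer habit.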
In our rapidly evolving connected world, it’s important to understand the types of threats that could compromise the security of your personal information. Stay informed and make sure your devices are fortified with proper security.
© 2018 Symantec Corporation. All rights reserved.