
Protecting Yourself from Man-in-the-Middle Attacks

Threat Intelligence • Sep 01, 2022

Imagine this: you're sitting in a coffee shop, working on your laptop.

You're logged into your bank's website, and you're about to make a withdrawal. Suddenly, someone sits down next to you and starts typing on their own laptop. You watch as they log into your bank's website and start making transfers out of your account.

Sounds far-fetched? It's not. This is known as a man-in-the-middle attack, and it's one of the most common types of cyberattacks out there.

In this article, we'll go over the different types of man-in-the-middle attacks, the techniques used to launch them, and how to protect yourself from them.

What is a Man-in-the-Middle (MITM) Attack?

What if someone was sitting between you and the website you're trying to visit? They could see everything you're doing and, even worse, change the data being sent between you and the site.

This is what a typical man-in-the-middle attack looks like. It's similar to eavesdropping on a conversation, except that the third party can manipulate the conversation without the other two participants knowing. The attack happens when a hacker intercepts your connection to a website and changes the data that's being sent between you and the website. Once the attacker has inserted themselves into an ongoing transaction, they insert malicious links or data in an attempt to steal confidential information or cause damage. These attacks can occur when you're using public Wi-Fi, for example, or when you're logged in to an untrustworthy website.

Types of MITM Attacks

MITM attacks can be broadly classified into two types:

Active Session Attack

In an active attack, the hacker interrupts the client's actual communication. From this point, the attacker can communicate directly with the server and perform any action the user can. This can include sending messages, replaying old messages, modifying messages that are being passed, or deleting messages from the transmission.

Passive Session Attack

A passive attack occurs when the attacker listens in on the message stream or transaction without making any alterations to the data transferred. The attacker simply observes the data transmitted across the network without disturbing the communication. The information collected from the passive attack can then be used to launch an active attack later.

Techniques Used in MITM Attacks

Listed below are some of the common techniques that are used to carry out Man-in-the-Middle attacks:

Spoofing

The definition of spoofing is to trick someone with false information. In cybersecurity, it is the act of impersonating a legitimate entity in order to steal resources or information. Attackers usually use a false identity to gain access to a network. Cybercriminals often use the names of large, well-known organizations to trick users into divulging sensitive information. Spoofing attacks come in many forms, including IP spoofing, DNS spoofing, GPS spoofing, and text message spoofing.

Session Hijacking

Session hijacking is the act of stealing a user's session credentials. The attacker can use these credentials to gain access to the user's account and perform unauthorized, malicious actions on behalf of the user. Also known as TCP session hijacking, this attack is usually carried out by a remote attacker who controls the victim's machine. The attacker can use this technique to carry out MITM attacks.
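As an added example (not code from the original post), the following check shows the session-cookie attributes that limit how a session credential can be captured in transit or read from a page; the Set-Cookie header strings are constructed samples.

```python
# Added example (not from the original post): audit Set-Cookie headers for the
# attributes that limit session credential theft. A session cookie without
# "Secure" can be captured on any plaintext hop; without "HttpOnly" it is
# readable by injected script; without SameSite=Lax/Strict it rides along on
# cross-site requests. The sample headers at the bottom are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CookieFinding:
    name: str
    problems: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie header into the cookie name and its attributes (keys lowercased)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, value = attr.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def audit_session_cookie(header: str) -> CookieFinding:
    """Return the cookie name and a list of missing protections (an empty list means hardened)."""
    name, attrs = parse_set_cookie(header)
    finding = CookieFinding(name)
    if "secure" not in attrs:
        finding.problems.append("missing Secure: cookie may be sent over plaintext HTTP")
    if "httponly" not in attrs:
        finding.problems.append("missing HttpOnly: cookie readable by page scripts")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        finding.problems.append("SameSite not Lax/Strict: cookie attached to cross-site requests")
    return finding


# Constructed sample headers: one minimal, one hardened.
WEAK_COOKIE = "sessionid=abc123; Path=/"
HARDENED_COOKIE = "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"

if __name__ == "__main__":
    for header in (WEAK_COOKIE, HARDENED_COOKIE):
        result = audit_session_cookie(header)
        print(result.name, result.problems or "OK")
```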

 

Sniffing

Sniffing is a hacking technique in which an attacker monitors a network by intercepting its traffic. Sniffers are used by hackers to steal sensitive information such as credit card numbers, passwords, chat sessions, and account information. Sniffing tools allow attackers to capture and analyze all network traffic, both protected and unprotected.

SSL Stripping

SSL stripping is a technique used to remove the encryption offered by an HTTPS website and downgrade the connection to HTTP. In this unsecured state the website is susceptible to eavesdropping and data manipulation. This attack is also known as a downgrade attack and can allow attackers to gain access to networks and intercept network connections.

Packet Injection

Packet injection is a technique hackers use to interrupt or modify the packets of data that are sent over an existing internet connection. This is done by intercepting the packets and replacing them with their own malicious data. It is very common for attackers to use this method to launch Denial of Service (DoS) attacks and MITM attacks. It is also known as packet forging.

MITM Prevention

It can be difficult to detect MITM attacks. Fortunately, there are steps you can take to protect yourself from them.

Avoid Public Networks - Public networks are networks that are accessible to anyone who wants to use them. Employees should not be permitted to use public networks, particularly while working with sensitive data. It is also good practice to have separate networks for employees and for guests or outsiders.

Use VPNs - Use Virtual Private Networks (VPNs) to create secure connections between your company and other online apps. However, while a VPN connection can close off many of the locations from which a MITM attack can be launched, it can't close off all of them. Using a VPN ensures that your traffic is semi-anonymous, making it very difficult for attackers to launch a targeted attack against you. In addition, it encrypts the data in transit.

Use updated versions of browsers - The latest versions of Internet browsers will often include security updates that reduce the likelihood of MITM attacks. Additionally, having a software update policy can help prevent MITM attacks by ensuring that your systems are patched for all known vulnerabilities.

Implement MFA - Multi-factor authentication is a security best practice that requires the user to personally verify every login attempt. This provides a simple but effective additional layer of protection even if an attacker obtains your credentials.

Secure your connections - Ensure that you connect only to HTTPS websites and implement secure protocols such as TLS, SSH, and VPNs to protect your data.
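The SSL stripping technique described above and the "Secure your connections" advice both reduce to a check a defender can automate: was the response delivered over HTTPS, and does it carry a Strict-Transport-Security (HSTS) header telling the browser never to start over plaintext again? This is an added example, not code from the original post; the sample responses are constructed and the one-year max-age threshold is an assumed, commonly recommended minimum.

```python
# Added example (not from the original post): flag the conditions an SSL stripping
# attack depends on, from a recorded response. A page that arrives over plain
# http://, or over https:// without a valid Strict-Transport-Security (HSTS) header,
# leaves the browser willing to start the next visit in plaintext. Sample responses
# are constructed; the one-year max-age threshold is an assumed (commonly recommended) minimum.
from typing import Dict, List, Optional
from urllib.parse import urlparse

ONE_YEAR = 31536000  # seconds


def parse_hsts(header: Optional[str]) -> Optional[Dict[str, object]]:
    """Parse 'max-age=N; includeSubDomains; preload'; None if absent or max-age missing/invalid."""
    if not header:
        return None
    policy: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        key, _, value = directive.strip().partition("=")
        key, value = key.lower(), value.strip().strip('"')
        if key == "max-age":
            if not value.isdigit():
                return None  # malformed max-age: treat the policy as absent
            policy["max_age"] = int(value)
        elif key == "includesubdomains":
            policy["include_subdomains"] = True
        elif key == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def audit_response(url: str, headers: Dict[str, str]) -> List[str]:
    """Return downgrade-related findings for one response; an empty list means none found."""
    findings: List[str] = []
    lower = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if urlparse(url).scheme != "https":
        findings.append("delivered over plaintext HTTP: content and cookies exposed on the path")
        return findings
    policy = parse_hsts(lower.get("strict-transport-security"))
    if policy is None:
        findings.append("no valid Strict-Transport-Security header: next visit may begin over http://")
    elif policy["max_age"] < ONE_YEAR:
        findings.append(f"HSTS max-age {policy['max_age']} is shorter than one year")
    return findings


# Constructed sample responses, as a proxy log might record them.
STRIPPED = ("http://bank.example/login", {"Content-Type": "text/html"})
SHORT_HSTS = ("https://bank.example/login", {"Strict-Transport-Security": "max-age=300"})
HARDENED = ("https://bank.example/login", {"STRICT-TRANSPORT-SECURITY": "max-age=63072000; includeSubDomains; preload"})
```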

Examples of Real-Life MITM Attacks

Even before computers came into existence, there were instances of MITM attacks. The Babington Plot was one of the first such cases. In 1586, this plot was hatched by Anthony Babington to remove Elizabeth I from the throne and replace her with Mary, Queen of Scots. The communications between Mary and her followers were intercepted, decoded, and then altered by a third party, revealing the plot and the conspirators.

More recently, the names of major corporations such as Equifax and Lenovo have been linked to MITM attacks. In the case of Equifax, the company removed its apps from the Google and Apple stores due to concerns about MITM vulnerabilities, while Lenovo sold computers with software called Superfish Visual Search that enabled MITM attacks.

Conclusion

MITM attacks are going to be around as long as there is sensitive and valuable information to steal. Moreover, the increased adoption of wireless networks, IoT devices, and 5G networks leaves more room for attackers to carry out MITM attacks. Knowing online safety best practices and having a good detection program in place can help you to avoid these attacks. Threat Intelligence offers customizable solutions to help you detect, respond to and recover from cyber threats like MITM attacks. To learn more about how to secure your business against such attacks, contact one of our specialists.
