Man-in-the-Middle Attacks

Cyber-attacks have been a significant threat to cyberspace for decades. It started as innocuous pranks of the Creeper and Reaper in 1970 when Bob Thomas created the first computer virus. He coded a program that could operate between computers and display the message "I'm the creeper: catch me if you can!" when it landed on computers.

In response to his prank, his friend and a co-worker, Ray Tomlinson, code a similar program with an additional feature that makes it replicate as it moved from one computer to another. Ray Tomlinson's program eliminated the 'Creeper,' and his code has been known as the 'Reaper' since then.

Cyber-attacks evolved from there to denial-of-service –DoS– created by Robert Morris in 1989 before the "virus era" in the '90s, which birthed cybersecurity. Today, cyber-attacks have taken a new criminal course, with attackers attempting to be in control of computer resources for aggrandizement. One of the devastating cyber-attacks today is the Mam-in-the-middle attack.

What is MiTM Attack?

A man-in-the-middle attack is a cyber-attack where an adversary covertly intercepts and conveys messages between two users or machines who believe they are directly communicating with one another. It involves the perpetrator positioning himself in-between two users' communication to eavesdrop on their communication or impersonate either of them.

This attack can also be staged in the data transfer process to obtain personal details, like credit card numbers, account information, and login credentials. It poses a massive threat to cybersecurity since most users of financial applications, SaaS companies, e-commerce websites, and other websites that require signing in are often the targets.

MiTM attack is sometimes referred to as machine-in-the-middle attack, monkey-in-the-middle attack, monster-in-the-middle attack, and man-in-the-browser attack. The man-in-the-browser –MiTB– attack is the most prevalent type of MiTM attack where adversaries focus on browser infection and introduce malicious proxy malware –through phishing– to the target's computing device.

MiTM attacks are categorized into passive and active attacks. • Passive Attacks A passive MiTM attack is when the adversary covertly observes communications without interfering. The attacker only eavesdrops on communications without modifying them. Data gathered during passive attacks could be used to launch an active attack. • Active Attacks An active attack is when the adversary intercepts communications and alters them. Here, the attacker stands as a bridge in-between the two users or machines.

How MiTM Attacks Work

There are two stages of MiTM attacks which are the interception and decryption stages

1. Interception Stage The interception stage involves the adversary intercepting communications between users or data between a user and a server. The intruder deceives the parties engaged into thinking they are communicating directly, while the intruder intercepts communications by acting as a proxy to read and alter the communication. The steps involved in interception are: i. The intruder first deploys a packet sniffer to detect any vulnerable network traffic like a user using an unsecured public hotspot or accessing an HTTP-based page. ii. When the target logs into the insecure website, the intruder obtains the user's information and redirects him to a phony website. iii. The phony website mirrors the real one and captures all relevant users' information. The attacker will subsequently use the captured data to access all valuable resources on the real website.

   

2. Decryption Stage The intercepted data is decoded in the decryption stage. This crucial stage allows the intruder to ultimately decode the data and use it to their advantage, such as committing identity theft or interfering with business processes like fraudulently receiving payments.

   

Methods of Deploying MiTM Attacks

1. Internet Protocol –IP– Spoofing IP spoofing occurs when adversaries change the source IP address of a webpage, device, or email to conceal the address. The users are tricked into thinking they are communicating with a reliable source, and the vital information they disclose during the communication is sent to the adversaries.
2. HTTP Spoofing This involves redirecting a browser session to an unsecured website like an HTTP-based website without the user's consent. Attackers can observe users' activities and extract personal information through this redirection.
3. DNS Spoofing DNS spoofing is mainly used to redirect traffic to a fake site or to intercept user login information. Here, adversaries change domain names to redirect traffic to fraudulent websites. Users may believe they are accessing a safe and reliable website but end up on a website maintained by attackers.
4. Email Hijacking This involves adversaries taking over email accounts of financial institutions, including banks, to observe all users' transactions. Even the bank's email address might be hijacked by hackers, who then encourage customers to transfer money to them.
5. Session Hijacking This malicious act occurs when hackers steal personal information and passwords saved on the cookies of a user's browsing session; this is why it is also known as stealing browser cookies. Cybercriminals may have unrestricted access to users' cached resources. For instance, they might make purchases, steal money from users' bank accounts, or steal their identities and private information.
6. SSL –Secure Sockets Layer– Hijacking This happens when an attacker sends the user and the program fake authentication keys during a TCP three-way handshake. As a result, what seems to be a secure connection is controlled by an adversary –MiTM.
7. SSL Stripping SSL stripping degrades HTTPS connection to HTTP, making it less secure. TLS –Transport Layer Security– encrypt HTTP to make it more secure and become HTTPS. The degrading is done by intercepting the TLS authentication transmitted from the program to the user. While the user is still connected to the application's secured session, the attacker sends the user an unencrypted version of the application's website. As such, the attacker can see the user's whole session.
8. Wi-Fi Eavesdropping One of the many threats posed by public Wi-Fi is this MiTM attack. Public Wi-Fi users are deceived into joining malicious Wi-Fi networks and hotspots during this attack. To do this, attackers create Wi-Fi connections with names that reflect those of local companies.
9. ARP Spoofing or Cache Poisoning ARP –Address Resolution Protocol– Spoofing uses bogus ARP messages to connect an intruder's MAC address with a genuine user's IP address on a local area network. As a result, information communicated by the user to the host IP address is routed to the attacker. How to Prevent MiTM Attacks i. Web owners should use secure communication protocols like HTTPS and TLS to extenuate spoofing attacks. ii. Use secure connections and avoid insecure public Wi-Fi. iii. Web users should only visit web pages with HTTPS in the URL instead of HTTP. iv. Connection to unsecured public Wi-Fi or hotspot should be made with a VPN; it encrypts connections and data transfer. v. Pay attention to notifications reporting unsecured websites. vi. Log out of a secure application when you're not using it. vii. Eschew phishing emails viii. Install anti-malware and internet security products on your computing device.

Cybercrime and the exploitation of security flaws are becoming more complex as a result of the continued development of our digitally connected environment. In order to protect yourself from man-in-the-middle attacks and other forms of cybercrime, it is essential to educate yourself on cybersecurity best practices. Having a powerful antivirus program installed on your computer at the absolute least helps keep your data safe and secure.