Man-in-the-Middle Attack (MITM): Detection and Prevention Techniques
Although not as widespread of a cybersecurity threat as phishing or ransomware, MITM attacks can cause severe problems for enterprises. Attackers can use MITM attacks to steal credit card information and gain access to networks used by companies of all sizes by hijacking data and eavesdropping on sensitive exchanges of data between computers.
What is a Man-in-the-Middle Attack?
A man-in-the-middle attack is a type of cyberattack in which the attacker digitally interjects themselves into the middle of a conversation between a network user and a web application or server. As the so-called “man in the middle,” they can spy on users, intercept sensitive information, and even send their own messages while impersonating trusted computers.
There are several ways to do this depending on the vulnerabilities of your computer and/or your network.
Notable examples of MITM Attacks
- In 2003, a type of wireless router made by Belkin was found to periodically use a type of MITM attack to feed users ads for Belkin products. It accomplished this by taking over a connection being routed through it. Once done, the router failed to pass the traffic on to the user’s computer, sending them instead to a web page containing the ad. Belkin later removed this function via a firmware update following a public outcry against this feature.
- In 2013, Nokia’s Xpress mobile web browser was found to be decrypting HTTPS traffic from the phones using a kind of MITM attack, giving Nokia the ability to see its customer’s encrypted data, including financial information and passwords, without their knowledge or consent.
- In 2017, Equifax withdrew its mobile phone apps when it became apparent that they contained severe security vulnerabilities to MITM attacks.
How Does a Man-in-the-Middle Attack Work?
A man-in-the-middle attack consists of four steps.
- The attacker eavesdrops on the victim’s machine’s digital conversation with another computer.
- A message is sent from one user to another.
- The attacker intercepts the message.
- The attacker hijacks the message, then either alters it or sends their own message in its place without the other parties knowing, bypassing security measures like firewalls.
Common Types of Man-in-the-Middle Attacks
Although there are many different ways to pull off a successful MITM attack, they always involve some combination of four broad “buckets” of digital subversion with the end goal of imposing themselves into a data exchange between two computers.
The four buckets are:
- Eavesdropping
- Hijacking
- Intercepting
- Spoofing
Eavesdropping
MITM attacks usually involve the attacker eavesdropping on conversations between two computers in a network.
For example, a common type of MITM attack is called WiFi Eavesdropping. This occurs when a MITM attacker uses an unsecured WiFi network to trick people into logging into fake pages to steal their login credentials. Attackers commonly pull this off by creating fake WiFi networks with common names to trick users into logging into their accounts while the attacker eavesdrops or watches what they type while logging into different websites. This allows them to steal login credentials for their email, credit card, and even bank accounts.
Hijacking
Another type of MITM Attacks is DNS Cache Poisoning in which the attacker finds a way to take over a DNS resolver, aka a DNS recursor, which helps run a DNS by connecting computers in a network to each other. Once the recursor has been hijacked, the attacker can mislead you by telling the DNS resolver that the website you’re trying to access actually lives at a different IP address owned by the attacker. The attacker then gives your computer a fake DNS entry via the hijacked DNS resolver, leading you to a malicious website designed to look legitimate.
Intercepting
IP spoofing is a cyberattack in which the attacker intercepts and modifies the IP address of a packet of data sent from one computer to the recipient computer without the original sender knowing.
Another way MITM attackers may accomplish this is by interrupting a sequence of data sent from the trusted source. The attacker then sends data from their computer while flooding the server with a denial of service (DoS) attack, which prevents or impairs the original sender from responding in time.
Using this method, the attacker can send your computer data packets that seem like they came from a trusted source, tricking your computer into accepting data that couldcompromise the recipient’s personal info or sensitive enterprise data.
Spoofing
Spoofing is another MITM attack where a threat actor impersonates, piggybacks off, masquerades as, or mimics a legitimate sources to trick someone into acting against the interest of an organization.
Although we already covered IP spoofing earlier in this article, there are many ways spoofing can be used in MITM attacks. For example, in an HTTPS spoofing attack, attackers set up fake HTTPS websites.. This is often accomplished by sending victims phishing emails designed to look like they came from major banks, social media sites, or payment mediums like PayPal. The emails prompt the user to follow a link leading them to a fake website created by the attacker designed to look like the real thing.
The victim then downloads the Certificate Authority (CA) from the fake site, which is like a digital stamp of approval for users on public networks, indicating that they are trustworthy actors.
The attacker then digitally signs the certificate and sends it back to the user, who stores it in their trusted key store – along with all other trusted keys for legitimate websites. The threat actor then relays web traffic to the actual website and can now monitor all of the victim’s web traffic for the session.
How to Detect a Man-in-the-Middle Attack
Man-in-the-middle attacks are designed to be very stealthy. After all, the whole point is to allow the attacker to bypass security measures like firewalls.
Fortunately, they are not wholly undetectable. MITM attacks can sometimes be picked out before they cause too much damage if you know what to look for.
Signs to Look For
Unexpected or repeated connections are sometimes a telltale sign of a MITM attack. Cybercriminals will disconnect users from a network so they can intercept their login details or eavesdrop on them when they try to reconnect.
Strange URLs are another dead giveaway that you’re dealing with an MITM attack or other cybersecurity threats.. For example, if you receive a seemingly trustworthy email from “Salesforce” asking you to follow a link to verify your account information, and that link leads to “salesforcel.mobileservice2013.com/txn?id=178948” instead of “www.salesforce.com,” you may be dealing with a cybercriminal, and logging into the site may compromise your organizations network and sensitive customer information.
Using unsecured or public networks is another way to leave yourself vulnerable to MITM attacks. Remember, MITM attackers sometimes create fake WiFi networks with common names to trick you into connecting with their computer so they can watch you log into various websites.
How to Prevent a Man-in-the-Middle Attack
Generally, it is easier to prevent MITM attacks than detect them. Following these general rules can save you a lot of money and headaches in the long run.
General Best Practices
- Connect only to networks that are secured and encrypted. This is especially true for remote employees.
- If you hover your mouse over a suspicious link without clicking on it, your browser should display the URL embedded in that link. If the URL leads to a different site than advertised, never click on it.
- Pay attention to the grammar and spelling of the email. Bad grammar and spelling are usually signs that you’re not dealing with the genuine article.
- Use a VPN for employees not on an office-managed network.
- Only connect to URLs that say “HTTPS” in the beginning (example: https://www.sentinelone.com).
- Use multi-factor authentication to log in whenever possible and have a corporate-level solution for login credentials.
- Perhaps most importantly, trust no one, even behind a firewall! Cybercriminals are smart, and their methods constantly evolve. When it comes to cybersecurity, it’s always better to be safe than sorry.
How SentinelOne Can Help with MITM and Other Attacks
As long as cybercriminals can use MITM attacks to steal login credentials and other sensitive information successfully, the methods by which they seek to do so will continue to change and evolve, especially with the expansion of more IoT devices and as IT supply chains become more complex.
SentinelOne can help defend against advanced cybersecurity threats, including MITM attacks. You can request a demo of SentinelOne to see us in action and learn more about the Singularity Platform. SentinelOne’s cybersecurity solution encompasses AI-powered prevention, detection, response and hunting across endpoints, containers, cloud workloads, and IoT devices in a single autonomous platform.
Leave a Reply
Want to join the discussion?Feel free to contribute!