Man in the Middle (MITM) Attack

What is a MITM attack

A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers or an illicit password change.

Additionally, it can be used to gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.

Broadly speaking, a MITM attack is the equivalent of a mailman opening your bank statement, writing down your account details and then resealing the envelope and delivering it to your door.

Man in the Middle (MITM) Attack

MITM attack progression

Successful MITM execution has two distinct phases: interception and decryption.


The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility to any online data exchange.

Attackers wishing to take a more active approach to interception may launch one of the following attacks:

  • IP spoofing involves an attacker disguising himself as an application by altering packet headers in an IP address. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
  • ARP spoofing is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
  • DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.


After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:

  • HTTPS spoofing sends a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
  • SSL BEAST (browser exploit against SSL/TLS) targets a TLS version 1.0 vulnerability in SSL. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
  • SSL hijacking occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping downgrades a HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application's site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.

Man in the middle attack prevention

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.

For users, this means:

  • Avoiding WiFi connections that aren’t password protected.
  • Paying attention to browser notifications reporting a website as being unsecured.
  • Immediately logging out of a secure application when it’s not in use.
  • Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For website operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.

It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decreases the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in.'

How to protect from packet sniffers

What Are Packets?

When using the internet to send emails, access bank accounts, upload images, or even type in a URL, the data being sent is broken into pieces. These pieces, or packets, are sent from your computer to the receiving end. The receiving end could be another computer or a server.

These packets must travel through the Internet to their destination, which could leave the packets vulnerable to packet sniffers.

Wireshark Packet Sniffer Software Screenshot

What Is A Packet Sniffer?

A packet sniffer is also known as a packet or protocol analyzer. Furthermore, this tool works by intercepting and logging the traffic between two computers on a network. Additionally, a packet sniffer can be bought and used as an independent physical piece of hardware or used as software on a computer.

The software would use the device’s network card to monitor network traffic. A popular and open-source packet sniffer is Wireshark, which is typically used by security researchers as a penetration testing program.

How Does A Packet Sniffer Work?

For wired networks, a packet sniffer is able to have access to all or a portion of the traffic being transmitted depending on the configuration of the network switches.

For wireless networks, a packet sniffer is only able to scan one channel at a time. If the host device running the packet sniffer has multiple wireless network interfaces then it is possible to scan multiple channels.

Who Uses Packet Sniffers?

The original purpose of a packet sniffer was for administrative uses, such as penetration testing and monitoring the traffic on a network. Therefore, network admins utilize packet sniffers on a corporate network to run diagnostics and to troubleshoot problems.

Hackers now use packet sniffers to steal information and data from victims. Traffic is more susceptible to being seen and stolen when it is sent on an unencrypted network.

Sometimes, packet sniffers can be used with other tools and programs to intercept and manipulate packets. These manipulated packets can be used to deliver malware and malicious content.

Public wireless networks are especially susceptible to packet sniffing attacks, as they are usually unprotected and can be connected to by anyone.

Protecting Yourself From Packet Sniffers

Aside from refraining from using public networks, encryption is your best bet to protect yourself from potential packet sniffers. Using HTTPS, the secure version of HTTP, will prevent packet sniffers from seeing the traffic on the websites you are visiting.

To make sure you are using HTTPS, check the upper left corner of your browser.

One effective way to protect yourself from packet sniffers is to tunnel your connectivity a virtual private network, or a VPN.

A VPN encrypts the traffic being sent between your computer and the destination. This includes information being used on websites, services, and applications. A packet sniffer would only see encrypted data being sent to your VPN service provider.

Security Briefs

On September 25, 2017, hackers gained access to Deloitte’s global email server through an administrative account that was not properly secured. Ensure your network is prepared to ward off hackers from gaining access to your business-sensitive information. Find out what we know about the breach, how the attack took place and what we can learn from this breach.

On September 7, 2017, a large-scale data breach was announced. Equifax, one of the three major credit reporting agencies, revealed that a data breach may have affected 143 million consumers by exposing Social Security numbers and other personal information. Learn what Equifax revealed, who was affected and steps you can take to protect your personal information.

On May 3, 2017, a massive phishing attack targeted Google Docs, and anyone with a Gmail account was a potential victim. Learn how the attack slipped by Google, how this type of phishing attack was different and tips to avoid becoming a phishing attack victim.

Read this security brief to better understand how the Dyn DDoS attack in October 2016 took place, and what you can do to ensure your devices don’t fall victim to hackers.

Locky: Security Brief

Find out what Locky ransomware is, how it’s spread, how it works and what you can do to protect yourself and your network.