This attack can happen in any form of online communication: web browsing, email, social media and so on. The main aim of a MITM attack is to steal the user's sensitive data, such as account details, login credentials (username and password) and credit card numbers. The main targets are e-commerce sites, SaaS businesses and financial applications, where a login is required to access the service. The data obtained during the attack is then used for purposes such as unauthorised fund transfers, illicit password changes and identity theft. MITM techniques are also used to gain a foothold inside a secured perimeter during the infiltration stage of an APT (Advanced Persistent Threat) attack.
Figure 1 MITM Attack Scenario
The diagram above shows how a MITM attack works. The attacker intercepts the conversation between two computers while the data is in transit. As represented in the diagram, the attacker inserts himself into the flow of traffic between server and client, so each side is in fact talking to the attacker while believing it is talking to the other. This lets the attacker read the traffic and insert false information into it during transmission.
Types of MITM attack
There are various types of MITM attacks, discussed below:
- Wi-Fi Eavesdropping
This attack is also called an "evil twin" attack: the attacker tricks an unsuspecting user into connecting to a malicious Wi-Fi network. The attacker sets up a hotspot near a location where people usually connect to a public Wi-Fi network, typically with the same network name as the legitimate one. Because users set their devices to remember known Wi-Fi networks and reconnect to them automatically, devices that come within range of the malicious hotspot join it on their own, and the user believes the device is connected to the real network. The attacker is now the gateway to the Internet for that device and can apply any of the man-in-the-middle techniques below to its traffic.
- Email Hijacking
This is the type of attack in which the attacker compromises a user's email account. The account is usually taken over through social engineering, email spoofing or malware planted on the user's computer. Having gained access to the target mailbox, the attacker silently monitors the correspondence between the victim and the other party, and uses the information gathered, or messages sent in the victim's name, for illegal purposes.
- IP Spoofing Attacks
Every system connected to a network has an IP address, and many corporate intranets assign addresses from a range that other systems trust. In this technique the attacker mimics the IP address of an authorised device, which lets an unauthorised host infiltrate the network. The same technique is used in DoS (Denial of Service) attacks, and it can be used in a MITM attack in which the attacker acts as a middleman between two systems by impersonating each of them to the other.
- SSL Stripping
SSL stands for Secure Sockets Layer, the encryption protocol (since superseded by TLS) used to protect a website's traffic. In SSL stripping the attacker, already positioned on the path, intercepts the user's first plaintext HTTP request and the server's redirect to the HTTPS version of the site. The attacker connects to the encrypted site on behalf of the user, and relays the site's pages back to the user over plain HTTP, rewriting https:// links to http:// so that the browser never attempts to upgrade the connection. The user sees the real site's content and believes he is visiting it as usual, but the attacker has "stripped" SSL/TLS out of the user's side of the connection and can read and modify everything in it.
- Session Hijacking
This is a type of man-in-the-middle attack typically used to compromise social media accounts. Like most websites, social media sites store a session cookie in the user's browser that identifies the logged-in session. The attack occurs when an attacker steals that cookie, which can happen when the user's machine is infected with malware or a browser hijacker, or when the cookie is sent over an unencrypted connection that the attacker is already intercepting. With the cookie, the attacker can use the session without ever knowing the password.
- ARP Spoofing
Address Resolution Protocol (ARP) maps IP addresses to MAC addresses on a local network, and hosts accept ARP replies without any authentication. In ARP spoofing the attacker sends forged ARP replies to the target (and usually to the gateway as well) claiming that the gateway's IP address is at the attacker's MAC address. The target then sends all traffic destined for the gateway to the attacker, who forwards it onward and so acts as the router, able to intercept everything that passes. This attack is limited to the LAN (Local Area Network) segment on which ARP is used.
- Man-in-the-Browser
This is a type of attack in which the attacker exploits vulnerabilities in the web browser itself. Trojan horses, Java exploits, computer worms and malicious browser add-ons are among the vectors commonly used to get code into the browser, where it can read and alter pages and form submissions before they are encrypted, and is commonly used to fetch financial information.
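The ARP spoofing described above is simple enough to show end to end. The following Python is an added example, not code from the original article: it builds the forged Ethernet/ARP reply frame an attacker sends (with struct, no packet library needed), parses it the way a host's ARP code would, and runs a small watcher that raises an alert when an IP address already bound to one MAC is suddenly claimed by another. All addresses are constructed for the example; nothing here touches a real interface.

```python
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp_reply(sender_mac: str, sender_ip: str,
                    target_mac: str, target_ip: str) -> bytes:
    """Ethernet + ARP 'is-at' frame meaning "sender_ip is at sender_mac".

    A legitimate host sends this in answer to a request. An attacker sends it
    unsolicited, with sender_ip set to the gateway's IP and sender_mac to his own.
    """
    eth_header = (mac_bytes(target_mac)            # destination MAC
                  + mac_bytes(sender_mac)          # source MAC
                  + struct.pack("!H", ETH_TYPE_ARP))
    arp_header = struct.pack("!HHBBH",
                             1,        # hardware type: Ethernet
                             0x0800,   # protocol type: IPv4
                             6, 4,     # hardware / protocol address lengths
                             ARP_REPLY)
    arp_body = (mac_bytes(sender_mac) + ip_bytes(sender_ip)
                + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth_header + arp_header + arp_body


def parse_arp(frame: bytes):
    """Return the fields a host's ARP code acts on, or None if not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    opcode = struct.unpack("!H", frame[20:22])[0]
    return {
        "opcode": opcode,
        "sender_mac": ":".join(f"{b:02x}" for b in frame[22:28]),
        "sender_ip": ".".join(str(b) for b in frame[28:32]),
        "target_ip": ".".join(str(b) for b in frame[38:42]),
    }


class ArpWatch:
    """Detector: remembers the first MAC seen for each IP and alerts on a change.

    Hosts accept replies unauthenticated, so the observable symptom of
    poisoning is an IP that flips between MACs (or is claimed by two at once).
    """

    def __init__(self):
        self.bindings = {}   # ip -> mac first seen
        self.alerts = []

    def observe(self, frame: bytes):
        info = parse_arp(frame)
        if info is None or info["opcode"] != ARP_REPLY:
            return None
        ip, mac = info["sender_ip"], info["sender_mac"]
        known = self.bindings.setdefault(ip, mac)
        if known != mac:
            alert = f"ARP spoofing suspected: {ip} was at {known}, now claimed by {mac}"
            self.alerts.append(alert)
            return alert
        return None


def demo():
    """Constructed scenario: a genuine gateway reply, then an attacker's forgery."""
    gateway_ip, gateway_mac = "192.168.1.1", "aa:bb:cc:00:00:01"
    victim_ip, victim_mac = "192.168.1.20", "aa:bb:cc:00:00:20"
    attacker_mac = "de:ad:be:ef:00:01"

    watch = ArpWatch()
    genuine = build_arp_reply(gateway_mac, gateway_ip, victim_mac, victim_ip)
    forged = build_arp_reply(attacker_mac, gateway_ip, victim_mac, victim_ip)
    first = watch.observe(genuine)    # learns gateway_ip -> gateway_mac, no alert
    second = watch.observe(forged)    # same IP, different MAC -> alert
    return first, second, watch.alerts


if __name__ == "__main__":
    print(demo())
```

In a real attack the attacker sends the forged reply to the gateway as well, claiming the victim's IP, and enables IP forwarding so that traffic keeps flowing while he sits in the middle. The watcher above is the logic behind tools that monitor ARP on a segment; on managed switches the same protection is provided by DHCP snooping combined with dynamic ARP inspection, which drops replies that contradict the switch's binding table.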
Some Key Concepts of MITM Attack
Some key concepts of the MITM attack:
- It is a type of attack that occurs when an attacker inserts himself as a relay or proxy into a communication session between two systems over the network.
- A man-in-the-middle attack exploits the real-time processing of conversations, transactions and other data transfers: the parties expect an immediate reply and get one, from the attacker.
- The attack enables the attacker to intercept, read, modify and send data during the transmission process.
MITM Attack Progression
MITM execution has two distinct phases: interception and decryption.
The first step is to intercept the user's traffic through the attacker's network before it reaches the destination device. The simplest means is for the attacker to create a free, malicious Wi-Fi hotspot open to the public. Once a victim connects to such a hotspot, the attacker has access to all data transmitted between the two nodes. Where the attacker cannot get the victim onto his own network, more active approaches to interception are used, such as ARP spoofing, IP spoofing and DNS spoofing.
After successful interception, any two-way SSL/TLS traffic has to be decrypted without triggering an alert in the user's browser or application. The attacker cannot break the cipher directly, so the techniques used work around it: BEAST (Browser Exploit Against SSL/TLS), HTTPS spoofing (presenting the victim with a forged or look-alike certificate), SSL stripping and SSL hijacking are some of the ways.
Prevention against MITM Attack
There are various ways to mitigate MITM attacks, discussed below:
- Authentication Certificates
By deploying certificate-based authentication one can protect an individual network or system, such as an email system or a Wi-Fi network, by requiring a certificate from every machine and device. Only properly configured endpoints can then access the network services, and a rogue access point or host without a certificate the clients trust cannot pass itself off as a legitimate one. These certificates are user-friendly and no additional hardware is required to manage the network.
- S/MIME (Secure/Multipurpose Internet Mail Extensions)
S/MIME encrypts email in transit as well as at rest, which ensures that only the intended recipient can read it. It also lets the sender digitally sign messages, so the recipient can verify who sent a message and that it was not altered on the way. Note that it is the signature, not the encryption, that stops an attacker from altering the data without being detected.
- Use of VPN (Virtual Private Network)
A VPN encrypts the communication between the user's device and the VPN endpoint. An encrypted VPN tunnel limits an attacker on the local network, for example on a rogue hotspot, to seeing opaque ciphertext, so he cannot read or modify the web traffic inside it. The protection ends at the VPN endpoint; traffic beyond it still needs HTTPS.
- Hashing Based Data Integrity Check
Hashing is another way to protect data. The sender computes a hash of the message, appends it and sends both to the receiver. If an attacker changes the data in transit, the hash of the received data no longer matches the appended value, so the receiver knows the data was altered. A plain hash, however, only detects accidental corruption: an active attacker who can modify the message can recompute the hash of his altered message just as easily and replace the original. To detect tampering by a MITM, the integrity check must be keyed, i.e. an HMAC computed with a key the attacker does not have, or a digital signature.
- Ensure that the websites visited are secured with HTTPS, and never click through a browser certificate warning.
- HSTS (HTTP Strict Transport Security) is a web server directive, sent as a Strict-Transport-Security response header, that tells browsers and other user agents to use only HTTPS for that host for a stated period (max-age). Once a browser has seen the header, it rewrites any http:// request for that host to https:// before sending it, which leaves an SSL-stripping attacker nothing to strip.
- Never purchase or sell products, or log in to sensitive accounts, over a public Wi-Fi network.
- If the website uses SSL/TLS, make sure the insecure protocol versions (SSL 2.0, SSL 3.0, TLS 1.0 and TLS 1.1) are disabled and only TLS 1.2 and TLS 1.3 are enabled.
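The hashing item above deserves a demonstration of its limit. The following Python is an added example, not code from the original article: a message is sent with a plain SHA-256 appended, a simulated man-in-the-middle rewrites the message and recomputes the hash, and the receiver accepts it; the same exchange with an HMAC under a shared key (a key generated for the example, assumed to have been exchanged out of band) is rejected, because the attacker cannot produce a valid tag without the key.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # SHA-256 digest length, for both the plain hash and the HMAC


def attach_hash(message: bytes) -> bytes:
    """Sender with an unkeyed integrity check: message || SHA-256(message)."""
    return message + hashlib.sha256(message).digest()


def verify_hash(blob: bytes):
    """Receiver recomputes the hash; returns the message, or None if it mismatches."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ok = hmac.compare_digest(hashlib.sha256(message).digest(), tag)
    return message if ok else None


def attach_mac(key: bytes, message: bytes) -> bytes:
    """Sender with a keyed integrity check: message || HMAC-SHA256(key, message)."""
    return message + hmac.new(key, message, "sha256").digest()


def verify_mac(key: bytes, blob: bytes):
    """Receiver recomputes the HMAC with the shared key; constant-time compare."""
    if len(blob) < TAG_LEN:
        return None
    message, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    ok = hmac.compare_digest(hmac.new(key, message, "sha256").digest(), tag)
    return message if ok else None


def mitm_tamper(blob: bytes, replacement: bytes, attacker_key: bytes = b"") -> bytes:
    """Attacker on the path swaps the message and reattaches a tag.

    With an unkeyed hash he simply recomputes SHA-256 over the new message.
    With an HMAC he has no key, so the best he can do is guess one.
    """
    if attacker_key:
        return attach_mac(attacker_key, replacement)
    return attach_hash(replacement)


def demo():
    """Constructed exchange: a payment instruction relayed through an attacker."""
    original = b"transfer 100 to account 1111"
    altered = b"transfer 100 to account 6666"

    # 1. Unkeyed hash: the tampered message verifies, the receiver sees nothing wrong.
    unkeyed = mitm_tamper(attach_hash(original), altered)
    accepted_unkeyed = verify_hash(unkeyed)

    # 2. HMAC under a key the attacker does not have.
    key = os.urandom(32)                      # constructed shared key for the example
    keyed = mitm_tamper(attach_mac(key, original), altered,
                        attacker_key=os.urandom(32))   # attacker's guess at the key
    accepted_keyed = verify_mac(key, keyed)
    untouched = verify_mac(key, attach_mac(key, original))
    return accepted_unkeyed, accepted_keyed, untouched


if __name__ == "__main__":
    print(demo())
```

The same reasoning is why TLS and S/MIME rely on keyed MACs and signatures rather than bare hashes; hmac.compare_digest is used in both verifiers so that the comparison does not leak, through timing, how many leading bytes of a forged tag were correct.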
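SSL stripping (under the types above) and the HSTS item in this list are two halves of one story, so here is one added Python example, not code from the original article, covering both. strip_https does what a stripping proxy does to a relayed page, and HstsStore is a minimal model of the browser-side policy that defeats it: it parses the Strict-Transport-Security header, accepts it only when received over TLS (as RFC 6797 requires, which is what keeps an attacker on a plaintext link from planting or clearing a policy), remembers the host with an expiry, and upgrades any later http:// URL for that host before a request leaves the browser. The hostnames (under the reserved .example TLD), header values and the clock are constructed for the example.

```python
import re
import time
from urllib.parse import urlsplit, urlunsplit


def strip_https(page: str) -> str:
    """What an SSL-stripping proxy does to the real site's page before relaying
    it to the victim over plain HTTP: every https:// reference is rewritten so
    the browser keeps talking to the attacker in cleartext."""
    return re.sub(r"https://", "http://", page, flags=re.IGNORECASE)


class HstsStore:
    """Browser-side HSTS cache: host -> (expiry time, includeSubDomains flag)."""

    def __init__(self, now=time.time):
        self.now = now      # injectable clock so expiry can be tested
        self.hosts = {}

    def process_header(self, host: str, header: str, over_tls: bool) -> bool:
        """Record a Strict-Transport-Security policy; True if it was accepted."""
        if not over_tls:        # RFC 6797: ignore the header on plaintext connections
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:        # the server is withdrawing its policy
            self.hosts.pop(host, None)
        else:
            self.hosts[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        """Exact match, or a parent domain whose policy covers subdomains."""
        labels = host.lower().split(".")
        for i in range(len(labels) - 1):   # never treat the bare TLD as a host
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= self.now():
                continue
            if i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts before the request is sent."""
        parts = urlsplit(url)
        if parts.scheme.lower() == "http" and parts.hostname and self.is_known(parts.hostname):
            return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))
        return url


def demo():
    """Constructed scenario: a stripped page, then the browser-side policy at work."""
    clock = [1_700_000_000.0]
    store = HstsStore(now=lambda: clock[0])

    page = '<a href="https://bank.example/login">Log in</a>'
    stripped = strip_https(page)

    # The victim's browser visited the site over TLS earlier and cached its policy...
    accepted = store.process_header("bank.example",
                                    "max-age=31536000; includeSubDomains", over_tls=True)
    # ...and the attacker's plaintext link cannot clear it.
    ignored = store.process_header("bank.example", "max-age=0", over_tls=False)

    upgraded = store.rewrite("http://bank.example/login")   # never leaves as http
    sub = store.rewrite("http://www.bank.example/")         # covered by includeSubDomains
    other = store.rewrite("http://shop.example/")           # no policy, unchanged
    clock[0] += 31536001                                    # policy expired
    expired = store.rewrite("http://bank.example/login")
    return stripped, accepted, ignored, upgraded, sub, other, expired


if __name__ == "__main__":
    print(demo())
```

The upgrade happens inside the browser, so the stripper never sees the plaintext request it depends on. The weak point is the very first visit, before any header has been cached; the browser preload list (a built-in HSTS table) closes that window for sites that submit themselves to it.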
In this article we have discussed what a MITM attack is, explained the various types of MITM attacks commonly used by attackers, and provided some preventive steps to mitigate them.