In conversations as cyber security professionals, we have had many discussions about different types of attacks – from SQL injection attacks to password brute forcing and everything in between. Yet there seems to be one type that causes more questions than most: “Man in the Middle” (MITM) attacks. Let’s clear up some of the confusion.
What a MITM attack is
At its core, a MITM attack is a type of eavesdropping attack that occurs when a malicious actor inserts himself between two communicating parties. This allows the attacker to relay all communication, listen to it, modify it, and even impersonate one of the parties.
Nothing new
One of the most famous examples of a MITM attack happened in 1568, long before computers were even invented. Known as the Babington Plot, communications between Mary Stuart and her supporters surrounding a plot to assassinate Queen Elizabeth I were intercepted by a third party. Altering the content of the messages revealed the identities of those involved in the plot, and they were executed.
In more recent times, MITM attacks have been used by everyone from criminals looking to commit financial fraud to the NSA looking to intercept Google searches. These modern MITM attacks, the ones the term is most often applied to these days, are generally carried out in the realm of Information Technology. The technique can be applied in many ways; essentially, any time two parties communicate, a MITM attack can be attempted.
MITM and emails
When it comes to email, this is often done using Domain Name System (DNS) spoofing, in which an attacker convinces a victim that they are the authoritative DNS server and then routes the traffic to a server that the attacker controls. In the case of attacks against financial institutions, attackers gain control of the email account of someone like a financial advisor or bank representative and then send an email purporting to be from this person, asking victims to send money to bank accounts owned by the attacker. Real estate closings and commercial transactions are also frequent targets: an attacker first gains access to a firm’s server, then redirects all e-mail associated with that server to a server under the attacker’s control. This lets the attacker change payment details and other information in those e-mails to defraud the firm and those working with it.
The confusion
A lot of the confusion seems to stem from the fact that, unlike a SQL injection attack, which by definition only works against SQL databases, a MITM attack is not limited to one technology or type of technology. Instead, it is an umbrella term for something that can be performed any time two parties are communicating – typically combined with other techniques such as phishing. This ambiguity is the reason that one of the most robust attack type classifications, MITRE’s ATT&CK matrix, doesn’t even list MITM in its matrix of attack types.
The bad news
If a MITM attack is performed successfully, the victim has no idea that it is happening. In the case of fraudulent emails during real estate closings, for example, the email was sent from a legitimate address, the victim has reason to trust the sender (e.g. the title company), and there is a plausible reason for the compromised email account to be asking for money to fund the business transaction. If the MITM attacker used DNS spoofing, the victim would have to be actively monitoring every DNS request, know the legitimate DNS server’s IP address by heart, and then notice the discrepancy. And while there is software out there that can help detect DNS spoofing, a regular consumer will not be using it.
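The monitoring the paragraph above describes, automated, as an added example that is not part of the original article: it checks observed DNS responses against the resolver the client is configured to use and flags the discrepancies a spoofing attempt leaves behind. Every address, transaction id and name below is constructed sample data drawn from the reserved documentation ranges.

```python
"""Added example (not from the original article): flag DNS responses that do
not match what the client actually asked, or did not come from the resolver
it is configured to use. All data below is constructed for illustration."""
from collections import defaultdict

# Resolver the client is configured to use (constructed, RFC 5737 test range).
TRUSTED_RESOLVER = "192.0.2.53"

# Queries the client actually sent: DNS transaction id -> queried name.
SENT_QUERIES = {0x1A2B: "mail.example.test", 0x3C4D: "bank.example.test"}

# Observed responses as (responder_ip, txid, name, answer_ip); constructed.
OBSERVED = [
    ("192.0.2.53", 0x1A2B, "mail.example.test", "198.51.100.10"),   # genuine
    ("203.0.113.9", 0x3C4D, "bank.example.test", "203.0.113.66"),   # wrong source
    ("192.0.2.53", 0x3C4D, "bank.example.test", "198.51.100.20"),   # genuine, late
    ("192.0.2.53", 0x5E6F, "other.example.test", "198.51.100.30"),  # never asked
]


def detect_spoofing(observed, sent_queries, trusted_resolver):
    """Return a list of (txid, reason) findings for suspicious responses.

    Three checks: the response must come from the configured resolver, it
    must answer a query the client really sent (same id and name), and a
    given transaction must not receive conflicting answers. The last check
    still fires when a forged response copies the resolver's source address,
    as long as the genuine reply arrives as well."""
    findings = []
    answers = defaultdict(set)  # txid -> distinct answer IPs seen so far
    for src, txid, name, answer in observed:
        if src != trusted_resolver:
            findings.append((txid, f"response from {src}, not the configured resolver"))
        if txid not in sent_queries:
            findings.append((txid, f"unsolicited response for {name}"))
        elif sent_queries[txid] != name:
            findings.append((txid, f"answer name {name} does not match the query"))
        answers[txid].add(answer)
        if len(answers[txid]) > 1:
            findings.append((txid, f"conflicting answers {sorted(answers[txid])}"))
    return findings


if __name__ == "__main__":
    for txid, reason in detect_spoofing(OBSERVED, SENT_QUERIES, TRUSTED_RESOLVER):
        print(f"txid 0x{txid:04x}: {reason}")
```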
The good news
Without you even noticing, many protections against MITM attacks are already in place – right now, while you are reading this article. One of the major reasons for websites to implement HTTPS is to greatly increase the difficulty of performing MITM attacks. When you first browsed to this website, your browser verified the validity of this website’s SSL certificate to ensure that the website you are visiting is exactly who it says it is. Have you ever gotten a warning from your browser that the website you’re visiting isn’t safe? That’s usually because the SSL certificate is either expired or issued for a different website than the one you are visiting. This is how the browser tries to help you avoid being caught in a MITM attack. To protect against financial attacks from compromised email accounts, many organizations require secondary authentication to help prevent that type of MITM attack. Typically, before a monetary transfer is allowed, a phone call to confirm the information and the request sent by email is mandatory.
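The two certificate checks behind the browser warnings mentioned above (expired, or issued for a different site), as an added example that is not code from the original article. It works on a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns; the sample certificate is constructed, and trust-chain verification is left to the TLS library as it would be in practice.

```python
"""Added example (not from the original article): the validity-period and
hostname checks a browser performs on a server certificate before trusting an
HTTPS site, applied to a certificate in ssl.getpeercert() dictionary form."""
import ssl
import time

# Constructed sample certificate in getpeercert() shape; not a real site's cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.cdn.example.test")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Browser-style name matching: case-insensitive; a wildcard is only
    allowed as the entire leftmost label and never spans a dot, so
    *.a.test matches x.a.test but neither a.test nor x.y.a.test."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def certificate_problems(cert: dict, hostname: str, now: float) -> list:
    """Return the reasons a browser would warn about this certificate for
    this hostname at time `now` (seconds since the epoch), or [] if none."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    # Browsers consult only the subjectAltName DNS entries, not the commonName.
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(hostname_matches(name, hostname) for name in names):
        problems.append(f"name mismatch: certificate is for {', '.join(names)}, not {hostname}")
    return problems


if __name__ == "__main__":
    for host in ("www.example.test", "img.cdn.example.test", "cdn.example.test"):
        print(host, certificate_problems(SAMPLE_CERT, host, time.time()) or "ok")
```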
Bottom Line
While there are many types of MITM attacks and they can occur in a variety of ways, Man-in-the-Middle means an attacker is positioned to intercept and/or modify communications between two parties. Email conversations are prone to this, and DNS spoofing is a common way of achieving it.