What is Man in the Middle Attack
A man-in-the-middle attack (MITM) is a general term for an attack in which the perpetrator positions himself in a conversation between a user and an application, either by eavesdropping or by impersonating one of the parties, making it appear as if a normal exchange of information is under way.
The purpose of the attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically users of financial applications, SaaS businesses, e-commerce sites and other websites where signing in is required.
Information obtained during an attack can be used for many purposes, including identity theft, unauthorized fund transfers or illegitimate password changes.
In addition, it can be used to gain a foothold within a secured perimeter during the infiltration phase of an advanced persistent threat (APT).
In general, a MITM attack is the equivalent of a postman who opens your bank statement, writes down your account details, then reseals the envelope and delivers it to your door.
How Man in the Middle Attacks Work
Most MitM attacks follow a common operational pattern, regardless of the specific tactics used in a given attack.
In this example, there are three parties: Alice, Bob and Chuck (the attacker).
- Chuck secretly listens in on the channel over which Alice and Bob talk
- Alice sends a message to Bob
- Chuck intercepts and reads Alice’s message without Alice or Bob knowing
- Chuck alters messages between Alice and Bob, producing unwanted or harmful responses
Attackers often use MitM to harvest credentials and gather intelligence about their targets.
Multi-factor authentication (MFA) can be an effective protection against credential theft. Unfortunately, MFA can be bypassed in some cases.
Here is a practical example of a real MiTM attack on Microsoft Office 365 in which MFA was bypassed by the attacker:
- A user clicks a phishing link that leads them to a fake Microsoft page, where they enter their username and password
- The fake webpage transmits the username and password to the attacker’s server
- The attacker sends a login request to Microsoft, so as not to raise suspicion
- Microsoft sends a two-step verification code to the user via SMS
- The user enters the code on the fake web page
- The fake page transfers the 2FA code to the attacker’s server
- The attacker uses Evilginx to steal the session cookie
- The attacker passes the user’s 2FA code to Microsoft, and now the attacker can sign in to Office 365 as the compromised user using the session cookie, and can access sensitive information within the business.
Man in the Middle Attack Progression and Types
The first step is to intercept the user’s traffic through the attacker’s network before it reaches its intended destination.
Attackers who wish to take an active approach may launch one of the following attacks:
- IP spoofing involves the attacker disguising himself as an application by altering the packet headers in an IP address. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
- ARP spoofing is the process of linking the attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
- DNS spoofing, also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users trying to access the site are sent by the altered DNS record to the attacker’s site.
- HTTPS spoofing sends a fake certificate to the victim’s browser as soon as the first connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies according to an existing list of trusted sites. The attacker is then able to access any data entered by the victim before it is passed on to the application.
- SSL hijacking occurs when the attacker passes forged authentication keys to both the user and the application during the TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
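The ARP spoofing entry above describes the attacker's MAC address being announced for another host's IP. From the defender's side, that leaves a visible trace on the wire: an IP whose announced MAC suddenly changes, or one MAC that answers for the gateway and for other hosts at once. The following is an added example (not code from the original article) that parses the ARP reply lines printed by `tcpdump -n arp` and flags both symptoms; the capture text is constructed for illustration and the gateway address is an assumption.

```python
import re
from collections import defaultdict

# Matches the ARP reply lines tcpdump prints with `tcpdump -n arp`
ARP_REPLY_RE = re.compile(
    r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})", re.I
)

# Constructed sample capture (not a real trace): the gateway 192.168.1.1 is first
# announced by its legitimate MAC, then a second host starts answering for it
# and for 192.168.1.20 as well.
SAMPLE_CAPTURE = """\
10:00:01.000001 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
10:00:02.000001 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20, length 28
10:00:03.000001 ARP, Reply 192.168.1.30 is-at aa:bb:cc:dd:ee:30, length 28
10:00:09.000001 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:99, length 28
10:00:10.000001 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:99, length 28
"""

GATEWAY_IP = "192.168.1.1"  # assumed default gateway for the constructed LAN


def parse_arp_replies(capture_text):
    """Return the (ip, mac) pairs announced by ARP replies, in capture order."""
    return [(ip, mac.lower()) for ip, mac in ARP_REPLY_RE.findall(capture_text)]


def detect_arp_anomalies(replies, gateway_ip):
    """Flag two classic ARP-spoofing symptoms:

    1. an IP whose announced MAC changes (arpwatch's "changed ethernet address");
    2. a single MAC that answers for the gateway IP and at least one other IP,
       i.e. a host inserting itself between other hosts and the gateway.
    """
    alerts = []
    first_seen = {}                 # ip -> MAC first announced for it
    ips_per_mac = defaultdict(set)  # mac -> every IP it has claimed

    for ip, mac in replies:
        if ip in first_seen and first_seen[ip] != mac:
            alerts.append(f"MAC change for {ip}: {first_seen[ip]} -> {mac}")
        first_seen.setdefault(ip, mac)
        ips_per_mac[mac].add(ip)

    for mac, ips in ips_per_mac.items():
        if gateway_ip in ips and len(ips) > 1:
            others = ", ".join(sorted(ips - {gateway_ip}))
            alerts.append(f"{mac} claims gateway {gateway_ip} and also {others}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_anomalies(parse_arp_replies(SAMPLE_CAPTURE), GATEWAY_IP):
        print("ALERT:", alert)
```

The first rule is the one arpwatch has used for decades and produces false positives when a host legitimately changes its NIC or when DHCP reassigns an address, so in practice alerts are correlated with the DHCP lease log before anyone is paged. A static ARP entry for the gateway on critical hosts, or dynamic ARP inspection on managed switches, removes the condition rather than just detecting it.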
How to Detect a Man in the Middle Attack
As a rule, it is better to prevent an attack than to have to detect one after the fact.
Signs to Look For
Here are some signs that may indicate an additional listener on your network.
- Unexpected and/or repeated disconnections: Attackers forcibly disconnect users so that they can capture the username and password when the user tries to reconnect. By monitoring for unexpected or repeated disconnections, you can spot this dangerous behavior.
- Unusual addresses in your browser’s address bar: If anything in the address looks odd, even slightly, double-check it. It could be a DNS hijack. For example, you see https://www.go0gle.com instead of https://www.google.com
- Connecting to public and/or insecure Wi-Fi: Be very careful about which networks you connect to, and avoid public Wi-Fi if possible. Attackers set up fake networks with names such as “local free wireless” or another common-sounding name to trick people into connecting. Once you connect to the attacker’s Wi-Fi, they can easily see everything you send over the network.
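The go0gle.com example above is a near-miss spelling of a trusted host. The check a user does by eye can be done by a proxy or mail filter against an allow-list: normalise the host, undo the usual look-alike substitutions (0 for o, 1 for l, rn for m) and accept at most one edit of distance from a trusted name. This is an added example, not code from the original article; the allow-list and the confusable table are constructed for illustration.

```python
from urllib.parse import urlsplit

# Character sequences commonly swapped for look-alikes in a browser address bar
# (constructed, deliberately short table)
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

# Constructed allow-list of hosts the organisation expects users to sign in to
TRUSTED_HOSTS = ("google.com", "microsoft.com", "login.microsoftonline.com")


def canonical_host(url):
    """Lower-case hostname from a URL with a leading 'www.' removed."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def deconfuse(host):
    """Replace look-alike sequences with the characters they imitate."""
    for fake, real in CONFUSABLES.items():
        host = host.replace(fake, real)
    return host


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,          # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def lookalike_of(url, trusted=TRUSTED_HOSTS):
    """Return the trusted host that `url` imitates.

    None means the host is itself trusted or is not close to any trusted host.
    A host matches when, as written or after deconfusing, it equals a trusted
    host or is within one edit of it.
    """
    host = canonical_host(url)
    if host in trusted:
        return None
    candidates = {host, deconfuse(host)}
    for name in trusted:
        for candidate in candidates:
            if candidate == name or edit_distance(candidate, name) <= 1:
                return name
    return None


if __name__ == "__main__":
    for u in ("https://www.google.com/", "https://www.go0gle.com/",
              "https://rnicrosoft.com/login", "https://example.org/"):
        print(u, "->", lookalike_of(u))
```

This catches misspellings and digit substitutions only. A host such as login.microsoftonline.com.example.net passes, because the trusted name appears as a subdomain of an unrelated registrable domain; a production filter compares the registrable domain (the public-suffix-aware part) rather than the full hostname, and a browser-enforced HSTS preload or certificate check remains the real control.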