
What is a Man In The Middle Attack (MITM)

An earlier version of this post originally appeared at ICANN blog on 2 October 2015.

Many years ago, your local telephone service offered you options. You could subscribe to a private line or you could subscribe to a more economical service that you would share with some of your neighbors. This shared service was called a party line. The shared configuration had two characteristics. If you wanted to place a call, you had to wait until the circuit was idle, i.e., you had to wait until all the other parties on the shared circuit weren’t also trying to place calls. More worrying, however, was that other parties on the shared circuit could listen in on, join in (welcomed or not), or disrupt any conversation.

Ethernet and WiFi share these same characteristics. This is an important reason why everyone is encouraged to use encryption to prevent the forms of eavesdropping common to shared media or party lines.

Eavesdropping is one of several kinds of attacks we call man in the middle attacks. Each man in the middle (MITM) attack involves an attacker (or a device) that can intercept or alter communications between two parties who typically are unaware that the attacker is present in their communications or transactions. Let’s look at three examples of Internet MITM attacks.

Evil Twin Access Point attack


When you attempt to connect to a wireless network, your Wi-Fi device will try to “associate” with a nearby access point (AP). Attackers can use software to turn an ordinary laptop into an access point, and then will use the name of an access point you may recognize or trust so that you or your device will connect to this “evil twin” rather than the “good one” (Original series Star Trek fans will recall the episode “Mirror, Mirror”). Once your device connects to the evil twin AP, the attacker can intercept your company login or credit card information, and he may connect you to the site you intended to visit to perpetuate the deception. The attacker may redirect you to fake web sites, mail servers or other sites where you might unsuspectingly enter personal information or download additional malicious software. (Note: Lisa Phifer offers two excellent technical articles on evil twin AP attacks here.)

Encryption or antivirus software can help, but your best defense against evil twin APs is to exercise caution when connecting to free or unsecured WiFi networks.

Man In The Browser attack (MiTB)

Imagine all the mischief an attacker might make if he could sit “inside” your browser and read or modify what you type or what a website sends to you. Sadly, attackers have gone beyond imagining such scenarios. MiTB attacks make use of a proxy Trojan horse, software that inserts itself between your browser and a web server, typically during a financial transaction or an e-merchant purchase. The attacker can use the proxy Trojan, which is a keylogger, a rootkit, a malicious browser helper object or a plug-in, to steal your banking credentials, alter amounts of transactions, or make additional transactions, often during your banking or merchant session.

Consider using anti-keylogger or rootkit detection software to protect against MiTB attacks, but keep in mind that such malware is commonly delivered via phishing emails or drive-by downloads from sketchy or compromised web sites, so stop and think before you visit sites or open hyperlinks in email messages.

Man In The Email Attack (MITE)


Now imagine if an attacker were to sit in the middle of an email exchange between two parties and impersonate not just one but both parties. For example, an attacker might compromise an executive's (public or private) email account, impersonate that executive and instruct an employee to share sensitive information. To ensure that the impersonation remains intact, the attacker may also intercept or impersonate the employee in all other email exchanges. Attackers use similar business email compromise (BEC) attacks to impersonate executives who authorize payments. The objective in this scenario is to influence an employee, e.g., an accountant, to issue a payment or funds transfer to the attacker. MITEs that involve executive impersonation are also called CEO Fraud attacks.

In certain variants of BEC, an attacker will use impersonation in a supply-chain fraud scheme; here, the attacker uses a compromised email account to insert himself into a negotiation for a purchase of a product or service. The attacker impersonates the supplier to make an attractive offer to the customer, and also impersonates the customer to the true supplier, again to ensure that the impersonation remains intact. The attacker attempts to close a deal and request payment, and completes the fraud by modifying payment instructions in email messages or invoice attachments (even PDFs!) so that funds the customer sends are redirected to an account the attacker holds.

BEC often begins with a phishing attempt, so apply your phishing awareness. Additionally, be on the lookout for deceptive email addresses in the cc: line of emails you receive, especially domain names that appear to be the same when certain fonts are used (pattern.tld/pattem.tld), or common typos. Look for anomalies in correspondence: style, presence or absence of your standard business language, and especially changes to payment locations and account numbers. Perhaps most importantly, don't rely entirely on email for business transactions, especially ones that involve financial account numbers and delivery addresses. Confirm these through a "paper" purchase order process or a phone call.
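The address check described above can be automated. The following is an added example, not part of the original post: it compares the domains in a message's From, Reply-To, To and Cc headers against a list of known correspondents and flags font lookalikes (such as pattern.tld/pattem.tld) and one-character typos. The trusted list, the confusable pairs and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumption: domains your organisation really corresponds with.
TRUSTED = ("pattern.tld", "customer.tld")
# Character runs that render alike in many fonts (constructed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]

def skeleton(domain):
    """Collapse visually confusable sequences to one canonical form."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d

def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return "trusted"
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good):
            return f"lookalike of {good}"
        if edit_distance(domain, good) <= 1:
            return f"possible typo of {good}"
    return "unknown"

def audit_headers(raw_message):
    """Return {address: (header, verdict)} for every suspicious address."""
    msg = message_from_string(raw_message)
    findings = {}
    for header in ("From", "Reply-To", "To", "Cc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            verdict = classify(addr.rsplit("@", 1)[-1])
            if "@" in addr and verdict not in ("trusted", "unknown"):
                findings[addr.lower()] = (header, verdict)
    return findings

# Constructed sample message for illustration only.
SAMPLE = ("From: Alice Buyer <alice@customer.tld>\nTo: accounts@pattern.tld\n"
          "Cc: Bob Sales <bob@pattem.tld>, carol@patern.tld\n"
          "Subject: Updated payment instructions\n\n(constructed body)\n")
```

A flagged address is a prompt to confirm payment details by phone or purchase order, not proof of fraud; an "unknown" domain simply is not on the trusted list.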

MITMs abound

Many Internet protocols are vulnerable to Man In The Middle attacks, making MITM one of the most common tools in the attacker toolbox. Encryption - PGP, S/MIME, DNSSEC, certain VPNs - mitigates MITM attacks, but attacks like BEC demonstrate that attackers seek novel ways to use impersonation. Be vigilant!

