« Solving the Bigger Data Question in Cybersecurity | Main | Cybersecurity Business Model: When in Rome... »

Monday, 03 April 2017

What is a Man In The Middle Attack (MITM)

An earlier version of this post originally appeared at ICANN blog on 2 October 2015.

Many years ago, your local telephone service offered you options. You could subscribe to a private line or you could subscribe to a more economical service that you would share with some of your neighbors. This shared service was called a party line. The shared configuration had two characteristics. If you wanted to place a call, you had to wait until the circuit was idle, i.e., you had to wait until all the other parties on the shared circuit weren’t also trying to place calls. More worrying, however, was that other parties on the shared circuit could listen in on, join in (welcomed or not), or disrupt any conversation.

Ethernet and WiFi share these same characteristics. This is an important reason why everyone is encouraged to use encryption to prevent the forms of eavesdropping common to shared media or party lines.

Eavesdropping is one of several kinds of attacks we call man in the middle attacks. Each man in the middle or MITM attacks involves an attacker (or a device) that can intercept or alter communications between two parties who typically are unaware that the attacker is present in their communications or transactions. Let’s look at three examples of Internet MITM attacks.

Evil Twin Access Point attack

519471784_446b4bf07f_m

When you attempt to connect to a wireless network, your Wi-Fi devices will try to “associate” with a nearby access point (AP). Attackers can use software to turn an ordinary laptop into an access point, and then will use the name of an access point you may recognize or trust so that you or your device will connect to this “evil twin” rather than the “good one” (Original series Star Trek fans will recall the episode “Mirror, Mirror”. Once your device connects to the evil twin AP, the attacker can intercept your company login or credit card information, and he may connect you to the site you intended to visit to perpetuate the deception. The attacker may redirect you to fake web sites, mail servers or other sites where you might unsuspectingly enter personal information or download additional malicious software. (Note: Lisa Phifer offers two excellent technical articles on evil twin AP attacks here.)

Encryption or antivirus software can help, but your best defense against evil twin APs is to exercise caution when connecting to free or unsecured WiFi networks.

Man In The Browser attack (MiTB)

Imagine all the mischief an attacker might make if he could sit “inside” your browser and read or modify what you type or what a website sends to you. Sadly, attackers have gone beyond imagining such scenarios. MiTB attacks make use of a proxy Trojan horse, software that inserts itself between your browser and a web server, typically during a financial transaction or an e-merchant purchase. The attacker can use the proxy Trojan, which is a keylogger, rootkit, a malicious browser helper object or a plug-in, to steal your banking credentials, alter amounts of transactions, or make additional transactions, often during your banking or merchant session.   

Consider using an anti-keylogger or rootkit detection software to protect against MiTB attacks, but keep in mind that such malware are commonly delivered via phishing emails or drive-by downloads from sketchy or compromised web sites, so stop and think before you visit sites or open hyperlinks in email messages.

Main In The Email Attack (MITE)

BEC
https://www.fbi.gov/news/stories/business-e-mail-compromise

Now imagine if an attacker were to sit in the middle of an email exchange between two parties and impersonate not just one but both parties. For example, an attacker might compromise an executive's (public or private) email account,, impersonate that executive and instruct an employee to share sensitive information. To ensure that the impersonation remains intact, the attacker may also intercept or impersonate the employee in all other email exchanges. Attackers use similar business email compromise (BEC)  attacks to impersonate executives who authorize payments. The objective in this scenario is to influence an employee, e.g., an accountant to issue a payment or funds transfer to the attacker. MITEs that involve executive impersonation are also called CEO Fraud attacks

In certain variants of this BEC an attacker will impersonate in a supply-chain fraud scheme; here, the attacker uses a compromised email account to insert himself into a negotiation for a purchase of a product or service. The attacker impersonates the supplier to make an attractive offer to the customer and also impersonates the customer to the true supplier to again ensure that the impersonation remains intact. The attacker attempts to close a deal and request payment and completes the fraud by modifying payment instructions in email messages or invoice attachments (even PDFs!) so that funds the customer sends are redirected to an account the attacker holds. 

BEC often begins with a phishing attempt, so apply your phishing awareness. Additionally, be on the lookout for deceptive email addresses in the cc: line of emails you receive, especially domain names that appear to be the same when certain fonts are used (pattern.tld/pattem.tld, icann.org/icanm.org) or common typos (securityskeptic.com/securityskeptic.co). Look for anomalies in correspondence: style, presence or absence of your standard business language, and specially changes to payment locations and account numbers. Perhaps most importantly, don't rely entirely on email for business transactions, especially ones that involve financial account numbers and delivery addresses. Confirm these through a "paper" purchase order process or a phone call. 

MITMs abound

Many Internet protocols are vulnerable to Man In The Middle attacks, making it one of the most common tools in the attacker toolbox. Encryption - PGP, S/MIME, DNSSEC, certain VPNs - mitigate MITM attacks but attacks like BEC demonstrate that attackers seek novel ways to use impersonation. Be vigilant!

Posted at 08:45 AM in All matters security, Anti-Malware and Anti-phishing |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories