Man-in-the-Middle Attack: Types and Examples

case study on man in the middle attack

Man-in-the-Middle Attack Definition

A man-in-the-middle (MITM) attack is a form of cyberattack in which criminals exploiting weak web-based protocols insert themselves between entities in a communication channel to steal data. 

None of the parties sending email, texting, or chatting on a video call are aware that an attacker has inserted their presence into the conversation and that the attacker is stealing their data. 

While most cyberattacks are silent and carried out without the victims' knowledge, some MITM attacks are the opposite. They might include a bot generating believable text messages, impersonating a person's voice on a call, or spoofing an entire communications system to scrape data the attacker thinks is important from participants' devices.

Types Of Industries And Personas That Are Most Vulnerable To MITM Attacks

A MITM attack may target any business, organization, or person if there is a perceived chance of financial gain by cyber criminals. The larger the potential financial gain, the more likely the attack.

Stolen personal financial or health information may sell for a few dollars per record on the dark web. At first glance, that may not sound like much until one realizes that millions of records may be compromised in a single data breach.

Popular industries for MITM attacks include banks and their banking applications, financial companies, health care systems, and businesses that operate industrial networks of devices that connect using the Internet of Things (IoT). Millions of these vulnerable devices are subject to attack in manufacturing, industrial processes, power systems, critical infrastructure, and more.

SCORE and the SBA report that small and midsize businesses face greater risks, with 43% of all cyberattacks targeting SMBs due to their lack of robust security.

Types of Man-in-the-Middle (MITM) Attacks

Let us take a look at the different types of MITM attacks.

1. Email Hijacking

As its name implies, in this type of attack, cyber criminals take control of the email accounts of banks, financial institutions, or other trusted companies that have access to sensitive data—and money. Once inside, attackers can monitor transactions and correspondence between the bank and its customers. 

In more malicious scenarios, attackers spoof, or fake, the bank's email address and send customers emails instructing them to resend their credentials—or worse, send money—to an account controlled by the attackers. In this MITM attack version, social engineering, or building trust with victims, is key for success.

2. Wi-Fi Eavesdropping

In Wi-Fi eavesdropping, cyber criminals get victims to connect to a nearby wireless network with a legitimate-sounding name. But in reality, the network is set up to engage in malicious activity. The wireless network might appear to be owned by a nearby business the user frequents or it could have a generic-sounding, seemingly harmless name, such as "Free Public Wi-Fi Network." In some cases, the user does not even need to enter a password to connect. 

Once victims are connected to the malicious Wi-Fi, the attacker has options: monitor the user's online activity or scrape login credentials, credit or payment card information, and other sensitive data. 

To guard against this attack, users should always check what network they are connected to. With mobile phones, they should shut off the Wi-Fi auto-connect feature when moving around locally to prevent their devices from automatically being connected to a malicious network.

3. DNS Spoofing

Domain Name System (DNS) spoofing, or DNS cache poisoning, occurs when manipulated DNS records are used to divert legitimate online traffic to a fake or spoofed website built to resemble a website the user would most likely know and trust. 

As with all spoofing techniques, attackers prompt users to log in unwittingly to the fake website and convince them that they need to take a specific action, such as pay a fee or transfer money to a specific account. The attackers steal as much data as they can from the victims in the process.

4. Session Hijacking

Session hijacking is a type of MITM attack in which the attacker waits for a victim to log in to an application, such as for banking or email, and then steals the session cookie. The attacker then uses the cookie to log in to the same account owned by the victim but instead from the attacker's browser. 

A session is a piece of data that identifies a temporary information exchange between two devices or between a computer and a user. Attackers exploit sessions because they are used to identify a user that has logged in to a website. However, attackers need to work quickly as sessions expire after a set amount of time, which could be as short as a few minutes.

5. Secure Sockets Layer (SSL) Hijacking

Most websites today display that they are using a secure server. They have "HTTPS," short for Hypertext Transfer Protocol Secure, instead of "HTTP" or Hypertext Transfer Protocol in the first portion of the Uniform Resource Locator (URL) that appears in the browser's address bar. Even when users type in HTTP—or no HTTP at all—the HTTPS or secure version will render in the browser window. This is a standard security protocol, and all data shared with that secure server is protected. 

SSL and its successor, Transport Layer Security (TLS), are protocols for establishing security between networked computers. In an SSL hijacking, the attacker intercepts all data passing between a server and the user's computer. This is possible because SSL is an older, vulnerable protocol whose weaknesses led to its replacement by the stronger TLS protocol (SSL version 3.0 was deprecated in June 2015).

6. ARP Cache Poisoning

The Address Resolution Protocol (ARP) is a communication protocol used for discovering the link layer address, such as a media access control (MAC) address, associated with a given internet layer address. ARP matters because it maps an Internet Protocol (IP) address on the local network to the link layer address that frames are actually delivered to, and hosts cache the answers they receive without verifying them.

In this scheme, the victim's computer is tricked with false information from the cyber criminal into thinking that the fraudster's computer is the network gateway. As such, the victim's computer, once connected to the network, essentially sends all of its network traffic to the malicious actor instead of through the real network gateway. The attacker then utilizes this diverted traffic to analyze and steal all the information they need, such as personally identifiable information (PII) stored in the browser.
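The diversion described above leaves a trace in the ARP traffic itself: the gateway's IP suddenly answers from a second MAC, and one MAC starts claiming several addresses. The detector below is an added example (not the article's or any vendor's code) that runs over a constructed stream of ARP replies; the gateway address and baseline table are assumptions.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Added example, not part of the original article. The ARP replies below are
constructed; the gateway address and the baseline table are assumptions.
"""
from collections import defaultdict

# Constructed baseline: what the host learned when it first joined the LAN.
GATEWAY_IP = "192.168.1.1"
BASELINE = {
    "192.168.1.1": "aa:bb:cc:00:00:01",   # real gateway (assumed)
    "192.168.1.20": "aa:bb:cc:00:00:20",  # a printer on the same segment
}

# Constructed ARP replies (sender IP, sender MAC) as a passive monitor would see them.
ARP_REPLIES = [
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # a second host claims to be the gateway
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # the same MAC also claims the printer
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # the real gateway answers again (flapping)
]


def analyze_arp(replies, baseline, gateway_ip):
    """Return a list of alert strings describing suspicious ARP activity.

    Three signals are checked:
      1. an IP in the baseline suddenly maps to a different MAC,
      2. the gateway IP is answered by more than one MAC in the window
         (real and fake gateway both replying),
      3. one MAC claims several IP addresses (a single host impersonating many).
    """
    alerts = []
    current = dict(baseline)          # live IP -> MAC view, updated as replies arrive
    mac_to_ips = defaultdict(set)     # MAC -> every IP it has claimed
    gateway_macs = []                 # every MAC seen answering for the gateway

    for ip, mac in replies:
        mac_to_ips[mac].add(ip)
        if ip == gateway_ip:
            gateway_macs.append(mac)
        known = current.get(ip)
        if known is not None and known != mac:
            alerts.append(f"ip {ip} moved from {known} to {mac}")
        current[ip] = mac

    distinct_gateway_macs = set(gateway_macs)
    if len(distinct_gateway_macs) > 1:
        alerts.append(f"gateway {gateway_ip} answered by {len(distinct_gateway_macs)} MACs")

    for mac, ips in mac_to_ips.items():
        if len(ips) > 1:
            alerts.append(f"mac {mac} claims {len(ips)} addresses: {', '.join(sorted(ips))}")
    return alerts


if __name__ == "__main__":
    for line in analyze_arp(ARP_REPLIES, BASELINE, GATEWAY_IP):
        print(line)
```

A single MAC change is not proof on its own (a gateway can be replaced), so production tooling correlates the flapping and multi-IP signals with DHCP or switch port data before alerting.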

7. IP Spoofing

IP spoofing is similar to DNS spoofing in that the attacker diverts internet traffic headed to a legitimate website to a fraudulent website. Instead of spoofing the website’s DNS record, the attacker modifies the malicious site's IP address to make it appear as if it is the IP address of the legitimate website users intended to visit.

8. Stealing Browser Cookies

In computing, a cookie is a small, stored piece of information. A browser cookie, also known as an HTTP cookie, is data collected by a web browser and stored locally on a user's computer. The browser cookie helps websites remember information to enhance the user's browsing experience. For example, with cookies enabled, a user does not have to keep filling out the same items on a form, such as first name and last name.

Stealing browser cookies must be combined with another MITM attack technique, such as Wi-Fi eavesdropping or session hijacking, to be carried out. Cyber criminals can gain access to a user's device using one of the other MITM techniques to steal browser cookies and exploit the full potential of a MITM attack. With access to browser cookies, attackers can gain access to passwords, credit card numbers, and other sensitive information that users regularly store in their browsers.


How Does a Man-in-the-Middle (MITM) Attack Work?

Regardless of the specific techniques or stack of technologies needed to carry out a MITM attack, there is a basic work order:

  • Person A sends Person B a message.
  • The MITM attacker intercepts the message without Person A's or Person B's knowledge.
  • The MITM attacker changes the message content or removes the message altogether, again, without Person A's or Person B's knowledge.

In computing terms, a MITM attack works by exploiting vulnerabilities in network, web, or browser-based security protocols to divert legitimate traffic and steal information from victims.

Examples Of Man-In-The-Middle Attacks

In 2013, Edward Snowden leaked documents he obtained while working as a consultant at the National Security Administration (NSA). The documents showed that the NSA pretended to be Google by intercepting all traffic with the ability to spoof SSL encryption certification. The NSA used this MITM attack to obtain the search records of all Google users, including all Americans, which was illegal domestic spying on U.S. citizens.

Internet Service Provider Comcast used JavaScript to substitute its ads for advertisements from third-party websites. This kind of MITM attack is called code injection. The web traffic passing through the Comcast system gave Comcast the ability to inject code and swap out all the ads to change them to Comcast ads or to insert Comcast ads in otherwise ad-free content.

A famous man-in-the-middle attack example is Equifax, one of the three largest credit history reporting companies. The company had a MITM data breach in 2017 which exposed over 100 million customers’ financial data to criminals over many months.

A flaw in a banking app used by HSBC, NatWest, Co-op, Santander, and Allied Irish Bank allowed criminals to steal personal information and credentials, including passwords and pin codes.

MITM attacks contributed to massive data breaches. The biggest data breaches in 2021 included Cognyte (five billion records), Twitch (five billion records), LinkedIn (700 million records), and Facebook (553 million records). 

MITM Issues in Mobile Apps

Everyone using a mobile device is a potential target. Many apps fail to use certificate pinning. Certificate pinning links the SSL encryption certificate to the hostname at the proper destination. Pinning has to be built into the application at development time, using known, valid pinning relationships. It cannot be added later if a malicious proxy is already operating, because the proxy will spoof the SSL certificate with a fake one.

A proxy intercepts the data flow from the sender to the receiver. If it is a malicious proxy, it changes the data without the sender or receiver being aware of what is occurring.

How to Detect a Man-in-the-Middle (MITM) Attack?

Because MITM attacks rely on elements more closely associated with other cyberattacks, such as phishing or spoofing—malicious activities that employees and users may already have been trained to recognize and thwart—MITM attacks might, at first glance, seem easy to spot.

However, given the escalating sophistication of cyber criminals, detection should include a range of protocols, both human and technical. As with all cyber threats, prevention is key. 

The following are signs that there might be malicious eavesdroppers on your network and that a MITM attack is underway:

  • Unusual disconnections : Unexpected or repeated disconnections from a service—when a user is oddly kicked out of a service and must sign in again and again—are usually a sign of a MITM attempt or attack. Cyber criminals seek as many opportunities as possible to scrape usernames and passwords, and while having to repeatedly enter a username and password might seem like a minor inconvenience to the user, this is an action MITM attackers need to happen over and over again to be successful.
  • Strange URLs : In a spoofing scam, cyber criminals create bogus websites that look identical to recognizable, trusted ones to lure victims into entering their credentials. In the MITM version of this attack, the webpage delivered to the user in their browser is a spoofed site, and the URL in the address window is clearly not the recognizable address of the trusted site or application. MITM attackers use a DNS hijack so that users will interact and engage with the spoofed site while malicious code intercepts their messages and collects their data. For any and all personal financial transactions, users should carefully examine the webpages of their financial institutions to determine if something seems unfamiliar.
  • Public, unsecured Wi-Fi : Public Wi-Fi available from unfamiliar establishments should be avoided if possible. This is different from municipal Wi-Fi, which is free connectivity offered by cities so residents can connect to the internet. Even if users do not perform banking transactions or other tasks involving sensitive data on a public Wi-Fi, a MITM attack can still send malicious code to a device to eavesdrop on chats and messages. Criminals are known to use innocent-sounding Wi-Fi network names, such as "Local Free Wireless," so beware. Attackers may be offering free connectivity, but they observe all of the user's activity, too. 

Impact Of Man-In-The-Middle Attacks On Enterprises

MITM attacks are serious and require deliberate prevention measures. Enterprises face increased risks due to business mobility, remote workers, IoT device vulnerability, increased mobile device use, and the danger of using unsecured Wi-Fi connections.

The 2022 Cybersecurity Almanac, published by Cybercrime Magazine, reported $6 trillion in damage caused by cybercrime in 2021. This figure is expected to reach $10 trillion annually by 2025.

MITM attacks collect personal credentials and log-in information. An attack may install a compromised software update containing malware. Unencrypted communication, sent over insecure network connections by mobile devices, is especially vulnerable.

Business News Daily reports that losses from cyber attacks on small businesses average $55,000. 

How to Prevent Man-in-the-Middle Attacks?

Sound cybersecurity practices will generally help protect individuals and organizations from MITM attacks.

  • Update and secure home Wi-Fi routers: This is perhaps the most important, as work-from-home (WFH) policies usually mandate that employees use a home router to connect to the internet to access the corporate network. Wi-Fi router software, known as firmware, should be updated from time to time. This process needs to be carried out manually because firmware updates are not automatic. Also, make sure that the router's security settings are set to the strongest, which according to the Wi-Fi Alliance, is currently WPA3.
  • Use a virtual private network (VPN) when connecting to the internet: VPNs encrypt the data traveling between the devices and the VPN server. Encrypted traffic is harder to modify.
  • Use end-to-end encryption: Where possible, instruct employees to turn on encryption for emails and other communication channels. For added security, only use communications software that offers encryption right out of the box. Some applications automatically turn on encryption in the background—such as WhatsApp Messenger, for example. However, if employees wish to verify that their messages are indeed encrypted, they will need to carry out a special process, such as scanning and comparing QR codes available in the WhatsApp application on each person's phone.
  • Install patches and use antivirus software: These might be basic cybersecurity practices, but they are worth mentioning because they are easy to forget. Further, with WFH policies, employees are now responsible for ensuring that all patches are installed and security software is updated on their devices. IT staff may need to explain the importance of this to employees to strengthen endpoint security.
  • Use strong passwords and a password manager: Because passwords are not going away anytime soon, encourage employees to use strong passwords and a password manager. For company-owned devices, IT staff can install mobile device management software that features a password policy with rules pertaining to password length, complexity (i.e., use of special characters), aging, history/reuse, and the maximum number of password attempts before the device is remotely wiped. 
  • If available, deploy multi-factor authentication (MFA): So you do not rely on passwords alone, organizations should encourage the use of MFA for access to devices and online services. This practice has quickly become organizations' best defense against threats.
  • Only connect to secure websites: This means look for a tiny padlock icon all the way to the left of the website URL in the browser's address bar. It is a sign that the webpage you are visiting is secure and using the HTTPS protocol. For security, employees—and web users overall—should never connect to regular HTTP sites or ones that do not have the padlock icon visible. To ensure this, users can consider installing a free browser plugin that can enforce this rule. Further, most comprehensive cybersecurity platforms include web filtering protocols that restrict employees from accessing non-HTTPS sites. Fortinet provides this with its FortiGuard Web Filtering service.
  • Encrypt DNS traffic: The DNS is the internet's distributed directory service. Applications use DNS to resolve a domain name to an IP address. However, when a client's resolver connects to an external recursive DNS resolver, privacy and security become an issue because the DNS is distributed and no single security protocol exists. The handful of mechanisms that have emerged, including DNS over TLS (DoT) and DNS queries over HTTPS (DoH), encrypt DNS traffic between the user's computer and the external DNS resolver and validate the resolver's authenticity using certificates, so that no other party can impersonate the resolver.
  • Adopt the zero-trust philosophy: Zero trust is a security concept that requires organizations not to automatically trust anything inside or outside their perimeters. Instead, they must first verify anything trying to connect to their systems before granting access. The model is "never trust, always verify," and it relies on continuous verification across every device, user, and application. Zero-trust approaches can prevent a MITM attack from starting or can protect an organization's assets if a MITM attack is already underway.
  • Deploy a UEBA solution: User and entity behavior analytics (UEBA) uses machine learning to detect even the tiniest of anomalies in the behavior of both users and devices connected to the corporate network. As cyberattacks become more complex and as threat vectors can appear anywhere, machine learning tools are increasingly used to monitor small changes in behavior that might be suspicious and indicative of a MITM attack. The Fortinet UEBA solution, FortiInsight, not only continuously monitors the behavior of all users and endpoints but also employs automation to respond to threats in real time.


‘Ultimate’ MiTM Attack Steals $1M from Israeli Startup


Researchers uncover an “ultimate man-in-the-middle attack” that used an elaborate spoofing campaign to fool a Chinese VC firm and rip off an emerging business.

Hackers pulled off an elaborate man-in-the-middle campaign to rip off an Israeli startup by intercepting a wire transfer from a Chinese venture-capital firm intended for the new business.

New research by Check Point Software details how the security vendor uncovered the wire-transfer heist, in which an attacker used unique tactics—including communicating through email and even canceling a critical in-person meeting—to fool both parties on either end of the transfer, researchers said.

Check Point became involved in the incident when a $1 million wire-transfer made between the two parties never reached the startup, researchers said in a report posted online Thursday.

“The first domain was essentially the same as the Israeli startup domain, but with an additional ‘s’ added to the end of the domain name,” researchers wrote. “The second domain closely resembled that of the Chinese VC company, but once again added an ‘s’ to the end of the domain name.”

To appear as if communication with the companies was legitimate, the attacker then sent two emails with the same headline as the original thread. The first was to the VC from the Israeli lookalike domain spoofing the email address of the Israeli startup’s CEO, and the second to the Israeli startup from the lookalike Chinese VC company domain spoofing the VC account manager that handled the investment, researchers said.

“This infrastructure gave the attacker the ability to conduct the ultimate man-in-the-middle attack,” researchers wrote. “Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination.”

Indeed, the attackers sent 18 emails to the VC firm and 14 to the startup in the course of the campaign to disrupt the transaction and modify bank details so the wire eventually was sent to an account that attackers could access. Check Point traced the stolen money to a bank account belonging to a closed business in Hong Kong, researchers said.

Attackers even managed to use this communication to cancel a meeting that was scheduled in Shanghai between the Chinese owner of the account where the transfer was headed and the CEO of the Israeli startup, researchers said. The hackers sent separate emails to each party that used different excuses for the cancellation, according to Check Point.

“Without this crucial act from the attacker’s side, the whole operation would probably have failed,” researchers said. “It’s reasonable to expect that during the meeting, the account owner would be asked to verify the bank account changes that were made.”

This act in and of itself showed that the attackers had experience, but what they did after they successfully pulled off their heist showed another level of arrogance, researchers said.

“Instead of cutting all lines of communication after such a heist, the threat actor(s) did not cease their efforts but tried to go after another round of the VC investment,” they wrote in their report.

Even after the parties affected by the attack remediated it, the CFO of the Israeli startup continues to receive one email every month from the spoofed CEO account that asks him to perform a wire transaction, researchers added.

The attack is a cautionary tale to anyone using wire transfers to send significant sums of money to put safeguards in place before the transaction goes through to ensure it can’t be intercepted by a third party, and then to have incident response in place after to handle any crisis scenario immediately, researchers said.

Check Point offered a number of recommendations to avoid scenarios like the one they uncovered, including: adding a second verification to ensure the transaction made it to the intended party directly after sending it; keeping audit and access logs; maintaining all evidence of the transaction in case an investigation is needed; and using tools to identify any look-alike domains that may have been registered and appear suspect.
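The last of those recommendations, spotting lookalike domains, is mechanical enough to automate for a finance mailbox. The script below is an added example (not Check Point's tooling or the article's code) that holds messages whose sender domain is one edit or one homoglyph away from a trusted partner's domain, the extra-"s" pattern from this case included; the trusted domains and the message list are constructed.

```python
"""Flag e-mail senders whose domain is a lookalike of a trusted partner's domain.

Added example, not Check Point's tooling or the original article's code. The
trusted domains, sender addresses and the message list are constructed.
"""

# Constructed partner list: the domains a finance team expects wire instructions from.
TRUSTED_DOMAINS = {"example-startup.com", "example-vc.cn"}

# Constructed inbound messages (sender address, subject).
MESSAGES = [
    ("ceo@example-startup.com", "Re: Series A wire"),
    ("ceo@example-startups.com", "Re: Series A wire"),   # extra 's', as in the case above
    ("manager@example-vcs.cn", "Re: Series A wire"),     # same trick on the other side
    ("manager@examp1e-vc.cn", "Re: Series A wire"),      # digit 1 standing in for letter l
    ("newsletter@unrelated.org", "Weekly digest"),
]

# Common look-alike substitutions, mapped back to the plain letters they imitate.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "rn": "m", "vv": "w"}


def normalize(domain):
    """Fold digits and letter pairs that look like other letters into their plain form."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert/delete/substitute); domains are short, so O(len a * len b) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute (or match)
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Return ('trusted', domain), ('lookalike', imitated_domain) or ('unknown', None)."""
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return ("trusted", domain)
    for real in trusted:
        # exact match after homoglyph folding, or within one edit of the real name
        if normalize(domain) == normalize(real) or edit_distance(domain, real) <= max_distance:
            return ("lookalike", real)
    return ("unknown", None)


def review_mailbox(messages, trusted=TRUSTED_DOMAINS):
    """Return (sender, subject, imitated_domain) for messages to hold for out-of-band verification."""
    held = []
    for sender, subject in messages:
        verdict, imitated = classify_sender(sender, trusted)
        if verdict == "lookalike":
            held.append((sender, subject, imitated))
    return held


if __name__ == "__main__":
    for sender, subject, imitated in review_mailbox(MESSAGES):
        print(f"HOLD {sender!r} ({subject}): imitates {imitated}")
```

Held messages should be confirmed over a channel the attacker does not control, such as a phone number on file, which is the second verification Check Point recommends.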

dswinhoe

Man-in-the-middle (MitM) attack definition and examples

Man-in-the-middle cyberattacks allow attackers to intercept communications or alter them. Detecting MitM attacks is difficult, but they are preventable.


What is a man-in-the-middle-attack?

A man-in-the-middle (MitM) attack is a type of cyberattack in which communications between two parties are intercepted, often to steal login credentials or personal information, spy on victims, sabotage communications, or corrupt data.

“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean of research at SANS Technology Institute. “So, they’re either passively listening in on the connection or they’re actually intercepting the connection, terminating it and setting up a new connection to the destination.”

MitM attacks are one of the oldest forms of cyberattack. Computer scientists have been looking at ways to prevent threat actors from tampering with or eavesdropping on communications since the early 1980s.

“MITM attacks are a tactical means to an end,” says Zeki Turedi, technology strategist, EMEA at CrowdStrike. “The aim could be spying on individuals or groups to redirecting efforts, funds, resources, or attention.”

Though MitM attacks can be protected against with encryption, successful attackers will either reroute traffic to phishing sites designed to look legitimate or simply pass on traffic to its intended destination once harvested or recorded, making detection of such attacks incredibly difficult.

Man-in-the-middle attack examples

MitM attacks encompass a broad range of techniques and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers establish an HTTPS connection between themselves and the server, but use an unsecured HTTP connection with the victim, which means information is sent in plain text without encryption. Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely controlled by malicious actors, who can now monitor, collect, or manipulate all information the user sends.
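SSL stripping only works while the client is willing to talk plain HTTP to a host, which is exactly what HTTP Strict Transport Security (HSTS, RFC 6797) removes: once a site has sent the header, the browser upgrades any later http:// link or redirect for that host before a request leaves the machine. The code below is an added example (not the article's), modelling that known-hosts store; the hosts, headers and timestamps are constructed.

```python
"""Model how a browser's HSTS cache defeats SSL stripping.

Added example, not from the original article. The hosts, headers and the
response list are constructed; times are plain integers (seconds).
"""
import re

# Constructed responses the client saw earlier:
# (host, Strict-Transport-Security header or None, time the response was seen)
OBSERVED = [
    ("bank.example", "max-age=31536000; includeSubDomains", 1_000),
    ("shop.example", None, 1_000),            # site never sent HSTS: stripping stays possible
    ("old.example", 'max-age="600"', 500),    # short policy (quoted value is allowed)
    ("old.example", "max-age=0", 1_000),      # site later asked clients to forget it
]

# one directive: name, optionally "=" and a (possibly quoted) value
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^;"]*)"?)?\s*')


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is absent or carries no usable max-age, in which
    case a browser ignores it entirely."""
    if not header:
        return None
    max_age, include_sub = None, False
    for part in header.split(";"):
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            continue
        name = m.group(1).lower()
        if name == "max-age" and m.group(2) and m.group(2).isdigit():
            max_age = int(m.group(2))
        elif name == "includesubdomains":
            include_sub = True
    return None if max_age is None else (max_age, include_sub)


class HstsStore:
    """Minimal known-hosts store: host -> (expires_at, include_subdomains)."""

    def __init__(self):
        self.hosts = {}

    def observe(self, host, header, now):
        policy = parse_hsts(header)
        if policy is None:
            return
        max_age, include_sub = policy
        if max_age == 0:
            self.hosts.pop(host, None)       # max-age=0 deletes the stored policy
        else:
            self.hosts[host] = (now + max_age, include_sub)

    def must_use_https(self, host, now):
        """True if host itself, or a parent that set includeSubDomains, has an unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_sub = entry
            if expires <= now:
                continue                      # expired entries are treated as absent
            if i == 0 or include_sub:
                return True
        return False


def build_store(observed):
    store = HstsStore()
    for host, header, seen_at in observed:
        store.observe(host, header, seen_at)
    return store


def rewrite_stripped_link(store, url, now):
    """Return the URL the client should actually fetch.

    An http:// link or redirect for a known HSTS host is what SSL stripping relies
    on; a conforming client rewrites it to https:// without ever sending the
    plaintext request, so the attacker never sees a downgradable connection."""
    m = re.match(r"^http://([^/:]+)(.*)$", url)
    if m and store.must_use_https(m.group(1), now):
        return "https://" + m.group(1) + m.group(2)
    return url
```

The shop.example case shows the residual risk: a host that never sent HSTS (and is not on a browser preload list) still leaves the very first plaintext request open to stripping.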

“These types of attacks can be for espionage or financial gain, or to just be disruptive,” says Turedi. “The damage caused can range from small to huge, depending on the attacker’s goals and ability to cause mischief.”

In a banking scenario, an attacker could see that a user is making a transfer and change the destination account number or amount being sent. Threat actors could use man-in-the-middle attacks to harvest personal information or login credentials. If attackers detect that applications are being downloaded or updated, compromised updates that install malware can be sent instead of legitimate ones. The EvilGrade exploit kit was designed specifically to target poorly secured updates. Given that they often fail to encrypt traffic, mobile devices are particularly susceptible to this scenario.

“These attacks can be easily automated,” says SANS Institute’s Ullrich. “There are tools to automate this that look for passwords and write it into a file whenever they see one or they look to wait for particular requests like for downloads and send malicious traffic back.”

While often these Wi-Fi or physical network attacks require proximity to your victim or targeted network, it is also possible to remotely compromise routing protocols. “That’s a more difficult and more sophisticated attack,” explains Ullrich. “Attackers are able to advertise themselves to the internet as being in charge of these IP addresses, and then the internet routes these IP addresses to the attacker and they again can now launch man-in-the-middle attacks.”

“They can also change the DNS settings for a particular domain [known as DNS spoofing],” Ullrich continues. “So, if you’re going to particular website, you’re actually connecting to the wrong IP address that the attacker provided, and again, the attacker can launch a man-in-the-middle attack.”

While most attacks go through wired networks or Wi-Fi, it is also possible to conduct MitM attacks with fake cellphone towers. Law enforcement agencies across the U.S., Canada and the UK have been found using fake cell phone towers—known as stingrays—to gather information en masse. Stingray devices are also commercially available on the dark web.

Researchers from the Technical University of Berlin, ETH Zurich and SINTEF Digital in Norway recently discovered flaws in the authentication and key agreement (AKA) protocols used in 3G and 4G, and due to be used in 5G wireless rollouts, that could allow attackers to perform MitM attacks.

Man-in-the-middle attack prevention

Though flaws are sometimes discovered, encryption protocols such as TLS are the best way to help protect against MitM attacks. The latest version of TLS became the official standard in August 2018. Other encrypted protocols help as well, such as SSH or newer ones like Google’s QUIC.

If it becomes commercially viable, quantum cryptography could provide robust protection against MitM attacks. It rests on the principle that quantum data cannot be copied and cannot be observed without changing its state, which would give a strong indicator that traffic has been interfered with en route.

For end-user education, encourage staff not to use open public Wi-Fi or Wi-Fi offerings at public places where possible, as this is much easier to spoof than cell phone connections, and tell them to heed warnings from browsers that sites or connections may not be legitimate. Use VPNs to help ensure secure connections.

“The best methods include multi-factor authentication, maximizing network control and visibility, and segmenting your network,” says Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks.

Prevention is better than trying to remediate after an attack, especially an attack that is so hard to spot. “These attacks are fundamentally sneaky and difficult for most traditional security appliances to initially detect,” says Crowdstrike’s Turedi.

How common are man-in-the-middle attacks?

Though not as common as ransomware or phishing attacks, MitM attacks are an ever-present threat for organizations. IBM X-Force’s Threat Intelligence Index 2018 says that 35 percent of exploitation activity involved attackers attempting to conduct MitM attacks, but hard numbers are difficult to come by.

“I would say, based on anecdotal reports, that MitM attacks are not incredibly prevalent,” says Hinchliffe. “Much of the same objectives—spying on data/communications, redirecting traffic and so on—can be done using malware installed on the victim’s system. If there are simpler ways to perform attacks, the adversary will often take the easy route.”

A notable recent example was a group of Russian GRU agents who tried to hack into the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague using a Wi-Fi spoofing device.

Greater adoption of HTTPS and more in-browser warnings have reduced the potential threat of some MitM attacks. In 2017 the Electronic Frontier Foundation (EFF) reported that over half of all internet traffic is now encrypted, with Google now reporting that over 90 percent of traffic in some countries is now encrypted. Major browsers such as Chrome and Firefox will also warn users if they are at risk from MitM attacks. “With the increased adoption of SSL and the introduction of modern browsers, such as Google Chrome, MitM attacks on Public WiFi hotspots have waned in popularity,” says CrowdStrike’s Turedi.

“Today, what is commonly seen is the utilization of MitM principles in highly sophisticated attacks,” Turedi adds. “One example observed recently on open-source reporting was malware targeting a large financial organization’s SWIFT network, in which a MitM technique was utilized to provide a false account balance in an effort to remain undetected as funds were maliciously being siphoned to the cybercriminal’s account.”

The threat still exists, however. For example, the Retefe banking Trojan will reroute traffic from banking domains through servers controlled by the attacker, decrypting and modifying the request before re-encrypting the data and sending it on to the bank. A recently discovered flaw in the TLS protocol—including the newest 1.3 version—enables attackers to break the RSA key exchange and intercept data.

The proliferation of IoT devices may also increase the prevalence of man-in-the-middle attacks, due to the lack of security in many such devices. CSO has previously reported on the potential for MitM-style attacks to be executed on IoT devices and either send false information back to the organization or the wrong instructions to the devices themselves.

“IoT devices tend to be more vulnerable to attack because they don’t implement a lot of the standard mitigations against MitM attacks,” says Ullrich. “A lot of IoT devices do not yet implement TLS or implemented older versions of it that are not as robust as the latest version.”

A survey by Ponemon Institute and OpenSky found that 61 percent of security practitioners in the U.S. say they cannot control the proliferation of IoT and IIoT devices within their companies, while 60 percent say they are unable to avoid security exploits and data breaches relating to IoT and IIoT.

“With the mobile applications and IoT devices, there’s nobody around and that’s a problem; some of these applications, they will ignore these errors and still connect and that defeats the purpose of TLS,” says Ullrich.

Editor’s note: This story, originally published in 2019, has been updated to reflect recent trends.


Dan Swinhoe is UK Editor of CSO Online. Previously he was Senior Staff Writer at IDG Connect.


Vulnerability Case Study: Man-in-the-Middle Attacks

Table of Contents: Description, Anatomy of an Exploit, Real-World Examples, Test Techniques, External Links

  • Man-in-the-middle (MITM) attacks are named for the attacker’s position as quite literally the man in the middle. The attacker sits between two other parties, and both of them believe they are talking to each other, but instead they are really talking to the man in the middle, the attacker.
  • To accomplish the classic version of this attack, the attacker must either be located between the two communicating systems or must share a network path with one of them.
  • When encrypted connections are set up, a secret key is generated between the two parties and transmitted.
  • This key is used to encrypt all subsequent communications between the two parties, so the traffic is not readable by would-be attackers who may be sniffing the network: the key is sent securely and then used to encrypt the traffic that follows.
  • In an MITM attack, the two parties trying to communicate securely are tricked. Although the server thinks it is talking to the user, and the user thinks it is talking to the server, they are both wrong; they are really talking to the attacker.
  • The original request to open a secure connection was intercepted by the attacker, who is maintaining the originally requested secure connection with the server and a separate secure connection with the user.
  • Packets from the server are encrypted with the first key and sent to the attacker, which the server actually thinks is the user. The attacker then decrypts these packets with the first key and encrypts them with the second key. Then the attacker sends the newly encrypted packets to the user, who believes these packets are actually being sent by the server.
  • By sitting in the middle and maintaining these two separate keys, the attacker is able to sniff and even modify traffic between the server and the user without either side being the wiser.


  • The attacker is sitting on the same network as the server and the victim but wants to intercept the traffic between the two. In preparing for the attack, the attacker has routed the network traffic through itself so that the attacker can see the traffic.
  • The user now tries to open a Secure Sockets Layer (SSL) conversation with the server, but the attacker intercepts the traffic and responds as if it were the server, issuing a key with which to encrypt the traffic between itself and the user. The user responds with its key, and a two-way SSL conversation is now in place between the user and the attacker; but because the attacker responded to a request made to the server, the user thinks it is talking directly to the server.
  • At the same time, the attacker opens an SSL conversation with the server itself as if it were actually the user. The server responds to the request with a key with which to encrypt the data between the attacker and the server. The attacker responds with its own key, and there is now a two-way SSL conversation in place between the attacker and the server.
  • At this point, the server and the user think they are talking to each other, but the attacker is actually sitting between them, holding a secure connection to both of them. When data is sent, the attacker takes the data, decodes it with the appropriate key, re-encodes it with the other key and sends it on to the intended recipient. The attacker now has the transmitted data in unencoded form to use as it wishes.
  • An interesting variation of the MITM attack was reported in July 2006. This attack targeted the users of Citibank’s CitiBusiness functionality. It was carried out by sending Citibank customers an e-mail that claimed to be from Citibank. The e-mail informed the victims that someone had attempted to log onto their account and that they needed to confirm their account information; it included a link to do so. This is a fairly standard phishing e-mail.
  • CitiBusiness customers are required to use one of the seldom-supplied security tokens to access their account online. This is one of the little fobs generating a password that changes frequently (every minute, perhaps). This is a much-touted way to improve security.
  • Once the victim clicks on the link in the e-mail, they are taken to a very well-done spoof of the CitiBusiness login page. Even its address appears believable, as it ends with Citibank.com. However, it is really a web site in Russia.
  • This spoofed web site is set up to act as the MITM between the victim and the real CitiBusiness login site. When victims enter their username, password and token-generated key, the Russian server forwards that information to the real web site to validate it. If an error is generated by the real Citibank web site, the spoofed web site also generates an error.
  • Now the Russian site is logged into the CitiBusiness site with the victim’s credentials and can do whatever it wants.
  • Most testing of MITM attack vulnerabilities begins by looking carefully at all protocols in use in your system to determine what information they exchange and how. Is it in the clear? How is the remote server identified?
  • If your method of identification is to put out a call and trust whatever system answers to be the correct one, you are most likely vulnerable to an MITM attack.
  • Once you find a likely candidate to test, you can use one of the session-hijacking and MITM tools available to see if you can demonstrate the vulnerability.
  • https://www.owasp.org/index.php/Man-in-the-middle_attack
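The two-key relay described in the anatomy bullets above, and the reason modern handshakes authenticate the key-exchange value, as an added Python walk-through. This is constructed illustration code, not from the case study or from OWASP: the Diffie-Hellman group is a toy 64-bit prime, the cipher is a throwaway XOR stream, and a shared HMAC key stands in for the certificate signature a real TLS handshake uses to bind the server's key-exchange value to its identity. The names Alice, Bob and Chuck, the `Party` class and the sample message are all assumptions made for the example.

```python
"""Toy walk-through of a two-key relay: unauthenticated key exchange is relayed
silently; an authenticated exchange fails closed when a value is substituted.
Constructed example, not real TLS."""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy group: 2**64 - 59 is prime, far too small for real use.
P = 0xFFFFFFFFFFFFFFC5
G = 2
PLAINTEXT = b"transfer 100 to account 4242"  # constructed sample message


def derive_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret into a 32-byte symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def xor_crypt(key: bytes, data: bytes) -> bytes:
    """Throwaway XOR stream cipher; encrypt and decrypt are the same operation."""
    stream, block = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


class Party:
    """One endpoint: an ephemeral DH key plus an optional long-term auth key."""

    def __init__(self, name: str, auth_key: Optional[bytes] = None):
        self.name, self.auth_key = name, auth_key
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
        self.session_key: Optional[bytes] = None

    @staticmethod
    def _tag_input(name: str, pub: int) -> bytes:
        return name.encode() + pub.to_bytes(8, "big")

    def hello(self) -> dict:
        """Offer the DH public value; tag it when a long-term key is configured."""
        msg = {"from": self.name, "pub": self.pub}
        if self.auth_key:
            msg["tag"] = hmac.new(self.auth_key, self._tag_input(self.name, self.pub), "sha256").digest()
        return msg

    def accept(self, msg: dict) -> bool:
        """Check the peer's tag (if authenticating), then derive the session key."""
        if self.auth_key:
            expected = hmac.new(self.auth_key, self._tag_input(msg["from"], msg["pub"]), "sha256").digest()
            if not hmac.compare_digest(expected, msg.get("tag", b"")):
                return False  # the key-exchange value was altered in transit
        self.session_key = derive_key(pow(msg["pub"], self.priv, P))
        return True


def run_exchange(authenticated: bool, attacker_present: bool) -> dict:
    """Run one handshake and one message; report what each side ends up with."""
    auth_key = secrets.token_bytes(32) if authenticated else None
    alice, bob = Party("alice", auth_key), Party("bob", auth_key)
    chuck = Party("chuck")  # the relay has no long-term key

    alice_hello, bob_hello = alice.hello(), bob.hello()
    if attacker_present:
        # Chuck swaps in his own public value in each direction. Any tag stays
        # as sent, so it no longer matches the value it now accompanies.
        to_bob = dict(alice_hello, pub=chuck.pub)
        to_alice = dict(bob_hello, pub=chuck.pub)
    else:
        to_bob, to_alice = alice_hello, bob_hello

    if not (bob.accept(to_bob) and alice.accept(to_alice)):
        return {"handshake_ok": False, "attacker_read": None, "bob_received": None}

    ciphertext = xor_crypt(alice.session_key, PLAINTEXT)
    attacker_read = None
    if attacker_present:
        # Chuck holds one key with Alice and another with Bob: decrypt with
        # the first, change the message, re-encrypt with the second, forward.
        key_with_alice = derive_key(pow(alice.pub, chuck.priv, P))
        key_with_bob = derive_key(pow(bob.pub, chuck.priv, P))
        attacker_read = xor_crypt(key_with_alice, ciphertext)
        ciphertext = xor_crypt(key_with_bob, attacker_read.replace(b"4242", b"6666"))
    bob_received = xor_crypt(bob.session_key, ciphertext)
    return {"handshake_ok": True, "attacker_read": attacker_read, "bob_received": bob_received}
```

Run `run_exchange(False, True)` and Bob receives an altered account number while both handshakes "succeed"; run `run_exchange(True, True)` and Bob's `accept` rejects the substituted value before any session key exists. That is the check certificates give TLS: the tag (in TLS, a signature by a key the client can verify) covers the key-exchange value, so a relay that cannot produce a valid tag cannot insert its own key.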

  • vulnerability_case_study/man-in-the-middle_attacks.txt · Last modified 2014/07/03 22:29 by cybersecurity_admin


Man-in-the-Middle (MITM) Attack: Definition, Examples & More

Andrew Magnusson


Man-in-the-Middle (MITM) Attack

In this article, we go over the man-in-the-middle attack definition and discuss the different types of these attacks. We'll take a deep dive into the dangers of man-in-the-middle attacks and address some examples. By the end of this article, you'll have a complete understanding of how a man-in-the-middle attack works and how to detect and prevent one.

What is a Man-in-the-Middle (MITM) Attack?

A man-in-the-middle (MITM) attack is a cyber attack in which a threat actor puts themselves in the middle of two parties, typically a user and an application, to intercept their communications and data exchanges and use them for malicious purposes like making unauthorized purchases or hacking.

By secretly standing between the user and a trusted system, such as a website or application, a cybercriminal can easily obtain sensitive data. The user assumes they're interacting exclusively with a trustworthy site and willingly relinquishes login credentials, financial information, or other compromising data.

Estimates show that 35% of exploitation activity involves man-in-the-middle attacks.

Cybercriminals either listen in on the interactions by inserting themselves into a line of internet communication, or directly impersonate a party through website spoofing. As logins and data entries occur, a hacker can obtain the information to steal someone's identity, access or control a user's account, make purchases or fund transfers, or breach a perimeter into an organization's network.

The Danger of Man-in-the-Middle Attacks

Man-in-the-middle attacks offer hackers a path to intercept sensitive information such as usernames, passwords, credit card numbers, and bank account details. It's dangerous because the user has no idea there is another presence between them and the application they're interacting with or that their data is rerouting to a malicious party.

Once a criminal has this information, they can manipulate account credentials, steal funds, or make unauthorized purchases. Because of its scope, MITM attackers often target banking, online retailers, and software-as-a-service (SaaS) platform customers.

Nearly 58% of all posts on criminal forums and marketplaces contain banking data of others collected by MITM or other attack types.

Man-in-the-middle attacks are often used as an initial gateway for long-term advanced persistent threat (APT) campaigns within organizations. By obtaining a user's credentials for specific applications, hackers can penetrate numerous points on the attack surface to make their way into an entire network to mine company data, disrupt production environments, or take over the entire IT infrastructure.

Types of Man-in-the-Middle Attacks

A man-in-the-middle attack in cyber security qualifies as any circumstance where a threat actor places themselves between a user and an entity such as a network, website, or application to obtain information. The method by which hackers obtain that information varies using different forms of spoofing, a method of impersonating trusted online entities or websites. The main types of MITM attacks include:

  • IP Spoofing: A cybercriminal alters the Internet Protocol (IP) address of a website, email address, or device and spoofs the entity, making the user think they're interacting with a trusted source when they're really passing information to a malicious actor.
  • DNS Spoofing: For Domain Name System (DNS) spoofing, a spammer creates and operates a fake website that the user is familiar with and routes them to it to acquire user credentials or other information.
  • HTTPS Spoofing: A user assumes a website uses HyperText Transfer Protocol Secure (HTTPS), meaning their data is encrypted between their computer and the website host. However, they were secretly redirected to a non-secure HTTP website, allowing criminals to track interactions and steal information.
  • Email Hijacking: Attackers secretly gain access to a banking or credit card company's email accounts to monitor transactions and steal information. They might also use the email account or a spoofed email address slightly different from the actual one to provide false instructions to the customers, such as wiring money into a new checking account.
  • Wi-Fi Eavesdropping: Spammers create public Wi-Fi networks or hotspots that appear to be a nearby business or other trusted source. Users who connect then have all their activity and sensitive data intercepted.
  • SSL Hijacking: An extension of HTTPS spoofing, hijacking the Secure Sockets Layer (SSL) is when a hacker takes over this protocol responsible for encrypting HTTPS connections and intercepts user data traveling between the user and the server they're connecting to.
  • Session Hijacking: Commonly known as browser cookie theft, an attacker will steal information stored on web browser cookies, such as saved passwords.

Business email compromise (BEC), an incident that commonly leads to email hijacking, resulted in over $1.8 billion made by scammers in 2020.

3% of all phishing attacks are carried out through malicious websites, assisting in IP, HTTPS, and DNS spoofing attacks.

Examples of Man-in-the-Middle Attacks

Man-in-the-middle attacks cause significant harm to businesses and their customers. Here are a few real examples of MITM attacks that took some organizations by storm:

Equifax website spoofing compromises millions of users

In 2017, there was a confirmed data breach at Equifax that exposed over 143 million Americans. As a result, Equifax created a website called equifaxsecurity2017.com to let customers see whether the breach impacted them. The issue was that the website used a shared SSL certificate for hosting, with thousands of other websites using the same certificate. DNS spoofing (through fake websites) and SSL spoofing took place to redirect users to a phony website or intercept data from the site.

A further 2.5 million customers were impacted by the man-in-the-middle attacks, bringing the total for the Equifax incident to 145.5 million.

Lenovo machines distributed to customers with adware installed

A 2014 incident occurred when Lenovo distributed computers with Superfish Visual Search adware preinstalled. The adware could create and deploy ads on encrypted web pages and alter sites' SSL certificates to substitute its own, so attackers could view web activity and login data while someone was browsing in Chrome or Internet Explorer.

Security software vendors like Microsoft and McAfee coordinated directly with Lenovo to ship software updates that removed the Superfish adware within days of the vulnerability's discovery.

Who is at Risk of Man-in-the-Middle Attacks?

Both consumers and businesses can fall victim to MITM incidents in their respective capacities.

Customers who are tricked into connecting to a phony Wi-Fi network, entering a spoofed website, or communicating with a hijacked email account risk having their information tracked, stolen, and used for harm. In particular, users of any website or application that requires a login authentication process or stores financial data make ideal targets.

Alternatively, businesses with interactive websites and software apps that store a lot of customer information could find themselves at high risk. In addition to operation slowdowns from mitigating or responding to a man-in-the-middle attack, the recovery process of handling legal liability issues and rebuilding brand trust makes it essential for firms to allocate resources toward detecting and protecting against a MITM attack.

How Does a Man-in-the-Middle Attack Work?

The man-in-the-middle attack process has a two-stage approach: interception and decryption.

Interception

During the interception step, the cybercriminal attempts to put themselves between the client and server—typically a user and web application. Depending on the type of man-in-the-middle attack, there are a few ways the attacker could approach this:

  • Creating a non-secure Wi-Fi network or hotspot in a crowded area so that people connect to it and the attacker can view their information.
  • Accessing a Wi-Fi network, typically by taking advantage of a weak password or by installing a packet sniffer to analyze traffic and scan for vulnerabilities, points of entry, and ideal targets.
  • Creating a fake website with spoofed DNS and routing the user through phishing or redirecting them from the intended HTTPS site.
  • Manipulating IP protocols to persuade users to change passwords or log in to an app.

After targets are determined and fall for the bait, cybercriminals use data capture tools to transmit any login information and web activity back to them and decrypt it into readable text. During the decryption phase, the intercepted data becomes usable to the criminal.

For example, the cybercriminal will take login credentials captured from the fake website and use them on the actual one. From there, they could change the user's password, steal vital financial information, or use the credentials for longer-term initiatives such as a company network or a more severe attack.

Popular Man-in-the-Middle Attack Tools

Cybercriminals, researchers, and other professionals commonly utilize automation and intelligence tools to target or orchestrate penetration testing in an IT environment. For the most part, MITM software lets users scan networks to find vulnerabilities and potentially weak passwords. Some of the most popular MITM attack software tools include:

  • Ettercap: Open-source tool for analyzing network protocols, hosts, and activity. Can intercept network traffic data, capture credentials, and decrypt password data.
  • dSniff: A suite of password and network analysis tools that lets users pull passwords, email contents, and files, intercept network traffic data, and deploy man-in-the-middle attacks using HTTPS redirects.
  • Cain and Abel: Initially created as a password recovery tool, it developed into packet sniffing and analysis software to evaluate a network and perform spoofing while also being able to carry out other cyber attacks such as brute force.

How to Detect Man-in-the-Middle Attacks

While man-in-the-middle attack prevention is the ideal scenario, early identification of MITM threats leads to smooth and swift mitigation. Here are a few man-in-the-middle attack symptoms and detection methods:

  • Observing slow or disconnected services: If a user attempts to log in to an account and keeps getting timed out, that's a possible indication that a spammer is disconnecting the session so they can intercept credentials. The service itself may also be noticeably slow because it is spoofed and, therefore, not configured correctly in the way of an actual website or app.
  • Seeing obscure websites or email addresses: Small alterations such as a few characters off in the addresses on the website search bar indicate a possible DNS spoof. Additionally, one form of email hijacking is when a spammer uses a domain similar to the one they're impersonating to send and receive messages or deliver commands.
  • Deploying packet inspections: Packet inspection techniques such as deep packet inspection (DPI) analyze network traffic to find abnormal events such as an outsider scanning vulnerabilities or intercepting traffic data.
  • Connecting to unsecured WiFi or websites: Without realizing it, a user may find themselves connected to a WiFi network tagged as "unsecure"—a possible MITM attack to lure devices. They also could intend to go to a particular website they know uses HTTPS but be rerouted to a non-secure, HTTP site.
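One way to turn the "obscure websites or email addresses" symptom above into a check that can run over URLs and sender addresses, as an added example (not code from the article or from StrongDM). The trusted-domain list, the homoglyph table and the sample inputs are constructed; the registrable-domain logic simply takes the last two labels and has no public-suffix list, which is enough for the constructed TLDs here but not for suffixes like `co.uk`. It flags three patterns: a registrable domain within a couple of edits of a trusted one, confusable-character substitutions, and a trusted brand used as a subdomain of some other domain.

```python
"""Lookalike-domain classifier for URLs, hostnames and e-mail addresses.
Constructed example; trusted domains and homoglyph table are assumptions."""
from urllib.parse import urlsplit

TRUSTED_DOMAINS = {"examplebank.com", "example-saas.io"}  # constructed

# Character swaps commonly seen in lookalike registrations (constructed subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

MAX_EDIT_DISTANCE = 2  # tunable: how close a domain must be to count as a typosquat


def normalize(label: str) -> str:
    """Fold confusable sequences to the letters they imitate."""
    s = label.lower()
    for confusable, letter in HOMOGLYPHS.items():
        s = s.replace(confusable, letter)
    return s


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_host(value: str) -> str:
    """Accept a URL, a bare hostname or an e-mail address; return the host."""
    value = value.strip().strip("<>")
    if "@" in value and "://" not in value:
        return value.rsplit("@", 1)[1].lower()
    if "://" not in value:
        value = "//" + value  # lets urlsplit treat a bare name as the netloc
    return (urlsplit(value).hostname or "").lower()


def registrable(host: str) -> str:
    """Last two labels; no public-suffix list, so not correct for e.g. co.uk."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def classify(value: str) -> str:
    """Return 'trusted', a 'suspicious:<reason>' verdict, or 'unrelated'."""
    host = extract_host(value)
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    subdomain_labels = host.split(".")[:-2]
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in subdomain_labels:  # e.g. examplebank.com.login-verify.net
            return "suspicious:brand-as-subdomain"
        if normalize(reg) == normalize(trusted):
            return "suspicious:homoglyph"
        if levenshtein(reg, trusted) <= MAX_EDIT_DISTANCE:
            return "suspicious:typosquat"
    return "unrelated"
```

Running `classify` over a mail gateway's sender addresses or a proxy's URL log gives a cheap first-pass signal; the edit-distance threshold and the homoglyph table are the knobs to tune against false positives for your own trusted list.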

How to Prevent Man-in-the-Middle Attacks

Putting your teams in a proactive position to defend against man-in-the-middle requires a holistic framework incorporating certain best practices and technology into the mix. Here are some preventive controls you can use to protect your users and network:

  • Prioritize HTTPS connections: Avoid websites with no HTTPS connection indicated in the website address. You can also implement DNS over HTTPS, which encrypts DNS requests, hiding your online activity.
  • Avoid unsecure/public WiFi: Though it may seem convenient, public WiFi could be a trap used to target users that don't have solid cyber awareness.
  • Incorporate MFA: Multi-factor authentication (MFA) helps avoid issues you might have after a cybercriminal obtains credentials. Acquiring an additional authentication factor such as a hardware token or face scan prevents the hacker from being able to access an account.
  • Practice network segmentation: Zero Trust Architecture is an excellent framework for network security, particularly for using principles such as network segmentation to defend against man-in-the-middle attacks. This element of Zero Trust refers to dividing the network into secured segments to isolate incidents and prevent lateral movement by threat actors.
  • Encrypt your emails: For email hijacking, secure/multipurpose internet mail extensions (S/MIME) encrypt email contents and certify emails with certificates to authenticate senders.
  • Use a certificate management system: Automated solutions for managing network SSL certificates ensure a centralized and streamlined method for remediating expired ones susceptible to hijacking.
  • Utilize Privileged Access Management (PAM): Implement privileged access controls to enforce least privilege and restrict account creation and permissions to the minimal level technical staff need to do their job.

MITM Attack Concepts to Know

Some concepts to know to get an easier grasp on a MITM attack include:

  • Spoofing: Technique commonly used in man-in-the-middle attacks where a system, such as a website or IP address, pretends to be a trusted one through replication or deception to gain a target's confidence.
  • Hijacking: Tactics for MITM where an attacker entirely takes control over an email account, website, or SSL to insert themselves between a user and system.
  • Phishing: Often done through email or on websites, it's a tactic commonly used in MITM attacks where a spammer or criminal attempts to steal information or deliver malware by pretending to be a trusted sender or legitimate website.
  • Eavesdropping: Part of the MITM attack process where a successful hacker intercepts data transmissions and communications between two users or users and services.

How StrongDM Simplifies MITM Attack Protection

The StrongDM Dynamic Access Management (DAM) platform offers a centralized authentication, permission management, and resource visibility solution. Administrators can easily manage their network, applications, and users with top-quality cybersecurity controls specific to man-in-the-middle attacks.

StrongDM helps you prevent and detect MITM attacks through MFA implementation, secure remote access tools, and the use of request signatures that validate the time and payload of client application requests to prevent data interceptions. StrongDM can be used alongside your VPN or replace it altogether. Organizations can also enforce least privilege access based on roles and approvals while continuously collecting data for activity and web logs.
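What a request signature that "validates the time and payload" of a client request looks like in general, as an added Python example. This is not StrongDM's implementation (the page does not describe their scheme); it is a generic HMAC design, and the shared secret, header names, endpoint and request body are constructed. The client signs method, path, timestamp, a random nonce and the SHA-256 of the body; the service recomputes the signature, rejects anything outside a time window, and rejects a nonce it has already accepted, so a party in the middle can neither alter the payload nor replay a captured request later.

```python
"""HMAC request signing with a timestamp window and nonce tracking.
Constructed example; header names and the shared secret are assumptions."""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def _signing_input(method: str, path: str, body: bytes, ts: int, nonce: str) -> bytes:
    """Canonical string so client and service hash exactly the same fields."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(ts), nonce, body_hash]).encode()


def sign_request(secret: bytes, method: str, path: str, body: bytes,
                 ts: Optional[int] = None, nonce: Optional[str] = None) -> dict:
    """Client side: produce the headers that accompany the request."""
    ts = int(time.time()) if ts is None else ts
    nonce = secrets.token_hex(16) if nonce is None else nonce
    sig = hmac.new(secret, _signing_input(method, path, body, ts, nonce), "sha256").hexdigest()
    return {"X-Timestamp": str(ts), "X-Nonce": nonce, "X-Signature": sig}


class RequestVerifier:
    """Service side: verify signature, freshness and single use."""

    def __init__(self, secret: bytes, window_seconds: int = 300):
        self.secret = secret
        self.window = window_seconds
        # In production this would be a shared store that expires entries
        # after `window_seconds`; a set is enough for the example.
        self.seen_nonces = set()

    def verify(self, method: str, path: str, body: bytes, headers: dict,
               now: Optional[int] = None) -> str:
        """Return 'ok' or the reason the request is rejected."""
        now = int(time.time()) if now is None else now
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return "missing-headers"
        expected = hmac.new(self.secret, _signing_input(method, path, body, ts, nonce), "sha256").hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "bad-signature"  # method, path, body, timestamp or nonce was altered
        if abs(now - ts) > self.window:
            return "stale"          # outside the accepted clock window
        if nonce in self.seen_nonces:
            return "replay"         # valid signature, but already accepted once
        self.seen_nonces.add(nonce)
        return "ok"
```

The signature is checked before the timestamp and nonce so that an unauthenticated caller cannot probe which nonces the service has seen. A scheme like this complements TLS rather than replacing it: it protects integrity and freshness of each request end to end, including through any proxy that terminates TLS, but it does not hide the payload.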

MITM Attacks: Frequently Asked Questions

What causes a man-in-the-middle attack?

MITM happens because of an array of system vulnerabilities and incidents such as an unsecure website, email account compromises (EAC), and an uneducated user. When vulnerabilities occur where someone can spoof or hijack an IP address, DNS, SSL, website, or WiFi network, a cybercriminal can put themselves in between the user and the online service they are communicating with to complete the attack.

What is the effect of a man-in-the-middle attack?

Information compromise is the initial effect of successful MITM attacks. Once criminals have the data they need, they can breach user accounts or financially benefit from stealing funds or purchasing items with stolen credit cards. More prolonged-term effects, specifically against organizations, occur when hackers use MITM to penetrate company networks to disrupt or shut down a production environment.

What is the key requirement for a man-in-the-middle attack to be successful?

The key in MITM is properly executing the insertion point between the user and application. This means the cybercriminal must create a trustworthy WiFi network or website, access an email account, or find a way to mask an IP address well enough that the user believes they are interacting with the desired service.

Is man-in-the-middle a DoS attack?

Though not the same, MITM can be used as part of a Denial-of-Service (DoS) attack. DoS floods a network or server with so much false traffic that it shuts down entirely. Someone could use MITM to acquire credentials and breach a network, then deploy DoS from the inside to shut it down.

Does VPN prevent man-in-the-middle?

Yes, but not by itself. VPNs let you connect to the internet from a private and encrypted connection—making your data unreadable to criminals. With a VPN, you'll be able to protect against MITM if the objective is to target internet activity data of a specific user, as seen with WiFi eavesdropping and some forms of HTTPS spoofing. However, you're still vulnerable to MITM once you've entered the site, app, or network.

Protect Against Man-in-the-Middle with StrongDM

In man-in-the-middle attacks, cybercriminals use spoofing, hijacking, or eavesdropping techniques to put themselves between a user and services such as a web application to steal financial information or login credentials. Proper authentication, data encryption, and best practices such as avoiding non-secure WiFi or websites and constantly being aware of potential phishing or system hijacking are the best ways to protect against MITM.

Sign up for our 14-day free trial to see how StrongDM's infrastructure access platform combines authentication, authorization, networking, and observability into a simple solution for finding and defending against man-in-the-middle attacks.

About the Author

Andrew Magnusson, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.


What is a Man-in-the-Middle Attack: Detection and Prevention Tips


A man-in-the-middle (MitM) attack is a form of cyberattack where important data is intercepted by an attacker using a technique to interject themselves into the communication process. The attacker can be a passive listener in your conversation, silently stealing your secrets, or an active participant, altering the contents of your messages, or impersonating the person/system you think you’re talking to.

Think back to the 20th century, when your younger sibling would pick up the phone when you were talking to your crush. You didn’t know they were listening, and then they went and tattled on you. That’s a basic MitM attack.

  • MitM Process
  • MitM Techniques
  • MitM Detection
  • MitM Prevention

How Does A Man-in-the-Middle Attack Work?


Most MitM attacks follow a straightforward order of operations, regardless of the specific techniques used in the attack.

In this example, there are three entities, Alice, Bob, and Chuck (the attacker).

  • Chuck covertly listens to a channel where Alice and Bob are communicating
  • Alice sends a message to Bob
  • Chuck intercepts and reads Alice’s message without Alice or Bob knowing
  • Chuck alters messages between Alice and Bob, causing unwanted/damaging responses

MitM techniques are usually employed early in the cyber kill chain – during reconnaissance, intrusion, and exploitation. Attackers often use MitM to harvest credentials and gather intelligence about their targets.

Multi-factor authentication (MFA) can be an effective safeguard against stolen credentials. Even if your username and password are scooped up by a man-in-the-middle, they’d need your second factor to make use of them. Unfortunately, it’s possible to bypass MFA in some cases.

Here is a practical example of a real-world MiTM attack against Microsoft Office 365 where MFA was bypassed by the attacker:

  • User clicks a phishing link that takes them to a fake Microsoft login page where they enter their username and password
  • The fake webpage forwards the username and password to the attacker’s server
  • The attacker forwards the login request to Microsoft, so they don’t raise suspicion
  • Microsoft sends the two-factor authentication code to the user via SMS
  • User enters the code into the fake webpage
  • The fake page forwards 2FA code to the attacker’s server
  • The attacker uses Evilginx to steal the session cookie
  • The attacker forwards the user’s 2FA code to Microsoft, and now the attacker can log in to Office 365 as the compromised user by using the session cookie, and has access to sensitive data inside the enterprise

You can see this exact attack happen in a live environment during our weekly cyber-attack workshops.

MitM Attack Techniques and Types


Here are a few of the common techniques that attackers use to become a man-in-the-middle.

1. ARP Cache Poisoning

Address Resolution Protocol (ARP) is a low-level process that translates between machine (MAC) addresses and IP addresses on the local network.

Attackers inject false information into this system to trick your computer to think the attacker’s computer is the network gateway. When you connect to the network, the attacker is receiving all of your network traffic (instead of your real network gateway) and passes the traffic along to its real destination. From your perspective, everything is normal. The attacker is able to see all of your packets.

  • Chuck (our attacker) joins your network and runs a network sniffer
  • Chuck inspects your network packets to attempt to predict the sequence numbers of your packets between you and the gateway
  • Chuck sends a packet to your computer with the faked source address of the gateway and the correct ARP sequence to fool your computer into thinking the attacker’s computer is the gateway
  • At the same time, Chuck floods the gateway with a Denial of Service (DoS) attack so you receive the fake ARP packet before the gateway is able to respond
  • Chuck fooled your computer into thinking the attacker’s laptop is the real gateway, and the MitM attack is successful
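The gateway takeover described in the steps above leaves a visible trace: the gateway's IP address suddenly being answered by a different MAC, and one MAC answering for several IPs. As an added example (not code from the Varonis post), the following Python detector scans tcpdump-style ARP reply lines for those two signs; the capture lines, the addresses and the two heuristics are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed, tcpdump-like capture lines (not real traffic). The MAC
# de:ad:be:ef:00:01 starts answering for both the gateway (.1) and a client
# (.20), which is what bidirectional ARP poisoning looks like on the wire.
SAMPLE_CAPTURE = """\
10:00:01 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:01, length 28
10:00:02 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:20, length 28
10:00:03 IP 192.168.1.20.51234 > 203.0.113.5.443: Flags [S], length 0
10:00:05 ARP, Reply 192.168.1.1 is-at de:ad:be:ef:00:01, length 28
10:00:05 ARP, Reply 192.168.1.20 is-at de:ad:be:ef:00:01, length 28
"""

# Matches only ARP replies; everything else in the capture is ignored.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"is-at (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def detect_arp_poisoning(lines, gateway=None):
    """Return a list of alert dicts for suspicious ARP replies.

    Two heuristics (assumptions of this example, not a standard):
      * ip_mac_changed: an IP previously answered by one MAC is now answered
        by another MAC; when that IP is the known gateway the alert is
        tagged gateway_hijack instead.
      * mac_claims_multiple: one MAC answers for more than one IP, which is
        what an attacker does when poisoning victim and gateway at once.
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    alerts = []
    for line in lines:
        m = ARP_REPLY.match(line)
        if not m:
            continue  # ordinary IP traffic or an ARP request, not a reply
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()

        if ip_to_macs[ip] and mac not in ip_to_macs[ip]:
            alerts.append({
                "ts": ts,
                "kind": "gateway_hijack" if ip == gateway else "ip_mac_changed",
                "ip": ip,
                "previous": sorted(ip_to_macs[ip]),
                "now": mac,
            })
        ip_to_macs[ip].add(mac)

        newly_claimed = ip not in mac_to_ips[mac]
        mac_to_ips[mac].add(ip)
        if newly_claimed and len(mac_to_ips[mac]) > 1:
            alerts.append({
                "ts": ts,
                "kind": "mac_claims_multiple",
                "mac": mac,
                "ips": sorted(mac_to_ips[mac]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(SAMPLE_CAPTURE.splitlines(),
                                      gateway="192.168.1.1"):
        print(alert)
```

Legitimate events (a replaced gateway NIC, a host with several addresses) trigger the same heuristics, so the alerts are a prompt to compare against a known inventory rather than proof of an attack.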

2. DNS Cache Poisoning

DNS cache poisoning is when the attacker gives you a fake DNS entry that leads to a different website. It might look like Google, but it’s not Google, and the attacker captures whatever data – username and password, for example – you enter into the faked website.

  • Chuck figures out that you use a certain DNS resolver.
  • Chuck knows this resolver is vulnerable to exploits, like an older version of BIND.
  • Chuck uses this exploit to tell the DNS resolver that www.example.com lives at an IP address that they own.
  • You go to www.example.com from your computer, and the DNS resolver tells you that the IP address of that site is the attacker’s machine!
  • Chuck completes the connection to the real website so you don’t realize there is anyone listening, but he is able to see all the packets that you (or anyone else that uses this DNS resolver to connect to www.example.com) are sending.

3. HTTPS Spoofing

HTTPS is one of the ways users know that their data is “safe.” The S stands for secure. At least that is what an attacker wants you to think. Attackers set up HTTPS websites that look like legitimate sites with valid authentication certificates, but the URL will be just a bit different. For example, they will register a website with a Unicode character that looks like an ‘a’ but isn’t. Continuing with the “example.com” example, the URL might look like https://www.example.com, but the ‘a’ in “example” is a Cyrillic “a”, a valid Unicode character that looks just like a Latin “a” but has a different code point.

  • Chuck gets you to visit his website www.example.com with the Cyrillic “a” using some kind of attack, phishing for example.
  • You download the CA certificate for the fake website.
  • Chuck signs the certificate with his CA private key and sends it to you.
  • You store the certificate in your trusted key store.
  • Chuck relays the traffic to the real www.example.com, and he is now a real MitM listening to your traffic.
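The look-alike hostnames this section describes (a Cyrillic “a” inside “example.com”, or a digit standing in for a letter as in the go0gle.com example in the detection tips) can be caught before a user ever reaches the page. As an added example (not code from the Varonis post), the following Python check reports non-ASCII hosts together with the punycode form the browser actually sends, mixed-script labels, and hosts that collapse onto a trusted name once look-alike characters are folded; the trusted host set and the small confusables table are assumptions constructed for this example.

```python
import unicodedata
from urllib.parse import urlsplit

# Hostnames the organisation expects users to visit (assumed for the example).
TRUSTED_HOSTS = {"www.example.com", "www.google.com"}

# A constructed subset of look-alike characters: digits that resemble letters
# and Cyrillic letters that render like Latin ones. A real deployment would use
# the full Unicode TR39 confusables data rather than this hand-picked table.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}


def script_of(ch):
    """Script name taken from the Unicode character name, e.g. LATIN, CYRILLIC."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def skeleton(host):
    """Fold look-alike characters so visually similar hosts compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def analyze_host(url):
    """Return a list of findings for the URL's host; empty means nothing odd."""
    host = urlsplit(url).hostname or ""
    findings = []

    # 1. Internationalised hosts: what the browser sends is the punycode form.
    try:
        wire_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        wire_host = None
        findings.append("host cannot be encoded as an IDN")
    if wire_host is not None and wire_host != host:
        findings.append(f"non-ASCII host; the browser would send {wire_host}")

    # 2. A single label that mixes scripts (Latin and Cyrillic letters together)
    #    is the classic homograph pattern and is almost never legitimate.
    for label in host.split("."):
        scripts = {script_of(ch) for ch in label if ch.isalpha()}
        if len(scripts) > 1:
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")

    # 3. After folding confusables, does the host collide with a trusted one?
    folded = skeleton(host)
    for trusted in sorted(TRUSTED_HOSTS):
        if host != trusted and folded == skeleton(trusted):
            findings.append(
                f"resembles trusted host {trusted} after confusable folding")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.example.com/login",
                   "https://www.ex\u0430mple.com/login",   # Cyrillic a
                   "https://www.go0gle.com"):              # digit zero
        print(sample, "->", analyze_host(sample))
```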

4. Wi-Fi Eavesdropping

Attackers listen to traffic on public or unsecured Wi-Fi networks, or they create Wi-Fi networks with common names to trick people into connecting so they can steal credentials or credit card numbers or whatever other information users send on that network. Kody from SecurityFWD has several different videos that show how easy this is.

5. Session Hijacking

Session hijacking is a MitM attack where the attacker watches for you to log into a web page (banking account, email account, for example) and then steals your session cookie to log into that same account from their browser. This is the attack we demonstrate in our Live Cyber Attack workshop we mentioned previously.

Once the attacker has your active session cookie on their computer, they can do whatever you could do on that website. Our guy Chuck could transfer all of your savings to an offshore account, buy a bunch of goods with your saved credit card, or use the stolen session to infiltrate your company network and establish a stronger foothold on the corporate network.

Are MitM Attacks Common?

MitM attacks have been around for a long time, and while they’re not as common as phishing and malware or even ransomware, they are usually part of targeted attacks with specific intent. For example, an attacker who wants to steal a credit card number might snoop on a coffee shop Wi-Fi for that data. Another attacker might use MitM techniques as part of a larger plan to break into a large enterprise. Our MitM Cyber Attack Lab demonstrates how an attacker can use malware to intercept network traffic and gain entry into the enterprise email system.

How to Detect a Man-in-the-Middle Attack


MitM attacks can be difficult to catch, but their presence does create ripples in the otherwise regular network activity that cybersecurity professionals and end-users can notice. The conventional wisdom is more prevention than detection.

Signs to Look For

Here are some signs there may be extra listeners on your networks.

  • Unexpected and/or repeated disconnections : Attackers forcefully disconnect users so they can intercept the username and password when the user tries to reconnect. By monitoring for unexpected or repeated disconnections, you can pinpoint this potentially risky behavior proactively.
  • Strange addresses in your browser address bar : If anything in the address looks odd, even by a little, double-check it. It could be a DNS hijack. For example, you see https://www.go0gle.com instead of https://www.google.com.
  • You log into a public and/or unsecured Wi-Fi : Be very careful of what networks you connect to, and avoid public Wi-Fi if possible. Attackers create fake networks with known IDs like “local free wireless” or some other common name to trick people into connecting. If you connect to the attacker’s Wi-Fi, they can easily see everything you send on the network.

How to Prevent a Man-in-the-Middle Attack


Here are several best practices to protect you and your networks from MitM attacks. None of them are 100% fool-proof.

General Best Practices

Overall, good cybersecurity hygiene will help protect you from MitM attacks.

  • Only connect to secured Wi-Fi routers or use your wireless carrier’s encrypted connection. Connect to routers that use WPA2 security. It’s not totally foolproof, but it’s much better than nothing.
  • Add a VPN to encrypt traffic between end-points and the VPN server (either on the enterprise network or on the internet). If traffic is encrypted, it’s harder for a MiTM to steal or modify it.
  • Use end-to-end encryption for your emails, chat, and video communication (Zoom, Teams, etc.)
  • Keep the system patched and anti-malware software updated
  • Use a password manager to protect your passwords and prevent reuse of passwords
  • Only connect to HTTPS connections, use a browser plugin to enforce this rule
  • Use multi-factor authentication wherever available
  • Employ DNS over HTTPS, which is a new technology that protects you from DNS hijacking by encrypting your DNS requests
  • Follow the zero-trust principles to build internal barriers around access to data, which prevent infiltrators from moving freely throughout the network if they were to get inside
  • Monitor activity on the network to detect evidence (malicious network connections or abnormal user behavior, for example) of a compromise or MitM techniques in use

Why Encryption Can Protect You From MitM Attacks

End-to-end encryption can help prevent a MitM from reading your network messages. Encryption involves both the sender and the receiver using a shared key to encrypt and decrypt messages that they send and receive. Without that shared key, the messages are gobbledygook, so the MitM can’t read them.

Encryption makes it harder for an attacker to intercept and read the network data, but it isn’t impossible, and it’s not a guarantee against compromise, because attackers have developed techniques to work around encryption.

For example, in the MitM Cyber Attack Lab, we demonstrate how an attacker can steal the authentication token that contains the username, password, and MFA authentication data to log in to an email account. Once they hijack the session cookie, it doesn’t matter that the communication between the client and server is encrypted — the hacker simply logs in as the end-user and can access everything the user can access.

Future of MitM Attacks

MitM attacks will continue to be a useful tool in attackers’ arsenals as long as they can continue to intercept important data like passwords and credit card numbers. It’s a perpetual arms race between software developers and network providers to close the vulnerabilities attackers exploit to execute MitM.

Take the massive proliferation of the Internet of Things (IoT) over the past few years. IoT devices don’t yet adhere to the same security standards or have the same capabilities as other devices, which makes them more vulnerable to MitM attacks. Attackers use them as a way into an organization’s network so they can move to other techniques. Who knew that a new fancy internet-capable thermostat was a security hole? Attackers do!

Wider adoption of wireless networking, 5G networks, for example, is another opportunity for attackers to use MitM to steal data and infiltrate organizations, as demonstrated at BlackHat 2019 . It is incumbent on the wireless companies to fix vulnerabilities like the ones shown at BlackHat and provide a secure backbone for users and devices.

Overall, there are more devices connected to more networks, which means more opportunities for attackers to use MitM techniques. Knowing the telltale signs of a MitM attack and putting in place detection methods can help you spot attacks before they do damage.

Check out our Live Cyber Attack Workshop , where we demonstrate how an attacker can intercept a user’s authentication token using MitM to infiltrate and steal important data and show how Varonis can detect this attack.


Michael Buckbee


Michael has worked as a sysadmin and software developer for Silicon Valley startups, the US Navy, and everything in between.


Man-in-the Middle (MITM) Attack

Learn What Is a Man-in-the-Middle Attack, How It Works, and How to Protect Your Company

Last updated on November 9, 2023


While the nature of cyberattacks is constantly changing, and our lives are more and more influenced – if not affected – by global health problems, thus leaving our cybersecurity even more vulnerable, information remains the most powerful tool we have. When it comes to the cybersecurity of your business, the so-called man-in-the-middle attack is one of the threats you must be aware of. 

What Is a Man-in-the-Middle Attack?

A man-in-the-middle attack represents a cyberattack in which a malicious player inserts himself into a conversation between two parties, impersonates both of them, and gains access to the information that the two parties were trying to share. The malicious player intercepts, sends, and receives data meant for someone else – or not meant to be sent at all, without either outside party knowing until it’s already too late. 

You might find the man-in-the-middle attack abbreviated in various ways: MITM, MitM, MiM, or MIM. 

Public Wi-Fi networks are most likely to be used during a man-in-the-middle attack because they usually are less secure than private Internet connections. Criminals get in the middle by compromising the Internet router, by scanning for unpatched flaws or other vulnerabilities. The next step is to intercept and decrypt the victim’s transmitted data using various techniques.

The most susceptible to a man-in-the-middle attack are financial sites, other sites that require a login, and any connection meant to be secured by a public or private key.

How Does a Man-in-the-Middle Attack Work?

As mentioned above, during a man-in-the-middle attack, a malicious player inserts himself between two parties and gains access to the information that the two parties were trying to share. 

Usually, a man-in-the-middle attack has two phases: 

Interception

To gain access to a network, attackers usually use open or improperly secured Wi-Fi routers. They can also manipulate DNS servers. Their goal is to find weak passwords, but they may also take advantage of IP spoofing or cache poisoning. Once they get access, the victim’s data is collected by deploying data capture tools.

Decryption

During this phase, the intercepted data is decoded and ready to be used for the illicit purposes of the cybercriminals, which can vary from identity theft to plain disruption of business operations.

Man-in-the-Middle Attack Types

A man-in-the-middle attack can come in many shapes, yet the most common are the following: 

1. IP spoofing 

An Internet Protocol (IP) address is a numerical label assigned to each device that connects to a computer network using the Internet Protocol for communication. IP addresses have two main functions: host or network interface identification and location addressing. By spoofing an IP address, attackers make you think that you’re interacting with a reliable website or entity, which allows them to access information you’d otherwise keep to yourself.

2. HTTPS spoofing 

The HyperText Transfer Protocol (HTTP) represents the foundation of data communication for the World Wide Web, hypertext documents including hyperlinks to other resources that users can access. HTTPS means that a particular website is secure and can be trusted, but attackers can still find ways to convince your browser that a website is safe, even if it’s not. 

3. DNS Spoofing

The Domain Name System (DNS) is a hierarchical and decentralized naming system for computers, services, or other resources that are connected to the Internet, which translates more readily memorized domain names to the numerical IP addresses needed for localization and identification. By DNS spoofing , an attacker will redirect traffic to a fake website, in an attempt to pick up your credentials. 

4. SSL hijacking 

SSL stands for Secure Sockets Layer and is a protocol that establishes encrypted links between your browser and the web server. When you connect to a secure server (indicated by HTTPS), you expect standard security protocols to be in place, protecting whatever data is shared between it and your devices. When someone hijacks SSL, the information shared between the victim’s device and the server is intercepted by another endpoint and another secure server.

5. E-mail hijacking

E-mail hijacking is a type of man-in-the-middle attack used by cybercriminals to target banks’ email accounts or other financial institutions. After they obtain access, all the transactions between an institution and its clients can be supervised. What’s even more dangerous – the clients will follow the attackers’ instructions while thinking they are performing regular banking operations. 

6. Browser cookies theft

In technical language, cookies refer to small pieces of information – like the items you add in the cart of an online store or your address information – that websites save on your devices. By stealing cookies from your browsing sessions, cybercriminals can obtain passwords and various other types of exclusive data. 

7. Wi-Fi eavesdropping 

This type of man-in-the-middle attack is particularly dangerous: hackers can set up Wi-Fi connections that sound legitimate, almost just like the ones you probably already know. If users connect to them, they can literally say farewell to their online privacy: their whole online activity (including login credentials and payment card information) will be at the command of the cybercriminals. 

Famous Man-in-the-Middle Examples

A. The Marconi Case

The first recorded man-in-the-middle attack in history took place long before the Internet was even invented and it involves Guglielmo Marconi, a Nobel prize winner considered to be the inventor of the radio. What happened? When a legal advisor to Marconi, Professor Fleming, was making a demonstration of wireless transmission from one location to another, a Mr. Maskelyne, with his own receiver, intercepted the message that was supposed to be sent from Cornwall to the Royal Institute and then transmitted his own message. 

B. World War II Interceptions

Several years after the Marconi case, during World War II, man-in-the-middle attacks orchestrated by the British intelligence targeted the Nazi forces. Aspidistra (a British medium wave radio transmitter) operators used to transmit fake messages to German listeners, with the intent of demoralizing them. 

Even the Enigma decoding can be considered a case of man-in-the-middle. 

C. The Lenovo Incident

Closer to our times, from December 2014 Lenovo endpoints shipped with pre-installed software called Superfish Visual Search that facilitated the placement of advertisements even on encrypted pages. The software could be removed by Windows Defender thanks to an update released by Microsoft in February 2015.

A man-in-the-middle attack is dangerous. End users can carry on with their business for days or even weeks without noticing that something is wrong. Consequently, it’s almost impossible to know, during that time, what data was exposed to malicious actors. Finding out more about what happened often requires good knowledge of the internet or mobile communication protocol and security practices. Fortunately, there are some security measures you can take in order to be safe. 

How to Prevent a Man-in-the-Middle Attack

1. Use a VPN

A Virtual Private Network (VPN) is used to extend a private network across a public one, enabling users to share and receive data as if their devices were directly connected to that private network. Particularly useful when talking about preventing a man-in-the-middle attack is that VPN connections can mask your IP address by bouncing it through a private server. Plus, they can encrypt the data as it’s transmitted over the Internet. 

2. Access only HTTPS websites 

HTTPS websites prevent attackers from intercepting communications by encrypting data. 

An excellent method to go around HTTPS spoofing is by manually typing the web address you need instead of relying on links. 

You can also check if the link you want to access begins with ‘https://’ or has a lock symbol, suggesting it’s secure. 

3. Watch out for phishing scams 

There are many tips we can give you regarding phishing precautions.

– check grammar and punctuation. Suspicious e-mails might include poor grammar or punctuation or might show an illogical flow of content. 

– remember that established banks never ask you for sensitive information via e-mail. You should consider as big red flags any e-mails that ask you to enter or verify personal details or bank/credit card information. 

– pay special attention to alarming e-mail content and messages where you are told that one of your accounts has been hacked, that your account has expired or other extreme issues that may provoke panic. Do not take immediate action!

– don’t fall for urgent deadlines either. This kind of e-mails usually leads the users to data harvesting websites, where sensitive personal or financial information is stolen. 

– beware of shortened links. They don’t show the real name of a website, so they are a perfect way to trick users into clicking. Get used to always placing your cursor on shortened links to see the target location.

If you want to learn more, check https://www.phishprotection.com/content/phishing-prevention/ . 

4. Use strong router credentials 

Make sure that not only your Wi-Fi password but also router credentials are changed. If these credentials are found by an attacker, they can be used to change your DNS servers to their malicious ones or to infect your router with malware. 

5. Make sure your company has a software update policy

A software update policy helps you seal potential access points for a man-in-the-middle attack because up-to-date systems include all current security patches for known issues. The same should be considered for any routers or IoT devices connected to your network. 


6.  Adopt a zero-trust security model 

Although it might seem a little too much, requiring your colleagues to authenticate themselves each time they connect to your network regardless of where they are will make it more difficult for hackers to pretend to be someone else. They would need to prove their identity before accessing the network in the first place.  

7. Prevent cookie stealing

Saving passwords in web browsers or storing credit card information on shopping websites might save you a bit of time, but it also leaves you more vulnerable to hackers. You should try to avoid storing sensitive information on websites and also get used to clearing your cookies regularly. If you use Chrome, you can do this by accessing History > Clear Browsing History and ticking the checkbox “Cookies and other site data”.

Heimdal ™ Security can also help. Here’s how!  

As we have already seen, a man-in-the-middle attack can take various forms: IP, HTTPS or DNS Spoofing, SSL or e-mail hijacking, browser cookie theft, or Wi-Fi eavesdropping. 

Some of the Heimdal™ solutions are perfect for protecting your business from them: 

Heimdal  Threat Prevention offers DNS and DoH security, plus a powerful and scalable Automated Patch Management system. Its Dark Layer Guard™ mitigates ransomware, next-gen attacks, and data leakage. Its Vector Detection™ tracks device to infrastructure communication and its XPloit Resilience feature closes vulnerabilities and deploys updates anywhere in the world. 

For paramount protection, you can combine it with Heimdal  Next-gen Endpoint Antivirus , our antivirus solution with unparalleled threat intelligence, EDR, forensics, and firewall integration.   


When it comes to email security, Heimdal™ Email Security can help you detect malware, and stop spam, malicious URLs, and phishing with simple integration and highly customizable control. If you want to take one step further, Heimdal™ Fraud Prevention will make sure that no e-mails containing fraud attempts, business e-mail compromise, or impersonation reach your inbox. 

Wrapping Up

When trying to prevent a man-in-the-middle attack, there are three major aspects you must consider:

– awareness & education. People are the ones who unknowingly click on bad links or use their login data on a compromised website, allowing hackers access to their information, so making sure that your colleagues and employees know the basic principles of preventing MITM attacks is essential. 

– encryption & VPNs. Use encryption on all of your company’s devices and use VPNs whenever you connect to public networks, for extra protection. 

– software update policy. Make sure that all your systems are up-to-date. Even a single point of failure can put your entire network in danger. 

Also, please remember that Heimdal™ Security always has your back and that our team is here to help you protect your company and your home against cyber threats and to create a cybersecurity culture to the benefit of anyone who wants to learn more about it.

Author Profile

Elena Georgescu

Communications & Social Media Coordinator | Heimdal®

Elena Georgescu is a cybersecurity specialist within Heimdal™ and her main interests are mobile security, social engineering, and artificial intelligence. In her free time, she studies Psychology and Marketing. Some of her guest posts on other websites include: cybersecurity-magazine.com , cybersecuritymagazine.com , techpatio.com


Man in the Middle (MITM) Attack

What Is a MITM Attack?

A man in the middle (MITM) attack is a general term for when a perpetrator positions himself in a conversation between a user and an application—either to eavesdrop or to impersonate one of the parties, making it appear as if a normal exchange of information is underway.

The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers. Targets are typically the users of financial applications, SaaS businesses, e-commerce sites and other websites where logging in is required.

Information obtained during an attack could be used for many purposes, including identity theft, unapproved fund transfers or an illicit password change.

Additionally, it can be used to gain a foothold inside a secured perimeter during the infiltration stage of an advanced persistent threat (APT) assault.

Broadly speaking, a MITM attack is the equivalent of a mailman opening your bank statement, writing down your account details and then resealing the envelope and delivering it to your door.


MITM attack progression

Successful MITM execution has two distinct phases: interception and decryption.

Interception

The first step intercepts user traffic through the attacker’s network before it reaches its intended destination.

The most common (and simplest) way of doing this is a passive attack in which an attacker makes free, malicious WiFi hotspots available to the public. Typically named in a way that corresponds to their location, they aren’t password protected. Once a victim connects to such a hotspot, the attacker gains full visibility to any online data exchange.

Attackers wishing to take a more active approach to interception may launch one of the following attacks:

  • IP spoofing  involves an attacker disguising himself as an application by altering the source address in IP packet headers. As a result, users attempting to access a URL connected to the application are sent to the attacker’s website.
  • ARP spoofing  is the process of linking an attacker’s MAC address with the IP address of a legitimate user on a local area network using fake ARP messages. As a result, data sent by the user to the host IP address is instead transmitted to the attacker.
  • DNS spoofing , also known as DNS cache poisoning, involves infiltrating a DNS server and altering a website’s address record. As a result, users attempting to access the site are sent by the altered DNS record to the attacker’s site.

After interception, any two-way SSL traffic needs to be decrypted without alerting the user or application. A number of methods exist to achieve this:

  • HTTPS spoofing sends a phony certificate to the victim’s browser once the initial connection request to a secure site is made. It holds a digital thumbprint associated with the compromised application, which the browser verifies against its existing list of trusted sites. The attacker is then able to access any data entered by the victim before it’s passed to the application.
  • SSL BEAST (browser exploit against SSL/TLS) targets a vulnerability in TLS version 1.0. Here, the victim’s computer is infected with malicious JavaScript that intercepts encrypted cookies sent by a web application. Then the app’s cipher block chaining (CBC) is compromised so as to decrypt its cookies and authentication tokens.
  • SSL hijacking occurs when an attacker passes forged authentication keys to both the user and application during a TCP handshake. This sets up what appears to be a secure connection when, in fact, the man in the middle controls the entire session.
  • SSL stripping downgrades an HTTPS connection to HTTP by intercepting the TLS authentication sent from the application to the user. The attacker sends an unencrypted version of the application’s site to the user while maintaining the secured session with the application. Meanwhile, the user’s entire session is visible to the attacker.


Man in the middle attack prevention

Blocking MITM attacks requires several practical steps on the part of users, as well as a combination of encryption and verification methods for applications.

For users, this means:

  • Avoiding WiFi connections that aren’t password protected.
  • Paying attention to browser notifications reporting a website as being unsecured.
  • Immediately logging out of a secure application when it’s not in use.
  • Not using public networks (e.g., coffee shops, hotels) when conducting sensitive transactions.

For website operators, secure communication protocols, including TLS and HTTPS, help mitigate spoofing attacks by robustly encrypting and authenticating transmitted data. Doing so prevents the interception of site traffic and blocks the decryption of sensitive data, such as authentication tokens.

It is considered best practice for applications to use SSL/TLS to secure every page of their site and not just the pages that require users to log in. Doing so helps decrease the chance of an attacker stealing session cookies from a user browsing on an unsecured section of a website while logged in.
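The operator-side controls described above (redirect plain HTTP to HTTPS, send HSTS so browsers refuse a downgrade, and mark session cookies so they are never sent over HTTP) can be checked mechanically. The following audit function is an added example written for this page, not Imperva's code; the response headers it runs over are constructed, and the one-year HSTS threshold and the Secure/HttpOnly cookie requirements are the reviewer's assumptions about a reasonable baseline.

```python
"""Audit HTTP responses for the controls that blunt SSL stripping and cookie theft.

Added defender-side example; the sample responses below are constructed, not
captured from any real site.
"""


def parse_hsts(value):
    """Split a Strict-Transport-Security value into a {directive: value} dict."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip().strip('"')
    return directives


def _max_age(directives):
    try:
        return int(directives.get("max-age", "0"))
    except ValueError:
        return 0


def audit_response(scheme, status, headers):
    """Return a list of findings for one response.

    scheme:  "http" or "https", the scheme the client used to fetch the page
    status:  HTTP status code
    headers: list of (name, value) pairs, so repeated Set-Cookie headers survive
    """
    findings = []
    lower = [(name.lower(), value) for name, value in headers]

    def get(name):
        return [value for n, value in lower if n == name]

    if scheme == "http":
        # The only acceptable plain-HTTP answer is a redirect to the HTTPS origin.
        location = get("location")
        if not (300 <= status < 400 and location
                and location[0].lower().startswith("https://")):
            findings.append("plain HTTP response served instead of redirecting to HTTPS")
        return findings  # browsers ignore HSTS sent over HTTP, so stop here

    hsts = get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security header")
    else:
        directives = parse_hsts(hsts[0])
        max_age = _max_age(directives)
        if max_age < 31536000:  # one year, the usual minimum before preloading
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS does not cover subdomains")

    for cookie in get("set-cookie"):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks the Secure attribute")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks the HttpOnly attribute")
    return findings


# Constructed sample responses: a weak configuration and its hardened form.
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=0123abcd; Path=/"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=0123abcd; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_response("https", 200, hdrs) or ["no findings"])
    print("http-no-redirect", audit_response("http", 200, []))
```

The HTTP branch stops after the redirect check on purpose: a browser only honours HSTS received over a trusted HTTPS connection, so a site that sends the header on its plain-HTTP pages and nowhere else has not protected anyone.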

See how Imperva Web Application Firewall can help you with MITM attacks.

Using Imperva to protect against MITM

MITM attacks often occur due to suboptimal SSL/TLS implementations, such as ones that enable the SSL BEAST exploit or that support the use of outdated and under-secured ciphers.

To counter these, Imperva provides its customers with optimized end-to-end SSL/TLS encryption as part of its suite of security services.

Hosted on the Imperva content delivery network (CDN), the certificates are optimally implemented to prevent SSL/TLS-compromising attacks, such as downgrade attacks (e.g. SSL stripping), and to ensure compliance with the latest PCI DSS requirements.

Offered as a managed service, the SSL/TLS configuration is kept up to date by a professional security team, both to keep up with compliance demands and to counter emerging threats (e.g. Heartbleed).

Finally, with the Imperva cloud dashboard, customers can also configure HTTP Strict Transport Security (HSTS) policies to enforce the use of SSL/TLS across multiple subdomains. This further secures websites and web applications against protocol downgrade attacks and cookie hijacking attempts.


Man-in-the-Middle Attacks: What Are They?

by Anvesha Tiwary on Mar 11, 2024 2:09:32 PM

A man-in-the-middle (MITM) attack is a form of cyber threat where a bad actor inserts themselves into a conversation between two parties, intercepts traffic, and gains access to information that the two parties were trying to send to each other. It allows attackers to eavesdrop, collect data, and even alter communications between victims. Understanding the mechanics, implications, and defense mechanisms against MITM attacks is essential for protecting personal and organizational data.

Understanding man-in-the-middle attacks

The core concept behind an MITM attack lies in the attacker's ability to position themselves between two legitimate communication endpoints, effectively becoming the "middle man" without the knowledge of either party. The attacker can then intercept and potentially modify the data flowing between the two parties. This is similar to eavesdropping on a phone call, except that in the digital realm the attacker can not only listen but also potentially alter the conversation.

How MITM attacks work

Attackers accomplish this by exploiting vulnerabilities in the cryptographic protocols that secure internet traffic. To carry out a MITM attack, bad actors typically target:

Unsecured Wi-Fi networks

Public Wi-Fi networks, especially those operating without robust encryption protocols, are prime targets for MITM attacks. Attackers can set up malicious access points with enticing names, luring users to connect. Once a user connects, the attacker can intercept any unencrypted data transmitted, including login credentials, financial information, and personal messages.

ARP spoofing

This technique involves the attacker sending out forged Address Resolution Protocol (ARP) packets on the network. These packets trick devices into associating the attacker's MAC address with the legitimate IP address of the intended recipient. Consequently, data meant for the recipient is routed through the attacker's machine, enabling them to intercept it.
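Both this paragraph and the interception list earlier on the page describe the same symptom on the wire: an ARP reply binds a MAC address to an IP that another host already answered for. A host or sensor that remembers the bindings it has seen can flag that. The monitor below is an added example for this page, not DNSFilter's or Imperva's code; the ARP replies it consumes are constructed, and pinning the gateway as a static binding is the author's assumption about the one entry most worth protecting.

```python
"""Flag ARP spoofing from observed ARP replies (added defender-side example).

The replies below are constructed to show the two symptoms a defender watches
for: an IP whose MAC suddenly changes, and one MAC answering for several IPs.
"""
from collections import defaultdict


class ArpMonitor:
    """Track IP-to-MAC bindings learned from ARP replies and raise alerts on conflicts."""

    def __init__(self, static_bindings=None):
        # Pinned bindings (e.g. the default gateway) are never overwritten.
        self.static = {ip: mac.lower() for ip, mac in (static_bindings or {}).items()}
        self.ip_to_mac = dict(self.static)
        self.mac_to_ips = defaultdict(set)
        for ip, mac in self.ip_to_mac.items():
            self.mac_to_ips[mac].add(ip)
        self.alerts = []

    def observe(self, ip, mac):
        mac = mac.lower()
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            kind = "static binding violated" if ip in self.static else "binding changed"
            self.alerts.append(f"{kind}: {ip} was {previous}, now claimed by {mac}")
        if ip not in self.static:
            self.ip_to_mac[ip] = mac
        if ip not in self.mac_to_ips[mac]:
            self.mac_to_ips[mac].add(ip)
            if len(self.mac_to_ips[mac]) > 1:
                self.alerts.append(
                    f"one MAC answers for several IPs: {mac} -> {sorted(self.mac_to_ips[mac])}")


# Constructed sample traffic: (sender IP, sender MAC) from ARP replies on a LAN.
SAMPLE_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    ("192.168.1.20", "aa:bb:cc:00:00:20"),  # workstation
    ("192.168.1.30", "aa:bb:cc:00:00:30"),  # printer
    ("192.168.1.1", "aa:bb:cc:00:00:01"),   # periodic repeat, benign
    ("192.168.1.1", "de:ad:be:ef:00:99"),   # second host claims the gateway
    ("192.168.1.20", "de:ad:be:ef:00:99"),  # same host claims the workstation too
]


def detect_arp_spoofing(replies, gateway=None):
    """Run the monitor over a list of replies; return the alerts it produced."""
    monitor = ArpMonitor({gateway[0]: gateway[1]} if gateway else None)
    for ip, mac in replies:
        monitor.observe(ip, mac)
    return monitor.alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_REPLIES, gateway=("192.168.1.1", "aa:bb:cc:00:00:01")):
        print(alert)
```

In a real deployment the second rule needs an allow list: routers that own several addresses, VRRP/HSRP gateways and proxy ARP all legitimately answer for more than one IP, so that alert is a lead to investigate rather than proof of spoofing. The first rule, a pinned gateway binding being contradicted, is the high-confidence signal.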

DNS spoofing

This method focuses on targeting the Domain Name System (DNS). Attackers manipulate DNS servers to redirect users attempting to access a legitimate website to a malicious clone controlled by the attacker. This allows them to steal login credentials or insert malware into the user's device without their knowledge.
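The defence against a forged DNS answer (whether aimed at a resolver's cache, as Imperva's DNS spoofing bullet describes, or at a client, as this paragraph does) is to accept only a reply that matches the outstanding query in every field the sender cannot predict: source address and port, the random 16-bit transaction ID, and the question section. The stub resolver below is an added example for this page, not DNSFilter's code; it builds the DNS messages itself so it runs offline, the addresses are TEST-NET placeholders, and the assumption that the answer's owner name is a compression pointer holds only for the messages constructed here.

```python
"""Validate DNS replies against the outstanding query (added defender-side example).

A resolver that accepts any reply carrying the right name is easy to poison; this
stub resolver only accepts a reply whose source, transaction ID and question all
match the query it sent. Messages are built inline, so it runs offline.
"""
import os
import struct


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(txid, name):
    """Standard A query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ipv4, ttl=300):
    """Response with QR/RD/RA set and a single A record for the queried name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    # 0xC00C is a compression pointer to the name at offset 12 (the question)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def parse_header_and_question(msg):
    """Return (txid, flags, qname, qtype, qclass, offset_after_question)."""
    txid, flags, *_ = struct.unpack("!HHHHHH", msg[:12])
    offset, labels = 12, []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return txid, flags, ".".join(labels), qtype, qclass, offset + 4


def first_a_record(response):
    """Extract the IPv4 address from the first answer of a validated response."""
    *_, offset = parse_header_and_question(response)
    offset += 2  # owner name is a two-byte compression pointer in our messages
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", response[offset:offset + 10])
    offset += 10
    return ".".join(str(b) for b in response[offset:offset + rdlen])


class PendingQuery:
    """One outstanding query: random 16-bit ID plus the server it was sent to."""

    def __init__(self, name, server):
        self.name = name
        self.server = server  # (ip, port) the query went to
        self.txid = int.from_bytes(os.urandom(2), "big")
        self.wire = build_query(self.txid, name)


def validate_response(pending, response, source):
    """Accept the reply only if it matches the query in every checkable field."""
    if source != pending.server:
        return False, "reply did not come from the server that was queried"
    txid, flags, qname, qtype, qclass, _ = parse_header_and_question(response)
    if not flags & 0x8000:
        return False, "QR bit not set, this is a query not a response"
    if txid != pending.txid:
        return False, "transaction ID does not match the outstanding query"
    if qname.lower() != pending.name.lower() or (qtype, qclass) != (1, 1):
        return False, "question section does not match the outstanding query"
    return True, "accepted"


# Constructed scenario: the real resolver answers, and a forged reply arrives
# with a guessed transaction ID (TEST-NET addresses throughout).
RESOLVER = ("203.0.113.53", 53)
pending = PendingQuery("bank.example", RESOLVER)
genuine = build_response(pending.txid, "bank.example", "203.0.113.10")
forged = build_response(pending.txid ^ 0x0001, "bank.example", "198.51.100.66")

if __name__ == "__main__":
    print(validate_response(pending, genuine, RESOLVER), first_a_record(genuine))
    print(validate_response(pending, forged, RESOLVER))
    print(validate_response(pending, genuine, ("198.51.100.1", 53)))
```

Two things this check cannot do on its own: the 16-bit ID gives only 65,536 possibilities, which is why real resolvers also randomise the UDP source port and why DNSSEC validation, rather than any matching rule, is the answer to a forged record that was accepted upstream.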

Let's look at some threats and examples of Man-in-the-Middle attacks:

These attacks pose serious threats from both a data-protection and even a national-security standpoint. By gaining access to sensitive data through these means, attackers can steal credentials and personal information that lead to identity theft and financial fraud, obtain trade secrets, and leverage this information for ransom, corporate or national espionage, or to disrupt operations of many kinds.

Email hacking

Attackers can compromise email servers or services to spy on communications and attachments sent between parties, or alter conversations by inserting their own content or replies that appear entirely legitimate.

Session hijacking

The attackers can take over an active session between two computers to control the conversation and harvest exchanged data. They can target financial transactions, remote system administration sessions or other sensitive communications.

SSL stripping

This attack removes SSL encryption from the traffic between a browser and server so that the information, now sent over HTTP, can be read in plain text. This allows the attackers to intercept and access sensitive data entered into login forms, checkout pages, etc.

Mitigating MITM threats

To better protect against MITM attacks, it's important to know how they work and use the right safety measures. Keeping an eye out for threats and making sure to communicate securely are key steps. Some strategies include:

  • Always use HTTPS websites whenever possible; the encrypted communication channel significantly reduces the risk of data interception.
  • Be very careful when using public Wi-Fi hotspots that don’t require authentication, and avoid unencrypted Wi-Fi networks, particularly for accessing sensitive information.
  • Use multi-factor authentication (MFA), which adds an extra layer of security by requiring not only a password but also an additional verification step, such as a code sent via SMS or generated by an authenticator app.
  • Verify that SSL certificates match the intended domain.
  • Raise awareness about recognizing phishing attempts, which can prevent the credential theft that leads to MITM attacks.
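"Verify that SSL certificates match the intended domain" is the check that defeats the forged-certificate scenario in Imperva's HTTPS spoofing bullet: a certificate can be perfectly valid for some name and still be the wrong certificate for the site the user typed. Browsers and TLS libraries do this for you, but client code that disables hostname checking gives it away, and it is worth seeing exactly what the rule is. The matcher below is an added example for this page, not DNSFilter's code; the SAN lists are constructed, and their (type, value) tuple shape follows what Python's ssl.SSLSocket.getpeercert() returns under 'subjectAltName'.

```python
"""Check that a certificate's subject alternative names cover the intended host.

Added example, not DNSFilter's code. The SAN list uses the (type, value) tuple
shape that Python's ssl.SSLSocket.getpeercert() returns under 'subjectAltName';
the certificates below are constructed.
"""
import ipaddress


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def dns_name_matches(pattern, hostname):
    """Match one dNSName SAN against a hostname using the usual browser rules:
    case-insensitive, exact unless the leftmost label is a lone '*', and a
    wildcard covers exactly one label and never a public suffix like '*.com'."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if _is_ip_literal(hostname):
        return False  # dNSName entries never match an IP literal
    if "*" not in pattern:
        return pattern == hostname
    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False  # only a whole leftmost label may be the wildcard
    if len(plabels) < 3:
        return False  # '*.example' would cover an entire top-level domain
    return (len(hlabels) == len(plabels)
            and hlabels[1:] == plabels[1:]
            and hlabels[0] != "")


def cert_matches_host(sans, hostname):
    """True if any SAN entry covers hostname (IP SANs only for IP literals)."""
    for kind, value in sans:
        if kind == "DNS" and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and _is_ip_literal(hostname):
            if ipaddress.ip_address(value) == ipaddress.ip_address(hostname):
                return True
    return False


# Constructed certificates: what the legitimate bank presents, and what a
# look-alike might present while hoping the client skips the name check.
BANK_SANS = (("DNS", "bank.example"), ("DNS", "*.bank.example"))
LOOKALIKE_SANS = (("DNS", "bank.example.lookalike.example"), ("DNS", "*.example"))

if __name__ == "__main__":
    for host in ("bank.example", "login.bank.example", "a.b.bank.example", "BANK.EXAMPLE."):
        print(host, cert_matches_host(BANK_SANS, host), cert_matches_host(LOOKALIKE_SANS, host))
```

The look-alike certificate is the instructive case: both of its names are syntactically fine and a CA could issue them, yet neither covers bank.example, so a client that only checks "is the chain valid" and not "is the name mine" is the one that gets fooled. In production use ssl.create_default_context(), which keeps check_hostname on, rather than reimplementing this.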

Apart from the above-mentioned mitigation strategies, it is essential to look at how DNS security steps in to help. DNS filtering technologies, like DNSFilter, leverage advanced threat intelligence to block malicious websites by checking DNS requests.

These tools are key in protecting against MITM attacks, acting as a strong defense by keeping your internet browsing safe. Try DNSFilter free for 14 days.



