Man-in-the-middle attacks place cybercriminals where they want to be: between users and websites. Skilled MITM attackers can remain undetected as they extract data, often with devastating consequences. Learn how these attacks work and how to prevent man-in-the-middle attacks.

Man-in-the-Middle (MITM) attack definition

A man-in-the-middle (MITM) attack is an eavesdropping attack in which an attacker secretly positions themselves between two communicating parties (a user and a website, or two devices) and relays, reads, or alters the traffic passing between them. Both parties believe they are talking directly to each other. Depending on the technique, the attacker can merely watch the conversation, hijack it, or control what each side sees.

MITM attacks can have severe consequences for targeted organizations. Undetected interception lets attackers monitor conversations and extract sensitive information such as login details and payment card numbers. Any data sent without encryption, or over a connection whose endpoint the attacker can impersonate, is at risk.

How does a man-in-the-middle attack work?

During MITM attacks, criminals insert themselves between two parties who trust each other. Examples include hijacking data transfer sessions, setting up or compromising Wi-Fi access points, and monitoring email communications.


Well-hidden attackers can extract information about the messages we send, the websites we visit, and the text we enter into web application forms. The two main types of MITM attacks are active and passive. Both types pose critical network security threats.

Active MITM attacks

An active man-in-the-middle attack typically has two phases: interception and decryption. Interception puts the attacker on the path between the victim and the server; decryption (or a downgrade that avoids encryption altogether) makes the intercepted traffic readable.

An active MITM attack starts by getting onto that path. On a local network that usually means ARP spoofing or a rogue Wi-Fi access point; elsewhere it may mean DNS manipulation, a compromised router, or malware installed on the victim's device through phishing emails, fake websites, or planted hardware.

Once on the path, packet sniffers let attackers identify traffic worth targeting (for example, unencrypted HTTP sessions) and capture it as it passes between clients and web servers.

Next, attackers make the victim believe they are still talking to the genuine site. By rewriting responses in flight or running a transparent proxy, they can read and modify traffic without the user's knowledge or redirect the victim to a look-alike site under their control.

This fake website resembles the real thing, but with a critical difference: data entered into the site goes directly to the MITM attackers.

Intercepted HTTPS traffic is protected by TLS (the successor to SSL), so attackers must get around the encryption before the data is useful for follow-on attacks or for sale on dark web markets. The usual routes are presenting a forged certificate (which only works if the victim clicks through a browser warning or the attacker has planted a trusted root certificate, as in the Superfish case below), stripping HTTPS down to plain HTTP before the secure connection is ever established, or exploiting flaws in outdated TLS versions and implementations.

Passive MITM attacks

Other attacks take a passive approach. A passive MITM attacker gains a vantage point on the network (a rogue hotspot, a compromised switch or router, a tap on a shared medium) and simply records what passes without modifying it. Because nothing is altered, passive interception is much harder for either party to notice.

Rogue Wi-Fi hotspots are the most common form of this attack. Attackers create fake hotspots with believable names, and anyone who connects exposes every unencrypted connection, plus the metadata of encrypted ones (DNS lookups, destination hosts), unless their traffic is tunnelled through a VPN.

Other variants include capturing packets from legacy email protocols (POP3, IMAP and SMTP without TLS send credentials and message bodies in cleartext) and intercepting radio signals such as Wi-Fi, Bluetooth, or cellular traffic over the air.

Man-in-the-middle attack types

Criminals have developed many powerful techniques to hijack connections and fool their targets. The list below covers the most common man-in-the-middle variants. Companies should consider every type when developing cybersecurity strategies.

Email hijacking

In these MITM attacks, criminals take control of corporate email accounts and pose as legitimate contacts. They can read incoming and outgoing mail, add forwarding rules so the monitoring survives a password change, and use what they learn in later social engineering, for example to redirect an invoice payment.

IP address spoofing

IP spoofing forges the source IP address in packet headers so that traffic appears to come from a trusted host. This lets criminals mask their activities and impersonate one side of a connection: from the target's perspective the packets come from a legitimate address, but they carry the attacker's content, for example a redirect that sends the browser to a fake website where data can be extracted.

DNS spoofing

Domain Name System (DNS) spoofing is another way to fool website visitors into thinking fake sites are genuine. Instead of forging packet addresses, criminals forge the DNS answers that map a name such as security.com to an IP address.

One way to achieve this is DNS cache poisoning. It targets the recursive resolvers that translate domain names into reachable addresses: the attacker floods the resolver with forged responses that carry the attacker's IP address, racing the real answer. A forgery is accepted only if it matches the transaction ID, source port, and question of the outstanding query, which is why resolvers randomize both the ID and the port. If one matches, the resolver caches it, and every later lookup of that name sends victims who typed the legitimate address to the attacker's server until the record expires.
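The matching a resolver performs before it caches an answer, as an added example that is not part of the original article or any resolver's code. It builds a query and responses by hand (stdlib only, no network), then shows a legitimate answer being accepted, a blind forgery with a guessed transaction ID and the old fixed port being rejected, and the same forgery being accepted once the attacker knows the real ID and port. The name security.com is taken from the text; the two IP addresses are RFC 5737 documentation addresses chosen for the example.

```python
import secrets
import struct

# Constructed example, not from the page or any resolver's source code.
# RFC 5737 documentation addresses stand in for the real and the attacker's server.
QNAME = "security.com"
LEGIT_IP = "192.0.2.10"
ATTACKER_IP = "203.0.113.66"


def encode_name(name):
    """Hostname to DNS wire-format labels (no compression pointers)."""
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"


def decode_name(pkt, off):
    """Read an uncompressed name at offset; return (name, offset after it)."""
    labels = []
    while pkt[off] != 0:
        ln = pkt[off]
        labels.append(pkt[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln
    return ".".join(labels), off + 1


def build_query(txid, name):
    """Header (id, RD set, one question) followed by an A/IN question."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", 1, 1)


def build_response(txid, name, ip, ttl=300):
    """Response (QR|RD|RA) echoing the question and carrying one A record."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 1, 1)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = encode_name(name) + struct.pack("!HHIH", 1, 1, ttl, len(rdata)) + rdata
    return header + question + answer


def accept_response(query, query_src_port, response, response_dst_port):
    """The checks a resolver must make before caching an answer.
    Returns (accepted, reason, ip_or_None)."""
    qid = struct.unpack("!H", query[:2])[0]
    rid, flags, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    if response_dst_port != query_src_port:
        return False, "port mismatch", None        # wrong guess of the randomized source port
    if rid != qid:
        return False, "txid mismatch", None        # wrong guess of the 16-bit transaction ID
    if not flags & 0x8000:
        return False, "not a response", None
    qname, qoff = decode_name(query, 12)
    rname, roff = decode_name(response, 12)
    if (qname, query[qoff:qoff + 4]) != (rname, response[roff:roff + 4]):
        return False, "question mismatch", None
    if ancount < 1:
        return False, "no answer", None
    aname, aoff = decode_name(response, roff + 4)
    atype, _, _, rdlen = struct.unpack("!HHIH", response[aoff:aoff + 10])
    if aname != qname or atype != 1 or rdlen != 4:
        return False, "answer does not match question", None
    rdata = response[aoff + 10:aoff + 10 + rdlen]
    return True, "ok", ".".join(str(b) for b in rdata)


def simulate():
    """A legitimate answer, a blind forgery, and a forgery by an attacker who
    learned the txid and port (the case that randomization exists to prevent)."""
    txid = secrets.randbelow(1 << 16)
    port = 1024 + secrets.randbelow(64512)            # randomized source port
    query = build_query(txid, QNAME)
    return {
        "legit": accept_response(query, port, build_response(txid, QNAME, LEGIT_IP), port),
        # Blind forgery: attacker guesses the txid (off by one here) and assumes the old fixed port 53.
        "blind_forgery": accept_response(query, port, build_response((txid + 1) & 0xFFFF, QNAME, ATTACKER_IP), 53),
        # Same forgery with the real txid and port: accepted, and would be cached for `ttl` seconds.
        "forgery_with_known_txid_and_port": accept_response(query, port, build_response(txid, QNAME, ATTACKER_IP), port),
    }
```

Run `simulate()` to see the three outcomes. With a 16-bit ID and a 16-bit port the attacker has roughly 2^32 combinations to guess in the few milliseconds before the real answer arrives, which is the whole defence; a resolver that always sends from port 53 reduces that to 65,536, which is the weakness that made cache poisoning practical. DNSSEC closes the gap entirely by signing the records themselves.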

Session hijacking

A session is the server-side state that lets a website recognise a logged-in user across requests. The browser proves who it is by presenting a session cookie (or bearer token) with every request. A man-in-the-middle attack can hijack that relationship by stealing the cookie in transit.

Session cookies rarely contain the password itself. They hold a session identifier that stands in for the credentials, which is exactly why stealing one is enough: the attacker replays it and the server treats them as the logged-in user, whether that is a web application or an online banking portal, without ever needing the password or an MFA code.

ARP cache poisoning

The Address Resolution Protocol (ARP) works at the link layer to map IPv4 addresses to MAC addresses within a local network or subnet. ARP has no authentication: any host can send a reply claiming any IP address, and receivers simply update their cache. Attackers use this ARP spoofing (also called ARP cache poisoning) to intercept traffic between hosts on the same LAN.

Typically the attacker answers for the gateway's IP address with their own MAC address, and tells the gateway that they are the victim. Victim devices then send all traffic bound for other networks, including the internet, through the attacker's machine, which forwards it onward so that nothing appears broken. That traffic can include sensitive information such as login credentials or PII.
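A detector for the poisoning just described, added here as an example and not taken from the article. It runs over a constructed list of ARP replies (the MAC addresses and the 192.168.1.0/24 layout are made up) and applies the two cheap heuristics that catch most ARP spoofing: an IP address whose MAC differs from the first one learned for it, and one MAC address answering for several IPs. On a real host the tuples would come from a packet capture of ARP traffic.

```python
from collections import defaultdict

GATEWAY_IP = "192.168.1.1"

# Constructed sample of ARP replies seen on a LAN: (seconds, sender IP, sender MAC).
# Illustrative data, not a real capture; the MAC addresses are made up.
ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # real gateway answers first
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # victim workstation
    (1.0, "192.168.1.30", "aa:bb:cc:00:00:30"),
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # attacker claims the gateway IP
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),   # ...and the victim's IP, toward the gateway
    (3.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # repeated so the poisoned entries do not expire
]


def detect_arp_spoofing(replies, gateway_ip):
    """Two heuristics: (1) an IP whose MAC differs from the first one seen
    for it, (2) one MAC answering for more than one IP."""
    baseline = {}                    # ip -> MAC first learned (trust on first use)
    ips_by_mac = defaultdict(set)
    alerts = []
    for t, ip, mac in replies:
        ips_by_mac[mac].add(ip)
        if ip not in baseline:
            baseline[ip] = mac
        elif baseline[ip] != mac:
            alerts.append({
                "kind": "mac_change", "time": t, "ip": ip,
                "expected": baseline[ip], "seen": mac,
                "gateway": ip == gateway_ip,
            })
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append({
                "kind": "multi_ip_mac", "mac": mac, "ips": sorted(ips),
                "gateway": gateway_ip in ips,
            })
    return alerts


def summarize(alerts):
    """Human-readable lines for a console or a SIEM forwarder."""
    lines = []
    for a in alerts:
        flag = " [GATEWAY]" if a["gateway"] else ""
        if a["kind"] == "mac_change":
            lines.append(f"t={a['time']:.1f}s {a['ip']} moved {a['expected']} -> {a['seen']}{flag}")
        else:
            lines.append(f"{a['mac']} claims {len(a['ips'])} IPs: {', '.join(a['ips'])}{flag}")
    return lines


if __name__ == "__main__":
    for line in summarize(detect_arp_spoofing(ARP_REPLIES, GATEWAY_IP)):
        print(line)
```

Trust-on-first-use is the weak point of this detector: if the attacker is already spoofing when monitoring starts, the poisoned mapping becomes the baseline. In production, seed the baseline from a static inventory (at minimum the gateway's real MAC), or rely on switch-level Dynamic ARP Inspection, which drops replies that disagree with DHCP snooping records.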

Eavesdropping via public Wi-Fi

Wi-Fi hijacking targets insecure wireless networks, often in public places. Attackers may set up fake networks whose names mimic legitimate ones, such as a hotel's or café's, or intercept traffic on open and poorly secured public networks where every client shares the same medium.

Once a victim connects, the attacker sits on the path of every connection that device makes. Anything not protected by TLS or a VPN is readable, and even encrypted traffic reveals which hosts the user talks to. Login credentials and personal details sent over unencrypted connections are exposed to theft.

SSL hijacking

The Secure Sockets Layer (SSL) protocol, and its successor TLS, were designed to give users an encrypted and authenticated connection to websites. SSL hijacking refers to attacks that defeat that protection at the connection level rather than by breaking the cryptography.

Positioned between the user's device and the server, the attacker either terminates the encrypted connection themselves, presenting a forged certificate that the victim's browser accepts (because a rogue root certificate was planted or the user clicked through a warning), or strips the connection down to plain HTTP before it is established, so that the browser never asks for a certificate at all. Either way the attacker can read and modify the data or divert the user to a fake site. HSTS, certificate pinning, and cookies that are never sent over HTTP are the standard countermeasures.
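An audit of the two response headers that decide whether the session hijacking and SSL stripping attacks described above succeed, added here as an example that is not part of the original article. It parses two constructed HTTP responses (the cookie value and header values are made up), flags a session cookie that lacks the Secure, HttpOnly and SameSite attributes, and flags a missing or weak Strict-Transport-Security header. The second response shows the hardened form, including the __Host- cookie prefix, and passes clean.

```python
# Constructed example responses, not from the page. Header and cookie values are made up.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: SESSIONID=9f3c2a7b; Path=/\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Set-Cookie: __Host-SESSIONID=9f3c2a7b; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html>...</html>"
)

ONE_YEAR = 31536000


def parse_headers(raw):
    """Return (status line, [(lower-case name, value), ...]); repeated headers are kept."""
    head = raw.partition("\r\n\r\n")[0]
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_attributes(set_cookie):
    """Split 'name=value; Attr; Attr=val' into (name, {attr_lower: value_or_True})."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for p in parts[1:]:
        key, _, val = p.partition("=")
        attrs[key.lower()] = val if val else True
    return name, attrs


def audit_cookie(set_cookie):
    name, attrs = cookie_attributes(set_cookie)
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure; the browser will send it over plain HTTP after an SSL strip")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly; readable by any script the attacker injects")
    if "samesite" not in attrs:
        findings.append(f"cookie {name}: missing SameSite")
    if name.startswith("__Host-") and (attrs.get("path") != "/" or "domain" in attrs or "secure" not in attrs):
        findings.append(f"cookie {name}: __Host- prefix rules violated (needs Secure, Path=/, no Domain)")
    return findings


def audit_hsts(headers):
    values = [v for n, v in headers if n == "strict-transport-security"]
    if not values:
        return ["missing Strict-Transport-Security; a stripped http:// version will be accepted on the next visit"]
    directives = {}
    for d in values[0].split(";"):
        key, _, val = d.strip().partition("=")
        directives[key.lower()] = val
    try:
        max_age = int(directives.get("max-age", ""))
    except ValueError:
        return ["HSTS header has no valid max-age"]
    findings = []
    if max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is below one year")
    if "includesubdomains" not in directives:
        findings.append("HSTS lacks includeSubDomains; subdomains remain strippable")
    return findings


def audit_response(raw):
    """All findings for one response; an empty list means it passed."""
    _, headers = parse_headers(raw)
    findings = audit_hsts(headers)
    for name, value in headers:
        if name == "set-cookie":
            findings.extend(audit_cookie(value))
    return findings
```

`audit_response(WEAK_RESPONSE)` returns four findings and `audit_response(HARDENED_RESPONSE)` returns none. Note the order of protection: HSTS stops the browser from making the plaintext request in the first place, and the Secure attribute ensures that even if a plaintext request does happen the session cookie is not attached to it; you want both, because HSTS only takes effect after the first HTTPS visit unless the domain is on the preload list.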

Examples of MITM attacks

How does a man-in-the-middle attack unfold in reality? Unfortunately, many real-world MITM attack incidents show how damaging this type of eavesdropping attack can be.

Okta

Authentication specialists Okta suffered an MITM incident in 2022. In this case, the Lapsus$ collective fooled a third-party engineer into approving a push MFA prompt the attackers had triggered. Instead of providing secure authentication, the engineer handed their credentials to attackers, who used them to access Okta's thin client desktop.

This MITM attack is significant as it targeted a remote connection secured by multi-factor authentication. Attackers needed the target's phone number to send the notification. They needed to know that the engineer used Okta. And they needed to persuade the engineer to click.

Despite these requirements, the attackers succeeded, indicating MITM attacks are evolving to handle enhanced authentication methods.

Lenovo Superfish Adware

The Lenovo Superfish issue wasn’t a direct MITM attack on Lenovo, but it created a vulnerability that enabled many MITM attacks.

Starting in 2014, Lenovo pre-installed Superfish VisualDiscovery adware on some consumer PCs. To inject advertisements into HTTPS pages, the adware installed its own root certificate in the Windows trust store and acted as a local proxy, intercepting, decrypting, and re-encrypting encrypted web traffic without any browser warning: a textbook MITM, running on the victim's own machine.

The root's private key was identical on every affected PC and was quickly recovered, so anyone could issue certificates that those machines would trust for any website. An attacker on the same network could impersonate banking or webmail sites to affected users without triggering a single warning.

How do man-in-the-middle attacks affect enterprises?

Man-in-the-middle attacks often severely impact the health of targeted organizations.

Financial services companies rely on secure data transfer to process transactions and protect client accounts. MITM attacks compromise these services, leading to reputational damage and regulatory risk. The scale of that risk is illustrated by Equifax, which has paid over $700 million to settle its 2017 breach (that breach exploited a web application flaw rather than a MITM attack, but the regulatory consequences are the same whichever way the data leaves).

MITM attacks also compromise privacy and confidentiality. Organizations rely on privacy to guard intellectual property from competitors or states. Man-in-the-middle attacks intercept information flows. As Edward Snowden's leaks showed, the NSA used MITM tactics to mimic Google and track the browsing of American citizens.

Resolving MITM incidents also costs money. Consultancy firm Accenture calculated that man-in-the-middle attacks cost companies $2 billion in 2020.

How to prevent a man-in-the-middle attack

The consequences detailed above make it essential to secure networks against man-in-the-middle attack types. Here are some best practices to cut MITM risks and safeguard data.


Use secure Wi-Fi networks and encrypted websites

Use websites only over HTTPS (the padlock next to the address shows that the browser established an authenticated TLS connection) and treat any login page served over plain HTTP as compromised. Modern browsers, including Chrome, offer an HTTPS-only mode that refuses to fall back to HTTP, which defeats SSL stripping outright. Users can also inspect a site's TLS certificate, but read it correctly: a valid certificate proves that the connection is encrypted to the host named in it, not that the host itself is honest, and a phishing domain can hold a perfectly valid certificate of its own. On the server side, publish a Strict-Transport-Security header so returning visitors never make that first plaintext request.

Be very cautious when allowing employees to use public Wi-Fi networks. As discussed above, Wi-Fi spoofing is a classic man-in-the-middle attack strategy.

Add multi-factor authentication to guard against credential theft

Require employees to use multi-factor authentication when accessing network resources. MFA is an insurance policy against credential theft: a password captured in transit or on a fake login page is not enough on its own. It does not, however, stop interception itself, and a real-time phishing proxy can relay one-time codes and push prompts just as easily as it relays passwords, as the Okta incident above shows. Where possible, prefer phishing-resistant MFA such as FIDO2/WebAuthn security keys or passkeys, which are cryptographically bound to the genuine site's origin and simply do not work for a look-alike domain.
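Why origin-bound MFA resists a phishing proxy where push and OTP do not, shown as an added example that is not from the article or from any WebAuthn library. The browser records the origin of the page that called `navigator.credentials.get()` in the signed client data, so a credential collected through a look-alike proxy carries the proxy's origin; the relying party rejects it (and the browser itself refuses to use a credential whose RP ID does not match the page). The example implements the relying-party checks on that client data for a constructed genuine, proxied and replayed assertion; signature verification over the authenticator data is outside its scope, and both origins are assumed names.

```python
import base64
import json
import secrets

# Assumed relying-party origin and an assumed look-alike phishing-proxy origin.
# Constructed example, not from the page or any WebAuthn library.
RP_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login-example.com"


def b64url(data):
    """Base64url without padding, the encoding WebAuthn uses for the challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def issue_challenge():
    """Per-ceremony random challenge; the RP stores it in the login session."""
    return secrets.token_bytes(32)


def verify_client_data(client_data_json, expected_challenge, allowed_origins, expected_type="webauthn.get"):
    """The collectedClientData checks from the WebAuthn assertion procedure:
    ceremony type, fresh challenge, and the origin the browser recorded.
    The authenticator's signature covers SHA-256(clientDataJSON), so these
    fields cannot be edited after signing; signature checking itself is
    outside this example."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not JSON"
    if data.get("type") != expected_type:
        return False, "wrong ceremony type"
    if not secrets.compare_digest(str(data.get("challenge", "")), b64url(expected_challenge)):
        return False, "challenge mismatch (replayed or stale)"
    if data.get("origin") not in allowed_origins:
        return False, f"origin {data.get('origin')!r} is not the relying party"
    return True, "ok"


def make_client_data(challenge, origin):
    """What the browser builds for navigator.credentials.get(); origin is the
    page that made the call, which a phishing proxy cannot change."""
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode("ascii")


def simulate():
    challenge = issue_challenge()
    allowed = {RP_ORIGIN}
    return {
        "genuine": verify_client_data(make_client_data(challenge, RP_ORIGIN), challenge, allowed),
        # The proxy relays the RP's real challenge, but the victim's browser records the proxy's origin.
        "via_phishing_proxy": verify_client_data(make_client_data(challenge, PHISHING_ORIGIN), challenge, allowed),
        # A captured assertion replayed later fails because the RP has issued a new challenge.
        "replayed": verify_client_data(make_client_data(challenge, RP_ORIGIN), issue_challenge(), allowed),
    }
```

Compare this with a six-digit OTP or a push approval: neither carries any information about which site the user was looking at, so a proxy can forward them unchanged. The origin check is what turns "something you have" into "something you have that only works here".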

Train staff to identify phishing emails

Phishing emails are often used to deliver malware, which attackers may use to enable man-in-the-middle (MITM) attacks. While phishing isn't a direct MITM method, it can open the door to these attacks.

Teach staff to recognize suspicious email addresses and links. Require malware scanning before opening any unsolicited attachments. These steps help reduce the risk of malware infections that could lead to broader security threats.

Use a Virtual Private Network (VPN)

VPNs encrypt all traffic between the device and the VPN gateway, so an attacker on the local network or hotspot sees only an opaque tunnel, not the individual connections inside it. That makes them particularly valuable on public Wi-Fi. They do not protect against an attacker positioned beyond the VPN exit, nor against a phishing site the user logs in to voluntarily, so treat them as one layer over a potentially compromised network rather than a complete answer.

Install threat detection and neutralization tools

Use regularly updated threat detection tools that draw on global threat intelligence. On the network, watch for the fingerprints of interception: ARP replies that change the gateway's MAC address, DNS answers that differ from what the authoritative servers return, certificates for well-known sites that do not match their known issuers, and rogue access points broadcasting your corporate SSID. On endpoints, scan for and remove the malware and proxy agents that active MITM attacks depend on before an attack gets under way.

Update firmware

Ensure home and office routers and access points run current firmware. Man-in-the-middle attacks frequently exploit known flaws in out-of-date network hardware, for example to change its DNS settings. This is especially important for companies with large or growing remote workforces, because a compromised home router sits in the path of every connection the employee makes.

Be aware of MITM attacks on mobile devices

Finally, consider interception attacks on mobile devices. Ensure users install security tools on employee smartphones and understand how to detect suspicious SMS messages or emails. Also, consider screening app downloads and blocking untrusted app marketplaces that could host MITM malware.

Man-in-the-middle attacks challenge organizations to secure connections and block eavesdroppers. Implement robust controls and educate network users about MITM threats. That way, you can minimize surveillance risks and avoid damaging data breaches.