You send and receive dozens, if not hundreds, of emails each day. Some of these are fluff, spam, and other timewasters. Some of them help you work through the day-to-day operations of your business and personal life. Some of them, however, are important communications containing sensitive data. Financial, medical, and otherwise private information is consistently sent to and from us through emails and interaction with web pages. What if these emails never reached their intended destination? What if a cybercriminal stood between you and your target, intercepting and viewing all the communications you sent? This is the essence of a Man-in-the-Middle (MitM) attack.
The devastating MitM attack is a tool used by cybercriminals to silently intercept Personally Identifiable Information, financial data, and other sensitive communications. In this hack, the cybercriminal uses one of several techniques to fraudulently send and receive data transmissions. They then decrypt the transmission, read its contents, alter the message as they please, and forward it to the intended destination. In this way, the hacker positions themselves to receive communication, and thus sensitive data, from both parties.
Let’s take a look at the two parts of the MitM attack:
Interception
To begin an attack, the hacker must first intercept someone’s communication. There are three essential levels where interception can occur.
1. Sender Level
The lowest level of interception occurs when the cybercriminal can convince their target to simply send the message to the wrong place. This commonly occurs as a part of, or after, a successful phishing attack. The cybercriminal might send a phishing email appearing to come from a financial institution requesting a password change. If they can breach an account with a vendor, they might send a phishing email directly from that vendor address to try and trick people into giving up sensitive data.
2. Network Level
In the world of networking, two commonly used terms are Wide Area Network (WAN) and Local Area Network (LAN). In common use cases WAN refers to the Internet while LAN is used to indicate a smaller scope of computers, like an office or home network. On a WAN network, devices must communicate through a router or firewall; these devices help determine which connections are acceptable and which are unsafe. On a LAN network, however, devices can ‘see’ and communicate with each other freely.
If a cybercriminal gains access to the same LAN network as your device, they will be able to see the data you’re sending and receiving. In some cases, they may also be able to push malicious code out through the network or commit a hack directly on your machine. This access allows the criminal to easily perform a MitM attack.
Some ways of gaining access to devices via a LAN are quite sophisticated. For example, cybercriminals have been known to set up unprotected Wi-Fi networks in a publicly convenient area, such as a park or coffee shop, which encourages passersby to take advantage of the ‘free’ service. Once a device joins this network, however, the cybercriminal who set up the LAN will have complete visibility into the device’s interactions.
3. Application/Internet Level
The final, and most complicated, method of Interception relates to web applications and sites. An advanced cybercriminal may be able to identify an application with weak security or an exploitable interface and plant malicious software inside it which will redirect communications to them. The criminal may also be able to hack a site or application’s Domain Name System (DNS) platform and create new records which redirect visitors to their site instead. Finally, a hacker could perform what’s called ‘IP Spoofing’. This allows them to pretend to be another computer or server, which can lead legitimate traffic to their illegitimate site before Internet Service Providers detect the issue.
With all application or internet level interceptions, the primary target is traffic over the internet or WAN. If the cybercriminal can intercept communication between you and your bank or other online services, they may walk away with much more than a password.
Decryption
While explanations of Interception techniques can make it sound simple, there are many precautions in place to protect against such things. Good cybersecurity training will protect you and your staff from sender-level attacks. Strong firewalls, reliable network monitoring, and physical security can protect against network-level attacks. Application or Internet level attacks can be defeated by strong ISP and data center security, code and application development security, and attentiveness to the sites you’re visiting. But what happens when your data is intercepted?
Almost all traffic today is encrypted with Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL), with certificates used to prove the identity of the server the traffic is being sent to. A breached LAN is still considered trusted by devices on it, as they don’t know a breach has occurred, but traffic over a WAN is never considered trusted. In either case, once the cybercriminal has captured traffic of some kind, they must break its security.
While the encryption behind SSL/TLS can in theory be broken by brute force, the time and difficulty of doing so make the task functionally impossible. To get around this, cybercriminals use several techniques to establish illegitimate connections instead of forcibly breaking through SSL certificates and other security. A few tools they use are:
- Address Resolution Protocol (ARP) Spoofing or Cache Poisoning – the cybercriminal inputs false data to a LAN which causes network connections to route to their device instead of the intended destination.
- SSL hijacking – the attacker establishes what appear to be legitimate connections with both the target and a web site or application. During this connection they use falsified authentication certificates which makes the session appear real to both the target and the application while all traffic is actually being sent directly to the cybercriminal.
- HTTPS spoofing – the hacker uses malware or a direct connection to a computer to install a falsified security certificate in their target’s browser. When the target attempts to access an online resource, the fake certificate is verified with the application which gives the criminal access to data sent to the app.
- DNS spoofing – as mentioned above, some cybercriminals can hack into insecure DNS providers and inject their own IP addresses in place of legitimate sites.
There are many methods for defeating internet security measures; these are just a few of the tools and techniques cybercriminals have developed.
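The ARP cache poisoning technique in the list above leaves a recognisable trace on the LAN: an IP address that suddenly answers from a different hardware address, or one hardware address answering for several IPs at once (typically the gateway and the victim). The following detector is an added example written for this page, not code from the original article; it runs over a constructed list of ARP replies in the form a sniffer or switch log would report them, and the addresses are made up.

```python
"""Flag ARP cache poisoning indicators from a stream of ARP replies (added example)."""
from collections import defaultdict

# Constructed sample replies: (sequence number, sender IP, sender MAC).
# Replies 1-3 are benign; reply 4 shows the gateway's IP being claimed by a new MAC,
# and reply 5 shows that same MAC also claiming a workstation's IP, the classic
# "sit between the victim and the gateway" pattern.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (2, "192.168.1.20", "aa:bb:cc:00:00:20"),
    (3, "192.168.1.1", "aa:bb:cc:00:00:01"),
    (4, "192.168.1.1", "de:ad:be:ef:00:99"),
    (5, "192.168.1.20", "de:ad:be:ef:00:99"),
]


def detect_arp_spoofing(replies):
    """Return a list of alert dicts; an empty list means nothing suspicious was seen."""
    ip_to_mac = {}                 # last MAC observed for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed so far
    alerts = []
    for seq, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # An IP-to-MAC binding changed mid-session: the core poisoning symptom.
            alerts.append({"seq": seq, "kind": "mac_changed", "ip": ip,
                           "old_mac": previous, "new_mac": mac})
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac] and mac_to_ips[mac]:
            # One MAC now answers for more than one IP. Hosts with several addresses
            # exist, so treat this as an indicator to correlate, not proof on its own.
            alerts.append({"seq": seq, "kind": "mac_claims_multiple_ips", "mac": mac,
                           "ips": sorted(mac_to_ips[mac] | {ip})})
        mac_to_ips[mac].add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```

A real deployment would feed this from a capture tool and compare against a known-good table of gateway and server MACs, which also catches the case where the attacker is first to answer and no change is ever observed.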
Stuck Between a Breach and a Hard Place?
With Man-in-the-Middle attacks, the victim is always left holding the bag. Whether it’s responsibility for breached data, loss of financial capital, or damaged reputation, you don’t want to find yourself in the aftermath of a MitM attack. While no one is immune to cybersecurity threats, having an expert IT team on your side can be the difference between another day in the office and a disaster.
If you’re concerned about your IT or want to learn more about , let’s talk! We’d love to hear where your business is at and help support your cybersecurity journey with a free IT consultation. Whatever you need, and wherever you’re at, you need a strong team to support your business goals. You need Strategy.