What is a man in the middle attack?

A classic, low tech way of stealing information — in the time before computers — was eavesdropping. A spy sitting in the middle of a communication, undetected, listening in.

Well, this kind of information theft has carried through into the age of computers. A man in the middle attack mirrors the act of eavesdropping… and more.

Here, we explore exactly what a man in the middle attack is, and what you can do about it.

What is a man in the middle attack?

A man in the middle (MitM) attack is as the name suggests: a cyberattack in which the attacker sits in the middle of a connection between two parties. This could be a client and a server, or two people communicating, for instance.

In a MitM attack, the attacker intercepts these communications. They can ‘listen in’, reroute traffic, or change the content of the communication.

For a non-technical example, imagine a rogue messenger reading or editing letters before delivery. Or a spy eavesdropping on a target’s conversation and feeding the information back to their superior.

Why would an attacker use this attack?

So, what does a man in the middle attack give the attacker?

MitM attacks are hard to detect, and so they allow attackers to secretly spy on their victim in real time. This means that they can covertly learn classified or sensitive information. This includes seeing and stealing things like login information and personal details.

This kind of attack also allows attackers to sabotage communications. That is, they can corrupt data and change what they like. This includes the potential to reroute messages, bank transfers, and so on.

Different types of man in the middle attack

‘Man in the middle attack’ is an umbrella term that covers many different attack techniques. The common thread is that these techniques allow someone to sit in the middle of an interaction, and silently listen or make changes.

Here are a few examples of MitM attacks.

  • HTTPS spoofing

The attacker creates a site with a URL that looks the same as that of a legitimate site. However, it has a minor difference, such as a misspelling, or a different Unicode character that looks the same as the original. So, you think you’re on the legitimate site, but you aren’t.

  • Session hijacking

Session hijacking is where an attacker steals your active session cookie once you’ve logged in to an account, allowing them access.  

  • WiFi eavesdropping

Also known as an evil twin attack, WiFi eavesdropping is where attackers listen in on the WiFi network you’re connected to. This might be a public or unsecured network. Or, the attacker may have created a network with a commonly trusted name to trick you into connecting, where they can then watch your activity.

  • ARP poison routing

Address Resolution Protocol (ARP) spoofing or poisoning is where an attacker sends false information into the ARP system. This tricks the victim computer into thinking the attacker’s computer is the network gateway. This means that when you connect to the network, the attacker receives your traffic. From there they can read it, delete it, modify it, or forward it on to its intended host.
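The poisoning described above leaves a trace in the victim's own ARP table: the gateway IP suddenly resolves to a different MAC, and that MAC usually already belongs to another host on the LAN. The following script is an added example (not from the original article) that compares two constructed snapshots of Linux `ip neigh` output and raises an alert on both signs; the addresses and MACs are made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: two snapshots of `ip neigh` output on a small LAN.
# In the second snapshot the gateway's MAC has changed to the MAC that
# host 192.168.1.50 already used, the classic sign of ARP poisoning.
SNAPSHOT_BEFORE = """\
192.168.1.1 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""
SNAPSHOT_AFTER = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.20 dev eth0 lladdr 66:77:88:99:aa:bb STALE
192.168.1.50 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
"""

# One resolved neighbour line: "<ip> dev <iface> lladdr <mac> <state>"
LINE_RE = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-f:]{17})", re.I)

def parse_neigh(text):
    """Return {ip: mac} for every resolved entry in `ip neigh` output."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def arp_alerts(before, after, gateway):
    """Compare two ARP snapshots and return a list of alert strings."""
    alerts = []
    old, new = parse_neigh(before), parse_neigh(after)
    # Sign 1: an IP whose MAC changed between snapshots (worst if it is the gateway).
    for ip, mac in new.items():
        if ip in old and old[ip] != mac:
            tag = "GATEWAY " if ip == gateway else ""
            alerts.append(f"{tag}{ip} moved from {old[ip]} to {mac}")
    # Sign 2: one MAC answering for several IPs (the poisoner's own interface).
    by_mac = defaultdict(list)
    for ip, mac in new.items():
        by_mac[mac].append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    for alert in arp_alerts(SNAPSHOT_BEFORE, SNAPSHOT_AFTER, "192.168.1.1"):
        print("ALERT:", alert)
```

Both signs can also have benign causes (a replaced router, a host with several addresses), so treat the output as a prompt to investigate rather than proof of an attack.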

Spotting a man in the middle attack

Man in the middle attacks are a concern because they are typically difficult to spot. The attacker may only be silently listening or recording the sent information. They can also re-encrypt it, making it hard to tell that the information may have been tampered with.

There are, however, a few potential tell-tale signs you could look for if you suspect a man in the middle attack.

  • Latency issues

If a response takes longer than it should, it may suggest third party interference. (That is, a man in the middle delaying responses.)

  • Strange browser addresses

If a web address seems strange or doesn’t match your expectations, double-check it or avoid it. This could be a sign that the site is not what it claims to be.
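The "looks the same but isn't" addresses from the HTTPS spoofing section above are exactly what a double-check here has to catch. As an added example (not part of the original article), the script below classifies a hostname against a constructed allowlist, decoding punycode (`xn--`) names, folding a small set of Cyrillic and Greek look-alike letters to their Latin counterparts, and flagging one-character misspellings; `TRUSTED` and the confusables table are assumptions for illustration.

```python
import unicodedata

# Constructed allowlist: the sites a team genuinely uses (assumed names).
TRUSTED = {"example.com", "accounts.example.com"}

# A few non-Latin letters that render like ASCII ones (Cyrillic, Greek).
# Deliberately small; a real deployment would load the Unicode TR39 confusables.
CONFUSABLES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "ο": "o", "α": "a", "ν": "v", "ι": "i", "ј": "j", "ѕ": "s",
}

def skeleton(host):
    """Reduce a hostname to the ASCII string a human would read it as."""
    host = unicodedata.normalize("NFKC", host.lower())
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)

def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_hostname(host):
    """Return 'trusted', 'lookalike' or 'unknown' for an address-bar host."""
    host = host.lower().rstrip(".")
    # Browsers may show an IDN in its xn-- (punycode) form; decode it so the
    # check sees the glyphs a user would actually be shown.
    if "xn--" in host:
        try:
            host = host.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    if host in TRUSTED:
        return "trusted"
    sk = skeleton(host)
    for trusted in TRUSTED:
        if sk == trusted or edit_distance(sk, trusted) == 1:
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    punycoded = "\u0435xample.com".encode("idna").decode("ascii")  # Cyrillic 'е'
    for h in ["example.com", "examp1e.com", "\u0435xample.com", punycoded]:
        print(h, "->", assess_hostname(h))
```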

  • Certificate examination

With many MitM attacks involving websites, examining the site’s security certificate can help you detect a threat.

Preventing a man in the middle attack

Because they’re so difficult to spot, the best offence against a man in the middle attack is a strong defence.

  • Encryption and VPN use

Even encrypted information can fall foul of a man in the middle attack. However, encryption makes it much harder for cybercriminals to intercept and understand communications and data.

  • Multi-factor authentication

Multi-factor authentication makes it harder for unauthorised parties to access your accounts and information. As a result, man in the middle attacks become harder to pull off, as attackers would need to gain more information and access.

  • Avoidance of risk

Train your team to avoid unnecessary risk. For instance, don’t connect to unsecured or public WiFi. Type website addresses instead of following suspicious links, and be wary of phishing emails. Similarly, ensure any guests to your business use a separate WiFi network from your internal team.

Man in the middle attack

In today’s heavily connected world, cybersecurity is of paramount importance. Knowing the kinds of attacks that you might encounter can help you keep your data and accounts secure.

While man in the middle attacks might not be as common as other kinds of cyberattack, they are still a threat worth guarding against.
