Are Man-in-the-Middle Attacks Still a Threat?


Man-in-the-Middle (MitM) attacks, in which a malicious actor secretly intercepts and possibly alters the communication between two unsuspecting parties, have escalated significantly with the growth of digital connectivity and the surge in remote work. While the attack method is not new, its implications have grown in magnitude in the era of widespread digital transformation.

Modern businesses, from multinational corporations to small and medium enterprises, are constantly targeted by MitM attacks, often without their knowledge. Consequently, vital data is compromised, financial losses are incurred, and trust is eroded. These scenarios underscore the urgency for organizations to understand MitM attacks and take preventative measures against them.

This article discusses MitM attacks, how they operate, and why they’ve become a critical concern for contemporary businesses. We will also explore various preventive strategies organizations can deploy to safeguard against these invisible yet potent threats.


Current Threats to Financial Infrastructure

In June 2023, Microsoft announced that it had discovered Storm-1167, a group of attackers and the infrastructure they operate, launching Adversary-in-the-Middle (or Man-in-the-Middle) attacks against financial institutions.

These attacks use landing pages to harvest login credentials and multi-factor authentication (MFA) credentials such as one-time passwords. Beyond this, the attackers use standard MitM delivery methods such as phishing emails, SMS texts, and Business Email Compromise (BEC) attacks.


What Are Man-in-the-Middle Attacks?

A MitM attack is a cybersecurity attack where an attacker secretly intercepts and potentially alters data sent between two parties who believe they are directly communicating. 

In an attack scenario, the attacker inserts themselves into a connection between two or more victims through some fraudulent means and relays messages between them, leading the victims to believe they are talking directly to each other over a private connection when in fact the attacker controls the entire conversation.

There are several types of MitM attacks, including:

  • IP Spoofing: Here, the attacker alters packet headers to make it seem as though packets are coming from a trusted source. A “packet” is a single unit of information containing data and metadata transmitted over a networked connection. At this level, the attacker can spoof the Internet address a packet claims to come from.
  • Email Hijacking: Attackers gain access to a person’s email account and can then control all communication, view sensitive data, and so on. The compromised accounts can include lower-privilege accounts or admin accounts taken over via BEC techniques.
  • Wi-Fi Eavesdropping: Public Internet connections are often insecure or unencrypted, and an attacker can monitor all data transmitted over the network.
  • DNS Spoofing: By tampering with domain name system settings, an attacker can redirect traffic to a different server entirely. Instead of visiting the legitimate website, the user ends up on a phishing site created by the attacker to harvest information.
  • SSL Hijacking: This is the most insidious form of attack, in which the attacker steals secure credentials and bypasses authentication and encryption over an SSL/TLS connection. If executed properly, this allows attackers to bypass MFA or encryption entirely.

How Do Man-in-the-Middle Attacks Work?

MitM attacks occur when an outside entity intercepts communication between two systems. This can happen in any form of online communication, including email, text messages, or even packet-level transmission.

The basic steps of a MitM attack are:

  • Interception: First, the attacker must be able to intercept the traffic. This can happen in various ways (such as those listed above), but most often occurs by inserting a router or computer between two locations and capturing IP packets, or by using phishing to get users to willingly visit malicious sites.
  • Decryption: Even if data is encrypted, it can be read by attackers with the right technology (and a lot of patience). Attackers can bypass security with forged SSL certificates or by using classic cracking techniques such as dictionary or rainbow table attacks.
  • Eavesdropping and Injection: Eavesdropping means capturing IP packets, copying and reading them, and/or passing them on to their destination. Many successful MitM attacks can eavesdrop on network communications without any party knowing.
  • Relaying and Modification: After reading and/or altering the data, the attacker sends the message to the intended recipient, who believes the message is from the original sender. The recipient may respond, and the attacker can then intercept, read or alter, and relay that message as well, continuing the deception.


How Can My Organization Prevent MitM Attacks?

Prevention techniques are myriad and complex, primarily because there are so many vectors through which an attack can occur, and so many ways the threat can evolve once it succeeds. These measures range from prophylactic security such as encryption to ongoing soft security at the organizational level.

Here are several methods an organization can use to help prevent such attacks:

  • Encryption: Data encryption is critical, especially when using public networks. Encrypted data can be intercepted but cannot be read or modified without the encryption key. Using HTTPS instead of HTTP is one way to ensure encryption is used for data in transit.
  • Virtual Private Networks: A VPN creates a secure connection over the internet between the user and the network that essentially blocks outside viewing of data. This prevents attackers from intercepting the data transmitted between the VPN endpoint and the user.
  • Secure Wi-Fi: Any Wi-Fi connection should use WPA2 or WPA3 encryption. Additionally, while public Wi-Fi is convenient, it should not be used to manage or transmit sensitive data.
  • Digital Certificates: Digital certificates help ensure the integrity and authenticity of a website. Users should be educated to check a website’s digital certificate before submitting sensitive information.
  • Employee Education: This is one of the most crucial steps. Many successful cyber attacks occur because an employee unknowingly clicks a link they should not have or gives away information. Regular training sessions can inform employees of the latest threats and how to avoid them.
  • Intrusion Detection/Prevention Systems (IDS/IPS): These systems monitor network traffic for suspicious behavior and issue alerts when such activity is detected. Some systems can also take steps to block the activity.
  • Multi-Factor Authentication (MFA): MFA requires a user to present more than one form of credential, most often including a biometric factor. MitM attacks can often be mitigated simply because a required biometric factor necessarily requires the original user to be present.
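As an added example (not code from the original article), the Python client below puts the Encryption and Digital Certificates items into practice and addresses the forged-certificate step described under Decryption: it refuses any connection whose certificate chain or hostname fails verification, and it pins each server's certificate fingerprint so that a silently swapped certificate is flagged on the next connection. The host name `bank.example` and the certificate bytes used in the demo are constructed placeholders.

```python
import hashlib
import socket
import ssl


def strict_tls_context() -> ssl.SSLContext:
    """Client context that rejects unverifiable or mismatched certificates.
    create_default_context() already sets CERT_REQUIRED and check_hostname."""
    ctx = ssl.create_default_context()
    assert ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname
    return ctx


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate (the usual 'thumbprint')."""
    return hashlib.sha256(cert_der).hexdigest()


class PinStore:
    """Trust-on-first-use record of the certificate each host presented.
    A later mismatch is either a routine renewal or a forged certificate
    inserted by an interceptor; either way, stop and verify out of band."""

    def __init__(self) -> None:
        self._pins: dict[str, str] = {}

    def observe(self, host: str, cert_der: bytes) -> str:
        fp = cert_fingerprint(cert_der)
        known = self._pins.get(host)
        if known is None:
            self._pins[host] = fp
            return "pinned"
        return "match" if known == fp else "MISMATCH"


def check_host(store: PinStore, host: str, port: int = 443) -> str:
    """Connect with strict verification, then compare the presented cert
    with the pin. ssl.SSLError is raised if chain or hostname checks fail."""
    ctx = strict_tls_context()
    with socket.create_connection((host, port), timeout=5.0) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return store.observe(host, tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    # Offline demo with constructed certificate bytes (placeholders).
    store = PinStore()
    print(store.observe("bank.example", b"constructed-cert-A"))  # pinned
    print(store.observe("bank.example", b"constructed-cert-A"))  # match
    print(store.observe("bank.example", b"constructed-cert-B"))  # MISMATCH
```

A "MISMATCH" result should be treated as a stop condition until the new certificate is confirmed through a channel the suspected interceptor cannot control.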

Cybersecurity is an ongoing process in which an organization continually reviews and updates its defenses. Even if you implement these measures, your organization must constantly update its controls and train its staff to meet evolving threats.


Integrate Common Security Measures for Compliance with Lazarus Alliance

Make sure that your security infrastructure maintains common countermeasures against Man-in-the-Middle attacks, a basic foundation for any compliance strategy. Work with Lazarus Alliance.
