What is a man-in-the-middle attack?

A man-in-the-middle (MitM) attack is a type of cyberattack in which communications between two parties are intercepted, often to steal login credentials or personal information, spy on victims, sabotage communications, or corrupt data.

“MitM attacks are attacks where the attacker is actually sitting between the victim and a legitimate host the victim is trying to connect to,” says Johannes Ullrich, dean of research at SANS Technology Institute. “So, they're either passively listening in on the connection or they're actually intercepting the connection, terminating it and setting up a new connection to the destination.”

MitM attacks are one of the oldest forms of cyberattack. Computer scientists have been looking at ways to prevent threat actors from tampering with or eavesdropping on communications since the early 1980s.

“MITM attacks are a tactical means to an end,” says Zeki Turedi, technology strategist, EMEA at CrowdStrike. “The aim could be spying on individuals or groups to redirecting efforts, funds, resources, or attention.”

Though MitM attacks can be defended against with encryption, successful attackers will either reroute traffic to phishing sites designed to look legitimate or simply pass traffic on to its intended destination once it has been harvested or recorded, which makes such attacks incredibly difficult to detect.

Man-in-the-middle attack examples

MitM attacks encompass a broad range of techniques and potential outcomes, depending on the target and the goal. For example, in SSL stripping, attackers establish an HTTPS connection between themselves and the server but use an unsecured HTTP connection with the victim, which means information is sent in plain text without encryption.
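SSL stripping succeeds because the victim's side of the exchange silently falls back to plain HTTP. The standard client-side defence is HTTP Strict Transport Security (HSTS, RFC 6797): once a host has been reached over HTTPS and has sent a Strict-Transport-Security header, the client must refuse plain-HTTP requests to that host (and, with includeSubDomains, its subdomains) for the lifetime of the policy, and must ignore the header if it arrives over plain HTTP. The following Python is an added example, not code from the article or from any of the vendors quoted in it. It implements a small HSTS cache with a header parser and a downgrade check; the responses and the host bank.example are constructed sample input, and the injectable clock is an assumption made so that policy expiry can be exercised without waiting.

```python
"""Client-side defence against SSL stripping: an HSTS policy cache.

Added example (not from the article). Constructed input: the host
bank.example and the response headers used in the demo at the bottom.
"""
import time
from urllib.parse import urlsplit


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None when the header is malformed (no usable max-age), in which
    case RFC 6797 says the client must ignore it rather than guess.
    """
    max_age = None
    include_subdomains = False
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


def _header(headers, wanted):
    """Case-insensitive header lookup over a plain dict of response headers."""
    for name, value in headers.items():
        if name.lower() == wanted.lower():
            return value
    return None


class HstsCache:
    """Remembers which hosts must only ever be contacted over HTTPS."""

    def __init__(self, now=time.time):
        self._now = now          # clock is injectable so expiry can be tested
        self._policies = {}      # host -> (expiry timestamp, include_subdomains)

    def record(self, url, headers):
        """Learn a policy from a response. Returns True if a policy was applied.

        The header is only honoured on an HTTPS response: an attacker who has
        already stripped the connection to HTTP could otherwise set or clear it.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        raw = _header(headers, "Strict-Transport-Security")
        if raw is None:
            return False
        parsed = parse_hsts(raw)
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:                       # max-age=0 withdraws the policy
            self._policies.pop(host, None)
            return True
        self._policies[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known_https(self, host):
        """True if an unexpired policy covers host, directly or via a parent with includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expiry, include_subdomains = policy
            if expiry <= now:
                continue
            if i == 0 or include_subdomains:   # exact host, or a covering parent
                return True
        return False

    def enforce(self, url):
        """Return the URL the client should actually fetch: http:// becomes https:// for known hosts."""
        parts = urlsplit(url)
        if parts.scheme == "http" and parts.hostname and self.is_known_https(parts.hostname):
            netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
            return parts._replace(scheme="https", netloc=netloc).geturl()
        return url


if __name__ == "__main__":
    cache = HstsCache()
    # First visit over HTTPS: the site pins itself for one hour (constructed response).
    cache.record("https://bank.example/", {"Strict-Transport-Security": "max-age=3600; includeSubDomains"})
    # A later plain-HTTP link, whether typed by the user or injected by a stripping proxy,
    # is rewritten before any request leaves the client.
    print(cache.enforce("http://bank.example/login"))
    print(cache.enforce("http://www.bank.example/"))
```

The cache only helps on the second and later visits; browsers close the first-visit gap with a preloaded HSTS list, which this example does not model.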
Evil Twin attacks mirror legitimate Wi-Fi access points but are entirely controlled by malicious actors, who can then monitor, collect, or manipulate all information the user sends.

“These types of attacks can be for espionage or financial gain, or to just be disruptive,” says Turedi. “The damage caused can range from small to huge, depending on the attacker’s goals and ability to cause mischief.”

In a banking scenario, an attacker could see that a user is making a transfer and change the destination account number or the amount being sent. Threat actors could use man-in-the-middle attacks to harvest personal information or login credentials. If attackers detect that applications are being downloaded or updated, compromised updates that install malware can be sent instead of legitimate ones. The EvilGrade exploit kit was designed specifically to target poorly secured updates. Given that they often fail to encrypt traffic, mobile devices are particularly susceptible to this scenario.

“These attacks can be easily automated,” says SANS Institute’s Ullrich. “There are tools to automate this that look for passwords and write it into a file whenever they see one or they look to wait for particular requests like for downloads and send malicious traffic back.”

While these Wi-Fi or physical network attacks often require proximity to the victim or the targeted network, it is also possible to remotely compromise routing protocols. “That's a more difficult and more sophisticated attack,” explains Ullrich. “Attackers are able to advertise themselves to the internet as being in charge of these IP addresses, and then the internet routes these IP addresses to the attacker and they again can now launch man-in-the-middle attacks.”

“They can also change the DNS settings for a particular domain [known as DNS spoofing],” Ullrich continues. “So, if you're going to a particular website, you're actually connecting to the wrong IP address that the attacker provided, and again, the attacker can launch a man-in-the-middle attack.”

While most attacks go through wired networks or Wi-Fi, it is also possible to conduct MitM attacks with fake cellphone towers. Law enforcement agencies across the U.S., Canada and the UK have been found using fake cell phone towers—known as stingrays—to gather information en masse. Stingray devices are also commercially available on the dark web.

Researchers from the Technical University of Berlin, ETH Zurich and SINTEF Digital in Norway recently discovered flaws in the authentication and key agreement (AKA) protocols used in 3G and 4G, and due to be used in 5G wireless technology rollouts, that could allow attackers to perform MitM attacks.

Man-in-the-middle attack prevention

Though flaws are sometimes discovered, encryption protocols such as TLS are the best way to help protect against MitM attacks. The latest version of TLS became the official standard in August 2018. There are also others such as SSH, or newer protocols such as Google’s QUIC.

If it becomes commercially viable, quantum cryptography could provide robust protection against MitM attacks, based on the theory that it is impossible to copy quantum data and that it cannot be observed without changing its state, which provides a strong indicator of whether traffic has been interfered with en route.

For end-user education, encourage staff not to use open public Wi-Fi or Wi-Fi offerings at public places where possible, as these are much easier to spoof than cell phone connections, and tell them to heed warnings from browsers that sites or connections may not be legitimate. Use VPNs to help ensure secure connections.

“The best methods include multi-factor authentication, maximizing network control and visibility, and segmenting your network,” says Alex Hinchliffe, threat intelligence analyst at Unit 42, Palo Alto Networks.

Prevention is better than trying to remediate after an attack, especially an attack that is so hard to spot. “These attacks are fundamentally sneaky and difficult for most traditional security appliances to initially detect,” says CrowdStrike’s Turedi.

How common are man-in-the-middle attacks?

Though not as common as ransomware or phishing attacks, MitM attacks are an ever-present threat for organizations. IBM X-Force’s Threat Intelligence Index 2018 says that 35 percent of exploitation activity involved attackers attempting to conduct MitM attacks, but hard numbers are difficult to come by.

“I would say, based on anecdotal reports, that MitM attacks are not incredibly prevalent,” says Hinchliffe. “Much of the same objectives—spying on data/communications, redirecting traffic and so on—can be done using malware installed on the victim’s system. If there are simpler ways to perform attacks, the adversary will often take the easy route.”

A notable recent example was a group of Russian GRU agents who tried to hack into the office of the Organisation for the Prohibition of Chemical Weapons (OPCW) at The Hague using a Wi-Fi spoofing device.

Greater adoption of HTTPS and more in-browser warnings have reduced the potential threat of some MitM attacks. In 2017 the Electronic Frontier Foundation (EFF) reported that over half of all internet traffic is now encrypted, with Google now reporting that over 90 percent of traffic in some countries is encrypted. Major browsers such as Chrome and Firefox will also warn users if they are at risk from MitM attacks.
“With the increased adoption of SSL and the introduction of modern browsers, such as Google Chrome, MitM attacks on Public WiFi hotspots have waned in popularity,” says CrowdStrike’s Turedi.

“Today, what is commonly seen is the utilization of MitM principles in highly sophisticated attacks,” Turedi adds. “One example observed recently on open-source reporting was malware targeting a large financial organization’s SWIFT network, in which a MitM technique was utilized to provide a false account balance in an effort to remain undetected as funds were maliciously being siphoned to the cybercriminal’s account.”

The threat still exists, however. For example, the Retefe banking Trojan reroutes traffic from banking domains through servers controlled by the attacker, decrypting and modifying the request before re-encrypting the data and sending it on to the bank. A recently discovered flaw in the TLS protocol—including the newest 1.3 version—enables attackers to break the RSA key exchange and intercept data.

The proliferation of IoT devices may also increase the prevalence of man-in-the-middle attacks, due to the lack of security in many such devices. CSO has previously reported on the potential for MitM-style attacks to be executed on IoT devices and either send false information back to the organization or the wrong instructions to the devices themselves.

“IoT devices tend to be more vulnerable to attack because they don't implement a lot of the standard mitigations against MitM attacks,” says Ullrich. “A lot of IoT devices do not yet implement TLS or implemented older versions of it that are not as robust as the latest version.”

A survey by Ponemon Institute and OpenSky found that 61 percent of security practitioners in the U.S. say they cannot control the proliferation of IoT and IIoT devices within their companies, while 60 percent say they are unable to avoid security exploits and data breaches relating to IoT and IIoT.

“With the mobile applications and IoT devices, there's nobody around and that's a problem; some of these applications, they will ignore these errors and still connect and that defeats the purpose of TLS,” says Ullrich.

Editor’s note: This story, originally published in 2019, has been updated to reflect recent trends.