In my previous two articles, I’ve elaborated on the most popular contemporary cyber attacks and how to defend against them, but due to sophisticated nature, I skipped Man in The Middle, or MITM, attack. Even though the attack itself can be carried out pretty quickly, MITM is a broad term for various hacking techniques and deserves to be explained separately.

First of all, it’s easier to understand this attack by comparing it to phone conversation eavesdropping. Imagine you’re talking to a friend in a phone booth, and without your knowledge, someone is hiding in close range, listening to what you’re saying. Or the phone booth itself is hacked with a listening bug and transmits the conversation to interested third parties. That’s equivalent to a MITM attack.

What is a MITM attack?

MITM attack occurs when an unauthorized third party gains access to data exchange between two communicating systems. This way, an attacker can gain access to personal information, intercept the communication and inject it with malicious elements, or redirect the unsuspecting user to a fraudulent web site. Furthermore, a MITM attack can be carried out in several different ways, and there’s no all-encompassing defense mechanism against it.

Let’s go through the most common attack scenarios.

Wi-Fi eavesdropping

The number of attacks exploiting insecure Wi-Fi connections skyrocketed and with a good reason. Smartphones opened up the possibility to be online wherever you go, and public Wi-Fi access became common for almost every restaurant, hotel, airport, and alike. Sadly, most of these networks have weak-to-none security configurations, for example, default router login/password, granting easy access to cyber criminals.

One way to exploit insecure networks is through a hacking method called Address Resolution Protocol (ARP) Cache poisoning. In layman’s terms, ARP is like a local networks phone book. Each connected device has it’s MAC address (unique to a physical device) and the IP address linked in ARP data table, and send their information requests through a host, see image below.

By using specific software, a hacker can pretend to be the host of the network, thus taking over the whole communication. Some ARP Cashe poisoning software can even alert if any passwords go through fake networks host, and this information can further be used to cause financial damage.

Another way is setting up your own Wi-Fi access point. This is probably the easiest way to carry out a MITM attack because it involves very little “hacking” in a common sense of the word. An attacker sets up a wireless access point that resembles an authentic Wi-Fi address relevant to that location. For example, if you visit Starbucks, you might see “StarbucksFreeWi-Fi”, but you might also see something like “StarbucksCustomerWiFi”. Both look legit, when in fact the second one is a fake WAP that will log all the data you send through it and try to use it for malicious purposes.

DNS poisoning

Domain Name Systems (DNS) is another crucial phone-book-like part of online communication. When you visit a website, for example, medium.com, your device sends a request to know what IP address, expressed in digital form, correlates to web site’s name. That’s how DNS works, and without it, you would need to remember long unique IP addresses of each different web site.

DNS poisoning is when an attacker intercepts DNS requests and can modify the result.

By using ARP Cache poisoning, explained above, an attacker can reroute all traffic through their device. When an unsuspecting user is trying to access a particular web site, he sends a DNS request. But this time, instead of getting a legitimate IP address, he gets a false IP address and is directed to a malicious web site hosted at a server with IP address in question. While on it, user can enter personal credentials, that can later be used to empty his or her bank account.

Session hijacking with a stolen cookie

This is by far the most invasive type of MITM attacks. First of all, a session is an active communication channel between two devices, most commonly between a browsing user and a server that hosts a web page. When you’re logging into Facebook, you initiate a session and Facebook issues you a cookie. A cookie is a small piece of data by which a web page can identify returning user. When you come back to Facebook for the second time, you provide the cookie and don’t have to log in twice, or every time you visit the same web page that supports cookie authentication.

Once again, by using ARP Cache poisoning, an attacker can get access to full browsing information. Then, by using additional software, he or she can filter through the data to target specific websites, and after that search for a cookie in the data processed. If the cookie is there, then the attacker can hijack the session by providing an authentic cookie and impersonate a genuine user.

Unless an attacker does something specific with the account, you may never know a security breach has happened. Differing from credential stuffing, neither Facebook nor Google would request two-factor authentication because the sites believe the original user came back for some more entertainment. Furthermore, the same Facebook issued cookie can be used to login to websites that support the “login with Facebook” feature, so one cookie can be used to gain access to various sites, amplifying potential damages. Same applies to other web pages using the same authentication techniques.