This article is the fifth in the series ‘Growing Cybersecurity Threats.’ Continuing our discussion of major cyber threats, we focus here on an attack in which an adversary inserts themselves into the flow of communication or data between two parties: the man-in-the-middle attack.
The basic idea of a man-in-the-middle attack is to intrude on a conversation as it passes between a user and an application. While the perpetrator intercepts the traffic, neither the sender nor the recipient knows that someone has read, and possibly altered, the conversation. The perpetrator is like a mail carrier who opens a letter, reads and copies its contents, and reseals it before delivering it to the recipient.
A man-in-the-middle (MITM) attack is performed to insert malicious code, redirect a browser to a malicious website, steal information, or replace information in transit. It is carried out either by eavesdropping or by impersonating one of the parties so that the exchange still looks like a normal one. Intruders usually target credit card numbers, login credentials, financial applications, SaaS businesses, e-commerce websites, and other sites holding valuable information. The stolen information can be used for unapproved fund transfers, identity theft, or unauthorized password changes. MITM is also a common way of gaining a foothold inside a secured perimeter during the infiltration stage of an APT (advanced persistent threat) campaign.
Representation of man-in-the-middle attack
Two Phases of MITM attack
In the first stage, the user’s traffic is intercepted by routing it through the attacker’s network before it reaches the intended destination. A passive way of doing this is for the attacker to offer a free, malicious Wi-Fi hotspot to the public. Such connections are not password protected and are open to anyone within range. When a victim connects to the malicious hotspot, the attacker gains access to all data exchanged online over it.
The various ways of intercepting the data are –
1. IP spoofing –
Here, an attacker disguises itself as a legitimate application by forging the source address in IP packet headers. Users trying to reach the application are sent to the attacker’s site instead.
2. DNS spoofing –
Here, an attacker infiltrates a DNS server and alters the address record of a website. Users resolving that website’s name are then sent to the attacker’s site.
3. ARP spoofing –
Here, the attacker links its own MAC address with the IP address of a legitimate user (or the gateway) on the local network. The linking is done with forged ARP messages, which causes data meant for that IP address to be delivered to the attacker.
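The ARP spoofing described above leaves a footprint that a passive monitor on the LAN can spot: an IP address whose MAC mapping suddenly changes, or one MAC address answering for several IPs. The following detector is an added example (not code from the original article); it runs on a constructed list of (IP, MAC) pairs standing in for the ARP replies a tool such as arpwatch would observe.

```python
"""Detect ARP-spoofing symptoms in a stream of observed ARP replies.

Added example, not from the original article. Input records are
(sender_ip, sender_mac) pairs as a passive LAN monitor would collect
them from ARP replies. Two symptoms are flagged:
  1. an IP whose MAC address differs from the one first learned
  2. one MAC address claiming more than `max_ips_per_mac` IP addresses
     (typical when a host impersonates the gateway and other peers)
"""
from collections import defaultdict

# Constructed sample: the gateway 192.168.1.1 is first seen with MAC
# ...:01, then a second host (MAC ...:99) starts answering for the
# gateway and for host .20 as well.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "aa:bb:cc:00:00:01"),
    ("192.168.1.20", "aa:bb:cc:00:00:20"),
    ("192.168.1.30", "aa:bb:cc:00:00:99"),
    ("192.168.1.1", "aa:bb:cc:00:00:99"),   # gateway IP now claimed by :99
    ("192.168.1.20", "aa:bb:cc:00:00:99"),  # and host .20 too
]


def detect_arp_spoofing(replies, max_ips_per_mac=1):
    """Return a list of (alert_type, ip, mac) tuples for suspicious replies."""
    learned = {}                    # ip -> first MAC seen for it
    ips_by_mac = defaultdict(set)   # mac -> set of IPs it has claimed
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        if ip in learned and learned[ip] != mac:
            # Keep the first-learned MAC; a real monitor would also
            # need an allow-list for legitimate DHCP reassignments.
            alerts.append(("mac_changed", ip, mac))
        else:
            learned.setdefault(ip, mac)
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > max_ips_per_mac:
            alerts.append(("mac_claims_multiple_ips", ip, mac))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP_REPLIES):
        print(alert)
```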
Once traffic has been intercepted, the attacker must still decrypt the SSL/TLS traffic without alerting the application or the user.
The various ways of decrypting the data are –
1. SSL hijacking –
It is performed by passing forged authentication keys to the user as well as application during a TCP handshake. The MITM now controls the entire session.
2. SSL beast –
3. SSL stripping –
It intercepts the TLS connection and downgrades the HTTPS session between the application and the user to plain HTTP. The attacker keeps the secure session with the application while sending an unencrypted version of the application to the user, so the entire session is visible to the attacker.
4. HTTPS spoofing –
The attacker establishes a connection to a secure site and presents a phony certificate to the victim. The certificate carries a digital thumbprint tied to the compromised application, which allows the attacker to read any data the victim enters before passing it on to the application.
Incidents of man-in-the-middle attacks
There have been many MITM attacks since the invention of the internet. A few of the significant ones are listed below:
Lenovo confirmed that it had been installing Superfish adware on some of its laptops, along with the Superfish public key, which was inserted into the Windows Certificate Store. Consequently, even when the machine shows the message “this connection is secure,” the laptop is still not trustworthy.
A flaw in banking apps
A major flaw was identified in mobile apps of HSBC, NatWest, Co-op, Santander, and Allied Irish Bank, which opened them to MITM attacks.
Combating man-in-the-middle attacks
To block MITM attacks, several measures, combining encryption with application verification methods, should be followed.
A user should practice the following to avoid MITM attacks –
- Avoid connecting to insecure or open wi-fi connections.
- Log-off from a secure application when it is not in use.
- Pay attention to notifications when a browser identifies malicious content.
- Do not make any sensitive transaction or transfer confidential information when on public networks, such as those in coffee shops, hotels, etc.
For website operators –
Secure communication protocols – By using secure communication protocols such as TLS (HTTPS), website operators can prevent interception of the website’s traffic and block the decryption of crucial data. This helps mitigate spoofing attacks, because the transmitted data is robustly encrypted and authenticated. SSL/TLS should protect every part of a website, including the signup and login pages. It reduces the chance that session cookies are stolen when a user browses an unsecured area of the site while logged in.
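A practical way for an operator to verify the points above is to audit the site’s responses: plain HTTP must redirect to HTTPS, the HTTPS response should carry a Strict-Transport-Security (HSTS) header so browsers refuse the downgrade used by SSL stripping, and session cookies need the Secure and HttpOnly flags so they are never sent over an unencrypted area of the site. The audit below is an added example (not from the original article); HSTS is my addition as the standard downgrade defence, and the responses, hostname example.test and threshold are constructed.

```python
"""Audit HTTP responses for the transport protections that blunt
SSL stripping and session-cookie theft. Added example, not from the
original article; runs offline on constructed responses. In practice
the (status, headers) pairs would come from a real HTTP client, and
Set-Cookie may appear several times per response.
"""
import re

# Constructed samples: (status, headers) for the plain-HTTP and the
# HTTPS endpoint of the same site.
WEAK_SITE = {
    "http": (200, {"Content-Type": "text/html"}),          # serves content in clear
    "https": (200, {"Set-Cookie": "session=abc123; Path=/"}),  # no flags, no HSTS
}
HARDENED_SITE = {
    "http": (301, {"Location": "https://example.test/"}),
    "https": (200, {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
    }),
}

MIN_HSTS_AGE = 180 * 24 * 3600  # six months, an assumed minimum policy


def audit_site(site):
    """Return a list of finding names; an empty list means all checks passed."""
    findings = []
    http_status, http_headers = site["http"]
    https_status, https_headers = site["https"]
    # 1. Plain HTTP must redirect to HTTPS rather than serve content.
    location = http_headers.get("Location", "")
    if http_status not in (301, 302, 307, 308) or not location.startswith("https://"):
        findings.append("http_not_redirected_to_https")
    # 2. HSTS must be present with a sufficiently long max-age.
    hsts = https_headers.get("Strict-Transport-Security", "")
    match = re.search(r"max-age=(\d+)", hsts)
    if not match or int(match.group(1)) < MIN_HSTS_AGE:
        findings.append("hsts_missing_or_short")
    # 3. Session cookies must carry Secure and HttpOnly.
    cookie = https_headers.get("Set-Cookie", "")
    flags = {part.strip().lower() for part in cookie.split(";")}
    if cookie and not {"secure", "httponly"} <= flags:
        findings.append("cookie_missing_secure_or_httponly")
    return findings


if __name__ == "__main__":
    print("weak site:", audit_site(WEAK_SITE))
    print("hardened site:", audit_site(HARDENED_SITE))
```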
Become a cybersecurity expert
A man-in-the-middle attack is a significant cybersecurity threat that is hard to identify and mitigate without a cybersecurity expert. EC-Council University offers a Bachelor of Science in Cybersecurity and a Master of Science in Cybersecurity that help students gain the knowledge and skills required to deal with various cyber threats.
EC-Council University is dedicated to creating superior educational programs in the field of cybersecurity. These degree programs equip graduates with the knowledge to assess the latest IT security risks and the expert skills to handle them successfully. The university offers bachelor’s and master’s degree programs. The Bachelor of Science in Cybersecurity (BSCS) gives the required exposure, builds cybersecurity skills, and develops the leadership abilities that help a candidate grow as a cybersecurity professional. The Master of Science in Cybersecurity (MSCS) builds expertise in the desired skills and helps you gain the domain knowledge to stay ahead of the competition.
ECCU is accredited by the Distance Education Accrediting Commission (DEAC), which is a recognized accrediting agency by the U.S. Department of Education and is also an acknowledged member of the Council for Higher Education Accreditation (CHEA).
ECCU has industry practitioners as faculty members, who also serve as mentors for students aspiring to enter cybersecurity. The university’s iLabs facility helps students gain hands-on practice.